readykernel-patch-131.10-119.0-1.vl7

If a process running in a container performed large allocations of kernel memory, this could hit the memory limit for the container and trigger the OOM killer. It was discovered, however, that the process being killed by it could continue consuming memory for some time. This could lead to out of memory conditions on the host.

If was discovered that not all memory allocated for ipset-related data was properly accounted for. An attacker could exploit it from a container to consume lots of kernel memory, making the host system unusable (denial of service).

It was discovered that a buffer overflow and memory corruption were possible if a system tried to mount an NFS v4 share where the files had security labels in the file attributes. An attacker would need to control the NFS server and make it send a specific series of responses to trigger the issue. The issue allows the attacker to crash the kernel on the client system or, potentially, escalate their privileges there.

It was discovered that a local attacker could pass a specially crafted configuration of conntrack to the kernel to cause a buffer overflow in ctnetlink_parse_tuple_filter() function. As a result, the kernel could crash.

A race condition was discovered in the implementation of usermode helpers in the kernel. An attacker could exploit it from a container to cause a denial-of-service (kernel crash due to a use-after-free), or, potentially, to escalate their privileges in the system.

It was discovered that the implementation of nf_tables did not properly validate certain parameters. An attacker could exploit this from a container to cause a kernel crash: NULL pointer dereference or a general protection fault in nf_tables_getset().

It was discovered that nfnetlink subsystem did not properly validate certain messages. An attacker could exploit this from a container to cause a kernel crash: skb_over_panic in skb_put().

The original fix for PSBM-99181 and related issues introduced a problem: management of shrinkers used to reclaim memory could become very inefficient in certain cases, causing higher load on the affected nodes.

It was discovered that use-after-free condition was possible in cdev_get() if multiple processes simultaneously accessed a character device in a certain way. A local attacker could potentially exploit this to crash the kernel.

It was found that if TPACKET_V3 was used and the kernel failed to obtain certain settings from a relevant network device, the retirement timer could be set incorrectly in the implementation AF_PACKET protocol. This could result in soft lockups and excessive CPU usage.

A NULL pointer dereference was found in the implementation of SELinux. The issue occurs while importing the Commercial IP Security Option (CIPSO) protocol category bitmap into SELinux extensible bitmap. Parsing of a specially crafted CIPSO packet sent by a remote attacker could lead to a kernel crash (remote DoS).

It was discovered that core dumps of userspace processes could contain copies of uninitialized kernel memory areas in certain cases. Although it is difficult for an attacker to control what data is in these areas, this issue, in theory, could be used to obtain sensitive information from the kernel.

An out-of-bounds read was found in the implementation of IPsec cryptographic algorithms ('authenc' module). When payload of a key was longer than 4 bytes but was not properly aligned, crypto_authenc_extractkeys() function could try to read data from a wrong location. This could lead to a kernel crash in crypto_ahash_setkey().

It was discovered that a race condition was possible between pivot_root() and put_mountpoint() operations. A local unprivileged attacker could exploit this to corrupt mountpoint reference counter and cause a denial of service (kernel crash).

See also: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14305.

It was found that a race was possible between uncharging memory from a cgroup and making that cgroup offline. This could lead to premature destruction of the cgroup and could cause a kernel crash.

When a new netns is created, high-order page allocations can happen in nf_ct_alloc_hashtable(). If memory is fragmented, such allocations can become very slow due to memory reclaim, etc. This, in turn, could result in significant slowdowns on the node.

It was discovered that containers could get a broken on-disk BAT but have healthy in-kernel data in certain cases. To detect and fix such conditions, the means to dump the cached BAT were implemented in ploop. Note that, to make use of this enhancement, version 7.0.187.4 or newer of the userspace ploop tools is needed.