readykernel-patch-131.10-129.0-1.vl7

It was discovered that 'weave' network overlay used with Kubernetes tried to create veth devices with MTU 65535 in certain cases. Such operations failed because the maximum allowed MTU was 1500.

Memory leaks could happen when network-related structures were created for a starting container.

It was discovered that an attacker could use a specially crafted sequence of system calls in a container to trigger a memory corruption in the implementation of setsockopt() in the netfilter subsystem. This could result in a kernel crash, or, potentially, could allow the attacker to escalate their privileges.

It was discovered that an attacker could trigger kernel memory corruption from a container by using a specially crafted sequence of operations with CLUSTERIP-related netfilter rules.

It was discovered that the kernel did not check the size of certain iSCSI-related data structures when presenting them in sysfs. A local unprivileged attacker could exploit this (by sending a specially crafted netlink message) to cause a denial of service (system crash) or possibly execute arbitrary code.

It was discovered that the kernel did not properly restrict access to iSCSI sessions and transport handles. A local unprivileged attacker could use this to end arbitrary iSCSI sessions (potentially causing a denial of service) or to expose locations of certain kernel structures.

It was discovered that a local unprivileged attacker could use specially crafted netlink messages to trigger an out-of-bounds read in 'scsi_transport_iscsi' module. The kernel could crash as a result.

It was discovered that an attacker could trigger a kernel crash (null pointer dereference) in ip_set_utest() by running a specially crafted sequence of system calls in a container.

It was discovered that an attacker could trigger a kernel crash (general protection fault) in ip_set_comment_free() by running a specially crafted sequence of system calls in a container.

It was discovered that the implementation of IPv6 multicast routing could try to access wrong data when a user tried to read certain files in /proc. An attacker could exploit that from a container to trigger 'bad unlock balance' error in ipmr_mfc_seq_stop(), followed by a kernel crash.

It was discovered that certain ioctl operations in ext4 did not check their arguments properly. An attacker could exploit that from a container to trigger soft lockups in ext4_ext_find_extent() function, which could result in a denial of service.

If a process running in a container performed large allocations of kernel memory, this could hit the memory limit for the container and trigger the OOM killer. It was discovered, however, that the process being killed by it could continue consuming memory for some time. This could lead to out of memory conditions on the host.

If was discovered that not all memory allocated for ipset-related data was properly accounted for. An attacker could exploit it from a container to consume lots of kernel memory, making the host system unusable (denial of service).

It was discovered that a buffer overflow and memory corruption were possible if a system tried to mount an NFS v4 share where the files had security labels in the file attributes. An attacker would need to control the NFS server and make it send a specific series of responses to trigger the issue. The issue allows the attacker to crash the kernel on the client system or, potentially, escalate their privileges there.

It was discovered that a local attacker could pass a specially crafted configuration of conntrack to the kernel to cause a buffer overflow in ctnetlink_parse_tuple_filter() function. As a result, the kernel could crash.

A race condition was discovered in the implementation of usermode helpers in the kernel. An attacker could exploit it from a container to cause a denial-of-service (kernel crash due to a use-after-free), or, potentially, to escalate their privileges in the system.

It was discovered that the implementation of nf_tables did not properly validate certain parameters. An attacker could exploit this from a container to cause a kernel crash: NULL pointer dereference or a general protection fault in nf_tables_getset().

It was discovered that nfnetlink subsystem did not properly validate certain messages. An attacker could exploit this from a container to cause a kernel crash: skb_over_panic in skb_put().

The original fix for PSBM-99181 and related issues introduced a problem: management of shrinkers used to reclaim memory could become very inefficient in certain cases, causing higher load on the affected nodes.

It was discovered that use-after-free condition was possible in cdev_get() if multiple processes simultaneously accessed a character device in a certain way. A local attacker could potentially exploit this to crash the kernel.

It was found that if TPACKET_V3 was used and the kernel failed to obtain certain settings from a relevant network device, the retirement timer could be set incorrectly in the implementation AF_PACKET protocol. This could result in soft lockups and excessive CPU usage.

A NULL pointer dereference was found in the implementation of SELinux. The issue occurs while importing the Commercial IP Security Option (CIPSO) protocol category bitmap into SELinux extensible bitmap. Parsing of a specially crafted CIPSO packet sent by a remote attacker could lead to a kernel crash (remote DoS).

It was discovered that core dumps of userspace processes could contain copies of uninitialized kernel memory areas in certain cases. Although it is difficult for an attacker to control what data is in these areas, this issue, in theory, could be used to obtain sensitive information from the kernel.

An out-of-bounds read was found in the implementation of IPsec cryptographic algorithms ('authenc' module). When payload of a key was longer than 4 bytes but was not properly aligned, crypto_authenc_extractkeys() function could try to read data from a wrong location. This could lead to a kernel crash in crypto_ahash_setkey().

It was discovered that a race condition was possible between pivot_root() and put_mountpoint() operations. A local unprivileged attacker could exploit this to corrupt mountpoint reference counter and cause a denial of service (kernel crash).

See also: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14305.

It was found that a race was possible between uncharging memory from a cgroup and making that cgroup offline. This could lead to premature destruction of the cgroup and could cause a kernel crash.

When a new netns is created, high-order page allocations can happen in nf_ct_alloc_hashtable(). If memory is fragmented, such allocations can become very slow due to memory reclaim, etc. This, in turn, could result in significant slowdowns on the node.

It was discovered that containers could get a broken on-disk BAT but have healthy in-kernel data in certain cases. To detect and fix such conditions, the means to dump the cached BAT were implemented in ploop. Note that, to make use of this enhancement, version 7.0.187.4 or newer of the userspace ploop tools is needed.