- Kernel Update Version:
- Release Date:
- 2016-12-01 08:13:02
Slab out-of-bounds access in sctp_sf_ootb().A bug was found in the Linux kernel sctp implementation which allows a remote attacker to trigger a slab-out-of-bounds access with an offset up to 64K bytes and cause a system crash.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9555
Kernel memory disclosure and crash in tty layer.A use-after-free flaw was discovered in the Linux kernel's tty subsystem, which allows for the disclosure of uncontrolled memory location and possible kernel panic. The information leak is caused by a race condition when attempting to set and read the tty line discipline. A local attacker could use the TIOCSETD (via tty_set_ldisc) to switch to a new line discipline; a concurrent call to a TIOCGETD ioctl performing a read on a given tty could then access previously allocated memory. Up to 4 bytes could be leaked when querying the line discipline or the kernel could panic with a NULL-pointer dereference.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0723
Null pointer dereference via keyctl.A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8650
block: fix use-after-free in sys_ioprio_get().Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.https://source.android.com/security/bulletin/2016-11-01.html
block: fix use-after-free in seq file.Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.https://source.android.com/security/bulletin/2016-11-01.html
kvm: x86: NULL pointer dereference during instruction decode.An error was found in the x86 instruction decoder in KVM that may result in the kernel crash on the host. Trying to process some invalid instructions may trigger a NULL pointer dereference.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8630
Setting a POSIX ACL via setxattr doesn't clear the setgid bit.When file permissions are modified via chmod and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in chmod.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7097
Out of bounds access in sctp_add_bind_addr.It was found that sctp_add_bind_addr() may read more bytes than expected in case the parameter is a IPv4 address supplied by the user. The kernel might crash as a result.https://groups.google.com/forum/#!msg/syzkaller/BhOYz2ZBraw/-k3iDvD8BAAJ
Use after free in the recvmmsg exit path.A use after free vulnerability was found in the kernel's socket recvmmsg subsystem. It may allow remote attackers to corrupt memory and may also allow execution of arbitrary code.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7117
Remotely triggerable unbounded recursion in the VLAN GRO code leading to a kernel crash.Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path, as an unlimited recursion could happen in both VLAN and TEB modules, leading to a stack corruption in the kernel.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7039
mm: privilege escalation via MAP_PRIVATE COW breakage.A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5195
virtio-net: tx stall due to failed allocations of large skbs.virtio-net: tx stall due to failed allocations of large skbs.
Null pointer dereference in trace_writeback_dirty_page().An attempt to move page mapped by AIO ring buffer to the other node triggers NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3070
netfilter: missing bounds check in ipt_entry structure.A security flaw was found in the Linux kernel in the mark_source_chains() function in "net/ipv4/netfilter/ip_tables.c". It is possible for a user-supplied "ipt_entry" structure to have a large "next_offset" field. This field is not bounds checked prior to writing to a counter value at the supplied offset. Patches: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54d83fc74aa9ec72794373cb47432c5f7fb1a309 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f24e230d257af1ad7476c6e81a8dc3127a74204ehttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3134
overlayfs: Double dentry reference leak in copy-up failure.A flaw was found in the implementation of overlayfs in the Linux kernel. An attacker can make the system leak resources by opening a large file for writing on an overlay filesystem that does not have enough space to handle writing of such amounts of data. Patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ab79efab0a0ba01a74df782eb7fa44b044dae8b5https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8953
Use after free in tcp_xmit_retransmit_queue.A use after free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions. Patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb1fceca22492109be12640d49f5ea5a544c6bb4https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6828
audit: Race condition vulnerability in execve argv arguments.Race condition in the audit_log_single_execve_arg function in the Linux kernel allows local users to bypass intended character-set restrictions or disrupt audit of the system calls. Patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645chttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6136
ext4: mfsync() was broken.ext4: mfsync() was broken.
ext4: fsync() for dirs/symlink was broken.ext4: fsync() for dirs/symlink was broken.
Container start and stop operations took too long when many network namespaces were created and destroyed.Container start and stop operations took too long when many network namespaces were created and destroyed.
Page allocator: freed memory pages could be accessed in the error paths.Page allocator: freed memory pages could be accessed in the error paths.
MAC filter was silently disabled for the containers in some cases.MAC filter was silently disabled for the containers in some cases.
tcp: challenge ACK counter information disclosure.A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack where an attacker is able to determine the shared counter which could be used to determine sequence numbers for TCP stream injection. Patch: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5696
Uninitialized variable in key_reject_and_link() causes a kernel crash in the error pathA flaw was found in the Linux kernel's keyring handling code. An uninitialized variable in key_reject_and_link() function could lead to a system crash or a use-after-free. Patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229ahttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4470
IPv6 connect causes DoS via NULL pointer dereference.A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system. Patch: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8543