ipv4/tcp: Infinite loop in tcp_splice_read().
The tcp_splice_read function in net/ipv4/tcp.c allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
A privileged user inside a container can cause a host kernel crash in udp_lib_get_port().
Broken isolation for some of 'ip ntable' settings.
Use after free in the implementation of DCCP protocol.
A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
General protection fault in sendmsg() -> netlink_sendmsg() -> netlink_unicast().
NULL pointer dereference in write() -> netlink_sendmsg() -> netlink_unicast().
iptables: forwarding does not work with '--netfilter full'.
kvm: use after free in complete_emulated_mmio.
Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) support is vulnerable to a use after free flaw. It could occur on x86 platform, when emulating instructions fxsave, fxrstor, sgdt, etc. A user/process could use this flaw to crash the host kernel resulting in DoS.
kvm: vmx/svm potential privilege escalation inside guest.
Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to an incorrect segment selector (SS) value error. The error could occur while loading values into the SS register in long mode. A user/process inside guest could use this flaw to crash the guest resulting in DoS or potentially escalate their privileges inside guest.
fs/fadvise: a way was needed to deactivate pages after cached reads.
Support for FADV_DEACTIVATE flag (fs/fadvise) was added to the kernel to address this.
Keys: general protection fault in trusted_update().
A flaw was found in the handling of negatively instantiated keys in the Linux kernel. A local unprivileged user can use this vulnerability to crash the system.
Potential double free in netlink_dump().
A double free vulnerability was found in netlink_dump(), which could cause a denial of service or possibly other unspecified impact.
A BUG() statement can be hit in net/ipv4/tcp_input.c.
It was discovered that the Linux kernel since 3.6-rc1 with net.ipv4.tcp_fastopen set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash.
Kernel panic and system lockup by triggering BUG_ON() in public_key_verify_signature()
A syntax vulnerability was discovered in the kernel's ASN1.1 DER decoder, which could lead to memory corruption or a complete local denial of service through x509 certificate DER files. A local system user could use a specially created key file to trigger BUG_ON() in the public_key_verify_signature() function (crypto/asymmetric_keys/public_key.c), to cause a kernel panic and crash the system.
Null pointer dereference in trace_writeback_dirty_page().
An attempt to move page mapped by AIO ring buffer to the other node triggers NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0.