-
PSBM-68472
Kernel crash when accessing /proc/$PID/map_files.
A data race was discovered in the implementation of /proc/$PID/map_files. A privileged user on the host could crash the kernel by using mmap and munmap for a file and simultaneously trying to access /proc/$PID/map_files.
-
PSBM-64050
sctp: potential kernel crash in sctp_wait_for_sndbuf().
If sctp module was loaded on the host, a privileged user inside a container could make sctp listen on a socket in an inappropriate state, causing a kernel crash (use-after-free in sctp_wait_for_sndbuf()).
-
PSBM-68362
Kernel crash due to incorrect skb headroom calculation and missing checks.
It was found that the kernel could crash (skb_under_panic) if an skb from a virtual (NETIF_F_VENET) device was processed in a particular networking configuration. The problem was caused by the incorrect skb headroom calculation and missing headroom checks.
-
PSBM-67513
Kernel crash in ploop due to the list corruption during parallel push backups.
A data race was discovered in ploop, which could lead to the kernel crash due to the list corruption during parallel push backups.
-
PSBM-68052
The values shown in /proc/loadavg can be calculated incorrectly in some cases.
A data race between calc_load_fold_active() and try_to_wake_up() was discovered. As a result of that race, the values shown in /proc/loadavg could be calculated incorrectly in some cases.
-
CVE-2017-11176
Use-after-free in sys_mq_notify().
The implementation of mq_notify system call in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
https://bugzilla.redhat.com/show_bug.cgi?id=1470659
-
PSBM-64752
ipv4: deadlock in ip_ra_control().
A vulnerability was found in the implementation of setsockopt() operations in the Linux kernel. A privileged user inside a container could cause a DoS on the host (kernel deadlock in ip_ra_control() function) using a specially crafted sequence of system calls.
-
CVE-2017-8797
NFSv4 server does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand.
The NFSv4 server in the Linux kernel compiled with CONFIG_NFSD_PNFS enabled does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. The attack payload fits to single one-way UDP packet. The provided input value is used for array dereferencing. This may lead to a remote DoS of [knfsd] and so to a soft-lockup of a whole system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8797
-
PSBM-67221
Kernel crash (general protection fault) in cleanup_timers().
A vulnerability was found in the signal handling in the Linux kernel. A local unprivileged user may cause a kernel crash (general protection fault) in cleanup_timers() function by using rt_tgsigqueueinfo() system call with a specially crafted set of arguments.
-
PSBM-67300
Kernel crash (NULL pointer dereference) in list_lru_destroy().
Kernel crash (NULL pointer dereference) in list_lru_destroy().
-
CVE-2017-9074
IPv6 fragmentation implementation of nexthdr field may be associated with an invalid option.
The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG()) or possibly have unspecified other impact via crafted socket() and send() system calls.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9074
-
CVE-2017-9075
sctp_v6_create_accept_sk function mishandles inheritance.
sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, an issue related to CVE-2017-8890. An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9075
-
CVE-2017-9077
tcp_v6_syn_recv_sock function mishandles inheritance.
tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, an issue related to CVE-2017-8890. An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9077
-
CVE-2017-9076
IPv6 DCCP implementation mishandles inheritance.
The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, an issue related to CVE-2017-8890. An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9076
-
CVE-2017-8890
Double free in inet_csk_clone_lock() function in net/ipv4/inet_connection_sock.c.
inet_csk_clone_lock() function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by using a specially crafted sequence of system calls including accept(). An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8890
-
CVE-2017-7895
NFSv3 server does not handle payload bounds checking of WRITE requests properly.
The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7895
-
CVE-2017-7645
nfsd: Incorrect handling of long RPC replies.
The NFS2/3 RPC client could send long arguments to nfsd server. These encoded arguments are stored in an array of memory pages, and accessed via various pointer variables. Arbitrarily long arguments could make these pointers point outside the array, thus causing out-of-bounds memory access. A remote user/program could use this flaw to crash the kernel resulting in DoS.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7645
-
PSBM-65826
sctp: Null pointer dereference in sctp_endpoint_destroy().
If sctp module is loaded on the host, a privileged user inside a container can cause a kernel crash by triggering a NULL pointer dererefence in sctp_endpoint_destroy() function with a specially crafted sequence of system calls.
-
PSBM-65345
User-triggerable BUG_ON() in unregister_netdevice_many().
A privileged user inside a container can cause a kernel crash by triggering a BUG_ON in unregister_netdevice_many() function with a specially crafted sequence of system calls.
-
PSBM-64734
Use after free in __sctp_connect().
A vulnerability was found in the implementation of SCTP protocol in the Linux kernel. If sctp module is loaded on the host, a privileged user inside a container could cause a kernel crash by triggering use after free in __sctp_connect() function with a specially crafted sequence of system calls.
-
CVE-2017-5970
ipv4: Invalid IP options could cause skb->dst drop.
A vulnerability was found in the Linux kernel where having malicious IP options present would cause the ipv4_pktinfo_prepare() function to drop/free the dst. This could result in a system crash or possible privilege escalation.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5970
-
CVE-2017-6353
Possible double free in stcp_sendmsg().
net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6353
-
CVE-2017-5986
Kernel crash in sctp_wait_for_sndbuf().
Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5986
-
CVE-2017-7472
Memory leak in keyctl_set_reqkey_keyring().
A vulnerability was found in the Linux kernel. keyctl_set_reqkey_keyring() function leaks thread keyring which allows an unprivileged local user to exhaust kernel memory.
https://bugzilla.redhat.com/show_bug.cgi?id=1442086
-
PSBM-56705
Kernel crash in proc_flush_task() triggerable by wait4() syscall.
A vulnerability was discovered in the handling of pid namespaces in the kernel. A privileged user inside a container may trigger a kernel crash (NULL pointer dereference in proc_flush_task()) using a sequence of system calls including wait4().
-
PSBM-44587
Kernel crash in synchronize_mapping_faults_vma() when pfcache is active.
Kernel crash in synchronize_mapping_faults_vma() when pfcache is active.
-
PSBM-52369
Kernel crash in cgroup_show_path() while running rkt in a container.
Kernel crash in cgroup_show_path() while running rkt in a container.
-
PSBM-63197
L1 VZ7 guest: kernel crash due to a race between attach and invalidate page.
L1 VZ7 guest: kernel crash due to a race between attach and invalidate page.
-
CVE-2017-2636
Race condition access to n_hdlc.tbuf causes double free in n_hdlc_release().
A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2636
-
CVE-2017-7308
Integer overflows in packet_set_ring().
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308
-
CVE-2017-7184
Local privilege escalation in XFRM framework.
It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7184.html
-
CVE-2017-2647
Null pointer dereference in search_keyring().
A flaw was discovered in the Linux kernel's key subsystem. Calling request_key() system call with the specially crafted set of arguments may result in a NULL-pointer dereference inside search_keyring() function. A local unprivileged user can use this vulnerability to crash the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647
-
CVE-2017-6214
ipv4/tcp: Infinite loop in tcp_splice_read().
The tcp_splice_read function in net/ipv4/tcp.c allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6214
-
PSBM-57512
A privileged user inside a container can cause a host kernel crash in udp_lib_get_port().
A privileged user inside a container can cause a host kernel crash in udp_lib_get_port().
-
PSBM-59964
Broken isolation for some of 'ip ntable' settings.
Broken isolation for some of "ip ntable" settings.
-
CVE-2017-6074
Use after free in the implementation of DCCP protocol.
A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6074
-
PSBM-57511
General protection fault in sendmsg() -> netlink_sendmsg() -> netlink_unicast().
General protection fault in sendmsg() -> netlink_sendmsg() -> netlink_unicast().
-
PSBM-57499
NULL pointer dereference in write() -> netlink_sendmsg() -> netlink_unicast().
NULL pointer dereference in write() -> netlink_sendmsg() -> netlink_unicast().
-
PSBM-59983
iptables: forwarding does not work with '--netfilter full'.
iptables: forwarding does not work with '--netfilter full'.
-
CVE-2016-9793
Signed overflow for SO_{SND|RCV}BUFFORCE.
Andrey Konovalov discovered that signed integer overflows existed in the setsockopt() system call when handling the SO_SNDBUFFORCE and SO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash or memory corruption).
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9793.html
-
CVE-2017-2584
kvm: use after free in complete_emulated_mmio.
Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) support is vulnerable to a use after free flaw. It could occur on x86 platform, when emulating instructions fxsave, fxrstor, sgdt, etc. A user/process could use this flaw to crash the host kernel resulting in DoS.
https://bugzilla.redhat.com/show_bug.cgi?id=1413001
-
CVE-2017-2583
kvm: vmx/svm potential privilege escalation inside guest.
Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to an incorrect segment selector (SS) value error. The error could occur while loading values into the SS register in long mode. A user/process inside guest could use this flaw to crash the guest resulting in DoS or potentially escalate their privileges inside guest.
https://bugzilla.redhat.com/show_bug.cgi?id=1414735
-
PSBM-57915
fs/fadvise: a way was needed to deactivate pages after cached reads.
Support for FADV_DEACTIVATE flag (fs/fadvise) was added to the kernel to address this.
-
CVE-2015-8539
Keys: general protection fault in trusted_update().
A flaw was found in the handling of negatively instantiated keys in the Linux kernel. A local unprivileged user can use this vulnerability to crash the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8539
-
CVE-2016-9806
Potential double free in netlink_dump().
A double free vulnerability was found in netlink_dump(), which could cause a denial of service or possibly other unspecified impact.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9806
-
CVE-2016-8645
A BUG() statement can be hit in net/ipv4/tcp_input.c.
It was discovered that the Linux kernel since 3.6-rc1 with net.ipv4.tcp_fastopen set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8645
-
CVE-2016-2053
Kernel panic and system lockup by triggering BUG_ON() in public_key_verify_signature()
A syntax vulnerability was discovered in the kernel's ASN1.1 DER decoder, which could lead to memory corruption or a complete local denial of service through x509 certificate DER files. A local system user could use a specially created key file to trigger BUG_ON() in the public_key_verify_signature() function (crypto/asymmetric_keys/public_key.c), to cause a kernel panic and crash the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2053
-
CVE-2016-3070
Null pointer dereference in trace_writeback_dirty_page().
An attempt to move page mapped by AIO ring buffer to the other node triggers NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3070