- Kernel Update Version:
- Release Date:
- 2019-03-20 10:08:02
NFSv3 server does not handle payload bounds checking of WRITE requests properly.The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7895
nfsd: Incorrect handling of long RPC replies.The NFS2/3 RPC client could send long arguments to nfsd server. These encoded arguments are stored in an array of memory pages, and accessed via various pointer variables. Arbitrarily long arguments could make these pointers point outside the array, thus causing out-of-bounds memory access. A remote user/program could use this flaw to crash the kernel resulting in DoS.https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7645
sctp: Null pointer dereference in sctp_endpoint_destroy().If sctp module is loaded on the host, a privileged user inside a container can cause a kernel crash by triggering a NULL pointer dererefence in sctp_endpoint_destroy() function with a specially crafted sequence of system calls.
User-triggerable BUG_ON() in unregister_netdevice_many().A privileged user inside a container can cause a kernel crash by triggering a BUG_ON in unregister_netdevice_many() function with a specially crafted sequence of system calls.