-
CVE-2018-18559
Use-after-free due to race condition in AF_PACKET implementation.
It was discovered that a race condition between packet_do_bind() and packet_notifier() in the implementation of AF_PACKET could lead to use-after-free. An unprivileged user on the host or in a container could exploit this to crash the kernel or, potentially, to escalate their privileges in the system.
https://bugzilla.redhat.com/show_bug.cgi?id=1641878
-
PSBM-88809
Potential kernel crash in ext4_close_pfcache().
-
CVE-2018-14634
Integer overflow in create_elf_tables() function.
An integer overflow flaw was found in create_elf_tables(). An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14634
-
CVE-2017-1000365
Bypass of the size restriction on the arguments and environment variables of a process.
The Linux kernel imposes a size limit on the memory needed to store the arguments and environment variables of a process, 1/4 of the maximum stack size (RLIMIT_STACK). However, the pointers to these data were not taken into account, which allowed attackers to bypass the limit and even exhaust the stack of the process.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000365
-
PSBM-88818
Kernel crash in __run_hrtimer().
It was found that the implementation of high resolution timers ('hrtimer' subsystem) did not handle the situation when a timer was started simultaneously with its restart in another thread. As a result, a BUG_ON() could trigger in __run_hrtimer() leading to kernel crash.
-
PSBM-88577
Soft lockup in xfrm_policy_flush().
If an error occurred during execution of xfrm_net_init() when a new network namespace was created, xfrm_policy_lock could remain uninitialized. As a result, soft lockup could happen in xfrm_policy_flush() if it tried to acquire the lock after that.
-
PSBM-88561
ploop: kernel crash in dio_open().
It was found that the implementation of ploop did not handle errors reported by kthread_create() properly. This could lead to a kernel crash in dio_open().
-
PSBM-88082
File systems: insufficient error handling in sget() could lead to excessive memory consumption.
-
PSBM-73001
sunrpc: potential kernel crash (use after free) in svc_process_common().
-
PSBM-87649
Potential out-of-bounds read in fuse_dev_splice_write().
-
PSBM-87670
Attempts to start a container fail with errors like 'cannot create directory /sys/fs/cgroup/beancounter/{something}'.
-
CVE-2017-18344
Out-of-bounds access in show_timer() function.
The implementation of timer_create system call in the Linux kernel before 4.14.8 doesn't properly validate the sigevent::sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-18344
-
CVE-2018-13405
SGID bit was not cleared on the files created by the users not present in the group that owned the SGID directory.
It was discovered that the local users could create files with an unintended group ownership and with group execution and SGID permission bits set. It was possible when a directory was SGID, belonged to a certain group and was writable by a user who was not a member of this group. This could lead to excessive permissions granted in case when they should not.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-13405
-
PSBM-86804
sctp: user-triggerable soft lockups.
A flaw was discovered in the implementation of SCTP protocol. A local unprivileged user could exploit it to cause soft lockups in the kernel (and, eventually, a denial of service) using specially crafted sequences of system calls.
-
PSBM-86790
Missing unlock_page() in the error path in fuse_readpages_fill().
-
PSBM-80743
Kernel warning in kill_block_super() when a mount operation fails.
-
PSBM-86511
The system could fail to restore a container with lots of mounts even if the number of mounts was within the limit.
It was discovered that the system could fail to restore a container ("VZctlError: Not enough system resources") if the container had more mounts than one third of the limit shown in /proc/sys/fs/ve-mount-nr.
-
PSBM-86420
Kernel crashes (NULL pointer dereference) if memory allocation fails in alloc_vfsmnt().
https://bugs.openvz.org/browse/OVZ-7039
-
CVE-2018-1120
Mapping a FUSE-backed file onto the command line arguments of a process causes denial of service.
By mapping a FUSE-backed file onto the memory area containing command line arguments or environment strings of a process, an attacker can cause any program that reads /proc/
/cmdline or /proc//environ for that process to block indefinitely or for a controlled amount of time. 'ps' and 'w' utilities are affected, among other things.
https://bugzilla.redhat.com/show_bug.cgi?id=1575472
-
PSBM-85929
Potential kernel crash (NULL pointer dereference) in sysfs_readdir().
-
CVE-2018-5803
Kernel crash due to missing length check in _sctp_make_chunk() function.
It was found that _sctp_make_chunk() function did not check if the chunk length for INIT and INIT_ACK packets was within the allowed limits. A local attacker could exploit this to trigger a kernel crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-5803
-
CVE-2018-1000199
ptrace: incorrect error handling leads to corruption and DoS.
The implementation of ptrace in the kernel does not handle errors correctly when working with the debug registers. As a result, the hardware breakpoints could become corrupted. An unprivileged user could exploit this flaw to crash the kernel resulting in a denial-of-service, or, potentially, to escalate their privileges in the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1000199
-
CVE-2018-1087
KVM: error in exception handling leads to wrong debug stack.
A flaw was found in how KVM handled exceptions delivered after Mov SS or Pop SS instructions have encountered a breakpoint. As a result, exceptions passed to the guest kernel could have wrong values on the stack. An unprivileged KVM guest user could use this flaw to crash the guest kernel or, potentially, escalate their privileges in the guest system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1087
-
PSBM-84191
ip utility hangs in netlink_recvmsg().
It was discovered that the newer versions of ip utility (4.11.0, for example) may hang in netlink_recvmsg() when running on the kernel 3.10.0-693.21.1.vz7.46.7 and older. This was caused by mis-interpretation of netlink commands.
-
CVE-2017-17807
Missing permissions check for request_key() destination allows local attackers to add keys to keyring without write permission.
The KEYS subsystem omitted an access-control check when writing a key to the default keyring of the current task, allowing a local user to bypass security checks for the keyring. This compromised the validity of the keyring for those who relied on it.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17807
-
CVE-2017-17450
System-wide OS fingerprint list was accessible to unprivileged users.
It was discovered that xt_osf_fingers data structure was accessible from any network namespace. This allowed unprivileged local users to bypass intended access restrictions and modify the system-wide OS fingerprint list used by specific iptables rules.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17450
-
CVE-2017-17449
Netlink monitor created in a namespace could observe system-wide activity.
It was discovered that a nlmon link inside a child network namespace was not restricted to that namespace. An unprivilged local user could exploit that to monitor system-wide netlink activity.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17449
-
CVE-2017-17448
Potential unprivileged access to the kernel structures used by netfilter conntrack helpers.
It was discovered that nfnl_cthelper_list structure was accessible to any user with CAP_NET_ADMIN capability in a network namespace. An unprivilged local user could exploit that to affect netfilter conntrack helpers on the host.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17448
-
PSBM-83874
Kernel crash (stack overflow) caused by lots of internal mounts.
It was discovered that clone_mnt() did not clear MNT_INTERNAL flag for the internal mounts. As a result, the kernel could crash due to a stack overflow if lots of bind mounts of /proc/*/ns/* were created in a new namespace.
https://www.spinics.net/lists/netdev/msg496514.html
-
CVE-2018-1130
Kernel crash in dccp_write_xmit().
If "dccp_ipv6" module was loaded on the host, a local unprivileged user could trigger a kernel crash in dccp_write_xmit() or inet_csk_get_port() using a specially crafted sequence of system calls.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f93df79aeefc3add4e4b31a752600f834236e2
-
PSBM-83474
Kernel crash in ip6mr_sk_done().
If the kernel failed to create an IPv6 socket, for example, due to cgroup.memsw limit, it would crash in ip6mr_sk_done() when trying to clean up multicast routes.
-
PSBM-81798
IPv6 routing tables incorrectly handled routing rules for throw routes.
It was discovered that IPv6 routing tables incorrectly handled routing rules for throw routes. This happened because errors were not propagated properly up to the fib_rules_lookup().
-
PSBM-82766
Container remained mounted in some cases after 'shutdown -h now' in it.
It was discovered that incorrect state of a container could be reported in /sys/fs/cgroup/ve/CTID/ve.state in some cases, which confused the user-space tools. As a result, a container could remain mounted after 'shutdown -h now' in it.
-
CVE-2018-1068
ebtables: out-of-bounds write via userland offsets in ebt_entry struct.
It was discovered that the implementation of ebtables in the kernel did not properly validate the offsets received from the user space. A local user with enough privileges in the user and network namespaces could use that to trigger an out-of-bounds write to the kernel address space.
https://bugzilla.redhat.com/show_bug.cgi?id=1552048
-
PSBM-81600
Ploop: some IO requests were not marked as completed in case of errors.
-
PSBM-81488
High cpu usage in isolate_freepages_block().
vstorage-mount spent a lot of time in isolate_freepages_block() in some cases, causing performance issues.
-
PSBM-81264
Memory cgroups were not released when starting/stopping a container with Docker.
Memory cgroups were not correctly released during start/stop of a container with Docker. If the node had a significant amount of containers with Docker, this could lead to stopped containers not starting again.
-
PSBM-80340
Hard lockups happened when the kernel was processing SAK (Secure Attention Key).
-
PSBM-81033
Docker v17.11 and newer failed to start in a container.
Starting from v17.11, Docker checks is all cgroups are mounted and refuses to start if some cgroups are not. Some of Virtuozzo-specific cgroups were visible in the containers and were not mounted there, which prevented Docker from starting properly.
-
PSBM-81090
Kernel crash in mem_cgroup_iter().
-
PSBM-80839
Potential denial of service due to extensive memory consumption.
It was discovered that some operations with files in a container could lead to denial of service on the host due to extensive memory consumption.
-
CVE-2018-5344
loop: potential data race between open() and release() leading to use-after-free.
It was found that release() operation for the loop devices has insufficient protection for the device structures against the accesses from the concurrent open() operations. A local attacker can use specially arranged concurrent operations with a loop device to cause a denial of service (kernel crash due to a use-after-free error).
https://bugzilla.redhat.com/show_bug.cgi?id=1533909
-
CVE-2017-18017
netfilter: Use-after-free in tcpmss_mangle_packet().
If the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker may cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-18017
-
PSBM-79502
Kernel warnings about memory allocation failures in vznetstat.
Kernel warnings about memory allocation failures in vznetstat.
-
PSBM-79273
Soft lockup in isolate_lru_page().
Migrating large memory ranges may take a while. With no resched points available, it caused soft lockups in isolate_lru_page().
-
CVE-2017-15115
Use-after-free in sctp_cmp_addr_exact().
sctp_do_peeloff() function in the Linux kernel before 4.14 did not check whether the intended netns was used in a peel-off action, which allowed local users to cause a denial of service (use-after-free in sctp_cmp_addr_exact() resulting in system crash) or possibly have unspecified other impact via crafted system calls.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15115
-
PSBM-78078
Containers failed to restart because their VEIP addresses were not released.
The kernel could consider a container stopped before the resources of that container, for example, VEIP addresses, have been released. As a result, the system could fail to restart the container.
-
CVE-2017-15129
Potential use-after-free in the processing of namespaces.
The function get_net_ns_by_id() does not check the net.count value when processing a peer network, which could lead to double free and memory corruption. An unprivileged local user could use this vulnerability to crash the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15129
-
PSBM-77154
tcache: unnecessary BUG_ON()s.
Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead.
-
CVE-2017-8824
Use-after-free in DCCP socket handling.
A vulnerability was found in DCCP socket handling code. dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8824
-
CVE-2017-1000405
PMD can become dirty without going through a COW cycle.
A flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000405
-
PSBM-76011
memcgroup: potential deadlocks and soft lockups.
memcgroup: potential deadlocks and soft lockups.
-
CVE-2017-16939
ipsec: xfrm: use-after-free leading to potential privilege escalation.
The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.
https://bugzilla.redhat.com/show_bug.cgi?id=1517220
-
PSBM-76970
Incorrect accounting of isolated pages in memcg_numa_isolate_pages().
Isolated pages were accounted for incorrectly in memcg_numa_isolate_pages() in certain cases. As a result, some processes could hang forever.
-
CVE-2017-12193
Null pointer dereference due to incorrect node-splitting in assoc_array implementation.
A flaw was found in the implementation of associative arrays in the Linux kernel. A null pointer dereference could happen in assoc_array_apply_edit() due to incorrect node splitting.
https://bugzilla.redhat.com/show_bug.cgi?id=1501215
-
PSBM-76437
FUSE issues lots of small writes when resizing a file.
Each resize issues invalidate_inode_pages2(), which triggers ultra slow synchronous writeback of all dirty pages.
-
PSBM-62094
sysinfo() returns 0 for uptime if called from a VZ7 container.
sysinfo() returns 0 for uptime if called from a VZ7 container.
-
CVE-2017-15649
Use-after-free in af_packet.c.
A vulnerability in fanout_add() in 'net/packet/af_packet.c' in the Linux kernel version 4.13.6 and older allows local users to gain privileges or cause a denial of service (kernel crash). A specially crafted sequence of system calls may trigger a race condition (involving fanout_add() and packet_do_bind() functions) that leads to a use-after-free.
https://bugzilla.redhat.com/show_bug.cgi?id=1504574
-
PSBM-70021
Hung processes when trying to stop a container created on a storage partition.
Hung processes when trying to stop a container created on a storage partition.
-
CVE-2016-8399
net: Out of bounds stack read in memcpy_fromiovec.
A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto().
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8399
-
CVE-2017-12190
Memory leak when merging buffers in SCSI IO vectors.
It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition.
https://bugzilla.redhat.com/show_bug.cgi?id=1495089
-
PSBM-75641
Kernel crash in rt6_ifdown().
It was discovered that a specially crafted sequence of system calls could cause a kernel crash (general protection fault) in rt6_ifdown().
https://bugzilla.redhat.com/show_bug.cgi?id=1492640
-
PSBM-75247
NULL pointer dereference in __task_pid_nr_ns().
It was discovered that the value of task->pids[type].pid was actually read twice in __task_pid_nr_ns() rather than only once, due to compiler optimizations. As a result, a race condition could happen and that value could become NULL between these reads, leading to a kernel crash (NULL pointer dereference).
-
CVE-2017-12188
KVM, MMU: potential stack buffer overrun during page walks.
Linux kernel built with the KVM virtualisation support (CONFIG_KVM), with nested virtualisation (nVMX) feature enabled (nested=1), is vulnerable to a stack buffer overflow issue. It could occur while traversing guest pagetable entries to resolve guest virtual address. A guest system could use this flaw to crash the host kernel resulting in DoS, or potentially execute arbitrary code on the host.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12188
-
CVE-2017-15274
Adding invalid keys with NULL payload but nonzero payload length leads to kernel crash.
A flaw was discovered in the key management subsystem of the Linux kernel. It allowed to pass NULL payload with non-zero payload length as parameters to sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl(). A local unprivileged user could exploit this to cause a kernel crash (NULL pointer dereference).
https://bugzilla.redhat.com/show_bug.cgi?id=1500391
-
PSBM-71536
autofs: unbalanced pid get/put operation in the error path in autofs4_fill_super().
autofs: unbalanced pid get/put operation in the error path in autofs4_fill_super().
-
CVE-2017-15299
Incorrect updates of uninstantiated keys crash the kernel.
It was discovered that the key management subsystem of the Linux kernel could perform incorrect update operations on uninstantiated keys. A local unprivileged user could exploit this flaw to cause a NULL pointer dereference in the kernel.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15299
-
CVE-2017-1000253
load_elf_binary() does not allocate sufficient space for the entire binary in some cases.
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000253
-
CVE-2017-1000251
Buffer overflow in the native Bluetooth stack.
It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash).
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000251
-
CVE-2017-12154
kvm: nVMX: L2 guest could access hardware (L0) CR8 register.
If nested virtualisation (nVMX) feature is enabled in the kernel, L2 guest system could access the hardware CR8 register of the host(L0) and use that to crash the host system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12154
-
CVE-2017-12192
Kernel crash due to missing error handling for negatively instantiated keys.
An unprivileged user inside a container can cause a denial of service (kernel crash in user_read() function) using a specially crafted sequence of system calls.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12192
-
PSBM-71747
netlink: fix an use-after-free issue for nlk groups.
ChunYu Wang from Red Hat found a netlink use-after-free issue by syzkaller. Access to already freed memory (groups in struct netlink_sock) can cause host crash or memory corruption.
-
CVE-2017-14489
scsi: nlmsg not properly parsed in iscsi_if_rx function.
The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-14489
-
CVE-2017-14106
net/ipv4: divide error in __tcp_select_window().
A vulnerability was found in the Linux kernel. A privileged user inside a container can cause a denial of service (kernel crash due to a divide-by-zero error in __tcp_select_window()) using a specially crafted sequence of system calls.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-14106
-
CVE-2017-7558
Information leak due to out-of-bound reads in the implementation of SCTP.
A kernel data leak due to an out-of-bound read was found in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions. It happens when these functions fill in sockaddr data structures used to export socket diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7558
-
PSBM-70321
Incorrect merge operations on IO requests leading to kernel crashes.
It was discovered that the block layer of the kernel did not properly check for gaps in the IO requests being merged. In some cases, the resulting request could be incorrect, which lead to kernel crashes.
-
PSBM-70151
A container could not be stopped in certain situations because of an infinite loop in __get_user_pages().
If transparent huge pages were enabled, certain processes could enter an infinite loop in __get_user_pages() and become unkillable preventing the container from stopping.
-
PSBM-69999
Kernel crashes in memcg_numa_migrate_write() during NUMA balancing.
It was found that memcg_numa_isolate_pages() used unsafe operations with lists, which lead to kernel crashes in memcg_numa_migrate_write() during NUMA balancing.
-
PSBM-70063
Race on map->levels[] update in ploop.
ploop could use inconsistent values for iblock and the corresponding delta for IO because of a race over map->levels[]. This could result in incorrect read and write operations for ploop devices.
-
CVE-2017-1000112
A race condition in the UDP Fragmentation Offload (UFO).
Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code.
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000112.html
-
CVE-2017-1000111
Heap out-of-bounds in AF_PACKET sockets.
Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code which may result in out-of-bounds accesses to the heap memory. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code.
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000111.html
-
CVE-2017-7533
A race between inotify_handle_event() and sys_rename().
Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
http://seclists.org/oss-sec/2017/q3/240
-
PSBM-68292
lseek(SEEK_DATA) and lseek(SEEK_HOLE) returned incorrect results on ext4 in some cases.
It was discovered that lseek(SEEK_DATA) and lseek(SEEK_HOLE) returned incorrect values on ext4 FS in some cases, causing corruption of QCOW2 disk images used by VMs.
-
PSBM-69018
Division by zero in dcache_is_low().
Division by zero in dcache_is_low().
-
PSBM-65033
venet: netdevice structures were not always freed (memory leak).
venet: netdevice structures were not always freed (memory leak).
-
CVE-2017-11600
Out-of-bounds access via an XFRM_MSG_MIGRATE xfrm Netlink message.
A vulnerability was found in the handling of xfrm Netlink messages. A privileged user inside a container could cause a denial of service (kernel crash) by sending a crafted Netlink message with type XFRM_MSG_MIGRATE to the kernel.
http://seclists.org/bugtraq/2017/Jul/30
-
CVE-2017-7541
Possible heap buffer overflow in brcmf_cfg80211_mgmt_tx().
Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=1473198
-
CVE-2017-7542
Integer overflow in ip6_find_1stfragopt().
Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function.
https://bugzilla.redhat.com/show_bug.cgi?id=1473649
-
PSBM-68472
Kernel crash when accessing /proc/$PID/map_files.
A data race was discovered in the implementation of /proc/$PID/map_files. A privileged user on the host could crash the kernel by using mmap and munmap for a file and simultaneously trying to access /proc/$PID/map_files.
-
PSBM-64050
sctp: potential kernel crash in sctp_wait_for_sndbuf().
If sctp module was loaded on the host, a privileged user inside a container could make sctp listen on a socket in an inappropriate state, causing a kernel crash (use-after-free in sctp_wait_for_sndbuf()).
-
PSBM-68362
Kernel crash due to incorrect skb headroom calculation and missing checks.
It was found that the kernel could crash (skb_under_panic) if an skb from a virtual (NETIF_F_VENET) device was processed in a particular networking configuration. The problem was caused by the incorrect skb headroom calculation and missing headroom checks.
-
PSBM-67513
Kernel crash in ploop due to the list corruption during parallel push backups.
A data race was discovered in ploop, which could lead to the kernel crash due to the list corruption during parallel push backups.
-
PSBM-68052
The values shown in /proc/loadavg can be calculated incorrectly in some cases.
A data race between calc_load_fold_active() and try_to_wake_up() was discovered. As a result of that race, the values shown in /proc/loadavg could be calculated incorrectly in some cases.
-
CVE-2017-11176
Use-after-free in sys_mq_notify().
The implementation of mq_notify system call in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
https://bugzilla.redhat.com/show_bug.cgi?id=1470659
-
PSBM-64752
ipv4: deadlock in ip_ra_control().
A vulnerability was found in the implementation of setsockopt() operations in the Linux kernel. A privileged user inside a container could cause a DoS on the host (kernel deadlock in ip_ra_control() function) using a specially crafted sequence of system calls.
-
CVE-2017-7477
net: Heap overflow in skb_to_sgvec in macsec.c.
Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7477
-
CVE-2017-8797
NFSv4 server does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand.
The NFSv4 server in the Linux kernel compiled with CONFIG_NFSD_PNFS enabled does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. The attack payload fits to single one-way UDP packet. The provided input value is used for array dereferencing. This may lead to a remote DoS of [knfsd] and so to a soft-lockup of a whole system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8797
-
PSBM-67263
Use after free in vxlan_dellink().
A vulnerability was found in the implementation of vxlan interfaces in the Linux kernel. A privileged user inside a container was able to trigger a use-after-free in vxlan_dellink() function with a special sequence of operations with vxlan interfaces, which could result in a system crash or could possibly have other unspecified impact.
-
CVE-2017-9242
Kernel crash (out-of-bounds write) in __ip6_append_data().
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9242.html
-
PSBM-67221
Kernel crash (general protection fault) in cleanup_timers().
A vulnerability was found in the signal handling in the Linux kernel. A local unprivileged user may cause a kernel crash (general protection fault) in cleanup_timers() function by using rt_tgsigqueueinfo() system call with a specially crafted set of arguments.
-
PSBM-67300
Kernel crash (NULL pointer dereference) in list_lru_destroy().
Kernel crash (NULL pointer dereference) in list_lru_destroy().
-
PSBM-67076
Kernel deadlocks in try_charge().
When memcgroup reached memory limits, kernel may have entered an endless loop in try_charge(), and deadlocked.
-
PSBM-66468
TCP cgroup memory pressure was checked incorrectly.
TCP cgroup memory pressure was checked incorrectly resulting in lower network speed in certain conditions.
-
CVE-2017-9074
IPv6 fragmentation implementation of nexthdr field may be associated with an invalid option.
The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG()) or possibly have unspecified other impact via crafted socket() and send() system calls.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9074
-
CVE-2017-9075
sctp_v6_create_accept_sk function mishandles inheritance.
sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, an issue related to CVE-2017-8890. An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9075
-
CVE-2017-9077
tcp_v6_syn_recv_sock function mishandles inheritance.
tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, an issue related to CVE-2017-8890. An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9077
-
CVE-2017-9076
IPv6 DCCP implementation mishandles inheritance.
The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, an issue related to CVE-2017-8890. An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9076
-
CVE-2017-8890
Double free in inet_csk_clone_lock() function in net/ipv4/inet_connection_sock.c.
inet_csk_clone_lock() function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by using a specially crafted sequence of system calls including accept(). An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8890
-
CVE-2017-7895
NFSv3 server does not handle payload bounds checking of WRITE requests properly.
The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7895
-
CVE-2017-7645
nfsd: Incorrect handling of long RPC replies.
The NFS2/3 RPC client could send long arguments to nfsd server. These encoded arguments are stored in an array of memory pages, and accessed via various pointer variables. Arbitrarily long arguments could make these pointers point outside the array, thus causing out-of-bounds memory access. A remote user/program could use this flaw to crash the kernel resulting in DoS.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7645
-
PSBM-65826
sctp: Null pointer dereference in sctp_endpoint_destroy().
If sctp module is loaded on the host, a privileged user inside a container can cause a kernel crash by triggering a NULL pointer dererefence in sctp_endpoint_destroy() function with a specially crafted sequence of system calls.
-
PSBM-65345
User-triggerable BUG_ON() in unregister_netdevice_many().
A privileged user inside a container can cause a kernel crash by triggering a BUG_ON in unregister_netdevice_many() function with a specially crafted sequence of system calls.