-
PSBM-68472
Kernel crash when accessing /proc/$PID/map_files.
A data race was discovered in the implementation of /proc/$PID/map_files. A privileged user on the host could crash the kernel by using mmap and munmap for a file and simultaneously trying to access /proc/$PID/map_files.
-
PSBM-64050
sctp: potential kernel crash in sctp_wait_for_sndbuf().
If the sctp module was loaded on the host, a privileged user inside a container could make sctp listen on a socket in an inappropriate state, causing a kernel crash (use-after-free in sctp_wait_for_sndbuf()).
-
PSBM-68362
Kernel crash due to incorrect skb headroom calculation and missing checks.
It was found that the kernel could crash (skb_under_panic) if an skb from a virtual (NETIF_F_VENET) device was processed in a particular networking configuration. The problem was caused by an incorrect skb headroom calculation and missing headroom checks.
-
PSBM-67513
Kernel crash in ploop due to list corruption during parallel push backups.
A data race was discovered in ploop, which could lead to a kernel crash due to list corruption during parallel push backups.
-
PSBM-68052
The values shown in /proc/loadavg can be calculated incorrectly in some cases.
A data race between calc_load_fold_active() and try_to_wake_up() was discovered. As a result of that race, the values shown in /proc/loadavg could be calculated incorrectly in some cases.
-
CVE-2017-11176
Use-after-free in sys_mq_notify().
The implementation of mq_notify system call in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
https://bugzilla.redhat.com/show_bug.cgi?id=1470659
-
PSBM-64752
ipv4: deadlock in ip_ra_control().
A vulnerability was found in the implementation of setsockopt() operations in the Linux kernel. A privileged user inside a container could cause a DoS on the host (kernel deadlock in the ip_ra_control() function) using a specially crafted sequence of system calls.
-
CVE-2017-7477
net: Heap overflow in skb_to_sgvec in macsec.c.
Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7477
-
CVE-2017-8797
NFSv4 server does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand.
The NFSv4 server in the Linux kernel compiled with CONFIG_NFSD_PNFS enabled does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. The attack payload fits into a single one-way UDP packet. The provided input value is used for array dereferencing. This may lead to a remote DoS of [knfsd] and thus to a soft lockup of the whole system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8797
-
PSBM-67263
Use after free in vxlan_dellink().
A vulnerability was found in the implementation of vxlan interfaces in the Linux kernel. A privileged user inside a container was able to trigger a use-after-free in the vxlan_dellink() function with a special sequence of operations with vxlan interfaces, which could result in a system crash or could possibly have other unspecified impact.
-
PSBM-67221
Kernel crash (general protection fault) in cleanup_timers().
A vulnerability was found in signal handling in the Linux kernel. A local unprivileged user may cause a kernel crash (general protection fault) in the cleanup_timers() function by using the rt_tgsigqueueinfo() system call with a specially crafted set of arguments.
-
PSBM-67300
Kernel crash (NULL pointer dereference) in list_lru_destroy().
Kernel crash (NULL pointer dereference) in list_lru_destroy().
-
PSBM-67076
Kernel deadlocks in try_charge().
When a memcgroup reached its memory limits, the kernel could enter an endless loop in try_charge() and deadlock.