readykernel-patch-33.22-31.1-1.vl7

Distribution:
Virtuozzo 7
Kernel Update Version:
3.10.0-514.26.1.vz7.33.22
Release Date:
2017-09-21 13:02:54
  • PSBM-72405

    Kernel crash due to missing error handling for negatively instantiated keys.

    (CVE-2017-12192) An unprivileged user inside a container can cause a denial of service (kernel crash in user_read() function) using a specially crafted sequence of system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12192
  • PSBM-71747

    netlink: fix an use-after-free issue for nlk groups.

    ChunYu Wang from Red Hat found a netlink use-after-free issue by syzkaller. Access to already freed memory (groups in struct netlink_sock) can cause host crash or memory corruption.
  • CVE-2017-14489

    scsi: nlmsg not properly parsed in iscsi_if_rx function.

    The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-14489
  • CVE-2017-14106

    net/ipv4: divide error in __tcp_select_window().

    A vulnerability was found in the Linux kernel. A privileged user inside a container can cause a denial of service (kernel crash due to a divide-by-zero error in __tcp_select_window()) using a specially crafted sequence of system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-14106
  • PSBM-70556

    Potential deadlock during destruction of cgroups.

    It was found that an infinite loop could occur in mem_cgroup_reparent_charges() in certain conditions. The problem could happen when cgroups were being destroyed and that function was called under cgroup_mutex. The mutex could remain locked forever as a result, blocking many other processes waiting on it which would make the system nearly unusable.
  • CVE-2017-7558

    Information leak due to out-of-bound reads in the implementation of SCTP.

    A kernel data leak due to an out-of-bound read was found in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions. It happens when these functions fill in sockaddr data structures used to export socket diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7558
  • PSBM-70321

    Incorrect merge operations on IO requests leading to kernel crashes.

    It was discovered that the block layer of the kernel did not properly check for gaps in the IO requests being merged. In some cases, the resulting request could be incorrect, which lead to kernel crashes.
  • CVE-2017-9242

    Incorrect overwrite check in __ip6_append_data().

    The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9242
  • PSBM-70151

    A container could not be stopped in certain situations because of an infinite loop in __get_user_pages().

    If transparent huge pages were enabled, certain processes could enter an infinite loop in __get_user_pages() and become unkillable preventing the container from stopping.
  • PSBM-69999

    Kernel crashes in memcg_numa_migrate_write() during NUMA balancing.

    It was found that memcg_numa_isolate_pages() used unsafe operations with lists, which lead to kernel crashes in memcg_numa_migrate_write() during NUMA balancing.
  • PSBM-69852

    tcache: wrong memory pages were invalidated in some cases.

    It was found that wrong memory pages were invalidated in tcache in certain situations. That caused kernel crashes ("bad page state") in free_pages_prepare().
  • PSBM-70063

    Race on map->levels[] update in ploop.

    ploop could use inconsistent values for iblock and the corresponding delta for IO because of a race over map->levels[]. This could result in incorrect read and write operations for ploop devices.
  • CVE-2017-1000112

    A race condition in the UDP Fragmentation Offload (UFO).

    Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code.
    https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000112.html
  • CVE-2017-1000111

    Heap out-of-bounds in AF_PACKET sockets.

    Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code which may result in out-of-bounds accesses to the heap memory. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code.
    http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000111.html
  • CVE-2017-7533

    A race between inotify_handle_event() and sys_rename().

    Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
    http://seclists.org/oss-sec/2017/q3/240
  • PSBM-69434

    Kernel crash (BUG()) in rpc_abort_task().

    Kernel crash (BUG()) in rpc_abort_task().
  • CVE-2017-7541

    Possible heap buffer overflow in brcmf_cfg80211_mgmt_tx().

    Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash.
    https://bugzilla.redhat.com/show_bug.cgi?id=1473198
  • CVE-2017-7542

    Integer overflow in ip6_find_1stfragopt().

    Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function.
    https://bugzilla.redhat.com/show_bug.cgi?id=1473649