readykernel-patch-33.22-43.0-1.vl7

Distribution:
Virtuozzo 7
Kernel Update Version:
3.10.0-514.26.1.vz7.33.22
Release Date:
2018-02-02 12:08:48
  • PSBM-81033

    Docker v17.11 and newer failed to start in a container.

    Starting from v17.11, Docker checks is all cgroups are mounted and refuses to start if some cgroups are not. Some of Virtuozzo-specific cgroups were visible in the containers and were not mounted there, which prevented Docker from starting properly.
  • PSBM-81090

    Kernel crash in mem_cgroup_iter().

  • PSBM-80839

    Potential denial of service due to extensive memory consumption.

    It was discovered that some operations with files in a container could lead to denial of service on the host due to extensive memory consumption.
  • CVE-2018-5344

    loop: potential data race between open() and release() leading to use-after-free.

    It was found that release() operation for the loop devices has insufficient protection for the device structures against the accesses from the concurrent open() operations. A local attacker can use specially arranged concurrent operations with a loop device to cause a denial of service (kernel crash due to a use-after-free error).
    https://bugzilla.redhat.com/show_bug.cgi?id=1533909
  • CVE-2017-18017

    netfilter: Use-after-free in tcpmss_mangle_packet().

    If the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker may cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-18017
  • PSBM-79502

    Kernel warnings about memory allocation failures in vznetstat.

    Kernel warnings about memory allocation failures in vznetstat.
  • PSBM-79273

    Soft lockup in isolate_lru_page().

    Migrating large memory ranges may take a while. With no resched points available, it caused soft lockups in isolate_lru_page().
  • CVE-2017-15115

    Use-after-free in sctp_cmp_addr_exact().

    sctp_do_peeloff() function in the Linux kernel before 4.14 did not check whether the intended netns was used in a peel-off action, which allowed local users to cause a denial of service (use-after-free in sctp_cmp_addr_exact() resulting in system crash) or possibly have unspecified other impact via crafted system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15115
  • PSBM-78078

    Containers failed to restart because their VEIP addresses were not released.

    The kernel could consider a container stopped before the resources of that container, for example, VEIP addresses, have been released. As a result, the system could fail to restart the container.
  • PSBM-78342

    FUSE: kernel warning in request_end().

    A warning about FR_PENDING bit was printed by request_end() because fuse_request_send_background() did not clear that bit.
  • CVE-2017-15129

    Potential use-after-free in the processing of namespaces.

    The function get_net_ns_by_id() does not check the net.count value when processing a peer network, which could lead to double free and memory corruption. An unprivileged local user could use this vulnerability to crash the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15129
  • PSBM-78354

    tcache: kernel warning in tcache_invalidate_node_pages().

    When there were more than two users of a page, __tcache_page_tree_delete() failed to freeze it. The page would never be invalidated and tcache_node->nr_pages would never be decremented. A kernel warning would be output as a result.
  • PSBM-77154

    tcache: unnecessary BUG_ON()s.

    Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead.
  • CVE-2017-1000407

    KVM: DoS via write flood to I/O port 0x80.

    A vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000407
  • CVE-2017-8824

    Use-after-free in DCCP socket handling.

    A vulnerability was found in DCCP socket handling code. dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8824
  • CVE-2017-1000405

    PMD can become dirty without going through a COW cycle.

    A flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000405
  • PSBM-76011

    memcgroup: potential deadlocks and soft lockups.

    memcgroup: potential deadlocks and soft lockups.
  • CVE-2017-16939

    ipsec: xfrm: use-after-free leading to potential privilege escalation.

    The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.
    https://bugzilla.redhat.com/show_bug.cgi?id=1517220
  • PSBM-76970

    Incorrect accounting of isolated pages in memcg_numa_isolate_pages().

    Isolated pages were accounted for incorrectly in memcg_numa_isolate_pages() in certain cases. As a result, some processes could hang forever.
  • CVE-2017-12193

    Null pointer dereference due to incorrect node-splitting in assoc_array implementation.

    A flaw was found in the implementation of associative arrays in the Linux kernel. A null pointer dereference could happen in assoc_array_apply_edit() due to incorrect node splitting.
    https://bugzilla.redhat.com/show_bug.cgi?id=1501215
  • PSBM-76437

    FUSE issues lots of small writes when resizing a file.

    Each resize issues invalidate_inode_pages2(), which triggers ultra slow synchronous writeback of all dirty pages.
  • PSBM-75073

    Kernel crash (NULL pointer dereference) in fuse_dev_alloc().

    Kernel crash (NULL pointer dereference) in fuse_dev_alloc().
  • PSBM-62094

    sysinfo() returns 0 for uptime if called from a VZ7 container.

    sysinfo() returns 0 for uptime if called from a VZ7 container.
  • CVE-2017-15649

    Use-after-free in af_packet.c.

    A vulnerability in fanout_add() in 'net/packet/af_packet.c' in the Linux kernel version 4.13.6 and older allows local users to gain privileges or cause a denial of service (kernel crash). A specially crafted sequence of system calls may trigger a race condition (involving fanout_add() and packet_do_bind() functions) that leads to a use-after-free.
    https://bugzilla.redhat.com/show_bug.cgi?id=1504574
  • PSBM-70021

    Hung processes when trying to stop a container created on a storage partition.

    Hung processes when trying to stop a container created on a storage partition.
  • CVE-2016-8399

    net: Out of bounds stack read in memcpy_fromiovec.

    A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto().
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8399
  • CVE-2017-12190

    Memory leak when merging buffers in SCSI IO vectors.

    It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition.
    https://bugzilla.redhat.com/show_bug.cgi?id=1495089
  • PSBM-75641

    Kernel crash in rt6_ifdown().

    It was discovered that a specially crafted sequence of system calls could cause a kernel crash (general protection fault) in rt6_ifdown().
    https://bugzilla.redhat.com/show_bug.cgi?id=1492640
  • PSBM-75247

    NULL pointer dereference in __task_pid_nr_ns().

    It was discovered that the value of task->pids[type].pid was actually read twice in __task_pid_nr_ns() rather than only once, due to compiler optimizations. As a result, a race condition could happen and that value could become NULL between these reads, leading to a kernel crash (NULL pointer dereference).
  • CVE-2017-12188

    KVM, MMU: potential stack buffer overrun during page walks.

    Linux kernel built with the KVM virtualisation support (CONFIG_KVM), with nested virtualisation (nVMX) feature enabled (nested=1), is vulnerable to a stack buffer overflow issue. It could occur while traversing guest pagetable entries to resolve guest virtual address. A guest system could use this flaw to crash the host kernel resulting in DoS, or potentially execute arbitrary code on the host.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12188
  • CVE-2017-15274

    Adding invalid keys with NULL payload but nonzero payload length leads to kernel crash.

    A flaw was discovered in the key management subsystem of the Linux kernel. It allowed to pass NULL payload with non-zero payload length as parameters to sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl(). A local unprivileged user could exploit this to cause a kernel crash (NULL pointer dereference).
    https://bugzilla.redhat.com/show_bug.cgi?id=1500391
  • PSBM-71536

    autofs: unbalanced pid get/put operation in the error path in autofs4_fill_super().

    autofs: unbalanced pid get/put operation in the error path in autofs4_fill_super().
  • CVE-2017-15299

    Incorrect updates of uninstantiated keys crash the kernel.

    It was discovered that the key management subsystem of the Linux kernel could perform incorrect update operations on uninstantiated keys. A local unprivileged user could exploit this flaw to cause a NULL pointer dereference in the kernel.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15299
  • CVE-2017-1000253

    load_elf_binary() does not allocate sufficient space for the entire binary in some cases.

    A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000253
  • CVE-2017-1000251

    Buffer overflow in the native Bluetooth stack.

    It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash).
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000251
  • CVE-2017-12154

    kvm: nVMX: L2 guest could access hardware (L0) CR8 register.

    If nested virtualisation (nVMX) feature is enabled in the kernel, L2 guest system could access the hardware CR8 register of the host(L0) and use that to crash the host system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12154
  • CVE-2017-12192

    Kernel crash due to missing error handling for negatively instantiated keys.

    An unprivileged user inside a container can cause a denial of service (kernel crash in user_read() function) using a specially crafted sequence of system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12192
  • PSBM-71747

    netlink: fix an use-after-free issue for nlk groups.

    ChunYu Wang from Red Hat found a netlink use-after-free issue by syzkaller. Access to already freed memory (groups in struct netlink_sock) can cause host crash or memory corruption.
  • CVE-2017-14489

    scsi: nlmsg not properly parsed in iscsi_if_rx function.

    The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-14489
  • CVE-2017-14106

    net/ipv4: divide error in __tcp_select_window().

    A vulnerability was found in the Linux kernel. A privileged user inside a container can cause a denial of service (kernel crash due to a divide-by-zero error in __tcp_select_window()) using a specially crafted sequence of system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-14106
  • PSBM-70556

    Potential deadlock during destruction of cgroups.

    It was found that an infinite loop could occur in mem_cgroup_reparent_charges() in certain conditions. The problem could happen when cgroups were being destroyed and that function was called under cgroup_mutex. The mutex could remain locked forever as a result, blocking many other processes waiting on it which would make the system nearly unusable.
  • CVE-2017-7558

    Information leak due to out-of-bound reads in the implementation of SCTP.

    A kernel data leak due to an out-of-bound read was found in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions. It happens when these functions fill in sockaddr data structures used to export socket diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7558
  • PSBM-70321

    Incorrect merge operations on IO requests leading to kernel crashes.

    It was discovered that the block layer of the kernel did not properly check for gaps in the IO requests being merged. In some cases, the resulting request could be incorrect, which lead to kernel crashes.
  • CVE-2017-9242

    Incorrect overwrite check in __ip6_append_data().

    The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9242
  • PSBM-70151

    A container could not be stopped in certain situations because of an infinite loop in __get_user_pages().

    If transparent huge pages were enabled, certain processes could enter an infinite loop in __get_user_pages() and become unkillable preventing the container from stopping.
  • PSBM-69999

    Kernel crashes in memcg_numa_migrate_write() during NUMA balancing.

    It was found that memcg_numa_isolate_pages() used unsafe operations with lists, which lead to kernel crashes in memcg_numa_migrate_write() during NUMA balancing.
  • PSBM-69852

    tcache: wrong memory pages were invalidated in some cases.

    It was found that wrong memory pages were invalidated in tcache in certain situations. That caused kernel crashes ("bad page state") in free_pages_prepare().
  • PSBM-70063

    Race on map->levels[] update in ploop.

    ploop could use inconsistent values for iblock and the corresponding delta for IO because of a race over map->levels[]. This could result in incorrect read and write operations for ploop devices.
  • CVE-2017-1000112

    A race condition in the UDP Fragmentation Offload (UFO).

    Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code.
    https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000112.html
  • CVE-2017-1000111

    Heap out-of-bounds in AF_PACKET sockets.

    Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code which may result in out-of-bounds accesses to the heap memory. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code.
    http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000111.html
  • CVE-2017-7533

    A race between inotify_handle_event() and sys_rename().

    Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
    http://seclists.org/oss-sec/2017/q3/240
  • PSBM-69434

    Kernel crash (BUG()) in rpc_abort_task().

    Kernel crash (BUG()) in rpc_abort_task().
  • CVE-2017-7541

    Possible heap buffer overflow in brcmf_cfg80211_mgmt_tx().

    Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash.
    https://bugzilla.redhat.com/show_bug.cgi?id=1473198
  • CVE-2017-7542

    Integer overflow in ip6_find_1stfragopt().

    Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function.
    https://bugzilla.redhat.com/show_bug.cgi?id=1473649