-
PSBM-86093
Potential kernel crash (NULL pointer dereference) in ip6_route_dev_notify().
-
PSBM-85929
Potential kernel crash (NULL pointer dereference) in sysfs_readdir().
-
CVE-2018-5803
Kernel crash due to missing length check in _sctp_make_chunk() function.
It was found that _sctp_make_chunk() function did not check if the chunk length for INIT and INIT_ACK packets was within the allowed limits. A local attacker could exploit this to trigger a kernel crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-5803
-
PSBM-81731
Potential kernel crash in tcache_detach_page().
-
CVE-2017-17807
Missing permissions check for request_key() destination allows local attackers to add keys to keyring without write permission.
The KEYS subsystem omitted an access-control check when writing a key to the default keyring of the current task, allowing a local user to bypass security checks for the keyring. This compromised the validity of the keyring for those who relied on it.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17807
-
CVE-2017-17450
System-wide OS fingerprint list was accessible to unprivileged users.
It was discovered that xt_osf_fingers data structure was accessible from any network namespace. This allowed unprivileged local users to bypass intended access restrictions and modify the system-wide OS fingerprint list used by specific iptables rules.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17450
-
CVE-2017-17449
Netlink monitor created in a namespace could observe system-wide activity.
It was discovered that a nlmon link inside a child network namespace was not restricted to that namespace. An unprivilged local user could exploit that to monitor system-wide netlink activity.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17449
-
CVE-2017-17448
Potential unprivileged access to the kernel structures used by netfilter conntrack helpers.
It was discovered that nfnl_cthelper_list structure was accessible to any user with CAP_NET_ADMIN capability in a network namespace. An unprivilged local user could exploit that to affect netfilter conntrack helpers on the host.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17448
-
PSBM-83691
Kernel crash in shrink_slab() when trying to mount an image with a broken ext4 file system.
-
PSBM-83628
Offlined memory cgroups were not destroyed for a long time.
It was found that offlined memory cgroups were not destroyed for a long time in some cases. As a result, the system could hit the limit on cgroups (65535) and would be unable to create new ones.
-
PSBM-83746
Kernel crash in move_freepages() due to incorrect BUG_ON() check.
It was discovered that the BUG_ON() check in move_freepages() did not verify that the relevant memory pages were valid. The kernel could crash as a result.
-
PSBM-83874
Kernel crash (stack overflow) caused by lots of internal mounts.
It was discovered that clone_mnt() did not clear MNT_INTERNAL flag for the internal mounts. As a result, the kernel could crash due to a stack overflow if lots of bind mounts of /proc/*/ns/* were created in a new namespace.
https://www.spinics.net/lists/netdev/msg496514.html
-
CVE-2018-1130
Kernel crash in dccp_write_xmit().
If "dccp_ipv6" module was loaded on the host, a local unprivileged user could trigger a kernel crash in dccp_write_xmit() or inet_csk_get_port() using a specially crafted sequence of system calls.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f93df79aeefc3add4e4b31a752600f834236e2
-
PSBM-83474
Kernel crash in ip6mr_sk_done().
If the kernel failed to create an IPv6 socket, for example, due to cgroup.memsw limit, it would crash in ip6mr_sk_done() when trying to clean up multicast routes.