- Kernel Update Version:
- Release Date: 2022-03-02 08:28:02
- Kernel crash in fuse_direct_IO_bvec(). It was discovered that an assertion (BUG_ON) in fuse_direct_IO_bvec() was too strict and could be triggered during normal FUSE operation, leading to a kernel crash.
- Kernel crash (NULL pointer dereference) if memory allocation fails in alloc_vfsmnt(). Reference: https://bugs.openvz.org/browse/OVZ-7039
- Mapping a FUSE-backed file onto the command-line arguments of a process causes denial of service. By mapping a FUSE-backed file onto the memory area containing the command-line arguments or environment strings of a process, an attacker can cause any program that reads /proc/<pid>/cmdline or /proc/<pid>/environ for that process to block indefinitely or for a controlled amount of time. The 'ps' and 'w' utilities are affected, among others. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1575472
- Potential kernel crash (NULL pointer dereference) in ip6_route_dev_notify().
- Potential kernel crash (NULL pointer dereference) in sysfs_readdir().
- Kernel crash due to a missing length check in the _sctp_make_chunk() function. It was found that _sctp_make_chunk() did not check whether the chunk length for INIT and INIT_ACK packets was within the allowed limits. A local attacker could exploit this to trigger a kernel crash. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-5803
- Potential kernel crash in tcache_detach_page().
- Missing permissions check for the request_key() destination allows local attackers to add keys to a keyring without write permission. The KEYS subsystem omitted an access-control check when writing a key to the default keyring of the current task, allowing a local user to bypass security checks for the keyring. This compromised the validity of the keyring for those who relied on it. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17807
- System-wide OS fingerprint list was accessible to unprivileged users. It was discovered that the xt_osf_fingers data structure was accessible from any network namespace. This allowed unprivileged local users to bypass intended access restrictions and modify the system-wide OS fingerprint list used by specific iptables rules. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17450
- Netlink monitor created in a namespace could observe system-wide activity. It was discovered that an nlmon link inside a child network namespace was not restricted to that namespace. An unprivileged local user could exploit that to monitor system-wide netlink activity. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17449
- Potential unprivileged access to the kernel structures used by netfilter conntrack helpers. It was discovered that the nfnl_cthelper_list structure was accessible to any user with the CAP_NET_ADMIN capability in a network namespace. An unprivileged local user could exploit that to affect netfilter conntrack helpers on the host. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17448
- Kernel crash in shrink_slab() when trying to mount an image with a broken ext4 file system.
- Offlined memory cgroups were not destroyed for a long time. It was found that offlined memory cgroups were not destroyed for a long time in some cases. As a result, the system could hit the limit on cgroups (65535) and would be unable to create new ones.
- Kernel crash in move_freepages() due to an incorrect BUG_ON() check. It was discovered that the BUG_ON() check in move_freepages() did not verify that the relevant memory pages were valid. The kernel could crash as a result.
- Kernel crash (stack overflow) caused by lots of internal mounts. It was discovered that clone_mnt() did not clear the MNT_INTERNAL flag for internal mounts. As a result, the kernel could crash due to a stack overflow if lots of bind mounts of /proc/*/ns/* were created in a new namespace. Reference: https://www.spinics.net/lists/netdev/msg496514.html
- Kernel crash in dccp_write_xmit(). If the "dccp_ipv6" module was loaded on the host, a local unprivileged user could trigger a kernel crash in dccp_write_xmit() or inet_csk_get_port() using a specially crafted sequence of system calls. Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f93df79aeefc3add4e4b31a752600f834236e2
- Kernel crash in ip6mr_sk_done(). If the kernel failed to create an IPv6 socket, for example due to the cgroup.memsw limit, it would crash in ip6mr_sk_done() when trying to clean up multicast routes.