- PSBM-90803 Some operations with ebtables could consume large amounts of memory, resulting in DoS.
  A flaw was found in the implementation of ebtables in the Linux kernel. A local attacker in a container could exploit it to consume large amounts of memory, eventually causing denial of service on the host.
- PSBM-90329 Kernel crash (access out of bounds) in SyS_mincore().
- PSBM-90291 vhost: kernel crash (access out of bounds) in memcpy_fromiovecend().
- PSBM-89403 tcache was not shrunk in some situations.
- CVE-2018-16884 NFS: use-after-free in svc_process_common().
  A flaw was found in the implementation of NFS v4.1 in the Linux kernel. NFS v4.1 shares mounted in different network namespaces at the same time can make bc_svc_process() use the wrong back-channel ID and cause a use-after-free. A malicious user in a container can exploit this to cause host kernel memory corruption and a system crash.
  https://bugzilla.redhat.com/show_bug.cgi?id=1660375
- CVE-2018-9568 Memory corruption due to incorrect socket cloning.
  Transforming an IPv6 socket to an IPv4 socket, and then transforming it back to a listening socket, could result in kernel memory corruption. An unprivileged user on the host or in a container could exploit this to crash the kernel.
  https://bugzilla.redhat.com/show_bug.cgi?id=1655904
- CVE-2018-14646 NULL pointer dereference in af_netlink.c: __netlink_ns_capable() allows for denial of service.
  The Linux kernel was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.
  https://bugzilla.redhat.com/show_bug.cgi?id=1630124
- PSBM-90052 Asynchronous discard requests could fail with EIO because ploop did not properly align them.
- PSBM-90024 Some operations with NFS server running in a container could crash the host kernel.
  It was discovered that a special sequence of operations involving NFS server in a container with FEATURES="nfsd=on" could crash the host kernel.
- PSBM-89856 Data corruption after online resize of an empty ploop image located on Virtuozzo Storage.
- CVE-2018-16862 cleancache: missing invalidation of an inode could cause data corruption.
- PSBM-89583 Errors in the implementation of online resize in ext4 caused failures of ploop resize operations.
- PSBM-89323 Potential kernel crash in cbt_flush_cpu_cache().
- PSBM-89725 Ploop: integer overflow in the implementation of direct IO could lead to errors when resizing the ploop image.
- PSBM-89520 Incorrect accounting of network namespaces in the error paths in copy_net_ns().
- PSBM-89717 Use-after-free in the implementation of the shared memory.
  A flaw was found in the implementation of the shared memory in the Linux kernel. The shm_mmap() function did not always check if the underlying file structures were valid, which could lead to use-after-free. A local unprivileged user could exploit this to crash the kernel by executing a special sequence of system calls.
- CVE-2018-18559 Use-after-free due to race condition in AF_PACKET implementation.
  It was discovered that a race condition between packet_do_bind() and packet_notifier() in the implementation of AF_PACKET could lead to use-after-free. An unprivileged user on the host or in a container could exploit this to crash the kernel or, potentially, to escalate their privileges in the system.
  https://bugzilla.redhat.com/show_bug.cgi?id=1641878
- PSBM-88809 Potential kernel crash in ext4_close_pfcache().
- CVE-2018-14634 Integer overflow in create_elf_tables() function.
  An integer overflow flaw was found in create_elf_tables(). An unprivileged local user with access to a SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system.
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14634
- CVE-2017-1000365 Bypass of the size restriction on the arguments and environment variables of a process.
  The Linux kernel imposes a size limit on the memory needed to store the arguments and environment variables of a process, 1/4 of the maximum stack size (RLIMIT_STACK). However, the pointers to these data were not taken into account, which allowed attackers to bypass the limit and even exhaust the stack of the process.
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000365
- PSBM-88818 Kernel crash in __run_hrtimer().
  It was found that the implementation of high resolution timers ('hrtimer' subsystem) did not handle the situation when a timer was started simultaneously with its restart in another thread. As a result, a BUG_ON() could trigger in __run_hrtimer(), leading to a kernel crash.
- PSBM-88577 Soft lockup in xfrm_policy_flush().
  If an error occurred during execution of xfrm_net_init() when a new network namespace was created, xfrm_policy_lock could remain uninitialized. As a result, a soft lockup could happen in xfrm_policy_flush() if it tried to acquire the lock after that.
- PSBM-88561 ploop: kernel crash in dio_open().
  It was found that the implementation of ploop did not handle errors reported by kthread_create() properly. This could lead to a kernel crash in dio_open().
- PSBM-87836 Containers with NFS mounts failed to migrate: CRIU complained about nfs/clntX files.
  It was discovered that a container with NFS mounts could keep the files /var/lib/nfs/rpc_pipefs/nfs/clntX open, even if no NFS server was running there. As a result, CRIU reported errors when the users tried to migrate the container.
- PSBM-88082 File systems: insufficient error handling in sget() could lead to excessive memory consumption.
- PSBM-87859 Kernel bug: scheduling while atomic in scsi_register_device_handler().
- PSBM-73001 sunrpc: potential kernel crash (use after free) in svc_process_common().
- PSBM-87665 fuse_kio_pcs: potential kernel crash (NULL pointer dereference) in pcs_map_encode_req().
- PSBM-87649 Potential out-of-bounds read in fuse_dev_splice_write().
- PSBM-87670 Attempts to start a container fail with errors like 'cannot create directory /sys/fs/cgroup/beancounter/{something}'.
- PSBM-87281 'libvirtd' service was unresponsive because 'cgroup_mutex' was held for a long time.
- PSBM-87858 Haproxy processes are getting stuck in D state in lock_sock().
- PSBM-87877 Processes could get stuck in an unkillable state when using large FUSE KIO messages.
  It was found that the rpc_get_hdr() function from the 'fuse_kio_pcs' module did not return valid values in 'msg_size' in some cases. As a result, the processes using large FUSE KIO messages could get stuck in an unkillable state.
- PSBM-87338 Containers failed to start due to memory allocation failure in ip_set_net_init().
  The kernel module 'ip_set' tried to allocate physically contiguous memory areas for its array of pointers to 'ip_set' structures in ip_set_net_init(). If a large enough maximum number of IP sets was requested from user space, memory allocation would fail. Containers would fail to start as a result.
- CVE-2017-18344 Out-of-bounds access in show_timer() function.
  The implementation of the timer_create system call in the Linux kernel before 4.14.8 doesn't properly validate the sigevent::sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-18344
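
The accounting gap described in the CVE-2017-1000365 entry above, as an added user-space model (not kernel code and not part of the original advisory). The function names, the single vector standing in for argv and envp together, and the scaled-down sample sizes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limit from the CVE-2017-1000365 entry: 1/4 of the maximum stack size. */
static size_t arg_limit(size_t rlimit_stack) { return rlimit_stack / 4; }

/* Bytes used by the strings themselves, terminating NULs included. */
static size_t string_bytes(const char *const *vec, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += strlen(vec[i]) + 1;
    return total;
}

/* Pre-fix model: only string data is charged against the limit. */
static int fits_strings_only(const char *const *vec, size_t n, size_t rlimit_stack)
{
    return string_bytes(vec, n) <= arg_limit(rlimit_stack);
}

/* Corrected model: the pointer array (plus its NULL terminator) is charged too. */
static int fits_with_pointers(const char *const *vec, size_t n, size_t rlimit_stack)
{
    size_t limit = arg_limit(rlimit_stack);
    size_t ptrs = (n + 1) * sizeof(char *);
    if (ptrs >= limit)
        return 0;
    return string_bytes(vec, n) <= limit - ptrs;
}

/* Constructed sample: 3000 empty strings checked against a 16 KiB stack limit. */
static int demo(int charge_pointers)
{
    static const char *vec[3000];
    const size_t n = sizeof(vec) / sizeof(vec[0]), stack = 16 * 1024;
    for (size_t i = 0; i < n; i++)
        vec[i] = "";
    return charge_pointers ? fits_with_pointers(vec, n, stack)
                           : fits_strings_only(vec, n, stack);
}

int main(void)
{
    printf("strings only: %d, with pointers: %d\n", demo(0), demo(1));
    return 0;
}
```

In the sample, the strings occupy 3000 bytes and pass the string-only check, while the pointer array alone is larger than the entire 16 KiB stack limit, so only the second check rejects it.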