-
CVE-2018-16884
NFS: use-after-free in svc_process_common().
A flaw was found in the implementation of NFS v4.1 in the Linux kernel. NFS v4.1 shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. A malicious user in a container can exploit this to cause a host kernel memory corruption and a system crash.
https://bugzilla.redhat.com/show_bug.cgi?id=1660375
-
CVE-2018-9568
Memory corruption due to incorrect socket cloning.
Transforming an IPv6-socket to an IPv4, and then transforming it back to a listening socket could result in a kernel memory corruption. An unprivileged user on the host or in a container could exploit this to crash the kernel.
https://bugzilla.redhat.com/show_bug.cgi?id=1655904
-
CVE-2018-14646
NULL pointer dereference in af_netlink.c: __netlink_ns_capable() allows for denial of service.
The Linux kernel was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.
https://bugzilla.redhat.com/show_bug.cgi?id=1630124
-
PSBM-90052
Asynchronous discard requests could fail with EIO because ploop did not properly align them.
-
PSBM-90024
Some operations with NFS server running in a container could crash the host kernel.
It was discovered that a special sequence of operations involving NFS server in a container with FEATURES="nfsd=on" could crash the host kernel.
-
PSBM-89856
Data corruption after online resize of an empty ploop image located on Virtuozzo Storage.
-
CVE-2018-16862
cleancache: missing invalidation of an inode could cause data corruption.
-
PSBM-89583
Errors in the implementation of online resize in ext4 caused failures of ploop resize operations.
-
PSBM-89323
Potential kernel crash in cbt_flush_cpu_cache().
-
PSBM-89725
Ploop: integer overflow in the implementation of direct IO could lead to errors when resizing the ploop image.
-
PSBM-89520
Incorrect accounting of network namespaces in the error paths in copy_net_ns().
-
PSBM-89717
Use-after-free in the implementation of the shared memory.
A flaw was found in the implementation of the shared memory in the Linux kernel. shm_mmap() function did not always check if the underlying file structures were valid, which could lead to use-after-free. A local unprivileged user could exploit this to crash the kernel by executing a special sequence of system calls.
-
CVE-2018-18559
Use-after-free due to race condition in AF_PACKET implementation.
It was discovered that a race condition between packet_do_bind() and packet_notifier() in the implementation of AF_PACKET could lead to use-after-free. An unprivileged user on the host or in a container could exploit this to crash the kernel or, potentially, to escalate their privileges in the system.
https://bugzilla.redhat.com/show_bug.cgi?id=1641878
-
PSBM-88809
Potential kernel crash in ext4_close_pfcache().
-
CVE-2018-14634
Integer overflow in create_elf_tables() function.
An integer overflow flaw was found in create_elf_tables(). An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14634
-
CVE-2017-1000365
Bypass of the size restriction on the arguments and environment variables of a process.
The Linux kernel imposes a size limit on the memory needed to store the arguments and environment variables of a process, 1/4 of the maximum stack size (RLIMIT_STACK). However, the pointers to these data were not taken into account, which allowed attackers to bypass the limit and even exhaust the stack of the process.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000365
-
PSBM-88818
Kernel crash in __run_hrtimer().
It was found that the implementation of high resolution timers ('hrtimer' subsystem) did not handle the situation when a timer was started simultaneously with its restart in another thread. As a result, a BUG_ON() could trigger in __run_hrtimer() leading to kernel crash.
-
PSBM-88577
Soft lockup in xfrm_policy_flush().
If an error occurred during execution of xfrm_net_init() when a new network namespace was created, xfrm_policy_lock could remain uninitialized. As a result, soft lockup could happen in xfrm_policy_flush() if it tried to acquire the lock after that.
-
PSBM-88561
ploop: kernel crash in dio_open().
It was found that the implementation of ploop did not handle errors reported by kthread_create() properly. This could lead to a kernel crash in dio_open().
-
PSBM-87836
Containers with NFS mounts failed to migrate: CRIU complained about nfs/clntX files.
It was discovered that a container with NFS mounts could keep the files /var/lib/nfs/rpc_pipefs/nfs/clntX open, even if no NFS server was running there. As a result, CRIU reported errors when the users tried to migrate the container.
-
PSBM-88082
File systems: insufficient error handling in sget() could lead to excessive memory consumption.
-
PSBM-73001
sunrpc: potential kernel crash (use after free) in svc_process_common().
-
PSBM-87649
Potential out-of-bounds read in fuse_dev_splice_write().
-
PSBM-87877
Processes could get stuck in an unkillable state when using large FUSE KIO messages.
It was found that rpc_get_hdr() function from 'fuse_kio_pcs' module did not return valid values in 'msg_size' in some cases. As a result, the processes using large FUSE KIO messages could get stuck in an unkillable state.