kernel-linus update provides 4.14 series and fixes security vulnerabilities
Publication date: 06 Jan 2018Modification date: 17 Feb 2022
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-0786 , CVE-2017-0861 , CVE-2017-7518 , CVE-2017-12188 , CVE-2017-12190 , CVE-2017-12193 , CVE-2017-13080 , CVE-2017-15115 , CVE-2017-15265 , CVE-2017-15299 , CVE-2017-16939 , CVE-2017-16994 , CVE-2017-16995 , CVE-2017-16996 , CVE-2017-17852 , CVE-2017-17853 , CVE-2017-17854 , CVE-2017-17855 , CVE-2017-17856 , CVE-2017-17857 , CVE-2017-17862 , CVE-2017-17863 , CVE-2017-17864 , CVE-2017-18344 , CVE-2017-1000407
Description
This kernel-linus update provides an upgrade to the 4.14 longterm branch, currently based on 4.14.10. It also fixes at least the following security issues: An elevation of privilege vulnerability in the Broadcom wi-fi driver (CVE-2017-0786). Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors (CVE-2017-0861). Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) support is vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction. A user/process inside guest could use this flaw to potentially escalate their privileges inside guest. Linux guests are not affected.(CVE-2017-7518). arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an "MMU potential stack buffer overrun" (CVE-2017-12188). The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (CVE-2017-12190). The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (CVE-2017-12193). Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (CVE-2017-13080). The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (CVE-2017-15115). Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (CVE-2017-15265) The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (CVE-2017-15299). The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (CVE-2017-16939). The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (CVE-2017-16994). The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension (CVE-2017-16995). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling (CVE-2017-16996). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops (CVE-2017-17852). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations (CVE-2017-17853). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic (CVE-2017-17854). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars (CVE-2017-17855). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement (CVE-2017-17856). The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations (CVE-2017-17857). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (CVE-2017-17862). kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact (CVE-2017-17863). kernel/bpf/verifier.c in the Linux kernel before 4.14 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a "pointer leak" (CVE-2017-17864). The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE)(CVE-2017-18344). The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic (CVE-2017-1000407). For other changes in this update, read the referenced changelogs.
References
- https://bugs.mageia.org/show_bug.cgi?id=22269
- https://kernelnewbies.org/Linux_4.10
- https://kernelnewbies.org/Linux_4.11
- https://kernelnewbies.org/Linux_4.12
- https://kernelnewbies.org/Linux_4.13
- https://kernelnewbies.org/Linux_4.14
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.1
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.2
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.3
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.4
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.5
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.6
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.7
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.8
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.9
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.10
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0786
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0861
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7518
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12188
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12190
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12193
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15115
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15265
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15299
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16939
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16994
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16996
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17852
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17853
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17854
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17855
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17856
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17857
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17862
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17863
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17864
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18344
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000407
SRPMS
6/core
- kernel-linus-4.14.10-1.mga6