List of CVEs fixed in this release

The following list describes the CVEs that are fixed in this release. The content provided here is automatically generated and includes the CVE identifier and a summary of the issue. The associated internal Oracle bug identifiers are also included to reference work that was carried out to address each issue.

  • CVE-2016-10318

    A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service. (Bug: 25883175)

    See https://linux.oracle.com/cve/CVE-2016-10318.html for more information.

  • CVE-2016-9191

    The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity. (Bug: 25062944, 27841944)

    See https://linux.oracle.com/cve/CVE-2016-9191.html for more information.

  • CVE-2017-0861

    Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors. (Bug: 27344839)

    See https://linux.oracle.com/cve/CVE-2017-0861.html for more information.

  • CVE-2017-1000112

    Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls, the append path can be switched from the UFO to the non-UFO one, which leads to a memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005. (Bug: 26921303)

    See https://linux.oracle.com/cve/CVE-2017-1000112.html for more information.

  • CVE-2017-1000405

    The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such a case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic: a pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty COW" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow read-only huge pages to be overwritten. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) THP. (Bug: 27165913)

    See https://linux.oracle.com/cve/CVE-2017-1000405.html for more information.

  • CVE-2017-1000407

    The Linux Kernel 2.6.32 and later are affected by a denial of service: by flooding the diagnostic port 0x80, an exception can be triggered, leading to a kernel panic. (Bug: 27206805)

    See https://linux.oracle.com/cve/CVE-2017-1000407.html for more information.

  • CVE-2017-10661

    Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing. (Bug: 26673877)

    See https://linux.oracle.com/cve/CVE-2017-10661.html for more information.

  • CVE-2017-12154

    The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.

    See https://linux.oracle.com/cve/CVE-2017-12154.html for more information.

  • CVE-2017-12190

    The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition. (Bug: 27062562)

    See https://linux.oracle.com/cve/CVE-2017-12190.html for more information.

  • CVE-2017-12192

    The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation. (Bug: 27049926)

    See https://linux.oracle.com/cve/CVE-2017-12192.html for more information.

  • CVE-2017-12193

    The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations. (Bug: 27364588)

    See https://linux.oracle.com/cve/CVE-2017-12193.html for more information.

  • CVE-2017-14106

    The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. (Bug: 26796038)

    See https://linux.oracle.com/cve/CVE-2017-14106.html for more information.

  • CVE-2017-14140

    The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR. (Bug: 27364683)

    See https://linux.oracle.com/cve/CVE-2017-14140.html for more information.

  • CVE-2017-14489

    The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation. (Bug: 26828494)

    See https://linux.oracle.com/cve/CVE-2017-14489.html for more information.

  • CVE-2017-15115

    The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls. (Bug: 27386997)

    See https://linux.oracle.com/cve/CVE-2017-15115.html for more information.

  • CVE-2017-15537

    The x86/fpu (Floating Point Unit) subsystem in the Linux kernel before 4.13.5, when a processor supports the xsave feature but not the xsaves feature, does not correctly handle attempts to set reserved bits in the xstate header via the ptrace() or rt_sigreturn() system call, allowing local users to read the FPU registers of other processes on the system, related to arch/x86/kernel/fpu/regset.c and arch/x86/kernel/fpu/signal.c. (Bug: 27050688)

  • CVE-2017-15649

    net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346. (Bug: 27050772)

    See https://linux.oracle.com/cve/CVE-2017-15649.html for more information.

  • CVE-2017-16525

    The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup. (Bug: 27206824)

    See https://linux.oracle.com/cve/CVE-2017-16525.html for more information.

  • CVE-2017-16526

    drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27206874)

    See https://linux.oracle.com/cve/CVE-2017-16526.html for more information.

  • CVE-2017-16527

    sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27117850)

    See https://linux.oracle.com/cve/CVE-2017-16527.html for more information.

  • CVE-2017-16529

    The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27206916)

    See https://linux.oracle.com/cve/CVE-2017-16529.html for more information.

  • CVE-2017-16530

    The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c. (Bug: 27206993)

    See https://linux.oracle.com/cve/CVE-2017-16530.html for more information.

  • CVE-2017-16531

    drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor. (Bug: 27207211)

    See https://linux.oracle.com/cve/CVE-2017-16531.html for more information.

  • CVE-2017-16532

    The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27602322)

  • CVE-2017-16533

    The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27207901)

    See https://linux.oracle.com/cve/CVE-2017-16533.html for more information.

  • CVE-2017-16535

    The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27207955)

    See https://linux.oracle.com/cve/CVE-2017-16535.html for more information.

  • CVE-2017-16536

    The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27208030)

    See https://linux.oracle.com/cve/CVE-2017-16536.html for more information.

  • CVE-2017-16646

    drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27215141)

  • CVE-2017-16649

    The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27841392)

  • CVE-2017-16650

    The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (Bug: 27215213)

    See https://linux.oracle.com/cve/CVE-2017-16650.html for more information.

  • CVE-2017-17052

    The mm_init function in kernel/fork.c in the Linux kernel before 4.12.10 does not clear the ->exe_file member of a new process's mm_struct, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program. (Bug: 27648200)

    See https://linux.oracle.com/cve/CVE-2017-17052.html for more information.

  • CVE-2017-17712

    The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel through 4.14.6 has a race condition in inet->hdrincl that leads to uninitialized stack pointer usage; this allows a local user to execute code and gain privileges. (Bug: 27390679)

    See https://linux.oracle.com/cve/CVE-2017-17712.html for more information.

  • CVE-2017-2618

    A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. (Bug: 25660054)

    See https://linux.oracle.com/cve/CVE-2017-2618.html for more information.

  • CVE-2017-5715

    Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (Bug: 27344012, 27365575, 27461990, 27477743, 27542331)

    See https://linux.oracle.com/cve/CVE-2017-5715.html for more information.

  • CVE-2017-5753

    Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (Bug: 27340445)

    See https://linux.oracle.com/cve/CVE-2017-5753.html for more information.

  • CVE-2017-5754

    Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. (Bug: 27333760, 27365431, 27378516)

    See https://linux.oracle.com/cve/CVE-2017-5754.html for more information.

  • CVE-2017-7482

    When a Kerberos 5 ticket is being decoded so that it can be loaded into an rxrpc-type key, there are several places in which the length of a variable-length field is checked to make sure that it is not going to overrun the available data, but the data is padded to the nearest four-byte boundary and the code does not check for this extra padding. This could lead to the size-remaining variable wrapping and the data pointer going past the end of the buffer. (Bug: 26376434)

    See https://linux.oracle.com/cve/CVE-2017-7482.html for more information.

  • CVE-2017-7518

    A flaw was found in the way the Linux KVM module processed the trap flag (TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception (#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this. (Bug: 27669904)

    See https://linux.oracle.com/cve/CVE-2017-7518.html for more information.

  • CVE-2017-7541

    The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet. (Bug: 26540118)

    See https://linux.oracle.com/cve/CVE-2017-7541.html for more information.

  • CVE-2017-7542

    The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket. (Bug: 26540159)

    See https://linux.oracle.com/cve/CVE-2017-7542.html for more information.

  • CVE-2017-7618

    crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue. (Bug: 25882988)

    See https://linux.oracle.com/cve/CVE-2017-7618.html for more information.

  • CVE-2017-8824

    The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state. (Bug: 27290292)

    See https://linux.oracle.com/cve/CVE-2017-8824.html for more information.

  • CVE-2018-1068

    A flaw was found in the Linux 4.x kernel's implementation of the 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. (Bug: 27774012)