ESB-2018.3374 - [RedHat] kernel-rt: Multiple vulnerabilities 2018-10-31

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3374
      Important: kernel-rt security, bug fix, and enhancement update
                              31 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel-rt
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
Impact/Access:     Root Compromise        -- Existing Account      
                   Access Privileged Data -- Existing Account      
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000026 CVE-2018-13405 CVE-2018-10940
                   CVE-2018-10902 CVE-2018-10883 CVE-2018-10881
                   CVE-2018-10879 CVE-2018-10878 CVE-2018-10322
                   CVE-2018-8781 CVE-2018-7757 CVE-2018-7740
                   CVE-2018-5848 CVE-2018-5803 CVE-2018-5391
                   CVE-2018-5344 CVE-2018-1130 CVE-2018-1120
                   CVE-2018-1118 CVE-2018-1094 CVE-2018-1092
                   CVE-2017-18344 CVE-2017-18232 CVE-2017-18208
                   CVE-2017-17805 CVE-2017-10661 CVE-2017-0861
                   CVE-2016-4913 CVE-2015-8830 

Reference:         ASB-2018.0190
                   ESB-2018.3269
                   ESB-2018.3166
                   ESB-2018.3140
                   ESB-2018.3130
                   ESB-2018.3060
                   ESB-2018.3054
                   ASB-2018.0222.2

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:3096

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:3096-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3096
Issue date:        2018-10-30
CVE Names:         CVE-2015-8830 CVE-2016-4913 CVE-2017-0861 
                   CVE-2017-10661 CVE-2017-17805 CVE-2017-18208 
                   CVE-2017-18232 CVE-2017-18344 CVE-2018-1092 
                   CVE-2018-1094 CVE-2018-1118 CVE-2018-1120 
                   CVE-2018-1130 CVE-2018-5344 CVE-2018-5391 
                   CVE-2018-5803 CVE-2018-5848 CVE-2018-7740 
                   CVE-2018-7757 CVE-2018-8781 CVE-2018-10322 
                   CVE-2018-10878 CVE-2018-10879 CVE-2018-10881 
                   CVE-2018-10883 CVE-2018-10902 CVE-2018-10940 
                   CVE-2018-13405 CVE-2018-1000026 
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* A flaw named FragmentSmack was found in the way the Linux kernel handled
reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use
this flaw to trigger time and calculation expensive fragment reassembly
algorithm by sending specially crafted packets which could lead to a CPU
saturation and hence a denial of service on the system. (CVE-2018-5391)

* kernel: out-of-bounds access in the show_timer function in
kernel/time/posix-timers.c (CVE-2017-18344)

* kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute
code in kernel space (CVE-2018-8781)

* kernel: MIDI driver race condition leads to a double-free
(CVE-2018-10902)

* kernel: Missing check in inode_init_owner() does not clear SGID bit on
non-directories for non-members (CVE-2018-13405)

* kernel: AIO write triggers integer overflow in some protocols
(CVE-2015-8830)

* kernel: Use-after-free in snd_pcm_info function in ALSA subsystem
potentially leads to privilege escalation (CVE-2017-0861)

* kernel: Handling of might_cancel queueing is not properly pretected
against race (CVE-2017-10661)

* kernel: Salsa20 encryption algorithm does not correctly handle
zero-length inputs allowing local attackers to cause denial of service
(CVE-2017-17805)

* kernel: Inifinite loop vulnerability in madvise_willneed() function
allows local denial of service (CVE-2017-18208)

* kernel: fuse-backed file mmap-ed onto process cmdline arguments causes
denial of service (CVE-2018-1120)

* kernel: a null pointer dereference in dccp_write_xmit() leads to a system
crash (CVE-2018-1130)

* kernel: drivers/block/loop.c mishandles lo_release serialization allowing
denial of service (CVE-2018-5344)

* kernel: Missing length check of payload in _sctp_make_chunk() function
allows denial of service (CVE-2018-5803)

* kernel: buffer overflow in
drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory
corruption (CVE-2018-5848)

* kernel: out-of-bound write in ext4_init_block_bitmap function with a
crafted ext4 image (CVE-2018-10878)

* kernel: Improper validation in bnx2x network card driver can allow for
denial of service attacks via crafted packet (CVE-2018-1000026)

* kernel: Information leak when handling NM entries containing NUL
(CVE-2016-4913)

* kernel: Mishandling mutex within libsas allowing local Denial of Service
(CVE-2017-18232)

* kernel: NULL pointer dereference in ext4_process_freed_data() when
mounting crafted ext4 image (CVE-2018-1092)

* kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash
with crafted ext4 image (CVE-2018-1094)

* kernel: vhost: Information disclosure in vhost.c:vhost_new_msg()
(CVE-2018-1118)

* kernel: Denial of service in resv_map_release function in mm/hugetlb.c
(CVE-2018-7740)

* kernel: Memory leak in the sas_smp_get_phy_events function in
drivers/scsi/libsas/sas_expander.c (CVE-2018-7757)

* kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when
mounting crafted xfs image allowing denial of service (CVE-2018-10322)

* kernel: use-after-free detected in ext4_xattr_set_entry with a crafted
file (CVE-2018-10879)

* kernel: out-of-bound access in ext4_get_group_info() when mounting and
operating a crafted ext4 image (CVE-2018-10881)

* kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function
(CVE-2018-10883)

* kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
(CVE-2018-10940)

Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department
of Communications and Networking and Nokia Bell Labs) for reporting
CVE-2018-5391; Trend Micro Zero Day Initiative for reporting
CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii
Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for
reporting CVE-2018-1092 and CVE-2018-1094.

4. Solution:

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.6 Release Notes linked from the References section.

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1314275 - CVE-2015-8830 kernel: AIO write triggers integer overflow in some protocols
1337528 - CVE-2016-4913 kernel: Information leak when handling NM entries containing NUL
1481136 - CVE-2017-10661 kernel: Handling of might_cancel queueing is not properly pretected against race
1510602 - locking: bring in upstream PREEMPT_RT rtlock patches to fix single-reader limitation
1512875 - WARNING: CPU: 7 PID: 1090 at drivers/target/target_core_transport.c:3009 __transport_check_aborted_status+0x153/0x190 [target_core_mod]
1528312 - CVE-2017-17805 kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial-of-service
1533909 - CVE-2018-5344 kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service
1541846 - CVE-2018-1000026 kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet
1551051 - CVE-2018-5803 kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service
1551565 - CVE-2017-18208 kernel: Inifinite loop vulnerability in mm/madvise.c:madvise_willneed() function allows local denial of service
1552867 - CVE-2018-7740 kernel: Denial of service in resv_map_release function in mm/hugetlb.c
1553351 - RT: update kernel-rt source tree to match RHEL 7.6 tree
1553361 - CVE-2018-7757 kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c
1558066 - CVE-2017-18232 kernel: Mishandling mutex within libsas allowing local Denial of Service
1560777 - CVE-2018-1092 kernel: NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image
1560788 - CVE-2018-1094 kernel: NULL pointer dereference in ext4/xattr.c:ext4_xattr_inode_hash() causes crash with crafted ext4 image
1563994 - CVE-2017-0861 kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation
1569910 - Call Trace shows in guest when running determine_maximum_mpps.sh
1571062 - CVE-2018-8781 kernel: Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space
1571623 - CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service
1573699 - CVE-2018-1118 kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg()
1575472 - CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
1576419 - CVE-2018-1130 kernel: a null pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash
1577408 - CVE-2018-10940 kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
1590720 - CVE-2018-10902 kernel: MIDI driver race condition leads to a double-free
1590799 - CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption
1596802 - CVE-2018-10878 kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image
1596806 - CVE-2018-10879 kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file
1596828 - CVE-2018-10881 kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image
1596846 - CVE-2018-10883 kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function
1599161 - CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
1608672 - RT system hang due to wrong of rq's nr_running
1609664 - CVE-2018-5391 kernel: IP fragments with random offsets allow a remote denial of service (FragmentSmack)
1610958 - CVE-2017-18344 kernel: out-of-bounds access in the show_timer function in kernel/time/posix-timers.c

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:
kernel-rt-3.10.0-957.rt56.910.el7.src.rpm

noarch:
kernel-rt-doc-3.10.0-957.rt56.910.el7.noarch.rpm

x86_64:
kernel-rt-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-debug-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-debug-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-debug-devel-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-debug-kvm-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-debug-kvm-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-devel-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-kvm-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-kvm-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-trace-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-trace-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-trace-devel-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-trace-kvm-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-trace-kvm-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:
kernel-rt-3.10.0-957.rt56.910.el7.src.rpm

noarch:
kernel-rt-doc-3.10.0-957.rt56.910.el7.noarch.rpm

x86_64:
kernel-rt-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-debug-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-debug-devel-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-devel-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-trace-3.10.0-957.rt56.910.el7.x86_64.rpm
kernel-rt-trace-devel-3.10.0-957.rt56.910.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-8830
https://access.redhat.com/security/cve/CVE-2016-4913
https://access.redhat.com/security/cve/CVE-2017-0861
https://access.redhat.com/security/cve/CVE-2017-10661
https://access.redhat.com/security/cve/CVE-2017-17805
https://access.redhat.com/security/cve/CVE-2017-18208
https://access.redhat.com/security/cve/CVE-2017-18232
https://access.redhat.com/security/cve/CVE-2017-18344
https://access.redhat.com/security/cve/CVE-2018-1092
https://access.redhat.com/security/cve/CVE-2018-1094
https://access.redhat.com/security/cve/CVE-2018-1118
https://access.redhat.com/security/cve/CVE-2018-1120
https://access.redhat.com/security/cve/CVE-2018-1130
https://access.redhat.com/security/cve/CVE-2018-5344
https://access.redhat.com/security/cve/CVE-2018-5391
https://access.redhat.com/security/cve/CVE-2018-5803
https://access.redhat.com/security/cve/CVE-2018-5848
https://access.redhat.com/security/cve/CVE-2018-7740
https://access.redhat.com/security/cve/CVE-2018-7757
https://access.redhat.com/security/cve/CVE-2018-8781
https://access.redhat.com/security/cve/CVE-2018-10322
https://access.redhat.com/security/cve/CVE-2018-10878
https://access.redhat.com/security/cve/CVE-2018-10879
https://access.redhat.com/security/cve/CVE-2018-10881
https://access.redhat.com/security/cve/CVE-2018-10883
https://access.redhat.com/security/cve/CVE-2018-10902
https://access.redhat.com/security/cve/CVE-2018-10940
https://access.redhat.com/security/cve/CVE-2018-13405
https://access.redhat.com/security/cve/CVE-2018-1000026
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/3553061
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.6_Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW9gRpNzjgjWX9erEAQim6xAAl0my7Mu97zvsTFUj9Tq4Lpj7kJ2fkPcW
4GfKQWeJwCBY3LAeeRFvaU0v7eHA7ddI3hXC0sRLRfz53aebtq/hG126VvRo3jMD
fEO0m5s49sNazMKYlnYGhca8/XTzuyS5ar44rIBgeJ2p4aUzhk8G3Oi8sDYLXElq
bMs1va0oB4vwqqcY+Oc9XB6Wg4t1+OrsmBlm9+Wqeu4qt9R2f9B31TMcBIlNqr+M
fH2hSKw/G/E0KL7ODK4LkyP5d9i9GW/GuCdF3QMPv/2rVwI0OpK4wVxOAQJ4o8/Q
U0tqAVCLkn2i5qZ5Y1x0+9OdTnHIfZnypJeZ+VWD4Y0PKcokNFYu7FBbcMfQBCkg
7xD0PTPjayeilUsNlRYIXFjmUQ9n+UGJEuP0LhJ6150zuSvPJl15FS6IMkAk6bYr
3u3I1ZTcPiCm/7oiC9MHnjIiuld8UgsILkYvG3xK9QMnhl41r/Nr4jb2vtrDgw5R
e9GF4vwievFDmp7tnENUHrL7VgAZ0jS07fyi3IRl/YbaJX8IuUGhMv08GCbb7qgr
DuTLLTlU0wvLaJ6qNU01RAeYz7GZiJYRrPdRhGgxSnNWcIULy4PRSk9Zd1tlflBP
cAOPIHJV2Kf3kKj/wIVs2WzcSV2uEKY1EW4vptl5t5jX1ZUUtHFL0tpFFjJkJGD1
lq8DIVubbnc=
=1RFn
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW9kiM2aOgq3Tt24GAQjOlQ//eyhON47Uxovy2aEL5GiHyVn/9uZ71P85
iNMK7niBMq0ozd7i49WfeY8A72PNa1jCxTHC5eaqGa7BEZA8q8YV04PFgAdC1CfG
cFaaQHwN1yNAaoz00mt6cPQe2YuHoR2JCqKwh3d1lGA17WQdg3uz5IkoGD5h9kDw
G5bUyF4UBMJLhup9c50sy6Sk/AxkycHTVNwoXQVpH7FdEPql5JWhNEgE+3DF7Ie/
3mheI/PdYqY4sBT3kDPKNLPdp2NUc8XFZS92xlKUKtwy7OHTsNsQ6Oa9FnV3rMYm
s1FzttcYu72MBZ6iJ6BRAxe3+ZaRbECLYKqaBIO+pOI0An3EgHVStI0QSf+GZAZQ
NKUKlUD9mvSRNLwPxuZgARlavKt6zRaUVhOhfu2SKcUuSfU56u8C7SM96VsMxSp3
B4StVxlMXVDSvRtDedABlaHcyiXjEK+CWzbefHTm4zxLsIX2KWMPJrNWfT3LYDoQ
yxv8BF0iHG+1pnl6hpUek3srLqWs+2AGsm+jwwfZJUPgq4EgIIOAz+CQsWEVaXeg
mhgZgBXLyk1HN8JfYKzSCWXLhVYWEFnvJrl3flDP0Kb2Ee6XuKvuPhyOXvzqLy3g
utHODVrLwq6CyHhTpPGaLH1g649COH1LvZFoq+rwceCZQ2Wb5O4XWqSTyUkCS4s8
yZlxF6LFTZQ=
=/N5t
-----END PGP SIGNATURE-----

« Back to bulletins