LU-10563

kernel update [RHEL7.4 3.10.0-693.17.1.el7]



    Description

      This update fixes the following security issues:

      A flaw was found in the Linux kernel's key management system where it was possible for an attacker to escalate privileges or crash the machine. If a user key gets negatively instantiated, an error code is cached in the payload area. A negatively instantiated key may then be positively instantiated by updating it with valid data. However, the ->update key type method must be aware that the error code may be there. (CVE-2015-8539, Important)

      It was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug. (CVE-2017-15649, Important)

      A vulnerability was found in the Linux kernel where the keyctl_set_reqkey_keyring() function leaks the thread keyring. This allows an unprivileged local user to exhaust kernel memory and thus cause a DoS. (CVE-2017-7472, Moderate)

      A vulnerability was found in the key management subsystem of the Linux kernel, where issuing KEYCTL_READ on a negatively instantiated key led to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel. (CVE-2017-12192, Moderate)

      A flaw was found in the Linux kernel's implementation of associative arrays, introduced in 3.13. This functionality was backported to the 3.10 kernels in Red Hat Enterprise Linux 7. The flaw involved a NULL pointer dereference in assoc_array_apply_edit() due to incorrect node splitting in the assoc_array implementation. This affects the keyring key type, and thus key addition and link creation operations may cause the kernel to panic. (CVE-2017-12193, Moderate)

      Red Hat would like to thank Fan Wu (University of Hong Kong), Haoran Qiu (University of Hong Kong), Shixiong Zhao (University of Hong Kong), and Heming Cui (University of Hong Kong) for reporting CVE-2017-12193, Dmitry Vyukov (Google engineering) for reporting CVE-2015-8539.
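      The first thing a practitioner wants from an advisory like this is a check that a given host is actually running a kernel at or above the fixed build. The following is an added example, not part of this ticket or of Red Hat's advisory text: it compares a uname -r string against the errata kernel named in the ticket title using a simplified rpm-style label comparison (numeric segments compare as integers and sort after alphabetic ones; the tilde and caret rules are omitted because RHEL 7 kernel NVRs never use them). The architecture suffix list and the function names are assumptions of this example; the sample release strings in the test are constructed.

```python
"""Check whether a RHEL 7 kernel release string is at or above the errata
kernel 3.10.0-693.17.1.el7 that carries the fixes listed above.

Added example for this ticket; not Red Hat's or the Lustre project's code.
"""
import platform
import re

# Fixed kernel NVR, from the ticket title.
FIXED_KERNEL = "3.10.0-693.17.1.el7"

# Architecture suffixes to strip from `uname -r` (assumed list).
_ARCH_SUFFIX = re.compile(r"\.(x86_64|aarch64|ppc64le|ppc64|s390x|i686)$")
# One rpm label segment: a run of digits or a run of letters; separators are skipped.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _segments(label):
    """Split an rpm version or release label into comparable segments.

    Numeric runs become (1, int) and alphabetic runs (0, str), so a numeric
    segment always sorts after an alphabetic one, as in rpm's label compare,
    and int/str are never compared directly.  '~' and '^' are not handled.
    """
    return [(1, int(t)) if t.isdigit() else (0, t) for t in _SEGMENT.findall(label)]


def parse_kernel(uname_r):
    """Split '3.10.0-693.17.1.el7.x86_64' into ('3.10.0', '693.17.1.el7').

    Raises ValueError for anything that is not an el7 kernel NVR, because the
    backported fixes are only meaningful within the RHEL 7 kernel stream.
    """
    nvr = _ARCH_SUFFIX.sub("", uname_r.strip())
    version, sep, release = nvr.partition("-")
    if not sep or not version or ".el7" not in release:
        raise ValueError("not a RHEL 7 kernel release string: %r" % uname_r)
    return version, release


def compare_kernel(a, b):
    """Return -1, 0 or 1 as kernel NVR `a` is older than, equal to or newer
    than `b`: the version label is compared first, then the release label."""
    ka = tuple(_segments(part) for part in parse_kernel(a))
    kb = tuple(_segments(part) for part in parse_kernel(b))
    return (ka > kb) - (ka < kb)


def is_fixed(uname_r, fixed=FIXED_KERNEL):
    """True when `uname_r` is at or above the fixed kernel."""
    return compare_kernel(uname_r, fixed) >= 0


def running_kernel_status(fixed=FIXED_KERNEL):
    """Report on the kernel this process is running on.

    Deliberately uses uname -r rather than `rpm -q kernel`: a host that has
    installed the errata but not rebooted is still running the old code.
    """
    running = platform.release()
    try:
        ok = is_fixed(running, fixed)
    except ValueError:
        return "%s: not a RHEL 7 kernel, comparison with %s is not meaningful" % (running, fixed)
    return "%s: %s" % (running, "fixed" if ok else "VULNERABLE, below %s" % fixed)


if __name__ == "__main__":
    print(running_kernel_status())
```

      Lustre-patched server kernels carry an extra release tag (for example a release ending in el7_lustre); the extra alphabetic segment sorts after the plain el7 release of the same build, so a patched kernel rebuilt from the fixed source compares as at least as new as the errata kernel. The comparison says nothing about kernels outside the el7 stream, which is why the parser rejects them instead of guessing.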

      This update also fixes the following bugs:

      Previously, the Reverse Path Filtering enabled by the rp_filter directive did not apply to incoming multicast traffic if the early demux feature was enabled. Both rp_filter and early demux are enabled by default on Red Hat Enterprise Linux systems. Consequently, a multicast receiver designed to receive traffic from a sender in a single network also received the traffic from a sender outside that network, and such traffic was visible at the IP socket level. This update fixes the IPv4 User Datagram Protocol (udp) code, and rp_filter now filters the traffic correctly under the described circumstances. (BZ#1506530)

      Some storage arrays do not conform properly to the SCSI specification in reporting the limit for certain thin provisioning commands. Consequently, when an array reported the limit incorrectly, the kernel issued commands which could not be performed by the array and were rejected. This update adds a new blacklist option permitting the kernel to work with a storage array under the described circumstances. (BZ#1507043)

      Previously, allocation of memory in the tty3270 driver did not work correctly on z/VM systems. Consequently, a kernel crash occurred when attempting to connect IBM 3270 terminals. This update fixes the memory corruption in tty3270. As a result, the kernel no longer crashes due to this behavior, and connecting the IBM 3270 terminal now works as expected. (BZ#1508355)

      With this update, the rule for iptables reloading has been optimized to complete faster. (BZ#1509176)

      When attempting to reread parent blocks in btree traversal, the xfs code which deletes extended attributes from an inode assumed that the parent blocks were still in the cache. Under memory pressure and memory reclaim, such parent blocks were sometimes removed from the cache. Consequently, attempts to reread previously cached parent blocks caused the file system to read invalid memory. This update fixes xfs to reinitialize the pointer to the parent block buffers after the block has been reread. As a result, pointers to btree blocks now point to valid memory, and the kernel no longer crashes due to an invalid memory access. (BZ#1512812)

      The write access check for huge pages did not function correctly on IBM z Systems. Consequently, if asynchronous I/O reads were used, buffers sometimes contained zeroes rather than data from a file, even when the io_getevents() system call reported that the associated read had finished successfully. This update fixes the write access check in the gup_huge_pmd() function in memory management, and read data is stored in asynchronous I/O buffers properly. (BZ#1513316)

      Calling the __memcg_kmem_get_cache() function with the kmem_cache->memcg_params pointer not yet allocated caused a NULL pointer dereference. Consequently, the kernel panicked with the following error message:

          Unable to handle kernel NULL pointer dereference at 0000000000000008 in __memcg_kmem_get_cache().

      This update addresses the issue by checking whether s->memcg_params is NULL and allocating it with kzalloc() if it is. As a result, the kernel no longer panics due to this behavior. (BZ#1515105)

      When running heavy I/O workloads on virtio-scsi disks, the virtio-scsi driver attempted to do exception handling after the default 30 seconds timeout expired. Consequently, the disks sometimes went offline. This update fixes the driver to disable exception handling in the guest. As a result, disks are not brought offline, and exception handling is still done in the host if applicable under the described circumstances. (BZ#1515107)

      Previously, the skx_edac driver did not handle systems with a segmented PCI bus correctly. Consequently, the operating system failed to boot with the following error message:

          Unable to handle kernel NULL pointer dereference at 0000000000000038.

      This update fixes skx_edac to also check that the segment matches when deciding how to group memory controller PCI devices to CPU sockets. As a result, skx_edac no longer causes a kernel panic when booting systems whose PCI bus has multiple segments. (BZ#1515111)

      Due to an out-of-bounds read, where the code read memory beyond the end of its buffer, the sha1-avx2 hash implementation was previously disabled. This update resolves the problem and re-enables sha1-avx2. (BZ#1515838)

      If the rtnl_trylock() function failed, the slave devices could become permanently stuck in the BOND_LINK_FAIL state. Consequently, when running the Master ICM Poweroff test on a bonding interface with multiple enslaved interfaces using "active backup" mode, the bonding interface failed to pass any traffic and was left with no active interface. This update fixes the bonding driver so that slaves no longer get stuck in BOND_LINK_FAIL. As a result, under the described circumstances, the bonding interface now picks up another backup interface which already has Link UP and no link failure count. (BZ#1516169)

      If an application opened multiple streams to the same destination IP and port, all of these outbound connections were given an even ephemeral source port, and the xmit_hash_policy bonding parameter based on layer 3+4 addressing therefore always hashed all these streams to the same interface. This update fixes the bonding driver to discard the lowest hash bit for 802.3ad layer 3+4, so the parity of the ephemeral port no longer decides the slave. As a result, streams with a mix of odd and even port numbers, and in particular the all-even case above, are now balanced between the slaves. (BZ#1517797)

      If a large number of cores on all sockets were disabled in firmware, the number of sockets available was previously calculated incorrectly on AMD64 and Intel 64 systems. Consequently, the operating system panicked on boot. This update fixes the calculation of the number of sockets, and the operating system now boots as expected under the described circumstances. (BZ#1517803)

      Previously, the SGID bit of a directory was not inherited correctly. Consequently, if a user was not a member of the parent directory's owning group, a subdirectory created by that user failed to inherit the SGID bit, and the xfstests test case generic/444 failed with the following output:

          QA output created by 444
          drwxrwsr-x
          drwxrwxr-x <--- the SGID bit was dropped.

      This update fixes the ext4 file system so that it does not clear the SGID bit when inheriting Access Control Lists (ACLs). As a result, a subdirectory created by a user who is not a member of the parent directory's owning group now inherits the SGID bit, and the xfstests test case generic/444 passes as expected. (BZ#1517829)

      If a TCP session which had been disconnected without resetting the routing destination entry (DST) for the socket was reconnected, the socket DST reference was overridden during the new TCP connection and the old DST entry was not freed. Consequently, the DST entry leak led to a loopback device reference count leak, which had multiple side effects, including an inability to remove network namespaces in which certain types of TCP traffic had occurred. This update resolves the DST entry leak, and the loopback reference count leak with its side effects no longer occurs. (BZ#1520296)

      If the Extensible Firmware Interface (EFI) created a new set of page tables and mapped a segment of code at a low address, the operating system (OS) failed to boot. This update fixes the EFI code, and the OS now boots as expected under the described circumstances. (BZ#1532989)

      The calculation of the number of sockets included in the uncore functions was previously incorrect. Consequently, a kernel panic could occur. This update fixes uncore to calculate the number of sockets correctly, and the kernel no longer panics due to this behavior. (BZ#1533022)

People: Bob Glossman (bogl, Inactive)