Multiple Linux Kernel CVE vulnerability reports
Issue description

Advisory: CVE-2016-9806
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-9806
CVSS severity score: 7.2/10.0
Description: Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated.

Advisory: CVE-2016-9794
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-9794
CVSS severity score: 4.6/10.0
Description: Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.

Advisory: CVE-2016-9777
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-9777
CVSS severity score: 6.9/10.0
Description: KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.

Advisory: CVE-2016-9755
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-9755
CVSS severity score: 4.6/10.0
Description: The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c.

Advisory: CVE-2016-9756
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-9756
CVSS severity score: 2.1/10.0
Description: arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.

Advisory: CVE-2016-9685
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-9685
CVSS severity score: 4.9/10.0
Description: Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.

Advisory: CVE-2016-9588
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-9588
CVSS severity score: 2.1/10.0
Description: arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.

Advisory: CVE-2016-9576
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-9576
CVSS severity score: 7.2/10.0
Description: The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.

Advisory: CVE-2016-6787
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-6787
CVSS severity score: 6.9/10.0
Description: kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 31095224.

Advisory: CVE-2016-6786
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-6786
CVSS severity score: 6.9/10.0
Description: kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111.

Advisory: CVE-2016-6213
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-6213
CVSS severity score: 4.7/10.0
Description: fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts.

Advisory: CVE-2014-8709
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2014-8709
CVSS severity score: 5/10.0
Description: The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets.
Comment 1 by mnissler@chromium.org, Jan 2 2017
These got caught by vomit, but weren't reported to our bug tracker. I've only included the ones that weren't obviously irrelevant and/or already addressed. We'll need to go through the list with a finer-grained comb, figure out which issues to address, and file separate bugs for them.
Jan 2 2017
Two more:

Advisory: CVE-2016-9919
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-9919
CVSS severity score: 7.8/10.0
Description: The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet.

Advisory: CVE-2015-8967
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2015-8967
CVSS severity score: 9.3/10.0
Description: arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local users to bypass the "strict page permissions" protection mechanism and modify the system-call table, and consequently gain privileges, by leveraging write access.
Jan 2 2017
Given groeck@ is helping while mnissler@ is out on leave, please change ownership to groeck@
Jan 3 2017
Individual bugs submitted:

chromium-678000 CVE-2015-8967
chromium:677999 CVE-2016-9919
chromium:677998 CVE-2014-8709
chromium:677997 CVE-2016-6213
chromium:677996 CVE-2016-6786
chromium:677995 CVE-2016-6787
chromium:677994 CVE-2016-9576
chromium:677993 CVE-2016-9588
chromium:677992 CVE-2016-9685
chromium:677991 CVE-2016-9756
chromium:677990 CVE-2016-9755
chromium:677989 CVE-2016-9777
chromium:677988 CVE-2016-9794
chromium:677987 CVE-2016-9806
Jan 3 2017
There's something really messy about the ACL for these bugs. This bug is only readable by my @google.com address (since that is a member of chromeos-kernel-security-bug-access) while the dependent bugs that groeck@ just created are not yet locked down. We probably should. However, I don't like the fact that we can't modify the metadata here. Who do I need to work with to give the chromeos-kernel-security-bug-access@google.com group the right privs?
Jan 3 2017
I'll lock them all down.
Jan 3 2017
Re comment #10:
1) I'll add you to an internal mail thread on which we discussed the ACL solution.
2) All security bugs should be filed with Type=Bug-Security; this will automatically add the required lockdown. If you file with Component:OS>Kernel, chromeos-kernel-security-bug-access@ will be auto-cc'ed.
Jan 4 2017

Jan 14 2017
All fixed.
Jan 15 2017

Jan 24 2017

Apr 23 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 30 2017

Aug 1 2017

Jan 22 2018