CVE-2017-12192 – kernel: NULL pointer dereference due to KEYCTL_READ on negative key
https://notcve.org/view.php?id=CVE-2017-12192
The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation. La función keyctl_read_key en security/keys/keyctl.c en el subcomponente Key Management en el kernel de Linux en versiones anteriores a la 4.13.5 no considera correctamente que se puede tener una clave instanciada negativamente, lo que permite que los usuarios locales provoquen una denegación de servicio (OOPS y cierre inesperado del sistema) mediante una operación KEYCTL_READ manipulada. A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on a negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=37863c43b2c6464f252862bf2e9768264e961678 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5 https://access.redhat.com/errata/RHSA-2018:0151 https://bugzilla.redhat.com/show_bug.cgi?id=1493435 https://github.com/torvalds/linux/commit/37863c43b2c6464f252862bf2e9768264e961678 https://lkml.org/lkml/2017/9/18/764 https://usn.ubuntu.com/3583-1 https://usn.ubuntu.com/3583-2 https://access.redhat.com • CWE-476: NULL Pointer Dereference •
CVE-2017-14991
https://notcve.org/view.php?id=CVE-2017-14991
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0. La función sg_ioctl en drivers/scsi/sg.c en el kernel de Linux en versiones anteriores a la 4.13.4 permite que los usuarios locales obtengan información sensible de zonas de la memoria dinámica del kernek no inicializadas mediante una llamada IOCTL SG_GET_REQUEST_TABLE a /dev/sg0. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3e0097499839e0fe3af380410eababe5a47c4cf9 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.4 http://www.securityfocus.com/bid/101187 https://github.com/torvalds/linux/commit/3e0097499839e0fe3af380410eababe5a47c4cf9 https://usn.ubuntu.com/3754-1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-14954
https://notcve.org/view.php?id=CVE-2017-14954
The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call. La implementación waitid en kernel/exit.c en el kernel de Linux hasta la versión 4.13.4 accede a estructuras de datos rusage en casos que no debería, lo que permite a los usuarios locales obtener información sensible y omitir el mecanismo de protección KASLR mediante una llamada al sistema manipulada. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6c85501f2fabcfc4fc6ed976543d252c4eaf4be9 https://github.com/torvalds/linux/commit/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9 https://grsecurity.net/~spender/exploits/wait_for_kaslr_to_be_effective.c https://twitter.com/_argp/status/914021130712870912 https://twitter.com/grsecurity/status/914079864478666753 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-1000252 – kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ
https://notcve.org/view.php?id=CVE-2017-1000252
The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c. El subsistema KVM en el kernel de Linux hasta la versión 4.13.3 permite que los usuarios invitados del sistema operativo provoquen una denegación de servicio (fallo de aserción y bloqueo o cierre inesperado del hipervisor) mediante un valor guest_irq fuera de límites, relacionado con arch/x86/kvm/vmx.c y virt/kvm/eventfd.c. A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=36ae3c0a36b7456432fedce38ae2f7bd3e01a563 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb http://www.debian.org/security/2017/dsa-3981 http://www.openwall.com/lists/oss-security/2017/09/15/4 http://www.securityfocus.com/bid/101022 https://access.redhat.com/errata/RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:1062 https://access.redhat.com& • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •
CVE-2017-12154 – Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register
https://notcve.org/view.php?id=CVE-2017-12154
The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register. La función prepare_vmcs02 en arch/x86/kvm/vmx.c en el kernel de Linux hasta la versión 4.13.3 no asegura que los controles L0 vmcs02 "CR8-load exiting" y "CR8-store exiting" existan en casos en los que L1 omite el control vmcs12 "use TPR shadow". Esto permite que los usuarios invitados del sistema operativo obtengan acceso de lectura y escritura al registro CR8 del hardware. Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization (nVMX) feature enabled (nested=1), is vulnerable to a crash due to disabled external interrupts. As L2 guest could access (r/w) hardware CR8 register of the host(L0). • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=51aa68e7d57e3217192d88ce90fd5b8ef29ec94f http://www.debian.org/security/2017/dsa-3981 http://www.securityfocus.com/bid/100856 https://access.redhat.com/errata/RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2019:1946 https://bugzilla.redhat.com/show_bug.cgi?id=1491224 https://github.com/torvalds/linux/commit/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f https://usn.ubuntu.c • CWE-284: Improper Access Control •