CVE-2017-12190 – kernel: memory leak when merging buffers in SCSI IO vectors
https://notcve.org/view.php?id=CVE-2017-12190
The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition. Las funciones bio_map_user_iov y bio_unmap_user en block/bio.c en el kernel de Linux en versiones anteriores a la 4.13.8 realizan un refcount no equilibrado cuando un vector SCSI I/O tiene búferes pequeños consecutivos que pertenecen a la misma página. La función bio_add_pc_page los combina en uno solo, pero la referencia de la página nunca se anula. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95d78c28b5a85bacbc29b8dba7c04babb9b0d467 http://seclists.org/oss-sec/2017/q4/52 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.8 http://www.securityfocus.com/bid/101911 https://access.redhat.com/errata/RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0676 https://access.redhat • CWE-400: Uncontrolled Resource Consumption CWE-772: Missing Release of Resource after Effective Lifetime •
CVE-2017-15115
https://notcve.org/view.php?id=CVE-2017-15115
The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls. La función sctp_do_peeloff en net/sctp/socket.c en el kernel de Linux en versiones anteriores a la 4.14 no comprueba si el netns planeado se emplea en una acción peel-off, lo que permite que usuarios locales provoquen una denegación de servicio (uso de memoria previamente liberada y cierre inesperado del sistema) o, posiblemente, otro impacto sin especificar mediante llamadas del sistema manipuladas. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html http://seclists.org/oss-sec/2017/q4/282 http://www.securityfocus.com/bid/101877 https://bugzilla.redhat.com/show_bug.cgi?id=1513345 https://github.com/torvalds/linux/commit/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html https://patchwork.ozlabs.org/patch • CWE-416: Use After Free •
CVE-2017-15102
https://notcve.org/view.php?id=CVE-2017-15102
The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference. La función tower_probe en drivers/usb/misc/legousbtower.c en el kernel de Linux en versiones anteriores a la 4.8.1 permite que usuarios locales (que estén tan cerca físicamente como para insertar un dispositivo USB manipulado) obtengan privilegios aprovechando una condición de write-what-where que ocurre tras una condición de carrera y una desreferencia de puntero NULL • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2fae9e5a7babada041e2e161699ade2447a01989 http://seclists.org/oss-sec/2017/q4/238 http://www.securityfocus.com/bid/101790 https://bugzilla.redhat.com/show_bug.cgi?id=1505905 https://github.com/torvalds/linux/commit/2fae9e5a7babada041e2e161699ade2447a01989 https://usn.ubuntu.com/3583-1 https://usn.ubuntu.com/3583-2 • CWE-476: NULL Pointer Dereference •
CVE-2017-16648 – kernel: Use-after-free in drivers/media/dvb-core/dvb_frontend.c
https://notcve.org/view.php?id=CVE-2017-16648
The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. NOTE: the function was later renamed __dvb_frontend_free. La función dvb_frontend_free en drivers/media/dvb-core/dvb_frontend.c en el kernel de Linux, en versiones hasta la 4.13.11, permite que los usuarios locales provoquen una denegación de servicio (uso de memoria previamente liberada y cierre inesperado del sistema) o, posiblemente, causen otros impactos no especificados mediante un dispositivo USB manipulado. NOTA: la función fue posteriormente renombrada como __dvb_frontend_free. The dvb frontend management subsystem in the Linux kernel contains a use-after-free which can allow a malicious user to write to memory that may be assigned to another kernel structure. • http://www.securityfocus.com/bid/101758 https://access.redhat.com/errata/RHSA-2018:2948 https://groups.google.com/d/msg/syzkaller/0HJQqTm0G_g/T931ItskBAAJ https://patchwork.kernel.org/patch/10046189 https://access.redhat.com/security/cve/CVE-2017-16648 https://bugzilla.redhat.com/show_bug.cgi?id=1516257 • CWE-416: Use After Free •
CVE-2017-16644
https://notcve.org/view.php?id=CVE-2017-16644
The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device. La función hdpvr_probe en drivers/media/usb/hdpvr/hdpvr-core.c en el kernel de Linux, en versiones hasta la 4.13.11, permite que los usuarios locales provoquen una denegación de servicio (gestión incorrecta de errores y cierre inesperado del sistema) o, posiblemente, causen otros impactos no especificados mediante un dispositivo USB manipulado. • http://www.securityfocus.com/bid/101842 https://groups.google.com/d/msg/syzkaller/ngC5SLvxPm4/gduhCARhAwAJ https://patchwork.kernel.org/patch/9966135 https://usn.ubuntu.com/3754-1 https://www.debian.org/security/2017/dsa-4073 • CWE-388: 7PK - Errors •