CVE-2017-7308 – Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-7308
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow resulting in a system crash or a privilege escalation.
• https://www.exploit-db.com/exploits/44654
• https://www.exploit-db.com/exploits/41994
• https://www.exploit-db.com/exploits/47168
• https://github.com/anldori/CVE-2017-7308
• http://www.securityfocus.com/bid/97234
• https://access.redhat.com/errata/RHSA-2017:1297
• https://access.redhat.com/errata/RHSA-2017:1298
• https://access.redhat.com/errata/RHSA-2017:1308
• https://access.redhat.com/errata/RHSA-2018:1854
• https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-pa
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• CWE-681: Incorrect Conversion between Numeric Types
• CWE-787: Out-of-bounds Write
CVE-2017-7294 – kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
https://notcve.org/view.php?id=CVE-2017-7294
The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device.
An out-of-bounds write vulnerability was found in the Linux kernel's vmw_surface_define_ioctl() function, in the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
• http://www.securityfocus.com/bid/97177
• https://access.redhat.com/errata/RHSA-2018:0676
• https://access.redhat.com/errata/RHSA-2018:1062
• https://bugzilla.redhat.com/show_bug.cgi?id=1436798
• https://lists.freedesktop.org/archives/dri-devel/2017-March/137094.html
• https://access.redhat.com/security/cve/CVE-2017-7294
• CWE-20: Improper Input Validation
• CWE-190: Integer Overflow or Wraparound
• CWE-787: Out-of-bounds Write
CVE-2017-7277
https://notcve.org/view.php?id=CVE-2017-7277
The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel's internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c.
• http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4ef1b2869447411ad3ef91ad7d4891a83c1a509a
• http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8605330aac5a5785630aec8f64378a54891937cc
• http://www.securityfocus.com/bid/97141
• https://github.com/torvalds/linux/commit/4ef1b2869447411ad3ef91ad7d4891a83c1a509a
• https://github.com/torvalds/linux/commit/8605330aac5a5785630aec8f64378a54891937cc
• https://lkml.org/lkml/2017/3/15/485
• https://patchwork.ozlabs.org/patch/740636
• https://patchwor
• CWE-125: Out-of-bounds Read
CVE-2017-7261
https://notcve.org/view.php?id=CVE-2017-7261
The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.
• http://marc.info/?t=149037004200005&r=1&w=2
• http://www.securityfocus.com/bid/97096
• https://bugzilla.redhat.com/show_bug.cgi?id=1435719
• https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html
• CWE-20: Improper Input Validation
CVE-2017-7187 – kernel: scsi: Stack-based buffer overflow in sg_ioctl function
https://notcve.org/view.php?id=CVE-2017-7187
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impacts via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.
• http://www.securityfocus.com/bid/96989
• http://www.securitytracker.com/id/1038086
• https://access.redhat.com/errata/RHSA-2017:1842
• https://access.redhat.com/errata/RHSA-2017:2077
• https://access.redhat.com/errata/RHSA-2017:2669
• https://gist.github.com/dvyukov/48ad14e84de45b0be92b7f0eda20ff1b
• https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.11/scsi-fixes&id=bf33f87dd04c371ea33feb821b60d63d754e3124
• https://source.android.com/security/bulletin/pixel/2017-10-01
• https:/
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-121: Stack-based Buffer Overflow