CVE-2019-6974 – Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference
https://notcve.org/view.php?id=CVE-2019-6974
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free. En el kernel de Linux en versiones anteriores a la 4.20.8, kvm_ioctl_create_device en virt/kvm/kvm_main.c gestiona de manera incorrecta el conteo de referencias debido a una condición de carrera, lo que conduce a un uso de memoria previamente liberada. A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object, later this reference is transferred to the caller's file descriptor table. If such file descriptor was to be closed, reference count to the VM object could become zero, potentially leading to a use-after-free issue. • https://www.exploit-db.com/exploits/46388 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cfa39381173d5f969daf43582c95ad679189cbc9 http://www.securityfocus.com/bid/107127 https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:0818 https://access.redhat.com/errata/RHSA-2019:0833 https://access.redhat.com/errata/RHSA-2019:2809 https://access.redhat.com/errata/RHSA-2019:3967 https://access.redhat.com/errata/RHSA-2020:0103 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVE-2019-7308 – Linux Insufficient eBPF Spectre V1 Mitigation
https://notcve.org/view.php?id=CVE-2019-7308
kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks. En el kernel de Linux, en versiones anteriores a la 4.20.6, "kernel/bpf/verifier.c" realiza especulaciones fuera de límites no deseables en la aritmética de punteros en varias ocasiones, incluyendo casos de diferentes ramas con distintos estados o límites que hay que sanear, conduciendo a ataques de canal lateral. It has been discovered that the Linux eBPF Spectre v1 mitigation is insufficient. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=979d63d50c0c0f7bc537bf821e056cc9fe5abd38 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d3bd7413e0ca40b60cf60d4003246d067cafdeda http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00052.html http://www.securityfocus.com/bid/106827 https://bugs.chromium.org/p/project-zero/issues/detail?id=1711 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.6 https://github.com/torvalds/ • CWE-189: Numeric Errors •
CVE-2018-19985 – kernel: oob memory read in hso_probe in drivers/net/usb/hso.c
https://notcve.org/view.php?id=CVE-2018-19985
The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space. La función hso_get_config_data en drivers/net/usb/hso.c en el kernel de Linux, hasta la versión 4.19.8, lee if_num desde el dispositivo USB (como un u8) y lo emplea para indexar un array pequeño, lo que resulta en una lectura de objetos fuera de límites (OOB) que podría permitir la lectura arbitraria en el espacio de direcciones del kernel. A flaw was found in the Linux kernel in the function hso_probe() which reads if_num value from the USB device (as an u8) and uses it without a length check to index an array, resulting in an OOB memory read in hso_probe() or hso_get_config_data(). An attacker with a forged USB device and physical access to a system (needed to connect such a device) can cause a system crash and a denial of service. • http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00007.html http://packetstormsecurity.com/files/151420/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3517 https://hexhive.epfl.ch/projects/perifuzz https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html https://lists.debian.org/debian-lts-an • CWE-125: Out-of-bounds Read •
CVE-2017-18360 – kernel: Division by zero in change_port_settings in drivers/usb/serial/io_ti.c resulting in a denial of service
https://notcve.org/view.php?id=CVE-2017-18360
In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates. En change_port_settings en drivers/usb/serial/io_ti.c en el kernel de Linux, en versiones anteriores a la 4.11.3, los usuarios locales podrían provocar una denegación de servicio (DoS) por medio de una división entre cero en la capa del dispositivo en serie intentando establecer tasas de baudio muy altas. A division-by-zero in set_termios(), when debugging is enabled, was found in the Linux kernel. When the [io_ti] driver is loaded, a local unprivileged attacker can request incorrect high transfer speed in the change_port_settings() in the drivers/usb/serial/io_ti.c so that the divisor value becomes zero and causes a system crash resulting in a denial of service. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6aeb75e6adfaed16e58780309613a578fe1ee90b http://www.securityfocus.com/bid/106802 https://bugzilla.suse.com/show_bug.cgi?id=1123706 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.3 https://github.com/torvalds/linux/commit/6aeb75e6adfaed16e58780309613a578fe1ee90b https://usn.ubuntu.com/3933-1 https://usn.ubuntu.com/3933-2 https://access.redhat.com/security/cve/CVE-2017-18360 https://bugzilla.redhat.co • CWE-369: Divide By Zero •
CVE-2019-5489 – Kernel: page cache side channel attacks
https://notcve.org/view.php?id=CVE-2019-5489
The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. La implementación mincore() en mm/mincore.c en el kernel de Linux hasta la versión 4.19.13 permitía a los atacantes observar patrones de acceso a las páginas de caché de otros procesos en el mismo sistema, permitiendo el esnifado de información secreta. (Su arreglo afecta a la salida del programa fincore.) • https://github.com/mmxsrup/CVE-2019-5489 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00071.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00048.html http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-pagecache-en http://www.securityfocus.com/bid/106478 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-319: Cleartext Transmission of Sensitive Information •