Page 523 of 4720 results (0.013 seconds)

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 1

An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls. • https://bugzilla.kernel.org/show_bug.cgi?id=200189 https://github.com/lcytxw/bug_repro/tree/master/bug_200189 https://github.com/torvalds/linux/commit/78c9c4dfbf8c04883941445a195276bb4bb92c76 https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html https://usn.ubuntu.com/3847-1 https://usn.ubuntu.com/3847-2 https://usn.ubuntu.com/3847- • CWE-190: Integer Overflow or Wraparound •

CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0

The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used. La función alarm_timer_nsleep en kernel/time/alarmtimer.c en el kernel de Linux hasta la versión 4.17.3 tiene un desbordamiento de enteros a través de un tiempo de espera relativo grande porque no se utiliza ktime_add_safe. A flaw was found in the alarm_timer_nsleep() function in kernel/time/alarmtimer.c in the Linux kernel. The ktime_add_safe() function is not used and an integer overflow can happen causing an alarm not to fire or possibly a denial-of-service if using a large relative timeout. • http://www.securityfocus.com/bid/104671 https://access.redhat.com/errata/RHSA-2019:0831 https://access.redhat.com/errata/RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2043 https://bugzilla.kernel.org/show_bug.cgi?id=200303 https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=5f936e19cc0ef97dbe3a56e9498922ad5ba1edef https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html https • CWE-190: Integer Overflow or Wraparound •

CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 2

In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL. En arch/x86/kvm/vmx.c en el kernel de Linux en versiones anteriores a la 4.17.2, cuando se emplea la virtualización anidada, los atacantes locales podrían hacer que los invitados L1 KVM realizasen un VMEXIT, permitiendo escalados de privilegios y ataques de denegación de servicio (DoS) debido a la falta de comprobación de CPL. • https://www.exploit-db.com/exploits/44944 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=727ba748e110b4de50d142edca9d6a9b7e6111d8 https://bugs.chromium.org/p/project-zero/issues/detail?id=1589 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.2 https://github.com/torvalds/linux/commit/727ba748e110b4de50d142edca9d6a9b7e6111d8 https://usn.ubuntu.com/3752-1 https://usn.ubuntu.com/3752-2 https://usn.ubuntu.com/3752-3 •

CVSS: 6.3EPSS: 0%CPEs: 5EXPL: 0

Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00043.html http://www.openwall.com/lists/oss-security/2018/06/26/3 https://access.redhat.com/errata/RHSA-2018:2948 https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html https://usn.ubuntu.com/3696-1& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0

An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (hdr.size_in and hdr.size_out) in the header between the two fetches because of a race condition, leading to severe kernel errors, such as buffer over-accesses. This bug can cause a local denial of service and information leakage. Se ha descubierto un problema en el kernel de Linux hasta la versión 4.17.2. vbg_misc_device_ioctl() en drivers/virt/vboxguest/vboxguest_linux.c lee los mismos datos de usuario dos veces con copy_from_user. La cabecera de los datos de usuario es de tipo double-fetch y un hilo de usuario malicioso puede falsificar las variables críticas (hdr.size_in y hdr.size_out) en la cabecera entre los dos fetch debido a una condición de carrera. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd23a7269834dc7c1f93e83535d16ebc44b75eba https://bugzilla.kernel.org/show_bug.cgi?id=200131 https://github.com/torvalds/linux/commit/bd23a7269834dc7c1f93e83535d16ebc44b75eba • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •