CVE-2017-15299 – kernel: Incorrect updates of uninstantiated keys crash the kernel
https://notcve.org/view.php?id=CVE-2017-15299
The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call. El subsistema de claves KEYS en el kernel Linux hasta la versión 4.13.7 gestiona de manera incorrecta el uso de add_key para una clave que ya existe, pero no se ha probado, lo que permite que usuarios locales provoquen una denegación de servicio (desreferencia de puntero NULL y cierre inesperado del sistema) o que tengan un impacto sin especificar mediante una llamada del sistema manipulada. A vulnerability was found in the key management subsystem of the Linux kernel. An update on an uninstantiated key could cause a kernel panic, leading to denial of service (DoS). • https://access.redhat.com/errata/RHSA-2018:0654 https://bugzilla.redhat.com/show_bug.cgi?id=1498016 https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html https://marc.info/?t=150654188100001&r=1&w=2 https://marc.info/?t=150783958600011&r=1&w=2 https://usn.ubuntu.com/3798-1 https://usn.ubuntu.com/3798-2 https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg1499828.html https://access.redhat.com/security/cve/CVE-2017-15299 • CWE-476: NULL Pointer Dereference •
CVE-2017-15274 – kernel: dereferencing NULL payload with nonzero length
https://notcve.org/view.php?id=CVE-2017-15274
security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192. security/keys/keyctl.c en el kernel de Linux en versiones anteriores a la 4.11.5 no tiene en cuenta el caso de una carga útil NULL junto con un valor de longitud que no sea cero, lo que permite a usuarios locales provocar una denegación de servicio (desreferencia de puntero NULL and OOPS) mediante una llamada de sistema add_key o keyctl manipulada. Esta es una vulnerabilidad diferente a CVE-2017-12192. A flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops). • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5649645d725c73df4302428ee4e02c869248b4c5 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.5 http://www.securityfocus.com/bid/101292 https://access.redhat.com/errata/RHSA-2019:1946 https://bugzilla.suse.com/show_bug.cgi?id=1045327 https://github.com/torvalds/linux/commit/5649645d725c73df4302428ee4e02c869248b4c5 https://patchwork.kernel.org/patch/9781573 https://usn.ubuntu.com/3583-1 https://usn.ubuntu.com • CWE-476: NULL Pointer Dereference •
CVE-2017-12192 – kernel: NULL pointer dereference due to KEYCTL_READ on negative key
https://notcve.org/view.php?id=CVE-2017-12192
The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation. La función keyctl_read_key en security/keys/keyctl.c en el subcomponente Key Management en el kernel de Linux en versiones anteriores a la 4.13.5 no considera correctamente que se puede tener una clave instanciada negativamente, lo que permite que los usuarios locales provoquen una denegación de servicio (OOPS y cierre inesperado del sistema) mediante una operación KEYCTL_READ manipulada. A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on a negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=37863c43b2c6464f252862bf2e9768264e961678 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5 https://access.redhat.com/errata/RHSA-2018:0151 https://bugzilla.redhat.com/show_bug.cgi?id=1493435 https://github.com/torvalds/linux/commit/37863c43b2c6464f252862bf2e9768264e961678 https://lkml.org/lkml/2017/9/18/764 https://usn.ubuntu.com/3583-1 https://usn.ubuntu.com/3583-2 https://access.redhat.com • CWE-476: NULL Pointer Dereference •
CVE-2017-12188 – Kernel: KVM: MMU potential stack buffer overrun during page walks
https://notcve.org/view.php?id=CVE-2017-12188
arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an "MMU potential stack buffer overrun." arch/x86/kvm/mmu.c en el kernel de Linux hasta 4.13.5, cuando se utiliza la virtualización anidada, no atraviesa adecuadamente las entradas de la tabla de páginas invitadas para resolver una dirección virtual invitada, lo que permite a los usuarios del sistema operativo invitado L1 ejecutar código arbitrario en el sistema operativo host o provocar una denegación de servicio (índice incorrecto durante el recorrido de la página y falla del sistema operativo host), también conocido como "potencial desbordamiento de búfer en la región stack de la memoria de MMU". The Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization(nVMX) feature enabled (nested=1), was vulnerable to a stack buffer overflow issue. The vulnerability could occur while traversing guest page table entries to resolve guest virtual address(gva). An L1 guest could use this flaw to crash the host kernel resulting in denial of service (DoS) or potentially execute arbitrary code on the host to gain privileges on the system. • http://www.securityfocus.com/bid/101267 https://access.redhat.com/errata/RHSA-2018:0395 https://access.redhat.com/errata/RHSA-2018:0412 https://bugzilla.redhat.com/show_bug.cgi?id=1500380 https://patchwork.kernel.org/patch/9996579 https://patchwork.kernel.org/patch/9996587 https://access.redhat.com/security/cve/CVE-2017-12188 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-121: Stack-based Buffer Overflow •
CVE-2017-14991
https://notcve.org/view.php?id=CVE-2017-14991
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0. La función sg_ioctl en drivers/scsi/sg.c en el kernel de Linux en versiones anteriores a la 4.13.4 permite que los usuarios locales obtengan información sensible de zonas de la memoria dinámica del kernek no inicializadas mediante una llamada IOCTL SG_GET_REQUEST_TABLE a /dev/sg0. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3e0097499839e0fe3af380410eababe5a47c4cf9 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.4 http://www.securityfocus.com/bid/101187 https://github.com/torvalds/linux/commit/3e0097499839e0fe3af380410eababe5a47c4cf9 https://usn.ubuntu.com/3754-1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •