CVE-2015-1593 – kernel: Linux stack ASLR implementation Integer overflow
https://notcve.org/view.php?id=CVE-2015-1593
The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c. La característica de aleatoriedad de la pila en el Kernel de Linux anterior a 3.19.1 en plataformas de 64-bits utiliza un tipo de datos incorrecto por el resultado de operaciones de bitwise left-shift, lo que hace que sea más fácil para atacantes evadir el mecanismo de protección ASLR prediciendo direcciones del tope de la pila, relacionado con la función andomize_stack_top en fs/binfmt_elf.c y la función stack_maxrandom_size en arch/x86/mm/mmap.c. An integer overflow flaw was found in the way the Linux kernel randomized the stack for processes on certain 64-bit architecture systems, such as x86-64, causing the stack entropy to be reduced by four. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 http://hmarco.org/bugs/linux-ASLR-integer-overflow.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://rhn.redhat.com/errata/RHSA-2015-1137.html http://rhn.redhat.com/errata/RHSA-2015-1138.html http://rhn.redhat.com/errata/RHSA-2015-1221.html http://www.debi • CWE-190: Integer Overflow or Wraparound CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-5332
https://notcve.org/view.php?id=CVE-2014-5332
Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox. Condición de carrera en NVMap en NVIDIA Tegra Linux Kernel 3.10 permite a usuarios locales obtener privilegios a través de una llamada IOCTL NVMAP_IOC_CREATE manipulada, lo que desencadena un error de uso después de liberación de memoria, según lo demostrado mediante el uso de una condición de carrera para escapar del sandbox de Chrome. • http://googleprojectzero.blogspot.com/2015/01/exploiting-nvmap-to-escape-chrome.html http://nvidia.custhelp.com/app/answers/detail/a_id/3618 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2014-7822 – Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service
https://notcve.org/view.php?id=CVE-2014-7822
The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem. La implementación de ciertas operaciones de archivo splice_write en el kernel de Linux anterior a 3.16 no fuerza una restricción en el tamaño máximo de un archivo, lo que permite a usaurios locales causar una denegación de servicio (caída del sistema) o la posibilidad de tener otro impacto no especificado a través de llamadas anidadas al sistema modificadas, como se ha demostrado mediante el uso de un archivo descriptor asociado con sistemas de ficheros ext4. A flaw was found in the way the Linux kernel's splice() system call validated its parameters. On certain file systems, a local, unprivileged user could use this flaw to write past the maximum file size, and thus crash the system. • https://www.exploit-db.com/exploits/36743 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=8d0207652cbe27d1f962050737848e5ad4671958 http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00008.html http://lists.opensuse.org/opensuse-security-ann • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-9584 – kernel: isofs: unchecked printing of ER records
https://notcve.org/view.php?id=CVE-2014-9584
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image. La función parse_rock_ridge_inode_internal en fs/isofs/rock.c en el kernel de Linux anterior a 3.18.2 no valida un valor de longitud en el campo Extensions Reference (ER) System Use, lo que permite a usuarios locales obtener información sensible de la memoria del kernel a través de una imagen iso9660 manipulada. An information leak flaw was found in the way the Linux kernel's ISO9660 file system implementation accessed data on an ISO9660 image with RockRidge Extension Reference (ER) records. An attacker with physical access to the system could use this flaw to disclose up to 255 bytes of kernel memory. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=4e2024624e678f0ebb916e6192bd23c1f9fdf696 http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html http://lists.o • CWE-20: Improper Input Validation •
CVE-2014-9585 – kernel: ASLR bruteforce possible for vdso library
https://notcve.org/view.php?id=CVE-2014-9585
The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD. La función vdso_addr en arch/x86/vdso/vma.c en el kernel de Linux hasta 3.18.2 no elige correctamente localizaciones de memoria para la área vDSO, lo que facilita a usuarios locales evadir el mecanismo de protección ASLR mediante la adivinación de una localización al final de un PMD. An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. • http://git.kernel.org/?p=linux/kernel/git/luto/linux.git%3Ba=commit%3Bh=bc3b94c31d65e761ddfe150d02932c65971b74e2 http://git.kernel.org/?p=linux/kernel/git/tip/tip.git%3Ba=commit%3Bh=fbe1bf140671619508dfa575d74a185ae53c5dbb http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148480.html http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg0 •