CVE-2018-12232 – kernel: NULL pointer dereference if close and fchownat system calls share a socket file descriptor
https://notcve.org/view.php?id=CVE-2018-12232
In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat does not increment the file descriptor reference count, which allows close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash. En net/socket.c en el kernel de Linux hasta la versión 4.17.1, hay una condición de carrera entre fchownat y close en los casos en los que apuntan al mismo descriptor de archivo socket. Esto está relacionado con las funciones sock_close y sockfs_setattr. fchownat no incrementa el conteo de referencia del descriptor de archivos, lo que permite que close establezca el socket como NULL durante la ejecución de fchownat lo que conduce a una desreferencia de puntero NULL y a un cierre inesperado del sistema. A NULL pointer dereference issue was found in the Linux kernel. If the close() and fchownat() system calls share a socket file descriptor as an argument, then the two calls can race and trigger a NULL pointer dereference leading to a system crash and a denial of service. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6d8c50dcb029872b298eea68cc6209c866fd3e14 http://www.securityfocus.com/bid/104453 https://access.redhat.com/errata/RHSA-2018:2948 https://github.com/torvalds/linux/commit/6d8c50dcb029872b298eea68cc6209c866fd3e14 https://lkml.org/lkml/2018/6/5/14 https://patchwork.ozlabs.org/patch/926519 https://usn.ubuntu.com/3752-1 https://usn.ubuntu.com/3752-2 https://usn.ubuntu.com/3752-3 https://access.redhat.com/security • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-476: NULL Pointer Dereference •
CVE-2018-1000200 – kernel: NULL pointer dereference on OOM kill of large mlocked process
https://notcve.org/view.php?id=CVE-2018-1000200
The Linux Kernel versions 4.14, 4.15, and 4.16 has a null pointer dereference which can result in an out of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process's final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas.This can happen synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked). Las versiones 4.14, 4.15 y 4.16 del kernel de Linux tienen una desreferencia de puntero NULL que puede resultar en agotamiento de memoria (OOM), cerrando grandes procesos bloqueados. El problema surge del hilo final de un proceso finalizado por un OOM que llama a exit_mmap(), el cual llama a munlock_vma_pages_all() para mlocked vmas. Esto puede ocurrir en sincronía con el rango unmap_page_range() del oom reaper ya que el bit VM_LOCKED del vma se borra antes del munlocking (para determinar si otros vmas comparten la memoria y son bloqueados). • http://seclists.org/oss-sec/2018/q2/67 http://www.securityfocus.com/bid/104397 https://access.redhat.com/errata/RHSA-2018:2948 https://access.redhat.com/security/cve/cve-2018-1000200 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=27ae357fa82be5ab73b2ef8d39dcb8ca2563483a https://marc.info/?l=linux-kernel&m=152400522806945 https://marc.info/?l=linux-kernel&m=152460926619256 https://usn.ubuntu.com/3752-1 https://usn.ubuntu.com/3752-2 https: • CWE-476: NULL Pointer Dereference •
CVE-2018-11508 – Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer
https://notcve.org/view.php?id=CVE-2018-11508
The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex. Se ha descubierto un problema en Moodle 3.x. Al sustituir URL en los portfolios, los usuarios pueden instanciar cualquier clase. Esto también puede ser explotado por usuarios que hayan iniciado sesión como invitados para lanzar un ataque DDoS. Linux kernel version 4.13 suffers from a compat_get_timex() kernel pointer leak vulnerability. • https://www.exploit-db.com/exploits/46208 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0a0b98734479aa5b3c671d5190e86273372cab95 http://www.securityfocus.com/bid/104292 https://bugs.chromium.org/p/project-zero/issues/detail?id=1574 https://github.com/torvalds/linux/commit/0a0b98734479aa5b3c671d5190e86273372cab95 https://usn.ubuntu.com/3695-1 https://usn.ubuntu.com/3695-2 https://usn.ubuntu.com/3697-1 https://usn.ubuntu.com/3697-2 https://www.kernel.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-11506 – kernel: Stack-based buffer overflow in drivers/scsi/sr_ioctl.c allows denial of service or other unspecified impact
https://notcve.org/view.php?id=CVE-2018-11506
The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call. La función sr_do_ioctl en drivers/scsi/sr_ioctl.c en el kernel de Linux hasta 4.16.12 permite a los usuarios locales causar una denegación de servicio (desbordamiento de búfer basado en pila) o, posiblemente, provocar otro impacto no especificado debido a que los búferes de sentido tienen diferentes tamaños en la capa de CDROM y en la capa SCSI, tal y como queda demostrado con una llamada ioctl CDROMREADMODE2. The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel allows local users to cause a denial of service via a stack-based buffer overflow or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f7068114d45ec55996b9040e98111afa56e010fe https://access.redhat.com/errata/RHSA-2018:2948 https://github.com/torvalds/linux/commit/f7068114d45ec55996b9040e98111afa56e010fe https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html https://twitter.com/efrmv/status/1001574894273007616 https://usn& • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2018-11412 – Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption
https://notcve.org/view.php?id=CVE-2018-11412
In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. En el kernel de Linux de la versión 4.13 hasta la 4.16.11, ext4_read_inline_data() en fs/ext4/inline.c realiza un memcpy con un valor de longitud no fiable en ciertas circunstancias que implica un sistema de archivos manipulado que almacena el valor de atributo extendido system.data en un nodo dedicado. The fs/ext4/inline.c:ext4_read_inline_data() function in the Linux kernel performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. The unbound copy can cause memory corruption or possible privilege escalation. Linux Kernel versions prior to 4.16.11 suffer from an ext4_read_inline_data() memory corruption vulnerability. • https://www.exploit-db.com/exploits/44832 http://www.securityfocus.com/bid/104291 https://access.redhat.com/errata/RHSA-2019:0525 https://bugs.chromium.org/p/project-zero/issues/detail?id=1580 https://bugzilla.kernel.org/show_bug.cgi?id=199803 https://usn.ubuntu.com/3752-1 https://usn.ubuntu.com/3752-2 https://usn.ubuntu.com/3752-3 https://access.redhat.com/security/cve/CVE-2018-11412 https://bugzilla.redhat.com/show_bug.cgi?id=1582358 • CWE-416: Use After Free CWE-805: Buffer Access with Incorrect Length Value •