ID CVE-2013-2141
Summary The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.
References
Vulnerable Configurations
  • Linux Kernel 3.8.0
    cpe:2.3:o:linux:linux_kernel:3.8.0
  • Linux Kernel 3.8.1
    cpe:2.3:o:linux:linux_kernel:3.8.1
  • Linux Kernel 3.8.2
    cpe:2.3:o:linux:linux_kernel:3.8.2
  • Linux Kernel 3.8.3
    cpe:2.3:o:linux:linux_kernel:3.8.3
  • Linux Kernel 3.8.4
    cpe:2.3:o:linux:linux_kernel:3.8.4
  • Linux Kernel 3.8.5
    cpe:2.3:o:linux:linux_kernel:3.8.5
  • Linux Kernel 3.8.6
    cpe:2.3:o:linux:linux_kernel:3.8.6
  • Linux Kernel 3.8.7
    cpe:2.3:o:linux:linux_kernel:3.8.7
  • Linux Kernel 3.8.8
    cpe:2.3:o:linux:linux_kernel:3.8.8
CVSS
Base: 2.1 (as of 07-06-2013 - 13:42)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-176.NASL
    description Multiple vulnerabilities has been found and corrected in the Linux kernel : The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application. (CVE-2013-1979) The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3232) net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3235) The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3234) The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3233) The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3231) The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3229) The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3228) The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3227) The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3225) The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3224) The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3223) The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3222) Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program. (CVE-2013-2596) arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit. (CVE-2013-2146) The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. (CVE-2013-2094) The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (CVE-2013-1798) Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (CVE-2013-1797) The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (CVE-2013-1796) The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (CVE-2013-2141) Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure. (CVE-2013-1929) The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669. (CVE-2012-5532) The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6548) The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (CVE-2012-6549) net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2013-2634) The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2013-2635) fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application. (CVE-2013-1848) The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (CVE-2013-0914) Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device. (CVE-2013-1860) Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (CVE-2013-1792) The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2546) The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2547) The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2548) The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges. (CVE-2013-0311) Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message. (CVE-2013-1763) The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application. (CVE-2013-0290) Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (CVE-2013-1767) The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application. (CVE-2013-0228) Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions. (CVE-2013-0217) The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (CVE-2013-0216) The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (CVE-2012-6547) The updated packages provides a solution for these security issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 66975
    published 2013-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66975
    title Mandriva Linux Security Advisory : kernel (MDVSA-2013:176)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2013-1832-1.NASL
    description The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll up update to fix lots of moderate security issues and several bugs. The Following security issues have been fixed : CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password. CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. CVE-2013-0160: The Linux kernel allowed local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel did not properly initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3235: net/tipc/socket.c in the Linux kernel did not initialize a certain data structure and a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-1827: net/dccp/ccid.h in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application. CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6546: The ATM implementation in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel memory via a crafted application. CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel had an incorrect return value in certain circumstances, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel did not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. CVE-2011-2492: The bluetooth subsystem in the Linux kernel did not properly initialize certain data structures, which allowed local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel did not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel on unspecified architectures lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and 'updating a negative key into a fully instantiated key.' CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. CVE-2009-4020: Stack-based buffer overflow in the hfs subsystem in the Linux kernel allowed remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c. CVE-2011-2928: The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem. CVE-2011-4077: Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel, when CONFIG_XFS_DEBUG is disabled, allowed local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname. CVE-2011-4324: The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem. CVE-2011-4330: Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field. CVE-2011-1172: net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. CVE-2011-2525: The qdisc_notify function in net/sched/sch_api.c in the Linux kernel did not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call. CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets. CVE-2011-1171: net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. CVE-2011-1170: net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. CVE-2011-3209: The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel on the x86 platform allowed local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call. CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880. CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating 0 character. CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets. CVE-2011-2203: The hfs_find_init function in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record. CVE-2009-4067: A USB string descriptor overflow in the auerwald USB driver was fixed, which could be used by physically proximate attackers to cause a kernel crash. CVE-2011-3363: The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel did not properly handle DFS referrals, which allowed remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share. CVE-2011-2484: The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application. CVE-2011-4132: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel allowed local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an 'invalid log first block value.' CVE-2010-4249: The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets. The following bugs have been fixed : patches.fixes/allow-executables-larger-than-2GB.patch: Allow executables larger than 2GB (bnc#836856). cio: prevent kernel panic after unexpected I/O interrupt (bnc#649868,LTC#67975). - cio: Add timeouts for internal IO (bnc#701550,LTC#72691). kernel: first time swap use results in heavy swapping (bnc#701550,LTC#73132). qla2xxx: Do not be so verbose on underrun detected patches.arch/i386-run-tsc-calibration-5-times.patch: Fix the patch, the logic was wrong (bnc#537165, bnc#826551). xfs: Do not reclaim new inodes in xfs_sync_inodes() (bnc#770980 bnc#811752). kbuild: Fix gcc -x syntax (bnc#773831). e1000e: stop cleaning when we reach tx_ring->next_to_use (bnc#762825). Fix race condition about network device name allocation (bnc#747576). kdump: bootmem map over crash reserved region (bnc#749168, bnc#722400, bnc#742881). tcp: fix race condition leading to premature termination of sockets in FIN_WAIT2 state and connection being reset (bnc#745760) tcp: drop SYN+FIN messages (bnc#765102). net/linkwatch: Handle jiffies wrap-around (bnc#740131). patches.fixes/vm-dirty-bytes: Provide /proc/sys/vm/dirty_{background_,}bytes for tuning (bnc#727597). ipmi: Fix deadlock in start_next_msg() (bnc#730749). cpu-hotplug: release workqueue_mutex properly on CPU hot-remove (bnc#733407). libiscsi: handle init task failures (bnc#721351). NFS/sunrpc: do not use a credential with extra groups (bnc#725878). x86_64: fix reboot hang when 'reboot=b' is passed to the kernel (bnc#721267). nf_nat: do not add NAT extension for confirmed conntracks (bnc#709213). xfs: fix memory reclaim recursion deadlock on locked inode buffer (bnc#699355 bnc#699354 bnc#721830). ipmi: do not grab locks in run-to-completion mode (bnc#717421). cciss: do not attempt to read from a write-only register (bnc#683101). qla2xxx: Disable MSI-X initialization (bnc#693513). Allow balance_dirty_pages to help other filesystems (bnc#709369). - nfs: fix congestion control (bnc#709369). - NFS: Separate metadata and page cache revalidation mechanisms (bnc#709369). knfsd: nfsd4: fix laundromat shutdown race (bnc#752556). x87: Do not synchronize TSCs across cores if they already should be synchronized by HW (bnc#615418 bnc#609220). reiserfs: Fix int overflow while calculating free space (bnc#795075). af_unix: limit recursion level (bnc#656153). bcm43xx: netlink deadlock fix (bnc#850241). jbd: Issue cache flush after checkpointing (bnc#731770). cfq: Fix infinite loop in cfq_preempt_queue() (bnc#724692). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 83603
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83603
    title SUSE SLES10 Security Update : kernel (SUSE-SU-2013:1832-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0287-1.NASL
    description This is a SUSE Linux Enterprise Server 11 SP1 LTSS roll up update to fix a lot of security issues and non-security bugs. The following security bugs have been fixed : CVE-2011-3593: A certain Red Hat patch to the vlan_hwaccel_do_receive function in net/8021q/vlan_core.c in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows remote attackers to cause a denial of service (system crash) via priority-tagged VLAN frames. (bnc#735347) CVE-2012-1601: The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists. (bnc#754898) CVE-2012-2137: Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function. (bnc#767612) CVE-2012-2372: The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interfaces own IP address, as demonstrated by rds-ping. (bnc#767610) CVE-2012-2745: The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call. (bnc#770695) CVE-2012-3375: The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083. (bnc#769896) CVE-2012-3412: The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value. (bnc#774523) CVE-2012-3430: The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket. (bnc#773383) CVE-2012-3511: Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call. (bnc#776885) CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. (bnc#789831) CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#786013) CVE-2012-4565: The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats. (bnc#787576) CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6538: The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux kernel before 3.6 uses an incorrect C library function for copying a string, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891) CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892) CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893) CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894) CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898) CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. (bnc#809899) CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900) CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901) CVE-2012-6548: The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809902) CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903) CVE-2013-0160: The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. (bnc#797175) CVE-2013-0216: The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (bnc#800280)(XSA-39) CVE-2013-0231: The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third-party information. (bnc#801178)(XSA-43) CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. (bnc#802642) CVE-2013-0310: The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call. (bnc#804653) CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226) CVE-2013-0349: The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call. (bnc#805227) CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. (bnc#804154) CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827) CVE-2013-1767: Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (bnc#806138) CVE-2013-1773: Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion. (bnc#806977) CVE-2013-1774: The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (bnc#806976) CVE-2013-1792: Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (bnc#808358) CVE-2013-1796: The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (bnc#806980) CVE-2013-1797: Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (bnc#806980) CVE-2013-1798: The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (bnc#806980) CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. (bnc#811354) CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. (bnc#813735) CVE-2013-1943: The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guests physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c. (bnc#828012) CVE-2013-2015: The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test. (bnc#817377) CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (bnc#823267) CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. (bnc#823260) CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295) CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750) CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (bnc#827749) CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119) CVE-2013-2634: net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#810473) CVE-2013-2851: Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (bnc#822575) CVE-2013-2852: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. (bnc#822579) CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839) CVE-2013-2889: drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2892: drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839) CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839) CVE-2013-2929: The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. (bnc#847652) CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3225: The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-4345: Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data. (bnc#840226) CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321) CVE-2013-4511: Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c. (bnc#849021) CVE-2013-4587: Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (bnc#853050) CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095) CVE-2013-4591: Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a getxattr system call for the system.nfs4_acl extended attribute of a pathname on an NFSv4 filesystem. (bnc#851103) CVE-2013-6367: The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (bnc#853051) CVE-2013-6368: The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (bnc#853052) CVE-2013-6378: The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (bnc#852559) CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558) CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) Also the following non-security bugs have been fixed : - x86: Clear HPET configuration registers on startup (bnc#748896). - sched: fix divide by zero in task_utime() (bnc#761774). - sched: Fix pick_next_highest_task_rt() for cgroups (bnc#760596). - mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables. - mm: hugetlbfs: Correctly detect if page tables have just been shared. (Fix bad PMD message displayed while using hugetlbfs (bnc#762366)). - cpumask: Partition_sched_domains takes array of cpumask_var_t (bnc#812364). - cpumask: Simplify sched_rt.c (bnc#812364). - kabi: protect bind_conflict callback in struct inet_connection_sock_af_ops (bnc#823618). - memcg: fix init_section_page_cgroup pfn alignment (bnc#835481). - tty: fix up atime/mtime mess, take three (bnc#797175). - tty: fix atime/mtime regression (bnc#815745). - ptrace: ptrace_resume() should not wake up !TASK_TRACED thread (bnc#804154). - kbuild: Fix gcc -x syntax (bnc#773831). - ftrace: Disable function tracing during suspend/resume and hibernation, again (bnc#768668). proc: fix pagemap_read() error case (bnc#787573). net: Upgrade device features irrespective of mask (bnc#715250). - tcp: bind() fix autoselection to share ports (bnc#823618). - tcp: bind() use stronger condition for bind_conflict (bnc#823618). - tcp: ipv6: bind() use stronger condition for bind_conflict (bnc#823618). - netfilter: use RCU safe kfree for conntrack extensions (bnc#827416). - netfilter: prevent race condition breaking net reference counting (bnc#835094). - netfilter: send ICMPv6 message on fragment reassembly timeout (bnc#773577). - netfilter: fix sending ICMPv6 on netfilter reassembly timeout (bnc#773577). - tcp_cubic: limit delayed_ack ratio to prevent divide error (bnc#810045). bonding: in balance-rr mode, set curr_active_slave only if it is up (bnc#789648). scsi: Add 'eh_deadline' to limit SCSI EH runtime (bnc#798050). - scsi: Allow error handling timeout to be specified (bnc#798050). - scsi: Fixup compilation warning (bnc#798050). - scsi: Retry failfast commands after EH (bnc#798050). - scsi: Warn on invalid command completion (bnc#798050). - scsi: Always retry internal target error (bnc#745640, bnc#825227). - scsi: kABI fixes (bnc#798050). - scsi: remove check for 'resetting' (bnc#798050). - scsi: Eliminate error handler overload of the SCSI serial number (bnc#798050). - scsi: Reduce error recovery time by reducing use of TURs (bnc#798050). - scsi: Reduce sequential pointer derefs in scsi_error.c and reduce size as well (bnc#798050). - scsi: cleanup setting task state in scsi_error_handler() (bnc#798050). - scsi: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations) (bnc#798050). scsi: fix id computation in scsi_eh_target_reset() (bnc#798050). advansys: Remove 'last_reset' references (bnc#798050). - dc395: Move 'last_reset' into internal host structure (bnc#798050). - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050). - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset (bnc#798050). - fc class: fix scanning when devs are offline (bnc#798050). tmscsim: Move 'last_reset' into host structure (bnc#798050). st: Store page order before driver buffer allocation (bnc#769644). - st: Increase success probability in driver buffer allocation (bnc#769644). st: work around broken __bio_add_page logic (bnc#769644). avoid race by ignoring flush_time in cache_check (bnc#814363). writeback: remove the internal 5% low bound on dirty_ratio - writeback: skip balance_dirty_pages() for in-memory fs (Do not dirty throttle ram-based filesystems (bnc#840858)). writeback: Do not sync data dirtied after sync start (bnc#833820). blkdev_max_block: make private to fs/buffer.c (bnc#820338). - vfs: avoid 'attempt to access beyond end of device' warnings (bnc#820338). vfs: fix O_DIRECT read past end of block device (bnc#820338). lib/radix-tree.c: make radix_tree_node_alloc() work correctly within interrupt (bnc#763463). xfs: allow writeback from kswapd (bnc#826707). - xfs: skip writeback from reclaim context (bnc#826707). - xfs: Serialize file-extending direct IO (bnc#818371). - xfs: Avoid pathological backwards allocation (bnc#805945). xfs: fix inode lookup race (bnc#763463). cifs: clarify the meaning of tcpStatus == CifsGood (bnc#776024). cifs: do not allow cifs_reconnect to exit with NULL socket pointer (bnc#776024). ocfs2: Add a missing journal credit in ocfs2_link_credits() -v2 (bnc#773320). usb: Fix deadlock in hid_reset when Dell iDRAC is reset (bnc#814716). usb: xhci: Fix command completion after a drop endpoint (bnc#807320). netiucv: Hold rtnl between name allocation and device registration (bnc#824159). rwsem: Test for no active locks in __rwsem_do_wake undo code (bnc#813276). nfs: NFSv3/v2: Fix data corruption with NFS short reads (bnc#818337). - nfs: Allow sec=none mounts in certain cases (bnc#795354). - nfs: Make nfsiod a multi-thread queue (bnc#815352). - nfs: increase number of permitted callback connections (bnc#771706). - nfs: Fix Oops in nfs_lookup_revalidate (bnc#780008). - nfs: do not allow TASK_KILLABLE sleeps to block the freezer (bnc#775182). nfs: Avoid race in d_splice_alias and vfs_rmdir (bnc#845028). svcrpc: take lock on turning entry NEGATIVE in cache_check (bnc#803320). - svcrpc: ensure cache_check caller sees updated entry (bnc#803320). - sunrpc/cache: remove races with queuing an upcall (bnc#803320). - sunrpc/cache: use cache_fresh_unlocked consistently and correctly (bnc#803320). - sunrpc/cache: ensure items removed from cache do not have pending upcalls (bnc#803320). - sunrpc/cache: do not schedule update on cache item that has been replaced (bnc#803320). sunrpc/cache: fix test in try_to_negate (bnc#803320). xenbus: fix overflow check in xenbus_dev_write(). - x86: do not corrupt %eip when returning from a signal handler. - scsiback/usbback: move cond_resched() invocations to proper place. netback: fix netbk_count_requests(). dm: add dm_deleting_md function (bnc#785016). - dm: bind new table before destroying old (bnc#785016). - dm: keep old table until after resume succeeded (bnc#785016). dm: rename dm_get_table to dm_get_live_table (bnc#785016). drm/edid: Fix up partially corrupted headers (bnc#780004). drm/edid: Retry EDID fetch up to four times (bnc#780004). i2c-algo-bit: Fix spurious SCL timeouts under heavy load (bnc#780004). hpilo: remove pci_disable_device (bnc#752544). mptsas: handle 'Initializing Command Required' ASCQ (bnc#782178). mpt2sas: Fix race on shutdown (bnc#856917). ipmi: decrease the IPMI message transaction time in interrupt mode (bnc#763654). - ipmi: simplify locking (bnc#763654). ipmi: use a tasklet for handling received messages (bnc#763654). bnx2x: bug fix when loading after SAN boot (bnc#714906). bnx2x: previous driver unload revised (bnc#714906). ixgbe: Address fact that RSC was not setting GSO size for incoming frames (bnc#776144). ixgbe: pull PSRTYPE configuration into a separate function (bnc#780572 bnc#773640 bnc#776144). e1000e: clear REQ and GNT in EECD (82571 && 82572) (bnc#762099). hpsa: do not attempt to read from a write-only register (bnc#777473). aio: Fixup kABI for the aio-implement-request-batching patch (bnc#772849). - aio: bump i_count instead of using igrab (bnc#772849). aio: implement request batching (bnc#772849). Driver core: Do not remove kobjects in device_shutdown (bnc#771992). resources: fix call to alignf() in allocate_resource() (bnc#744955). - resources: when allocate_resource() fails, leave resource untouched (bnc#744955). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83611
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83611
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1292-1.NASL
    description From Red Hat Security Advisory 2013:1292 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-4162, Moderate) * An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2013-2141, Low) Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4162. This update also fixes the following bugs : * A bug in the be2net driver prevented communication between NICs using be2net. This update applies a patch addressing this problem along with several other upstream patches that fix various other problems. Traffic between NICs using the be2net driver now proceeds as expected. (BZ#983864) * A recent patch fixing a problem that prevented communication between NICs using the be2net driver caused the firmware of NICs to become unresponsive, and thus triggered a kernel panic. The problem was caused by unnecessary usage of a hardware workaround that allows skipping VLAN tag insertion. A patch has been applied and the workaround is now used only when the multi-channel configuration is enabled on the NIC. Note that the bug only affected the NICs with firmware version 4.2.xxxx. (BZ#999819) * A bug in the autofs4 mount expiration code could cause the autofs4 module to falsely report a busy tree of NFS mounts as 'not in use'. Consequently, automount attempted to unmount the tree and failed with a 'failed to umount offset' error, leaving the mount tree to appear as empty directories. A patch has been applied to remove an incorrectly used autofs dentry mount check and the aforementioned problem no longer occurs. (BZ#1001488) * A race condition in the be_open function in the be2net driver could trigger the BUG_ON() macro, which resulted in a kernel panic. A patch addressing this problem has been applied and the race condition is now avoided by enabling polling before enabling interrupts globally. The kernel no longer panics in this situation. (BZ#1005239) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 70186
    published 2013-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70186
    title Oracle Linux 5 : kernel (ELSA-2013-1292-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0536-1.NASL
    description The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS kernel has been updated to fix various security issues and several bugs. The following security issues have been addressed : CVE-2011-2492: The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. (bnc#702014) CVE-2011-2494: kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password. (bnc#703156) CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891) CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892) CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893) CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894) CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898) CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. (bnc#809899) CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900) CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901) CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903) CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226) CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827) CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. (bnc#811354) CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (bnc#823267) CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295) CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. (bnc#826102) CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750) CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (bnc#827749) CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119) CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839) CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839) CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839) CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-4162: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (bnc#831058) CVE-2013-4387: net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. (bnc#843430) CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321) CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095) CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558) CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) Also the following non-security bugs have been fixed : - kernel: Remove newline from execve audit log (bnc#827855). - kernel: sclp console hangs (bnc#830344, LTC#95711). - kernel: fix flush_tlb_kernel_range (bnc#825052, LTC#94745). kernel: lost IPIs on CPU hotplug (bnc#825052, LTC#94784). sctp: deal with multiple COOKIE_ECHO chunks (bnc#826102). - net: Uninline kfree_skb and allow NULL argument (bnc#853501). - netback: don't disconnect frontend when seeing oversize packet. netfront: reduce gso_max_size to account for max TCP header. fs/dcache: Avoid race in d_splice_alias and vfs_rmdir (bnc#845028). - fs/proc: proc_task_lookup() fix memory pinning (bnc#827362 bnc#849765). - blkdev_max_block: make private to fs/buffer.c (bnc#820338). - vfs: avoid 'attempt to access beyond end of device' warnings (bnc#820338). - vfs: fix O_DIRECT read past end of block device (bnc#820338). - cifs: don't use CIFSGetSrvInodeNumber in is_path_accessible (bnc#832603). - xfs: Fix kABI breakage caused by AIL list transformation (bnc#806219). - xfs: Replace custom AIL linked-list code with struct list_head (bnc#806219). - reiserfs: fix problems with chowning setuid file w/ xattrs (bnc#790920). - reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry (bnc#822722). jbd: Fix forever sleeping process in do_get_write_access() (bnc#827983). HID: check for NULL field when setting values (bnc#835839). - HID: provide a helper for validating hid reports (bnc#835839). - bcm43xx: netlink deadlock fix (bnc#850241). - bnx2: Close device if tx_timeout reset fails (bnc#857597). - xfrm: invalidate dst on policy insertion/deletion (bnc#842239). - xfrm: prevent ipcomp scratch buffer race condition (bnc#842239). - lpfc: Update to 8.2.0.106 (bnc#798050). - Make lpfc task management timeout configurable (bnc#798050). - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050). - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset (bnc#798050). - advansys: Remove 'last_reset' references (bnc#798050). - tmscsim: Move 'last_reset' into host structure (bnc#798050). dc395: Move 'last_reset' into internal host structure (bnc#798050). scsi: remove check for 'resetting' (bnc#798050). - scsi: Allow error handling timeout to be specified (bnc#798050). - scsi: Eliminate error handler overload of the SCSI serial number (bnc#798050). - scsi: Reduce sequential pointer derefs in scsi_error.c and reduce size as well (bnc#798050). - scsi: Reduce error recovery time by reducing use of TURs (bnc#798050). - scsi: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations) - scsi: cleanup setting task state in scsi_error_handler() (bnc#798050). - scsi: Add 'eh_deadline' to limit SCSI EH runtime (bnc#798050). - scsi: Fixup compilation warning (bnc#798050). - scsi: fc class: fix scanning when devs are offline (bnc#798050). - scsi: Warn on invalid command completion (bnc#798050). - scsi: Retry failfast commands after EH (bnc#798050). - scsi: kABI fixes (bnc#798050). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 83618
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83618
    title SUSE SLES10 Security Update : kernel (SUSE-SU-2014:0536-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1292.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-4162, Moderate) * An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2013-2141, Low) Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4162. This update also fixes the following bugs : * A bug in the be2net driver prevented communication between NICs using be2net. This update applies a patch addressing this problem along with several other upstream patches that fix various other problems. Traffic between NICs using the be2net driver now proceeds as expected. (BZ#983864) * A recent patch fixing a problem that prevented communication between NICs using the be2net driver caused the firmware of NICs to become unresponsive, and thus triggered a kernel panic. The problem was caused by unnecessary usage of a hardware workaround that allows skipping VLAN tag insertion. A patch has been applied and the workaround is now used only when the multi-channel configuration is enabled on the NIC. Note that the bug only affected the NICs with firmware version 4.2.xxxx. (BZ#999819) * A bug in the autofs4 mount expiration code could cause the autofs4 module to falsely report a busy tree of NFS mounts as 'not in use'. Consequently, automount attempted to unmount the tree and failed with a 'failed to umount offset' error, leaving the mount tree to appear as empty directories. A patch has been applied to remove an incorrectly used autofs dentry mount check and the aforementioned problem no longer occurs. (BZ#1001488) * A race condition in the be_open function in the be2net driver could trigger the BUG_ON() macro, which resulted in a kernel panic. A patch addressing this problem has been applied and the race condition is now avoided by enabling polling before enabling interrupts globally. The kernel no longer panics in this situation. (BZ#1005239) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 70179
    published 2013-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70179
    title CentOS 5 : kernel (CESA-2013:1292)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1899-1.NASL
    description Dmitry Monakhov reported a race condition flaw the Linux ext4 filesystem that can expose stale data. An unprivileged user could exploit this flaw to cause an information leak. (CVE-2012-4508) An information leak was discovered in the Linux kernel's tkill and tgkill system calls when used from compat processes. A local user could exploit this flaw to examine potentially sensitive kernel memory. (CVE-2013-2141) Kees Cook discovered a format string vulnerability in the Broadcom B43 wireless driver for the Linux kernel. A local user could exploit this flaw to gain administrative privileges. (CVE-2013-2852). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 67190
    published 2013-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67190
    title Ubuntu 10.04 LTS : linux vulnerabilities (USN-1899-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-1034.NASL
    description The Linux Kernel was updated to fix various security issues and bugs. - sctp: Use correct sideffect command in duplicate cookie handling (bnc#826102, CVE-2013-2206). - Drivers: hv: util: Fix a bug in util version negotiation code (bnc#838346). - vmxnet3: prevent div-by-zero panic when ring resizing uninitialized dev (bnc#833321). - md/raid1,5,10: Disable WRITE SAME until a recovery strategy is in place (bnc#813889). - netback: don't disconnect frontend when seeing oversize packet (bnc#823342). - netfront: reduce gso_max_size to account for max TCP header. - netfront: fix kABI after 'reduce gso_max_size to account for max TCP header'. - backends: Check for insane amounts of requests on the ring. - Refresh other Xen patches (bnc#804198, bnc#814211, bnc#826374). - Fix TLB gather virtual address range invalidation corner cases (TLB gather memory corruption). - mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots (TLB gather memory corruption). - bnx2x: protect different statistics flows (bnc#814336). - Drivers: hv: util: Fix a bug in version negotiation code for util services (bnc#828714). - kabi/severities: Ignore changes in drivers/hv - e1000e: workaround DMA unit hang on I218 (bnc#834647). - e1000e: unexpected 'Reset adapter' message when cable pulled (bnc#834647). - e1000e: 82577: workaround for link drop issue (bnc#834647). - e1000e: helper functions for accessing EMI registers (bnc#834647). - atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring (bnc#812116). - reiserfs: Fixed double unlock in reiserfs_setattr failure path. - reiserfs: locking, release lock around quota operations (bnc#815320). - reiserfs: locking, handle nested locks properly (bnc#815320). - reiserfs: locking, push write lock out of xattr code (bnc#815320). - af_key: fix info leaks in notify messages (bnc#827749 CVE-2013-2234). - af_key: initialize satype in key_notify_policy_flush() (bnc#828119 CVE-2013-2237). - kernel/signal.c: stop info leak via the tkill and the tgkill syscalls (bnc#823267 CVE-2013-2141). - b43: stop format string leaking into error msgs (bnc#822579 CVE-2013-2852). - net: fix incorrect credentials passing (bnc#816708 CVE-2013-1979). - tipc: fix info leaks via msg_name in recv_msg/recv_stream (bnc#816668 CVE-2013-3235). - rose: fix info leak via msg_name in rose_recvmsg() (bnc#816668 CVE-2013-3234). - NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() (bnc#816668 CVE-2013-3233). - netrom: fix info leak via msg_name in nr_recvmsg() (bnc#816668 CVE-2013-3232). - llc: Fix missing msg_namelen update in llc_ui_recvmsg() (bnc#816668 CVE-2013-3231). - l2tp: fix info leak in l2tp_ip6_recvmsg() (bnc#816668 CVE-2013-3230). - iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (bnc#816668 CVE-2013-3229). - irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (bnc#816668 CVE-2013-3228). - caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() (bnc#816668 CVE-2013-3227). - Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg() (bnc#816668 CVE-2013-3226). - Bluetooth: fix possible info leak in bt_sock_recvmsg() (bnc#816668 CVE-2013-3224). - ax25: fix info leak via msg_name in ax25_recvmsg() (bnc#816668 CVE-2013-3223). - atm: update msg_namelen in vcc_recvmsg() (bnc#816668 CVE-2013-3222). - ipv6: call udp_push_pending_frames when uncorking a socket with (bnc#831058, CVE-2013-4162). - tracing: Fix possible NULL pointer dereferences (bnc#815256 CVE-2013-3301). - tg3: fix length overflow in VPD firmware parsing (bnc#813733 CVE-2013-1929). - dcbnl: fix various netlink info leaks (bnc#810473 CVE-2013-2634). - rtnl: fix info leak on RTM_GETLINK request for VF devices (bnc#810473 CVE-2013-2635). - crypto: user - fix info leaks in report API (bnc#809906 CVE-2013-2546 CVE-2013-2547 CVE-2013-2548). - kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER (bnc#808827 CVE-2013-0914). - signal: always clear sa_restorer on execve (bnc#808827 CVE-2013-0914). - signal: Define __ARCH_HAS_SA_RESTORER so we know whether to clear sa_restorer (bnc#808827 CVE-2013-0914). - ipv6: ip6_sk_dst_check() must not assume ipv6 dst (bnc#827750, CVE-2013-2232). - xfs: fix _xfs_buf_find oops on blocks beyond the filesystem end (CVE-2013-1819 bnc#807471). - blk: avoid divide-by-zero with zero discard granularity (bnc#832615). - dlm: check the write size from user (bnc#831956). - drm/i915: Serialize almost all register access (bnc#823633). - drm/i915: initialize gt_lock early with other spin locks (bnc#801341). - drm/i915: fix up gt init sequence fallout (bnc#801341). - drm/nouveau/hwmon: s/fan0/fan1/. - Drivers: hv: balloon: Do not post pressure status if interrupted (bnc#829539). - drm/i915: Clear FORCEWAKE when taking over from BIOS (bnc#801341). - drm/i915: Apply alignment restrictions on scanout surfaces for VT-d (bnc#818561). - fs/notify/inode_mark.c: make fsnotify_find_inode_mark_locked() static (bnc#807188). - fsnotify: change locking order (bnc#807188). - fsnotify: dont put marks on temporary list when clearing marks by group (bnc#807188). - fsnotify: introduce locked versions of fsnotify_add_mark() and fsnotify_remove_mark() (bnc#807188). - fsnotify: pass group to fsnotify_destroy_mark() (bnc#807188). - fsnotify: use a mutex instead of a spinlock to protect a groups mark list (bnc#807188). - fanotify: add an extra flag to mark_remove_from_mask that indicates wheather a mark should be destroyed (bnc#807188). - fsnotify: take groups mark_lock before mark lock (bnc#807188). - fsnotify: use reference counting for groups (bnc#807188). - fsnotify: introduce fsnotify_get_group() (bnc#807188). - inotify, fanotify: replace fsnotify_put_group() with fsnotify_destroy_group() (bnc#807188). - drm/i915: fix long-standing SNB regression in power consumption after resume v2 (bnc#801341). - drm/nouveau: use vmalloc for pgt allocation (bnc#802347). - USB: xhci: correctly enable interrupts (bnc#828191). - drm/i915: Resurrect ring kicking for semaphores, selectively (bnc#823633,bnc#799516). - ALSA: usb-audio: Fix invalid volume resolution for Logitech HD Webcam c310 (bnc#821735). - ALSA: usb-audio - Fix invalid volume resolution on Logitech HD webcam c270 (bnc#821735). - config: sync up config options added with btrfs update - xfs: xfs: fallback to vmalloc for large buffers in xfs_compat_attrlist_by_handle (bnc#818053 bnc#807153). - xfs: fallback to vmalloc for large buffers in xfs_attrlist_by_handle (bnc#818053 bnc#807153). - btrfs: update to v3.10. - block: Add bio_end_sector(). - block: Use bio_sectors() more consistently. - btrfs: handle lookup errors after subvol/snapshot creation. - btrfs: add new ioctl to determine size of compressed file (FATE#306586). - btrfs: reduce btrfs_path size (FATE#306586). - btrfs: simplify move_pages and copy_pages (FATE#306586). - Prefix mount messages with btrfs: for clarity (FATE#306586). - Btrfs: forced readonly when free_log_tree fails (FATE#306586). - Btrfs: forced readonly when orphan_del fails (FATE#306586). - btrfs: abort unlink trans in missed error case. - btrfs: access superblock via pagecache in scan_one_device. - Btrfs: account for orphan inodes properly during cleanup. - Btrfs: add a comment for fs_info->max_inline. - Btrfs: add a incompatible format change for smaller metadata extent refs. - Btrfs: Add a new ioctl to get the label of a mounted file system. - Btrfs: add a plugging callback to raid56 writes. - Btrfs: add a rb_tree to improve performance of ulist search. - Btrfs: Add a stripe cache to raid56. - Btrfs: Add ACCESS_ONCE() to transaction->abort accesses. - Btrfs: add all ioctl checks before user change for quota operations. - Btrfs: add btrfs_scratch_superblock() function. - btrfs: add cancellation points to defrag. - Btrfs: add code to scrub to copy read data to another disk. - btrfs: add debug check for extent_io range alignment. - Btrfs: add fiemap's flag check. - Btrfs: add ioctl to wait for qgroup rescan completion. - btrfs: add missing break in btrfs_print_leaf(). - Btrfs: add new sources for device replace code. - btrfs: add 'no file data' flag to btrfs send ioctl. - Btrfs: add orphan before truncating pagecache. - Btrfs: add path->really_keep_locks. - btrfs: add prefix to sanity tests messages. - Btrfs: add rw argument to merge_bio_hook(). - Btrfs: add some free space cache tests. - Btrfs: add some missing iput()'s in btrfs_orphan_cleanup. - Btrfs: add support for device replace ioctls. - Btrfs: add tree block level sanity check. - Btrfs: add two more find_device() methods. - Btrfs: allocate new chunks if the space is not enough for global rsv. - Btrfs: allow file data clone within a file. - Btrfs: allow for selecting only completely empty chunks. - Btrfs: allow omitting stream header and end-cmd for btrfs send. - Btrfs: allow repair code to include target disk when searching mirrors. - Btrfs: allow running defrag in parallel to administrative tasks. - Btrfs: allow superblock mismatch from older mkfs. - btrfs: annotate intentional switch case fallthroughs. - btrfs: annotate quota tree for lockdep. - Btrfs: automatic rescan after 'quota enable' command. - Btrfs: avoid deadlock on transaction waiting list. - Btrfs: avoid double free of fs_info->qgroup_ulist. - Btrfs: avoid risk of a deadlock in btrfs_handle_error. - Btrfs: bring back balance pause/resume logic. - Btrfs: build up error handling for merge_reloc_roots. - Btrfs: change core code of btrfs to support the device replace operations. - Btrfs: changes to live filesystem are also written to replacement disk. - Btrfs: Check CAP_DAC_READ_SEARCH for BTRFS_IOC_INO_PATHS. - Btrfs: check for actual acls rather than just xattrs when caching no acl. - Btrfs: check for NULL pointer in updating reloc roots. - Btrfs: check if leaf's parent exists before pushing items around. - Btrfs: check if we can nocow if we don't have data space. - Btrfs: check return value of commit when recovering log. - Btrfs: check the return value of btrfs_run_ordered_operations(). - Btrfs: check the return value of btrfs_start_delalloc_inodes(). - btrfs: clean snapshots one by one. - btrfs: clean up transaction abort messages. - Btrfs: cleanup backref search commit root flag stuff. - Btrfs: cleanup, btrfs_read_fs_root_no_name() doesn't return NULL. - Btrfs: cleanup destroy_marked_extents. - Btrfs: cleanup: don't check the same thing twice. - Btrfs: cleanup duplicated division functions. - Btrfs: cleanup for btrfs_btree_balance_dirty. - Btrfs: cleanup for btrfs_wait_order_range. - btrfs: cleanup for open-coded alignment. - Btrfs: cleanup fs roots if we fail to mount. - Btrfs: cleanup of function where btrfs_extend_item() is called. - Btrfs: cleanup of function where fixup_low_keys() is called. - Btrfs: cleanup orphan reservation if truncate fails. - Btrfs: cleanup orphaned root orphan item. - Btrfs: cleanup redundant code in btrfs_submit_direct(). - Btrfs: cleanup scrub bio and worker wait code. - Btrfs: cleanup similar code in delayed inode. - btrfs: Cleanup some redundant codes in btrfs_log_inode(). - btrfs: Cleanup some redundant codes in btrfs_lookup_csums_range(). - Btrfs: cleanup the code of copy_nocow_pages_for_inode(). - Btrfs: cleanup the similar code of the fs root read. - Btrfs: cleanup to make the function btrfs_delalloc_reserve_metadata more logic. - Btrfs: cleanup to remove reduplicate code in transaction.c. - Btrfs: cleanup unnecessary assignment when cleaning up all the residual transaction. - Btrfs: cleanup unnecessary clear when freeing a transaction or a trans handle. - Btrfs: cleanup unused arguments. - Btrfs: cleanup unused arguments in send.c. - Btrfs: cleanup unused arguments of btrfs_csum_data. - Btrfs: cleanup unused function. - Btrfs: clear received_uuid field for new writable snapshots. - Btrfs: Cocci spatch 'memdup.spatch'. - Btrfs: Cocci spatch 'ptr_ret.spatch'. - Btrfs: compare relevant parts of delayed tree refs. - Btrfs: copy everything if we've created an inline extent. - btrfs: cover more error codes in btrfs_decode_error. - Btrfs: creating the subvolume qgroup automatically when enabling quota. - Btrfs: deal with bad mappings in btrfs_map_block. - Btrfs: deal with errors in write_dev_supers. - Btrfs: deal with free space cache errors while replaying log. - btrfs: define BTRFS_MAGIC as a u64 value. - Btrfs: delete inline extents when we find them during logging. - Btrfs: delete unused function. - Btrfs: delete unused parameter to btrfs_read_root_item(). - btrfs: deprecate subvolrootid mount option. - btrfs: device delete to get errors from the kernel. - Btrfs: disable qgroup id 0. - Btrfs: disallow mutually exclusive admin operations from user mode. - Btrfs: disallow some operations on the device replace target device. - btrfs: do away with non-whole_page extent I/O. - Btrfs: do delay iput in sync_fs. - Btrfs: do not allow logged extents to be merged or removed. - Btrfs: do not BUG_ON in prepare_to_reloc. - Btrfs: do not BUG_ON on aborted situation. - Btrfs: do not call file_update_time in aio_write. - Btrfs: do not change inode flags in rename. - Btrfs: do not continue if out of memory happens. - Btrfs: do not delete a subvolume which is in a R/O subvolume. - Btrfs: do not log extents when we only log new names. - Btrfs: do not mark ems as prealloc if we are writing to them. - Btrfs: do not merge logged extents if we've removed them from the tree. - Btrfs: do not overcommit if we don't have enough space for global rsv. - Btrfs: do not pin while under spin lock. - Btrfs: do not warn_on io_ctl->cur in io_ctl_map_page. - Btrfs: don't abort the current transaction if there is no enough space for inode cache. - Btrfs: don't add a NULL extended attribute. - Btrfs: don't allow degraded mount if too many devices are missing. - Btrfs: don't allow device replace on RAID5/RAID6. - Btrfs: don't auto defrag a file when doing directIO. - Btrfs: don't bother copying if we're only logging the inode. - Btrfs: don't BUG_ON() in btrfs_num_copies. - Btrfs: don't call btrfs_qgroup_free if just btrfs_qgroup_reserve fails. - Btrfs: don't call readahead hook until we have read the entire eb. - Btrfs: don't delete fs_roots until after we cleanup the transaction. - Btrfs: don't drop path when printing out tree errors in scrub. - Btrfs: don't flush the delalloc inodes in the while loop if flushoncommit is set. - Btrfs: don't force pages under writeback to finish when aborting. - Btrfs: don't invoke btrfs_invalidate_inodes() in the spin lock context. - Btrfs: don't memset new tokens. - Btrfs: don't NULL pointer deref on abort. - Btrfs: don't panic if we're trying to drop too many refs. - Btrfs: don't re-enter when allocating a chunk. - Btrfs: don't start a new transaction when starting sync. - Btrfs: don't steal the reserved space from the global reserve if their space type is different. - btrfs: don't stop searching after encountering the wrong item. - Btrfs: don't take inode delalloc mutex if we're a free space inode. - Btrfs: don't traverse the ordered operation list repeatedly. - Btrfs: Don't trust the superblock label and simply printk('%s') it. - Btrfs: don't try and free ebs twice in log replay. - btrfs: don't try to notify udev about missing devices. - Btrfs: don't use global block reservation for inode cache truncation. - Btrfs: don't wait for all the writers circularly during the transaction commit. - Btrfs: don't wait on ordered extents if we have a trans open. - Btrfs: dont do log_removal in insert_new_root. - btrfs: Drop inode if inode root is NULL. - Btrfs: eliminate a use-after-free in btrfs_balance(). - Btrfs: enforce min_bytes parameter during extent allocation. - Btrfs: enhance btrfs structures for device replace support. - btrfs: enhance superblock checks. - btrfs: ensure we don't overrun devices_info in __btrfs_alloc_chunk. - Btrfs: exclude logged extents before replying when we are mixed. - Btrfs: explicitly use global_block_rsv for quota_tree. - Btrfs: extend the checksum item as much as possible. - btrfs: fall back to global reservation when removing subvolumes. - Btrfs: fill the global reserve when unpinning space. - Btrfs: fix a bug of per-file nocow. - Btrfs: fix a bug when llseek for delalloc bytes behind prealloc extents. - Btrfs: fix a build warning for an unused label. - Btrfs: fix a deadlock in aborting transaction due to ENOSPC. - Btrfs: fix a double free on pending snapshots in error handling. - Btrfs: fix a mismerge in btrfs_balance(). - Btrfs: fix a regression in balance usage filter. - Btrfs: fix a scrub regression in case of write errors. - Btrfs: fix a warning when disabling quota. - Btrfs: fix a warning when updating qgroup limit. - Btrfs: fix accessing a freed tree root. - Btrfs: fix accessing the root pointer in tree mod log functions. - Btrfs: fix all callers of read_tree_block. - Btrfs: fix an while-loop of listxattr. - Btrfs: fix autodefrag and umount lockup. - Btrfs: fix backref walking race with tree deletions. - Btrfs: fix bad extent logging. - Btrfs: fix broken nocow after balance. - btrfs: fix btrfs_cont_expand() freeing IS_ERR em. - btrfs: fix btrfs_extend_item() comment. - Btrfs: fix BUG() in scrub when first superblock reading gives EIO. - Btrfs: fix check on same raid type flag twice. - Btrfs: fix chunk allocation error handling. - Btrfs: fix cleaner thread not working with inode cache option. - Btrfs: fix cluster alignment for mount -o ssd. - btrfs: fix comment typos. - Btrfs: fix confusing edquot happening case. - Btrfs: fix crash in log replay with qgroups enabled. - Btrfs: fix crash regarding to ulist_add_merge. - Btrfs: fix deadlock due to unsubmitted. - Btrfs: fix double free in the btrfs_qgroup_account_ref(). - Btrfs: fix double free in the iterate_extent_inodes(). - Btrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata. - Btrfs: fix EIO from btrfs send in is_extent_unchanged for punched holes. - Btrfs: fix error handling in btrfs_ioctl_send(). - Btrfs: fix error handling in make/read block group. - Btrfs: fix estale with btrfs send. - Btrfs: fix extent logging with O_DIRECT into prealloc. - Btrfs: fix freeing delayed ref head while still holding its mutex. - Btrfs: fix freeze vs auto defrag. - Btrfs: fix hash overflow handling. - Btrfs: fix how we discard outstanding ordered extents on abort. - Btrfs: fix infinite loop when we abort on mount. - Btrfs: fix joining the same transaction handler more than 2 times. - Btrfs: fix lockdep warning. - Btrfs: fix locking on ROOT_REPLACE operations in tree mod log. - Btrfs: fix lots of orphan inodes when the space is not enough. - Btrfs: fix max chunk size on raid5/6. - Btrfs: fix memory leak in btrfs_create_tree(). - Btrfs: fix memory leak in name_cache_insert(). - Btrfs: fix memory leak of log roots. - Btrfs: fix memory leak of pending_snapshot->inherit. - Btrfs: fix memory patcher through fs_info->qgroup_ulist. - btrfs: fix minor typo in comment. - btrfs: fix misleading variable name for flags. - Btrfs: fix missed transaction->aborted check. - Btrfs: fix missing check about ulist_add() in qgroup.c. - Btrfs: fix missing check before creating a qgroup relation. - Btrfs: fix missing check before disabling quota. - Btrfs: fix missing check in the btrfs_qgroup_inherit(). - Btrfs: fix missing deleted items in btrfs_clean_quota_tree. - Btrfs: fix missing flush when committing a transaction. - Btrfs: fix missing i_size update. - Btrfs: fix missing log when BTRFS_INODE_NEEDS_FULL_SYNC is set. - Btrfs: fix missing qgroup reservation before fallocating. - Btrfs: fix missing release of qgroup reservation in commit_transaction(). - Btrfs: fix missing release of the space/qgroup reservation in start_transaction(). - Btrfs: fix missing reserved space release in error path of delalloc reservation. - Btrfs: fix missing write access release in btrfs_ioctl_resize(). - Btrfs: fix 'mutually exclusive op is running' error code. - Btrfs: fix not being able to find skinny extents during relocate. - Btrfs: fix NULL pointer after aborting a transaction. - Btrfs: fix off-by-one error of the reserved size of btrfs_allocate(). - Btrfs: fix off-by-one error of the same page check in btrfs_punch_hole(). - Btrfs: fix off-by-one in fiemap. - Btrfs: fix off-by-one in lseek. - Btrfs: fix oops when recovering the file data by scrub function. - Btrfs: fix panic when recovering tree log. - Btrfs: fix permissions of empty files not affected by umask. - Btrfs: fix permissions of empty files not affected by umask. - Btrfs: fix possible infinite loop in slow caching. - Btrfs: fix possible memory leak in replace_path(). - Btrfs: fix possible memory leak in the find_parent_nodes(). - Btrfs: fix possible stale data exposure. - Btrfs: Fix printk and variable name. - Btrfs: fix qgroup rescan resume on mount. - Btrfs: fix race between mmap writes and compression. - Btrfs: fix race between snapshot deletion and getting inode. - Btrfs: fix race in check-integrity caused by usage of bitfield. - Btrfs: fix reada debug code compilation. - Btrfs: fix remount vs autodefrag. - Btrfs: fix repeated delalloc work allocation. - Btrfs: fix resize a readonly device. - Btrfs: fix several potential problems in copy_nocow_pages_for_inode. - Btrfs: fix space accounting for unlink and rename. - Btrfs: fix space leak when we fail to reserve metadata space. - btrfs: fix the code comments for LZO compression workspace. - Btrfs: fix the comment typo for btrfs_attach_transaction_barrier. - Btrfs: fix the deadlock between the transaction start/attach and commit. - Btrfs: fix the page that is beyond EOF. - Btrfs: fix the qgroup reserved space is released prematurely. - Btrfs: fix the race between bio and btrfs_stop_workers. - Btrfs: fix transaction throttling for delayed refs. - Btrfs: fix tree mod log regression on root split operations. - Btrfs: fix trivial error in btrfs_ioctl_resize(). - Btrfs: Fix typo in fs/btrfs. - Btrfs: fix unblocked autodefraggers when remount. - Btrfs: fix unclosed transaction handler when the async transaction commitment fails. - Btrfs: fix uncompleted transaction. - Btrfs: fix unlock after free on rewinded tree blocks. - Btrfs: fix unlock order in btrfs_ioctl_resize. - Btrfs: fix unlock order in btrfs_ioctl_rm_dev. - Btrfs: fix unnecessary while loop when search the free space, cache. - Btrfs: fix unprotected defragable inode insertion. - Btrfs: fix unprotected extent map operation when logging file extents. - Btrfs: fix unprotected root node of the subvolume's inode rb-tree. - Btrfs: fix use-after-free bug during umount. - btrfs: fix varargs in __btrfs_std_error. - Btrfs: fix warning of free_extent_map. - Btrfs: fix warning when creating snapshots. - Btrfs: fix wrong comment in can_overcommit(). - Btrfs: fix wrong file extent length. - Btrfs: fix wrong handle at error path of create_snapshot() when the commit fails. - Btrfs: fix wrong max device number for single profile. - Btrfs: fix wrong mirror number tuning. - Btrfs: fix wrong outstanding_extents when doing DIO write. - Btrfs: fix wrong reservation of csums. - Btrfs: fix wrong reserved space in qgroup during snap/subv creation. - Btrfs: fix wrong reserved space when deleting a snapshot/subvolume. - Btrfs: fix wrong return value of btrfs_lookup_csum(). - Btrfs: fix wrong return value of btrfs_truncate_page(). - Btrfs: fix wrong return value of btrfs_wait_for_commit(). - Btrfs: fix wrong sync_writers decrement in btrfs_file_aio_write(). - btrfs: fixup/remove module.h usage as required. - Btrfs: flush all dirty inodes if writeback can not start. - Btrfs: free all recorded tree blocks on error. - Btrfs: free csums when we're done scrubbing an extent. - Btrfs: get better concurrency for snapshot-aware defrag work. - Btrfs: get right arguments for btrfs_wait_ordered_range. - btrfs: get the device in write mode when deleting it. - Btrfs: get write access for qgroup operations. - Btrfs: get write access for scrub. - Btrfs: get write access when doing resize fs. - Btrfs: get write access when removing a device. - Btrfs: get write access when setting the default subvolume. - Btrfs: handle a bogus chunk tree nicely. - Btrfs: handle errors from btrfs_map_bio() everywhere. - Btrfs: handle errors in compression submission path. - btrfs: handle errors returned from get_tree_block_key. - btrfs: handle null fs_info in btrfs_panic(). - Btrfs: handle running extent ops with skinny metadata. - Btrfs: hold the ordered operations mutex when waiting on ordered extents. - Btrfs: hold the tree mod lock in __tree_mod_log_rewind. - Btrfs: if we aren't committing just end the transaction if we error out. - btrfs: ignore device open failures in __btrfs_open_devices. - Btrfs: ignore orphan qgroup relations. - Btrfs: implement unlocked dio write. - Btrfs: improve the delayed inode throttling. - Btrfs: improve the loop of scrub_stripe. - Btrfs: improve the noflush reservation. - Btrfs: improve the performance of the csums lookup. - Btrfs: in scrub repair code, optimize the reading of mirrors. - Btrfs: in scrub repair code, simplify alloc error handling. - Btrfs: Include the device in most error printk()s. - Btrfs: increase BTRFS_MAX_MIRRORS by one for dev replace. - btrfs: Init io_lock after cloning btrfs device struct. - Btrfs: init relocate extent_io_tree with a mapping. - Btrfs: inline csums if we're fsyncing. - Btrfs: introduce a btrfs_dev_replace_item type. - Btrfs: introduce a mutex lock for btrfs quota operations. - Btrfs: introduce GET_READ_MIRRORS functionality for btrfs_map_block(). - Btrfs: introduce grab/put functions for the root of the fs/file tree. - Btrfs: introduce per-subvolume delalloc inode list. - Btrfs: introduce per-subvolume ordered extent list. - Btrfs: introduce qgroup_ulist to avoid frequently allocating/freeing ulist. - Btrfs: just flush the delalloc inodes in the source tree before snapshot creation. - Btrfs: keep track of the extents original block length. - Btrfs: kill replicate code in replay_one_buffer. - Btrfs: kill some BUG_ONs() in the find_parent_nodes(). - Btrfs: kill unnecessary arguments in del_ptr. - Btrfs: kill unused argument of btrfs_pin_extent_for_log_replay. - Btrfs: kill unused argument of update_block_group. - Btrfs: kill unused arguments of cache_block_group. - Btrfs: let allocation start from the right raid type. - btrfs: limit fallocate extent reservation to 256MB. - Btrfs: limit the global reserve to 512mb. - btrfs: list_entry can't return NULL. - Btrfs: log changed inodes based on the extent map tree. - Btrfs: log ram bytes properly. - Btrfs: make __merge_refs() return type be void. - Btrfs: make backref walking code handle skinny metadata. - Btrfs: make delalloc inodes be flushed by multi-task. - Btrfs: make delayed ref lock logic more readable. - Btrfs: make ordered extent be flushed by multi-task. - Btrfs: make ordered operations be handled by multi-task. - btrfs: make orphan cleanup less verbose. - Btrfs: make raid attr array more readable. - btrfs: make static code static & remove dead code. - btrfs: make subvol creation/deletion killable in the early stages. - Btrfs: make sure nbytes are right after log replay. - Btrfs: make sure NODATACOW also gets NODATASUM set. - Btrfs: make sure roots are assigned before freeing their nodes. - Btrfs: make the chunk allocator completely tree lockless. - Btrfs: make the cleaner complete early when the fs is going to be umounted. - Btrfs: make the scrub page array dynamically allocated. - Btrfs: make the snap/subv deletion end more early when the fs is R/O. - Btrfs: make the state of the transaction more readable. - Btrfs: merge inode_list in __merge_refs. - Btrfs: merge pending IO for tree log write back. - btrfs: merge save_error_info helpers into one. - Btrfs: MOD_LOG_KEY_REMOVE_WHILE_MOVING never change node's nritems. - btrfs: more open-coded file_inode(). - Btrfs: move btrfs_truncate_page to btrfs_cont_expand instead of btrfs_truncate. - Btrfs: move checks in set_page_dirty under DEBUG. - Btrfs: move d_instantiate outside the transaction during mksubvol. - Btrfs: move fs/btrfs/ioctl.h to include/uapi/linux/btrfs.h. - btrfs: move ifdef around sanity checks out of init_btrfs_fs. - btrfs: move leak debug code to functions. - Btrfs: move some common code into a subfunction. - Btrfs: move the R/O check out of btrfs_clean_one_deleted_snapshot(). - btrfs: Notify udev when removing device. - Btrfs: only clear dirty on the buffer if it is marked as dirty. - Btrfs: only do the tree_mod_log_free_eb if this is our last ref. - Btrfs: only exclude supers in the range of our block group. - Btrfs: only log the inode item if we can get away with it. - Btrfs: only unlock and relock if we have to. - Btrfs: optimize leaf_space_used. - Btrfs: optimize read_block_for_search. - Btrfs: optimize reada_for_balance. - Btrfs: optimize the error handle of use_block_rsv(). - Btrfs: optionally avoid reads from device replace source drive. - Btrfs: pass fs_info instead of root. - Btrfs: pass fs_info to btrfs_map_block() instead of mapping_tree. - Btrfs: Pass fs_info to btrfs_num_copies() instead of mapping_tree. - Btrfs: pass NULL instead of 0. - Btrfs: pass root object into btrfs_ioctl_{start, wait}_sync(). - Btrfs: pause the space balance when remounting to R/O. - Btrfs: place ordered operations on a per transaction list. - Btrfs: prevent qgroup destroy when there are still relations. - Btrfs: protect devices list with its mutex. - Btrfs: protect fs_info->alloc_start. - Btrfs: punch hole past the end of the file. - Btrfs: put csums on the right ordered extent. - Btrfs: put our inode if orphan cleanup fails. - Btrfs: put raid properties into global table. - btrfs: put some enospc messages under enospc_debug. - Btrfs: RAID5 and RAID6. - btrfs/raid56: Add missing #include . - btrfs: read entire device info under lock. - Btrfs: recheck bio against block device when we map the bio. - Btrfs: record first logical byte in memory. - Btrfs: reduce CPU contention while waiting for delayed extent operations. - Btrfs: reduce lock contention on extent buffer locks. - Btrfs: refactor error handling to drop inode in btrfs_create(). - Btrfs: relax the block group size limit for bitmaps. - btrfs: remove a printk from scan_one_device. - Btrfs: remove almost all of the BUG()'s from tree-log.c. - Btrfs: remove btrfs_sector_sum structure. - Btrfs: remove btrfs_try_spin_lock. - Btrfs: remove BUG_ON() in btrfs_read_fs_tree_no_radix(). - btrfs: remove cache only arguments from defrag path. - Btrfs: remove conflicting check for minimum number of devices in raid56. - Btrfs: remove deprecated comments. - Btrfs: remove extent mapping if we fail to add chunk. - Btrfs: remove reduplicate check about root in the function btrfs_clean_quota_tree. - Btrfs: remove some BUG_ONs() when walking backref tree. - Btrfs: remove some unnecessary spin_lock usages. - Btrfs: remove the block device pointer from the scrub context struct. - Btrfs: remove the code for the impossible case in cleanup_transaction(). - Btrfs: Remove the invalid shrink size check up from btrfs_shrink_dev(). - Btrfs: remove the time check in btrfs_commit_transaction(). - btrfs: remove unnecessary cur_trans set before goto loop in join_transaction. - btrfs: remove unnecessary DEFINE_WAIT() declarations. - Btrfs: remove unnecessary dget_parent/dput when creating the pending snapshot. - Btrfs: remove unnecessary ->s_umount in cleaner_kthread(). - Btrfs: remove unnecessary varient ->num_joined in btrfs_transaction structure. - Btrfs: remove unused argument of btrfs_extend_item(). - Btrfs: remove unused argument of fixup_low_keys(). - Btrfs: remove unused code in btrfs_del_root. - Btrfs: remove unused extent io tree ops V2. - btrfs: remove unused fd in btrfs_ioctl_send(). - btrfs: remove unused fs_info from btrfs_decode_error(). - btrfs: remove unused gfp mask parameter from release_extent_buffer callchain. - btrfs: remove unused 'item' in btrfs_insert_delayed_item(). - Btrfs: remove unused variable in __process_changed_new_xattr(). - Btrfs: remove unused variable in the iterate_extent_inodes(). - Btrfs: remove useless copy in quota_ctl. - Btrfs: remove warn on in free space cache writeout. - Btrfs: rename root_times_lock to root_item_lock. - Btrfs: rename the scrub context structure. - Btrfs: reorder locks and sanity checks in btrfs_ioctl_defrag. - Btrfs: reorder tree mod log operations in deleting a pointer. - Btrfs: rescan for qgroups. - Btrfs: reset path lock state to zero. - Btrfs: restructure btrfs_run_defrag_inodes(). - Btrfs: return as soon as possible when edquot happens. - Btrfs: return EIO if we have extent tree corruption. - Btrfs: return ENOMEM rather than use BUG_ON when btrfs_alloc_path fails. - Btrfs: return errno if possible when we fail to allocate memory. - Btrfs: return error code in btrfs_check_trunc_cache_free_space(). - Btrfs: return error when we specify wrong start to defrag. - Btrfs: return free space in cow error path. - Btrfs: rework the overcommit logic to be based on the total size. - Btrfs: save us a read_lock. - Btrfs: select XOR_BLOCKS in Kconfig. - Btrfs: separate sequence numbers for delayed ref tracking and tree mod log. - Btrfs: serialize unlocked dio reads with truncate. - Btrfs: set/change the label of a mounted file system. - Btrfs: set flushing if we're limited flushing. - Btrfs: set hole punching time properly. - Btrfs: set UUID in root_item for created trees. - Btrfs: share stop worker code. - btrfs: show compiled-in config features at module load time. - Btrfs: simplify unlink reservations. - Btrfs: skip adding an acl attribute if we don't have to. - Btrfs: snapshot-aware defrag. - Btrfs: split btrfs_qgroup_account_ref into four functions. - Btrfs: steal from global reserve if we are cleaning up orphans. - Btrfs: stop all workers before cleaning up roots. - Btrfs: stop using try_to_writeback_inodes_sb_nr to flush delalloc. - Btrfs: stop waiting on current trans if we aborted. - Btrfs: traverse and flush the delalloc inodes once. - btrfs: try harder to allocate raid56 stripe cache. - Btrfs: unlock extent range on enospc in compressed submit. - btrfs: unpin_extent_cache: fix the typo and unnecessary arguements. - Btrfs: unreserve space if our ordered extent fails to work. - btrfs: update kconfig title. - Btrfs: update the global reserve if it is empty. - btrfs: update timestamps on truncate(). - Btrfs: update to use fs_state bit. - Btrfs: use a btrfs bioset instead of abusing bio internals. - Btrfs: use a lock to protect incompat/compat flag of the super block. - Btrfs: use a percpu to keep track of possibly pinned bytes. - Btrfs: use bit operation for ->fs_state. - Btrfs: use common work instead of delayed work. - Btrfs: use ctl->unit for free space calculation instead of block_group->sectorsize. - Btrfs: use existing align macros in btrfs_allocate(). - Btrfs: use helper to cleanup tree roots. - btrfs: use only inline_pages from extent buffer. - Btrfs: use percpu counter for dirty metadata count. - Btrfs: use percpu counter for fs_info->delalloc_bytes. - btrfs: use rcu_barrier() to wait for bdev puts at unmount. - Btrfs: use REQ_META for all metadata IO. - Btrfs: use reserved space for creating a snapshot. - Btrfs: use right range to find checksum for compressed extents. - Btrfs: use seqlock to protect fs_info->avail_{data, metadata, system}_alloc_bits. - Btrfs: use set_nlink if our i_nlink is 0. - Btrfs: use slabs for auto defrag allocation. - Btrfs: use slabs for delayed reference allocation. - Btrfs: use the inode own lock to protect its delalloc_bytes. - Btrfs: use token to avoid times mapping extent buffer. - Btrfs: use tokens where we can in the tree log. - Btrfs: use tree_root to avoid edquot when disabling quota. - btrfs: use unsigned long type for extent state bits. - Btrfs: use wrapper page_offset. - Btrfs: various abort cleanups. - Btrfs: wait on ordered extents at the last possible moment. - Btrfs: wait ordered range before doing direct io. - Btrfs: wake up delayed ref flushing waiters on abort. - clear chunk_alloc flag on retryable failure. - Correct allowed raid levels on balance. - Fix misspellings of 'whether' in comments. - fs/btrfs: drop if around WARN_ON. - fs/btrfs: remove depends on CONFIG_EXPERIMENTAL. - fs/btrfs: use WARN. - Minor format cleanup. - new helper: file_inode(file). - Revert 'Btrfs: fix permissions of empty files not affected by umask'. - Revert 'Btrfs: MOD_LOG_KEY_REMOVE_WHILE_MOVING never change node's nritems'. - Revert 'Btrfs: reorder tree mod log operations in deleting a pointer'. - treewide: Fix typo in printk. - writeback: remove nr_pages_dirtied arg from balance_dirty_pages_ratelimited_nr(). - drivers/cdrom/cdrom.c: use kzalloc() for failing hardware (bnc#824295, CVE-2013-2164). - fanotify: info leak in copy_event_to_user() (CVE-2013-2148 bnc#823517). - block: do not pass disk names as format strings (bnc#822575 CVE-2013-2851). - libceph: Fix NULL pointer dereference in auth client code. (CVE-2013-1059, bnc#826350) - Update patches.drivers/media-rtl28xxu-01-add-NOXON-DAB-DAB-USB- dongle-rev-2.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-02-1b80-d3a8-ASUS-My-Cine ma-U3100Mini-Pl.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-03-add-Gigabyte-U7300-DVB -T-Dongle.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-04-correct-some-device-na mes.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-05-Support-Digivox-Mini-H D.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-06-Add-USB-IDs-for-Compro -VideoMate-U620.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-07-Add-USB-ID-for-MaxMedi a-HU394-T.patch (bnc#811882). Correct the bnc reference. - Update patches.fixes/block-discard-granularity-might-not-be-pow er-of-2.patch (bnc#823797). - block: discard granularity might not be power of 2. - USB: reset resume quirk needed by a hub (bnc#810144). - NFS: Fix keytabless mounts (bnc#817651). - ipv4: fix redirect handling for TCP packets (bnc#814510). - Always include the git commit in KOTD builds This allows us not to set it explicitly in builds submitted to the official distribution (bnc#821612, bnc#824171). - Btrfs: relocate csums properly with prealloc extents. - gcc4: disable __compiletime_object_size for GCC 4.6+ (bnc#837258). - ALSA: hda - Add Toshiba Satellite C870 to MSI blacklist (bnc#833585).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74878
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74878
    title openSUSE Security Update : kernel (openSUSE-SU-2013:1971-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20131212_KERNEL_ON_SL6_X.NASL
    description * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled sending of certain UDP packets over sockets that used the UDP_CORK option when the UDP Fragmentation Offload (UFO) feature was enabled on the output device. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-4470, Important) * A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A privileged guest user could use this flaw to crash the host. (CVE-2013-6367, Important) * A memory corruption flaw was discovered in the way KVM handled virtual APIC accesses that crossed a page boundary. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-6368, Important) * An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user space. (CVE-2013-2141, Low) This update also fixes several bugs and adds two enhancements. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 71491
    published 2013-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71491
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1264.NASL
    description Updated kernel-rt packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise MRG 2.3. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A heap-based buffer overflow flaw was found in the Linux kernel's iSCSI target subsystem. A remote attacker could use a specially crafted iSCSI request to cause a denial of service on a system or, potentially, escalate their privileges on that system. (CVE-2013-2850, Important) * A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers. (CVE-2013-2146, Moderate) * An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) * Two flaws were found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use these flaws to cause a denial of service. (CVE-2013-4162, CVE-2013-4163, Moderate) * A flaw was found in the Linux kernel's Chipidea USB driver. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-2058, Low) * Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2147, CVE-2013-2164, CVE-2013-2234, CVE-2013-2237, Low) * Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2013-2141, CVE-2013-2148, Low) * A format string flaw was found in the Linux kernel's block layer. A privileged, local user could potentially use this flaw to escalate their privileges to kernel level (ring0). (CVE-2013-2851, Low) * A format string flaw was found in the b43_do_request_fw() function in the Linux kernel's b43 driver implementation. A local user who is able to specify the 'fwpostfix' b43 module parameter could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-2852, Low) * A NULL pointer dereference flaw was found in the Linux kernel's ftrace and function tracer implementations. A local user who has the CAP_SYS_ADMIN capability could use this flaw to cause a denial of service. (CVE-2013-3301, Low) Red Hat would like to thank Kees Cook for reporting CVE-2013-2850, CVE-2013-2851, and CVE-2013-2852; and Hannes Frederic Sowa for reporting CVE-2013-4162 and CVE-2013-4163. This update also fixes the following bugs : * The following drivers have been updated, fixing a number of bugs: myri10ge, bna, enic, mlx4, bgmac, bcma, cxgb3, cxgb4, qlcnic, r8169, be2net, e100, e1000, e1000e, igb, ixgbe, brcm80211, cpsw, pch_gbe, bfin_mac, bnx2x, bnx2, cnic, tg3, and sfc. (BZ#974138) * The realtime kernel was not built with the CONFIG_NET_DROP_WATCH kernel configuration option enabled. As such, attempting to run the dropwatch command resulted in the following error : Unable to find NET_DM family, dropwatch can't work Cleaning up on socket creation error With this update, the realtime kernel is built with the CONFIG_NET_DROP_WATCH option, allowing dropwatch to work as expected. (BZ#979417) Users should upgrade to these updated packages, which upgrade the kernel-rt kernel to version kernel-rt-3.6.11.5-rt37, and correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 76665
    published 2014-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76665
    title RHEL 6 : MRG (RHSA-2013:1264)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1801.NASL
    description Updated kernel packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled sending of certain UDP packets over sockets that used the UDP_CORK option when the UDP Fragmentation Offload (UFO) feature was enabled on the output device. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-4470, Important) * A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A privileged guest user could use this flaw to crash the host. (CVE-2013-6367, Important) * A memory corruption flaw was discovered in the way KVM handled virtual APIC accesses that crossed a page boundary. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-6368, Important) * An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user space. (CVE-2013-2141, Low) Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4470, and Andrew Honig of Google for reporting CVE-2013-6367 and CVE-2013-6368. This update also fixes several bugs and adds two enhancements. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71389
    published 2013-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71389
    title RHEL 6 : kernel (RHSA-2013:1801)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130926_KERNEL_ON_SL5_X.NASL
    description This update fixes the following security issues : - A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) - A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-4162, Moderate) - An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2013-2141, Low) This update also fixes the following bugs : - A bug in the be2net driver prevented communication between NICs using be2net. This update applies a patch addressing this problem along with several other upstream patches that fix various other problems. Traffic between NICs using the be2net driver now proceeds as expected. - A recent patch fixing a problem that prevented communication between NICs using the be2net driver caused the firmware of NICs to become unresponsive, and thus triggered a kernel panic. The problem was caused by unnecessary usage of a hardware workaround that allows skipping VLAN tag insertion. A patch has been applied and the workaround is now used only when the multi-channel configuration is enabled on the NIC. Note that the bug only affected the NICs with firmware version 4.2.xxxx. - A bug in the autofs4 mount expiration code could cause the autofs4 module to falsely report a busy tree of NFS mounts as 'not in use'. Consequently, automount attempted to unmount the tree and failed with a 'failed to umount offset' error, leaving the mount tree to appear as empty directories. A patch has been applied to remove an incorrectly used autofs dentry mount check and the aforementioned problem no longer occurs. - A race condition in the be_open function in the be2net driver could trigger the BUG_ON() macro, which resulted in a kernel panic. A patch addressing this problem has been applied and the race condition is now avoided by enabling polling before enabling interrupts globally. The kernel no longer panics in this situation. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 70188
    published 2013-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70188
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1292.NASL
    description From Red Hat Security Advisory 2013:1292 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-4162, Moderate) * An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2013-2141, Low) Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4162. This update also fixes the following bugs : * A bug in the be2net driver prevented communication between NICs using be2net. This update applies a patch addressing this problem along with several other upstream patches that fix various other problems. Traffic between NICs using the be2net driver now proceeds as expected. (BZ#983864) * A recent patch fixing a problem that prevented communication between NICs using the be2net driver caused the firmware of NICs to become unresponsive, and thus triggered a kernel panic. The problem was caused by unnecessary usage of a hardware workaround that allows skipping VLAN tag insertion. A patch has been applied and the workaround is now used only when the multi-channel configuration is enabled on the NIC. Note that the bug only affected the NICs with firmware version 4.2.xxxx. (BZ#999819) * A bug in the autofs4 mount expiration code could cause the autofs4 module to falsely report a busy tree of NFS mounts as 'not in use'. Consequently, automount attempted to unmount the tree and failed with a 'failed to umount offset' error, leaving the mount tree to appear as empty directories. A patch has been applied to remove an incorrectly used autofs dentry mount check and the aforementioned problem no longer occurs. (BZ#1001488) * A race condition in the be_open function in the be2net driver could trigger the BUG_ON() macro, which resulted in a kernel panic. A patch addressing this problem has been applied and the race condition is now avoided by enabling polling before enabling interrupts globally. The kernel no longer panics in this situation. (BZ#1005239) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 70187
    published 2013-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70187
    title Oracle Linux 5 : kernel (ELSA-2013-1292)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-233.NASL
    description The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application. Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 70569
    published 2013-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70569
    title Amazon Linux AMI : kernel (ALAS-2013-233)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1880-1.NASL
    description An information leak was discovered in the Linux kernel when inotify is used to monitor the /dev/ptmx device. A local user could exploit this flaw to discover keystroke timing and potentially discover sensitive information like password length. (CVE-2013-0160) An information leak was discovered in the Linux kernel's tkill and tgkill system calls when used from compat processes. A local user could exploit this flaw to examine potentially sensitive kernel memory. (CVE-2013-2141) A flaw was discovered in the Linux kernel's perf events subsystem for Intel Sandy Bridge and Ivy Bridge processors. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-2146) An information leak was discovered in the Linux kernel's crypto API. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3076) An information leak was discovered in the Linux kernel's rcvmsg path for ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3222) An information leak was discovered in the Linux kernel's recvmsg path for ax25 address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3223) An information leak was discovered in the Linux kernel's recvmsg path for the bluetooth address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3224) An information leak was discovered in the Linux kernel's bluetooth rfcomm protocol support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3225) An information leak was discovered in the Linux kernel's CAIF protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3227) An information leak was discovered in the Linux kernel's IRDA (infrared) support subsystem. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3228) An information leak was discovered in the Linux kernel's s390 - z/VM support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3229) An information leak was discovered in the Linux kernel's l2tp (Layer Two Tunneling Protocol) implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3230) An information leak was discovered in the Linux kernel's llc (Logical Link Layer 2) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3231) An information leak was discovered in the Linux kernel's receive message handling for the netrom address family. A local user could exploit this flaw to obtain sensitive information from the kernel's stack memory. (CVE-2013-3232) An information leak was discovered in the Linux kernel's nfc (near field communication) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3233) An information leak was discovered in the Linux kernel's Rose X.25 protocol layer. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3234) An information leak was discovered in the Linux kernel's TIPC (Transparent Inter Process Communication) protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3235). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 66903
    published 2013-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66903
    title Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-1880-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1881-1.NASL
    description An information leak was discovered in the Linux kernel when inotify is used to monitor the /dev/ptmx device. A local user could exploit this flaw to discover keystroke timing and potentially discover sensitive information like password length. (CVE-2013-0160) An information leak was discovered in the Linux kernel's tkill and tgkill system calls when used from compat processes. A local user could exploit this flaw to examine potentially sensitive kernel memory. (CVE-2013-2141) A flaw was discovered in the Linux kernel's perf events subsystem for Intel Sandy Bridge and Ivy Bridge processors. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-2146) An information leak was discovered in the Linux kernel's crypto API. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3076) An information leak was discovered in the Linux kernel's rcvmsg path for ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3222) An information leak was discovered in the Linux kernel's recvmsg path for ax25 address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3223) An information leak was discovered in the Linux kernel's recvmsg path for the bluetooth address family. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3224) An information leak was discovered in the Linux kernel's bluetooth rfcomm protocol support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3225) An information leak was discovered in the Linux kernel's CAIF protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3227) An information leak was discovered in the Linux kernel's IRDA (infrared) support subsystem. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3228) An information leak was discovered in the Linux kernel's s390 - z/VM support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3229) An information leak was discovered in the Linux kernel's l2tp (Layer Two Tunneling Protocol) implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3230) An information leak was discovered in the Linux kernel's llc (Logical Link Layer 2) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3231) An information leak was discovered in the Linux kernel's receive message handling for the netrom address family. A local user could exploit this flaw to obtain sensitive information from the kernel's stack memory. (CVE-2013-3232) An information leak was discovered in the Linux kernel's nfc (near field communication) support. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3233) An information leak was discovered in the Linux kernel's Rose X.25 protocol layer. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3234) An information leak was discovered in the Linux kernel's TIPC (Transparent Inter Process Communication) protocol implementation. A local user could exploit this flaw to examine potentially sensitive information from the kernel's stack memory. (CVE-2013-3235). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 66904
    published 2013-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66904
    title Ubuntu 12.10 : linux vulnerabilities (USN-1881-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1292.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-4162, Moderate) * An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2013-2141, Low) Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4162. This update also fixes the following bugs : * A bug in the be2net driver prevented communication between NICs using be2net. This update applies a patch addressing this problem along with several other upstream patches that fix various other problems. Traffic between NICs using the be2net driver now proceeds as expected. (BZ#983864) * A recent patch fixing a problem that prevented communication between NICs using the be2net driver caused the firmware of NICs to become unresponsive, and thus triggered a kernel panic. The problem was caused by unnecessary usage of a hardware workaround that allows skipping VLAN tag insertion. A patch has been applied and the workaround is now used only when the multi-channel configuration is enabled on the NIC. Note that the bug only affected the NICs with firmware version 4.2.xxxx. (BZ#999819) * A bug in the autofs4 mount expiration code could cause the autofs4 module to falsely report a busy tree of NFS mounts as 'not in use'. Consequently, automount attempted to unmount the tree and failed with a 'failed to umount offset' error, leaving the mount tree to appear as empty directories. A patch has been applied to remove an incorrectly used autofs dentry mount check and the aforementioned problem no longer occurs. (BZ#1001488) * A race condition in the be_open function in the be2net driver could trigger the BUG_ON() macro, which resulted in a kernel panic. A patch addressing this problem has been applied and the race condition is now avoided by enabling polling before enabling interrupts globally. The kernel no longer panics in this situation. (BZ#1005239) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 70163
    published 2013-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70163
    title RHEL 5 : kernel (RHSA-2013:1292)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2589.NASL
    description Description of changes: kernel-uek [2.6.32-400.33.4.el6uek] - kernel/signal.c: stop info leak via the tkill and the tgkill syscalls (Emese Revfy) [Orabug: 17951083] {CVE-2013-2141} - ip_output: do skb ufo init for peeked non ufo skb as well (Jiri Pirko) [Orabug: 17951078] {CVE-2013-4470} - KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) (Andy Honig) [Orabug: 17951073] {CVE-2013-6367}
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 71515
    published 2013-12-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71515
    title Oracle Linux 5 / 6 : unbreakable enterprise kernel (ELSA-2013-2589)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2766.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-2141 Emese Revfy provided a fix for an information leak in the tkill and tgkill system calls. A local user on a 64-bit system may be able to gain access to sensitive memory contents. - CVE-2013-2164 Jonathan Salwan reported an information leak in the CD-ROM driver. A local user on a system with a malfunctioning CD-ROM drive could gain access to sensitive memory. - CVE-2013-2206 Karl Heiss reported an issue in the Linux SCTP implementation. A remote user could cause a denial of service (system crash). - CVE-2013-2232 Dave Jones and Hannes Frederic Sowa resolved an issue in the IPv6 subsystem. Local users could cause a denial of service by using an AF_INET6 socket to connect to an IPv4 destination. - CVE-2013-2234 Mathias Krause reported a memory leak in the implementation of PF_KEYv2 sockets. Local users could gain access to sensitive kernel memory. - CVE-2013-2237 Nicolas Dichtel reported a memory leak in the implementation of PF_KEYv2 sockets. Local users could gain access to sensitive kernel memory. - CVE-2013-2239 Jonathan Salwan discovered multiple memory leaks in the openvz kernel flavor. Local users could gain access to sensitive kernel memory. - CVE-2013-2851 Kees Cook reported an issue in the block subsystem. Local users with uid 0 could gain elevated ring 0 privileges. This is only a security issue for certain specially configured systems. - CVE-2013-2852 Kees Cook reported an issue in the b43 network driver for certain Broadcom wireless devices. Local users with uid 0 could gain elevated ring 0 privileges. This is only a security issue for certain specially configured systems. - CVE-2013-2888 Kees Cook reported an issue in the HID driver subsystem. A local user, with the ability to attach a device, could cause a denial of service (system crash). - CVE-2013-2892 Kees Cook reported an issue in the pantherlord HID device driver. Local users with the ability to attach a device could cause a denial of service or possibly gain elevated privileges.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 70200
    published 2013-09-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70200
    title Debian DSA-2766-1 : linux-2.6 - privilege escalation/denial of service/information leak
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1900-1.NASL
    description Dmitry Monakhov reported a race condition flaw the Linux ext4 filesystem that can expose stale data. An unprivileged user could exploit this flaw to cause an information leak. (CVE-2012-4508) An information leak was discovered in the Linux kernel's tkill and tgkill system calls when used from compat processes. A local user could exploit this flaw to examine potentially sensitive kernel memory. (CVE-2013-2141) Kees Cook discovered a format string vulnerability in the Broadcom B43 wireless driver for the Linux kernel. A local user could exploit this flaw to gain administrative privileges. (CVE-2013-2852). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 67191
    published 2013-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67191
    title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1900-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1801.NASL
    description From Red Hat Security Advisory 2013:1801 : Updated kernel packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled sending of certain UDP packets over sockets that used the UDP_CORK option when the UDP Fragmentation Offload (UFO) feature was enabled on the output device. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-4470, Important) * A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A privileged guest user could use this flaw to crash the host. (CVE-2013-6367, Important) * A memory corruption flaw was discovered in the way KVM handled virtual APIC accesses that crossed a page boundary. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-6368, Important) * An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user space. (CVE-2013-2141, Low) Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4470, and Andrew Honig of Google for reporting CVE-2013-6367 and CVE-2013-6368. This update also fixes several bugs and adds two enhancements. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 71387
    published 2013-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71387
    title Oracle Linux 6 : kernel (ELSA-2013-1801)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1801.NASL
    description Updated kernel packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled sending of certain UDP packets over sockets that used the UDP_CORK option when the UDP Fragmentation Offload (UFO) feature was enabled on the output device. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-4470, Important) * A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A privileged guest user could use this flaw to crash the host. (CVE-2013-6367, Important) * A memory corruption flaw was discovered in the way KVM handled virtual APIC accesses that crossed a page boundary. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-6368, Important) * An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user space. (CVE-2013-2141, Low) Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4470, and Andrew Honig of Google for reporting CVE-2013-6367 and CVE-2013-6368. This update also fixes several bugs and adds two enhancements. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71379
    published 2013-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71379
    title CentOS 6 : kernel (CESA-2013:1801)
redhat via4
advisories
rhsa
id RHSA-2013:1801
rpms
  • kernel-0:2.6.18-348.18.1.el5
  • kernel-PAE-0:2.6.18-348.18.1.el5
  • kernel-PAE-devel-0:2.6.18-348.18.1.el5
  • kernel-debug-0:2.6.18-348.18.1.el5
  • kernel-debug-devel-0:2.6.18-348.18.1.el5
  • kernel-devel-0:2.6.18-348.18.1.el5
  • kernel-doc-0:2.6.18-348.18.1.el5
  • kernel-headers-0:2.6.18-348.18.1.el5
  • kernel-kdump-0:2.6.18-348.18.1.el5
  • kernel-kdump-devel-0:2.6.18-348.18.1.el5
  • kernel-xen-0:2.6.18-348.18.1.el5
  • kernel-xen-devel-0:2.6.18-348.18.1.el5
  • kernel-0:2.6.32-431.1.2.el6
  • kernel-abi-whitelists-0:2.6.32-431.1.2.el6
  • kernel-bootwrapper-0:2.6.32-431.1.2.el6
  • kernel-debug-0:2.6.32-431.1.2.el6
  • kernel-debug-devel-0:2.6.32-431.1.2.el6
  • kernel-devel-0:2.6.32-431.1.2.el6
  • kernel-doc-0:2.6.32-431.1.2.el6
  • kernel-firmware-0:2.6.32-431.1.2.el6
  • kernel-headers-0:2.6.32-431.1.2.el6
  • kernel-kdump-0:2.6.32-431.1.2.el6
  • kernel-kdump-devel-0:2.6.32-431.1.2.el6
  • perf-0:2.6.32-431.1.2.el6
  • python-perf-0:2.6.32-431.1.2.el6
refmap via4
confirm
debian DSA-2766
mandriva MDVSA-2013:176
mlist [oss-security] 20130604 Re: CVE Request: kernel info leak in tkill/tgkill
secunia 55055
suse openSUSE-SU-2013:1971
ubuntu
  • USN-1899-1
  • USN-1900-1
Last major update 03-01-2014 - 23:46
Published 07-06-2013 - 10:03
Last modified 08-01-2018 - 21:29
Back to Top