ID CVE-2012-1601
Summary The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists.
References
Vulnerable Configurations
  • Linux Kernel 3.3.5
    cpe:2.3:o:linux:linux_kernel:3.3.5
CVSS
Base: 4.9 (as of 17-05-2012 - 13:42)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20120521_KVM_ON_SL5_X.NASL
    description KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Scientific Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. (CVE-2012-1601) A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121) This update also fixes the following bug : - An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver. All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61315
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61315
    title Scientific Linux Security Update : kvm on SL5.x x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1445-1.NASL
    description A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-4086) A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For application on which fscaps are in use a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 59188
    published 2012-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59188
    title Ubuntu 10.04 LTS : linux vulnerabilities (USN-1445-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0287-1.NASL
    description This is a SUSE Linux Enterprise Server 11 SP1 LTSS roll up update to fix a lot of security issues and non-security bugs. The following security bugs have been fixed : CVE-2011-3593: A certain Red Hat patch to the vlan_hwaccel_do_receive function in net/8021q/vlan_core.c in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows remote attackers to cause a denial of service (system crash) via priority-tagged VLAN frames. (bnc#735347) CVE-2012-1601: The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists. (bnc#754898) CVE-2012-2137: Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function. (bnc#767612) CVE-2012-2372: The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interfaces own IP address, as demonstrated by rds-ping. (bnc#767610) CVE-2012-2745: The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call. (bnc#770695) CVE-2012-3375: The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083. (bnc#769896) CVE-2012-3412: The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value. (bnc#774523) CVE-2012-3430: The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket. (bnc#773383) CVE-2012-3511: Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call. (bnc#776885) CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. (bnc#789831) CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#786013) CVE-2012-4565: The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats. (bnc#787576) CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6538: The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux kernel before 3.6 uses an incorrect C library function for copying a string, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891) CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892) CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893) CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894) CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898) CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. (bnc#809899) CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900) CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901) CVE-2012-6548: The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809902) CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903) CVE-2013-0160: The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. (bnc#797175) CVE-2013-0216: The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (bnc#800280)(XSA-39) CVE-2013-0231: The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third-party information. (bnc#801178)(XSA-43) CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. (bnc#802642) CVE-2013-0310: The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call. (bnc#804653) CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226) CVE-2013-0349: The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call. (bnc#805227) CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. (bnc#804154) CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827) CVE-2013-1767: Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (bnc#806138) CVE-2013-1773: Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion. (bnc#806977) CVE-2013-1774: The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (bnc#806976) CVE-2013-1792: Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (bnc#808358) CVE-2013-1796: The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (bnc#806980) CVE-2013-1797: Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (bnc#806980) CVE-2013-1798: The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (bnc#806980) CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. (bnc#811354) CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. (bnc#813735) CVE-2013-1943: The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guests physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c. (bnc#828012) CVE-2013-2015: The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test. (bnc#817377) CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (bnc#823267) CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. (bnc#823260) CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295) CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750) CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (bnc#827749) CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119) CVE-2013-2634: net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#810473) CVE-2013-2851: Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (bnc#822575) CVE-2013-2852: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. (bnc#822579) CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839) CVE-2013-2889: drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2892: drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839) CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839) CVE-2013-2929: The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. (bnc#847652) CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3225: The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-4345: Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data. (bnc#840226) CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321) CVE-2013-4511: Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c. (bnc#849021) CVE-2013-4587: Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (bnc#853050) CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095) CVE-2013-4591: Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a getxattr system call for the system.nfs4_acl extended attribute of a pathname on an NFSv4 filesystem. (bnc#851103) CVE-2013-6367: The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (bnc#853051) CVE-2013-6368: The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (bnc#853052) CVE-2013-6378: The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (bnc#852559) CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558) CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) Also the following non-security bugs have been fixed : - x86: Clear HPET configuration registers on startup (bnc#748896). - sched: fix divide by zero in task_utime() (bnc#761774). - sched: Fix pick_next_highest_task_rt() for cgroups (bnc#760596). - mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables. - mm: hugetlbfs: Correctly detect if page tables have just been shared. (Fix bad PMD message displayed while using hugetlbfs (bnc#762366)). - cpumask: Partition_sched_domains takes array of cpumask_var_t (bnc#812364). - cpumask: Simplify sched_rt.c (bnc#812364). - kabi: protect bind_conflict callback in struct inet_connection_sock_af_ops (bnc#823618). - memcg: fix init_section_page_cgroup pfn alignment (bnc#835481). - tty: fix up atime/mtime mess, take three (bnc#797175). - tty: fix atime/mtime regression (bnc#815745). - ptrace: ptrace_resume() should not wake up !TASK_TRACED thread (bnc#804154). - kbuild: Fix gcc -x syntax (bnc#773831). - ftrace: Disable function tracing during suspend/resume and hibernation, again (bnc#768668). proc: fix pagemap_read() error case (bnc#787573). net: Upgrade device features irrespective of mask (bnc#715250). - tcp: bind() fix autoselection to share ports (bnc#823618). - tcp: bind() use stronger condition for bind_conflict (bnc#823618). - tcp: ipv6: bind() use stronger condition for bind_conflict (bnc#823618). - netfilter: use RCU safe kfree for conntrack extensions (bnc#827416). - netfilter: prevent race condition breaking net reference counting (bnc#835094). - netfilter: send ICMPv6 message on fragment reassembly timeout (bnc#773577). - netfilter: fix sending ICMPv6 on netfilter reassembly timeout (bnc#773577). - tcp_cubic: limit delayed_ack ratio to prevent divide error (bnc#810045). bonding: in balance-rr mode, set curr_active_slave only if it is up (bnc#789648). scsi: Add 'eh_deadline' to limit SCSI EH runtime (bnc#798050). - scsi: Allow error handling timeout to be specified (bnc#798050). - scsi: Fixup compilation warning (bnc#798050). - scsi: Retry failfast commands after EH (bnc#798050). - scsi: Warn on invalid command completion (bnc#798050). - scsi: Always retry internal target error (bnc#745640, bnc#825227). - scsi: kABI fixes (bnc#798050). - scsi: remove check for 'resetting' (bnc#798050). - scsi: Eliminate error handler overload of the SCSI serial number (bnc#798050). - scsi: Reduce error recovery time by reducing use of TURs (bnc#798050). - scsi: Reduce sequential pointer derefs in scsi_error.c and reduce size as well (bnc#798050). - scsi: cleanup setting task state in scsi_error_handler() (bnc#798050). - scsi: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations) (bnc#798050). scsi: fix id computation in scsi_eh_target_reset() (bnc#798050). advansys: Remove 'last_reset' references (bnc#798050). - dc395: Move 'last_reset' into internal host structure (bnc#798050). - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050). - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset (bnc#798050). - fc class: fix scanning when devs are offline (bnc#798050). tmscsim: Move 'last_reset' into host structure (bnc#798050). st: Store page order before driver buffer allocation (bnc#769644). - st: Increase success probability in driver buffer allocation (bnc#769644). st: work around broken __bio_add_page logic (bnc#769644). avoid race by ignoring flush_time in cache_check (bnc#814363). writeback: remove the internal 5% low bound on dirty_ratio - writeback: skip balance_dirty_pages() for in-memory fs (Do not dirty throttle ram-based filesystems (bnc#840858)). writeback: Do not sync data dirtied after sync start (bnc#833820). blkdev_max_block: make private to fs/buffer.c (bnc#820338). - vfs: avoid 'attempt to access beyond end of device' warnings (bnc#820338). vfs: fix O_DIRECT read past end of block device (bnc#820338). lib/radix-tree.c: make radix_tree_node_alloc() work correctly within interrupt (bnc#763463). xfs: allow writeback from kswapd (bnc#826707). - xfs: skip writeback from reclaim context (bnc#826707). - xfs: Serialize file-extending direct IO (bnc#818371). - xfs: Avoid pathological backwards allocation (bnc#805945). xfs: fix inode lookup race (bnc#763463). cifs: clarify the meaning of tcpStatus == CifsGood (bnc#776024). cifs: do not allow cifs_reconnect to exit with NULL socket pointer (bnc#776024). ocfs2: Add a missing journal credit in ocfs2_link_credits() -v2 (bnc#773320). usb: Fix deadlock in hid_reset when Dell iDRAC is reset (bnc#814716). usb: xhci: Fix command completion after a drop endpoint (bnc#807320). netiucv: Hold rtnl between name allocation and device registration (bnc#824159). rwsem: Test for no active locks in __rwsem_do_wake undo code (bnc#813276). nfs: NFSv3/v2: Fix data corruption with NFS short reads (bnc#818337). - nfs: Allow sec=none mounts in certain cases (bnc#795354). - nfs: Make nfsiod a multi-thread queue (bnc#815352). - nfs: increase number of permitted callback connections (bnc#771706). - nfs: Fix Oops in nfs_lookup_revalidate (bnc#780008). - nfs: do not allow TASK_KILLABLE sleeps to block the freezer (bnc#775182). nfs: Avoid race in d_splice_alias and vfs_rmdir (bnc#845028). svcrpc: take lock on turning entry NEGATIVE in cache_check (bnc#803320). - svcrpc: ensure cache_check caller sees updated entry (bnc#803320). - sunrpc/cache: remove races with queuing an upcall (bnc#803320). - sunrpc/cache: use cache_fresh_unlocked consistently and correctly (bnc#803320). - sunrpc/cache: ensure items removed from cache do not have pending upcalls (bnc#803320). - sunrpc/cache: do not schedule update on cache item that has been replaced (bnc#803320). sunrpc/cache: fix test in try_to_negate (bnc#803320). xenbus: fix overflow check in xenbus_dev_write(). - x86: do not corrupt %eip when returning from a signal handler. - scsiback/usbback: move cond_resched() invocations to proper place. netback: fix netbk_count_requests(). dm: add dm_deleting_md function (bnc#785016). - dm: bind new table before destroying old (bnc#785016). - dm: keep old table until after resume succeeded (bnc#785016). dm: rename dm_get_table to dm_get_live_table (bnc#785016). drm/edid: Fix up partially corrupted headers (bnc#780004). drm/edid: Retry EDID fetch up to four times (bnc#780004). i2c-algo-bit: Fix spurious SCL timeouts under heavy load (bnc#780004). hpilo: remove pci_disable_device (bnc#752544). mptsas: handle 'Initializing Command Required' ASCQ (bnc#782178). mpt2sas: Fix race on shutdown (bnc#856917). ipmi: decrease the IPMI message transaction time in interrupt mode (bnc#763654). - ipmi: simplify locking (bnc#763654). ipmi: use a tasklet for handling received messages (bnc#763654). bnx2x: bug fix when loading after SAN boot (bnc#714906). bnx2x: previous driver unload revised (bnc#714906). ixgbe: Address fact that RSC was not setting GSO size for incoming frames (bnc#776144). ixgbe: pull PSRTYPE configuration into a separate function (bnc#780572 bnc#773640 bnc#776144). e1000e: clear REQ and GNT in EECD (82571 && 82572) (bnc#762099). hpsa: do not attempt to read from a write-only register (bnc#777473). aio: Fixup kABI for the aio-implement-request-batching patch (bnc#772849). - aio: bump i_count instead of using igrab (bnc#772849). aio: implement request batching (bnc#772849). Driver core: Do not remove kobjects in device_shutdown (bnc#771992). resources: fix call to alignf() in allocate_resource() (bnc#744955). - resources: when allocate_resource() fails, leave resource untouched (bnc#744955). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83611
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83611
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2012-0042.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix bug number for commit 'cciss: Update HPSA_BOUNDARY' (Joe Jin) [Orabug: 14681166] - cciss: Update HPSA_BOUNDARY. (Joe Jin) [Orabug: 14319765] - KVM: introduce kvm_for_each_memslot macro (Maxim Uvarov) [Bugdb: 13966] - dl2k: Clean up rio_ioctl (Jeff Mahoney) [Orabug: 14126896] (CVE-2012-2313) - NFSv4: include bitmap in nfsv4 get acl data (Andy Adamson) (CVE-2011-4131) - KVM: Fix buffer overflow in kvm_set_irq (Avi Kivity) [Bugdb: 13966] (CVE-2012-2137) - net: sock: validate data_len before allocating skb in sock_alloc_send_pskb (Jason Wang) [Bugdb: 13966] (CVE-2012-2136) - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition (Andrea Arcangeli) [Bugdb: 13966] (CVE-2012-2373) - KVM: lock slots_lock around device assignment (Alex Williamson) [Bugdb: 13966] (CVE-2012-2121) - KVM: unmap pages from the iommu when slots are removed (Maxim Uvarov) [Bugdb: 13966] (CVE-2012-2121) - fcaps: clear the same personality flags as suid when fcaps are used (Eric Paris) [Bugdb: 13966] (CVE-2012-2123) - tilegx: enable SYSCALL_WRAPPERS support (Chris Metcalf) (CVE-2009-0029) - drm/i915: fix integer overflow in i915_gem_do_execbuffer (Xi Wang) [Orabug: 14107456] (CVE-2012-2384) - drm/i915: fix integer overflow in i915_gem_execbuffer2 (Xi Wang) [Orabug: 14107445] (CVE-2012-2383) - [dm] do not forward ioctls from logical volumes to the underlying device (Joe Jin) (CVE-2011-4127) - [block] fail SCSI passthrough ioctls on partition devices (Joe Jin) (CVE-2011-4127) - [block] add and use scsi_blk_cmd_ioctl (Joe Jin) [Orabug: 14056755] (CVE-2011-4127) - KVM: Ensure all vcpus are consistent with in-kernel irqchip settings (Avi Kivity) [Bugdb: 13871] (CVE-2012-1601) - regset: Return -EFAULT, not -EIO, on host-side memory fault (H. Peter Anvin) (CVE-2012-1097) - regset: Prevent null pointer reference on readonly regsets (H. Peter Anvin) (CVE-2012-1097) - cifs: fix dentry refcount leak when opening a FIFO on lookup (Jeff Layton) (CVE-2012-1090) - mm: thp: fix pmd_bad triggering in code paths holding mmap_sem read mode (Andrea Arcangeli) (CVE-2012-1179) - ext4: fix undefined behavior in ext4_fill_flex_info (Xi Wang) (CVE-2009-4307) - ocfs2: clear unaligned io flag when dio fails (Junxiao Bi) [Orabug: 14063941] - aio: make kiocb->private NUll in init_sync_kiocb (Junxiao Bi) [Orabug: 14063941] - igb: Fix for Alt MAC Address feature on 82580 and later devices (Carolyn Wyborny) [Orabug: 14258706] - igb: Alternate MAC Address Updates for Func2&3 (Akeem G. Abodunrin) [Orabug: 14258706] - igb: Alternate MAC Address EEPROM Updates (Akeem G. Abodunrin) [Orabug: 14258706] - cciss: only enable cciss_allow_hpsa when for ol5 (Joe Jin) [Orabug: 14106006] - Revert 'cciss: remove controllers supported by hpsa' (Joe Jin) [Orabug: 14106006] - [scsi] hpsa: add all support devices for ol5 (Joe Jin) [Orabug: 14106006] - Disable VLAN 0 tagging for none VLAN traffic (Adnan Misherfi) [Orabug: 14406424] - x86: Add Xen kexec control code size check to linker script (Daniel Kiper) - drivers/xen: Export vmcoreinfo through sysfs (Daniel Kiper) - x86/xen/enlighten: Add init and crash kexec/kdump hooks (Maxim Uvarov) - x86/xen: Add kexec/kdump makefile rules (Daniel Kiper) - x86/xen: Add x86_64 kexec/kdump implementation (Daniel Kiper) - x86/xen: Add placeholder for i386 kexec/kdump implementation (Daniel Kiper) - x86/xen: Register resources required by kexec-tools (Daniel Kiper) - x86/xen: Introduce architecture dependent data for kexec/kdump (Daniel Kiper) - xen: Introduce architecture independent data for kexec/kdump (Daniel Kiper) - x86/kexec: Add extra pointers to transition page table PGD, PUD, PMD and PTE (Daniel Kiper) - kexec: introduce kexec_ops struct (Daniel Kiper) - SPEC: replace DEFAULTKERNEL from kernel-ovs to kernel-uek
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 79484
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79484
    title OracleVM 3.1 : kernel-uek (OVMSA-2012-0042)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0676.NASL
    description Updated kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. (CVE-2012-1601) A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121) This update also fixes the following bug : * An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver. (BZ#816207) All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 64037
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64037
    title RHEL 5 : kvm (RHSA-2012:0676)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-2013.NASL
    description Description of changes: * CVE-2011-4086: Denial of service in journaling block device. The journal block device assumed that a buffer marked as unwritten or delay could be live without checking if the buffer was mapped. An unprivileged local user could use this flaw to crash the system. * CVE-2012-1601: Denial of service in KVM VCPU creation. Inconsistent state in the creation of KVM virtual CPU's could lead to NULL pointer dereferences. A unprivileged local user could use this flaw to crash the system. [2.6.39-100.7.1.el6uek] - KVM: Ensure all vcpus are consistent with in-kernel irqchip settings (Avi Kivity) [Bugdb: 13871] {CVE-2012-1601} - jbd2: clear BH_Delay BH_Unwritten in journal_unmap_buffer (Eric Sandeen) [Bugdb: 13871] {CVE-2011-4086}
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 68673
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68673
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2013)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1470-1.NASL
    description Andy Adamson discovered a flaw in the Linux kernel's NFSv4 implementation. A remote NFS server (attacker) could exploit this flaw to cause a denial of service. (CVE-2011-4131) A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For application on which fscaps are in use a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123) Schacher Raindel discovered a flaw in the Linux kernel's memory handling when hugetlb is enabled. An unprivileged local attacker could exploit this flaw to cause a denial of service and potentially gain higher privileges. (CVE-2012-2133). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59474
    published 2012-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59474
    title Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1470-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0571.NASL
    description From Red Hat Security Advisory 2012:0571 : Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4086, Moderate) * A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A local, unprivileged user on a KVM host could use this flaw to crash the host. (CVE-2012-1601, Moderate) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68526
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68526
    title Oracle Linux 6 : kernel (ELSA-2012-0571)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KERNEL-121203.NASL
    description The SUSE Linux Enterprise 11 SP2 kernel has been updated to 3.0.51 which fixes various bugs and security issues. It contains the following feature enhancements : - The cachefiles framework is now supported (FATE#312793, bnc#782369). The userland utilities were published seperately to support this feature. - The ipset netfilter modules are now supported (FATE#313309) The ipset userland utility will be published seperately to support this feature. - The tipc kernel module is now externally supported (FATE#305033). - Hyper-V KVP IP injection was implemented (FATE#314441). A seperate hyper-v package will be published to support this feature. - Intel Lynx Point PCH chipset support was added. (FATE#313409) - Enable various md/raid10 and DASD enhancements. (FATE#311379) These make it possible for RAID10 to cope with DASD devices being slow for various reasons - the affected device will be temporarily removed from the array. Also added support for reshaping of RAID10 arrays. mdadm changes will be published to support this feature. The following security issues have been fixed : - A race condition on hot adding memory could be used by local attackers to crash the system during hot adding new memory. (CVE-2012-5517) - A flaw has been found in the way Linux kernels KVM subsystem handled vcpu->arch.cr4 X86_CR4_OSXSAVE bit set upon guest enter. On hosts without the XSAVE feature and using qemu userspace an unprivileged local user could have used this flaw to crash the system. (CVE-2012-4461) - The KVM implementation in the Linux kernel allowed host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists. (CVE-2012-1601) - Attempting an rds connection from the IP address of an IPoIB interface to itself causes a kernel panic due to a BUG_ON() being triggered. Making the test less strict allows rds-ping to work without crashing the machine. A local unprivileged user could use this flaw to crash the sytem. (CVE-2012-2372) - Dimitry Monakhov, one of the ext4 developers, has discovered a race involving asynchronous I/O and fallocate which can lead to the exposure of stale data --- that is, an extent which should have had the 'uninitialized' bit set indicating that its blocks have not yet been written and thus contain data from a deleted file will get exposed to anyone with read access to the file. (CVE-2012-4508) - The rds_recvmsg function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket. (CVE-2012-3430) - The sfc (aka Solarflare Solarstorm) driver in the Linux kernel allowed remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value. (CVE-2012-3412) The following non-security issues have been fixed : BTRFS : - btrfs: fix double mntput() in mount_subvol(). - btrfs: use common work instead of delayed work - btrfs: limit fallocate extent reservation to 256MB - btrfs: fix a double free on pending snapshots in error handling - btrfs: Do not trust the superblock label and simply printk('%s') it - patches.suse/btrfs-update-message-levels.patch: Refresh. - patches.suse/btrfs-enospc-debugging-messages.patch: Minor updates. - patches.suse/btrfs-update-message-levels.patch: Minor updates. - btrfs: continue after abort during snapshot drop. (bnc#752067) - btrfs: Return EINVAL when length to trim is less than FSB. - btrfs: fix unnecessary while loop when search the free space, cache. - btrfs: Use btrfs_update_inode_fallback when creating a snapshot. - btrfs: do not bug when we fail to commit the transaction. - btrfs: fill the global reserve when unpinning space. - btrfs: do not allow degraded mount if too many devices are missing. - patches.suse/btrfs-8112-resume-balance-on-rw-re-mounts-p roperly.patch: fix mismerge. - btrfs: do not allocate chunks as agressively. - btrfs: btrfs_drop_extent_cache should never fail. - btrfs: fix full backref problem when inserting shared block reference. - btrfs: wait on async pages when shrinking delalloc. - btrfs: remove bytes argument from do_chunk_alloc. - btrfs: cleanup of error processing in btree_get_extent(). - btrfs: remove unnecessary code in btree_get_extent(). - btrfs: kill obsolete arguments in btrfs_wait_ordered_extents. - btrfs: do not do anything in our ->freeze_fs and ->unfreeze_fs. - btrfs: do not async metadata csumming in certain situations. - btrfs: do not hold the file extent leaf locked when adding extent item. - btrfs: cache extent state when writing out dirty metadata pages. - btrfs: do not lookup csums for prealloc extents. - btrfs: be smarter about dropping things from the tree log. - btrfs: confirmation of value is added before trace_btrfs_get_extent() is called. - btrfs: make filesystem read-only when submitting barrier fails. - btrfs: cleanup pages properly when ENOMEM in compression. - btrfs: do not bug on enomem in readpage. - btrfs: do not warn_on when we cannot alloc a page for an extent buffer. - btrfs: enospc debugging messages. S/390 : - smsgiucv: reestablish IUCV path after resume (bnc#786976,LTC#86245). - dasd: move wake_up call (bnc#786976,LTC#86252). - kernel: fix get_user_pages_fast() page table walk (bnc#786976,LTC#86307). - qeth: Fix IPA_CMD_QIPASSIST return code handling (bnc#785851,LTC#86101). - mm: Fix XFS oops due to dirty pages without buffers on s390. (bnc#762259) - zfcp: only access zfcp_scsi_dev for valid scsi_device (bnc#781484,LTC#85285). - dasd: check count address during online setting (bnc#781484,LTC#85346). - hugetlbfs: fix deadlock in unmap_hugepage_range() (bnc#781484,LTC#85449). - kernel: make user-access pagetable walk code huge page aware (bnc#781484,LTC#85455). - hugetlbfs: add missing TLB invalidation (bnc#781484,LTC#85463). - zfcp: fix adapter (re)open recovery while link to SAN is down (bnc#789010,LTC#86283). - qeth: set new mac even if old mac is gone (bnc#789010,LTC#86643). - qdio: fix kernel panic for zfcp 31-bit (bnc#789010,LTC#86623). - crypto: msgType50 (RSA-CRT) Fix (bnc#789010,LTC#86378). DRM : - drm/915: Update references, fixed a missing patch chunk. (bnc#725355) - drm/dp: Document DP spec versions for various DPCD registers. (bnc#780461) - drm/dp: Make sink count DP 1.2 aware. (bnc#780461) - DRM/i915: Restore sdvo_flags after dtd->mode->dtd Roundrtrip. (bnc#775577) - DRM/i915: Do not clone SDVO LVDS with analog. (bnc#766410) - DRM/radeon: For single CRTC GPUs move handling of CRTC_CRT_ON to crtc_dpms(). (bnc#725152) - DRM/Radeon: Fix TV DAC Load Detection for single CRTC chips. (bnc#725152) - DRM/Radeon: Clean up code in TV DAC load detection. (bnc#725152) - DRM/Radeon: On DVI-I use Load Detection when EDID is bogus. (bnc#725152) - DRM/Radeon: Fix primary DAC Load Detection for RV100 chips. (bnc#725152) - DRM/Radeon: Fix Load Detection on legacy primary DAC. (bnc#725152) - drm/i915: enable plain RC6 on Sandy Bridge by default (bnc#725355). Hyper-V : - Hyper-V KVP IP injection (fate#31441) : - drivers: net: Remove casts to same type. - drivers: hv: remove IRQF_SAMPLE_RANDOM which is now a no-op. - hyperv: Move wait completion msg code into rndis_filter_halt_device(). - hyperv: Add comments for the extended buffer after RNDIS message. - Drivers: hv: Cleanup the guest ID computation. - Drivers: hv: vmbus: Use the standard format string to format GUIDs. - Drivers: hv: Add KVP definitions for IP address injection. - Drivers: hv: kvp: Cleanup error handling in KVP. - Drivers: hv: kvp: Support the new IP injection messages. - Tools: hv: Prepare to expand kvp_get_ip_address() functionality. - Tools: hv: Further refactor kvp_get_ip_address(). - Tools: hv: Gather address family information. - Tools: hv: Gather subnet information. - Tools: hv: Represent the ipv6 mask using CIDR notation. - Tools: hv: Gather ipv[4,6] gateway information. - hv: fail the probing immediately when we are not in hyperv platform. - hv: vmbus_drv: detect hyperv through x86_hyper. - Tools: hv: Get rid of some unused variables. - Tools: hv: Correctly type string variables. - Tools: hv: Add an example script to retrieve DNS entries. - Tools: hv: Gather DNS information. - Drivers: hv: kvp: Copy the address family information. - Tools: hv: Add an example script to retrieve dhcp state. - Tools: hv: Gather DHCP information. - Tools: hv: Add an example script to configure an interface. - Tools: hv: Implement the KVP verb - KVP_OP_SET_IP_INFO. - Tools: hv: Rename the function kvp_get_ip_address(). - Tools: hv: Implement the KVP verb - KVP_OP_GET_IP_INFO. - tools/hv: Fix file handle leak. - tools/hv: Fix exit() error code. - tools/hv: Check for read/write errors. - tools/hv: Parse /etc/os-release. - hyperv: Fix the max_xfer_size in RNDIS initialization. - hyperv: Fix the missing return value in rndis_filter_set_packet_filter(). - hyperv: Fix page buffer handling in rndis_filter_send_request(). - hyperv: Remove extra allocated space for recv_pkt_list elements. - hyperv: Report actual status in receive completion packet. - hyperv: Add buffer for extended info after the RNDIS response message. Other : - net: prevent NULL dereference in check_peer_redir(). (bnc#776044 / bnc#784576) - patches.fixes/mm-hotplug-correctly-add-zone-to-other-nod es-list.patch: Refresh. - igb: fix recent VLAN changes that would leave VLANs disabled after reset. (bnc#787168) - md: Change goto target to avoid pointless bug messages in normal error cases. (bnc#787848) - intel_idle: IVB support (fate#313719). - x86 cpufreq: Do not complain on missing cpufreq tables on ProLiants. (bnc#787202) - hpilo: remove pci_disable_device. (bnc#752544) - ixgbe: Address fact that RSC was not setting GSO size for incoming frames. (bnc#776144) - hv: Cleanup error handling in vmbus_open(). - [SCSI] storvsc: Account for in-transit packets in the RESET path. - sg: remove sg_mutex. (bnc#785496) - perf: Do no try to schedule task events if there are none. (bnc#781574) - perf: Do not set task_ctx pointer in cpuctx if there are no events in the context. (bnc#781574) - mm: swap: Implement generic handlers for swap-related address ops fix. (bnc#778334) - hpwdt: Only BYTE reads/writes to WD Timer port 0x72. - xenbus: fix overflow check in xenbus_dev_write(). - xen/x86: do not corrupt %eip when returning from a signal handler. - Update Xen patches to 3.0.46. - Update Xen patches to 3.0.51. - mm: Check if PTE is already allocated during page fault. - rpm/kernel-binary.spec.in: Revert f266e647f to allow building with icecream again, as patches.rpmify/kbuild-fix-gcc-x-syntax.patch is a real fix now. - ipmi: decrease the IPMI message transaction time in interrupt mode. (bnc#763654) - ipmi: simplify locking. (bnc#763654) - ipmi: use a tasklet for handling received messages. (bnc#763654) - cxgb3: Set vlan_feature on net_device (bnc#776127, LTC#84260). - qlge: Add offload features to vlan interfaces (bnc#776081,LTC#84322). - mlx4_en: Added missing iounmap upon releasing a device (bnc#774964,LTC#82768). - mlx4: allow device removal by fixing dma unmap size (bnc#774964,LTC#82768). - qeth: fix deadlock between recovery and bonding driver (bnc#785100,LTC#85905). - SCSI st: add st_nowait_eof param to module. (bnc#775394) - patches.fixes/sched-fix-migration-thread-accounting-woes .patch: Update references. (bnc#773699, bnc#769251) - memcg: oom: fix totalpages calculation for swappiness==0. (bnc#783965) - fs: cachefiles: add support for large files in filesystem caching (FATE#312793, bnc#782369). - mm/mempolicy.c: use enum value MPOL_REBIND_ONCE in mpol_rebind_policy(). - mm, mempolicy: fix mbind() to do synchronous migration. - revert 'mm: mempolicy: Let vma_merge and vma_split handle vma->vm_policy linkages'. - mempolicy: fix a race in shared_policy_replace(). - mempolicy: fix refcount leak in mpol_set_shared_policy(). - mempolicy: fix a memory corruption by refcount imbalance in alloc_pages_vma(). - mempolicy: remove mempolicy sharing. Memory policy enhancements for robustness against fuzz attacks and force mbind to use synchronous migration. - Update scsi_dh_alua to mainline version (bnc#708296, bnc#784334) : - scsi_dh_alua: Enable STPG for unavailable ports - scsi_dh_alua: Re-enable STPG for unavailable ports - scsi_dh_alua: backoff alua rtpg retry linearly vs. geometrically - scsi_dh_alua: implement implied transition timeout - scsi_dh_alua: retry alua rtpg extended header for illegal request response - Revert removal of ACPI procfs entries. (bnc#777283) - x86: Clear HPET configuration registers on startup. (bnc#748896) - mlx4: Fixed build warning, update references (bnc#774500,LTC#83966). - xen/frontends: handle backend CLOSED without CLOSING. - xen/pciback: properly clean up after calling pcistub_device_find(). - xen/netfront: add netconsole support (bnc#763858 fate#313830). - netfilter: nf_conntrack_ipv6: fix tracking of ICMPv6 error messages containing fragments. (bnc#779750) - ipv6, xfrm: use conntrack-reassembled packet for policy lookup. (bnc#780216) - inetpeer: add namespace support for inetpeer. (bnc#779969) - inetpeer: add parameter net for inet_getpeer_v4,v6. (bnc#779969) - inetpeer: make unused_peers list per-netns. (bnc#779969) - kABI: use net_generic to protect struct netns_ipv{4,6}. (bnc#779969) - patches.rpmify/kbuild-fix-gcc-x-syntax.patch: kbuild: Fix gcc -x syntax. (bnc#773831) - patches.suse/supported-flag: Re-enabled warning on unsupported module loading. - nbd: clear waiting_queue on shutdown. (bnc#778630) - nohz: fix idle ticks in cpu summary line of /proc/stat (follow up fix for bnc#767469, bnc#705551). - fix TAINT_NO_SUPPORT handling on module load. - NFS: Fix Oopses in nfs_lookup_revalidate and nfs4_lookup_revalidate. (bnc#780008) - svcrpc: fix svc_xprt_enqueue/svc_recv busy-looping (bnc@779462). - net: do not disable sg for packets requiring no checksum. (bnc#774859) - sfc: prevent extreme TSO parameters from stalling TX queues. (bnc#774523 / CVE-2012-3412) - X86 MCE: Fix correct ring/severity identification in V86 case. (bnc#773267) - scsi_dh_rdac: Add a new netapp vendor/product string. (bnc#772483) - scsi_dh_rdac : Consolidate rdac strings together. (bnc#772483) - scsi_dh_rdac : minor return fix for rdac. (bnc#772483) - dh_rdac: Associate HBA and storage in rdac_controller to support partitions in storage. (bnc#772454) - scsi_dh_rdac: Fix error path. (bnc#772454) - scsi_dh_rdac: Fix for unbalanced reference count. (bnc#772454) - sd: Ensure we correctly disable devices with unknown protection type. (bnc#780876) - netfilter: ipset: timeout can be modified for already added elements. (bnc#790457) - netfilter: ipset: fix adding ranges to hash types. (bnc#790498) - workqueue: exit rescuer_thread() as TASK_RUNNING. (bnc#789993) - xhci: Add Lynx Point LP to list of Intel switchable hosts. (bnc#791853) - tg3: Introduce separate functions to allocate/free RX/TX rings. (bnc#785554) - net-next: Add netif_get_num_default_rss_queues. (bnc#785554) - tg3: set maximal number of default RSS queues. (bnc#785554) - tg3: Allow number of rx and tx rings to be set independently. (bnc#785554) - tg3: Separate coalescing setup for rx and tx. (bnc#785554) - tg3: Refactor tg3_open(). (bnc#785554) - tg3: Refactor tg3_close(). (bnc#785554) - tg3: Add support for ethtool -L|-l to get/set the number of rings. (bnc#785554) - tg3: Disable multiple TX rings by default due to hardware flaw. (bnc#785554) - x86, microcode, AMD: Add support for family 16h processors (bnc#791498,fate#314145). - scsi_remove_target: fix softlockup regression on hot remove. (bnc#789836) - autofs4: allow autofs to work outside the initial PID namespace. (bnc#779294) - autofs4: translate pids to the right namespace for the daemon. (bnc#779294) - vfs: dont chain pipe/anon/socket on superblock s_inodes list. (bnc#789703) - reiserfs: fix problems with chowning setuid file w/ xattrs. (bnc#790920) - reiserfs: fix double-lock while chowning setuid file w/ xattrs. (bnc#790920) - ALSA: hda - Fix SSYNC register value for non-Intel controllers (fate#313409,bnc#760833). - ALSA: hda: option to enable arbitrary buffer/period sizes (fate#313409,bnc#760833). - ALSA: hda - Fix buffer-alignment regression with Nvidia HDMI (fate#313409,bnc#760833). - ALSA: hda - explicitly set buffer-align flag for Nvidia controllers (fate#313409,bnc#760833). - ALSA: hda - Add Lynx Point HD Audio Controller DeviceIDs (fate#313409,bnc#760833). - ALSA: hda_intel: Add Device IDs for Intel Lynx Point-LP PCH (fate#313409,bnc#760833). - USB: OHCI: workaround for hardware bug: retired TDs not added to the Done Queue. (bnc#762158) - watchdog: iTCO_wdt: clean-up PCI device IDs (fate#313409, bnc#760833). - watchdog: iTCO_wdt: add Intel Lynx Point DeviceIDs (fate#313409, bnc#760833). - ahci: AHCI-mode SATA patch for Intel Lynx Point DeviceIDs (fate#313409, bnc#760833). - ata_piix: IDE-mode SATA patch for Intel Lynx Point DeviceIDs (fate#313409, bnc#760833). - i2c-i801: Add device IDs for Intel Lynx Point (fate#313409, bnc#760833). - jbd: Fix lock ordering bug in journal_unmap_buffer(). (bnc#790935) - usb: host: xhci: Fix Compliance Mode on SN65LVPE502CP Hardware. (bnc#788277) - usb: host: xhci: Fix NULL pointer dereferencing with 71c731a for non-x86 systems. (bnc#788277) - Do not remove fillup from the buildsystem. (bnc#781327) - ibmvfc: Fix double completion on abort timeout. (bnc#788452) - ibmvfc: Ignore fabric RSCNs when link is dead. (bnc#788452) - fs: only send IPI to invalidate LRU BH when needed. (bnc#763628 / bnc#744692) - smp: add func to IPI cpus based on parameter func. (bnc#763628 / bnc#744692) - smp: introduce a generic on_each_cpu_mask() function. (bnc#763628 / bnc#744692)
    last seen 2019-02-21
    modified 2014-08-20
    plugin id 64180
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64180
    title SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 7123 / 7127)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-0676.NASL
    description Updated kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. (CVE-2012-1601) A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121) This update also fixes the following bug : * An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver. (BZ#816207) All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 59212
    published 2012-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59212
    title CentOS 5 : kvm (CESA-2012:0676)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1457-1.NASL
    description Andy Adamson discovered a flaw in the Linux kernel's NFSv4 implementation. A remote NFS server (attacker) could exploit this flaw to cause a denial of service. (CVE-2011-4131) A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For application on which fscaps are in use a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123) Schacher Raindel discovered a flaw in the Linux kernel's memory handling when hugetlb is enabled. An unprivileged local attacker could exploit this flaw to cause a denial of service and potentially gain higher privileges. (CVE-2012-2133). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59321
    published 2012-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59321
    title Ubuntu 11.04 : linux vulnerabilities (USN-1457-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1452-1.NASL
    description A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For application on which fscaps are in use a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123) A flaw was found in how the Linux kernel passed the replacement session keyring to a child process. An unprivileged local user could exploit this flaw to cause a denial of service (panic). (CVE-2012-2745). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 59290
    published 2012-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59290
    title Ubuntu 11.10 : linux vulnerabilities (USN-1452-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1448-1.NASL
    description A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For application on which fscaps are in use a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123) A flaw was found in how the Linux kernel passed the replacement session keyring to a child process. An unprivileged local user could exploit this flaw to cause a denial of service (panic). (CVE-2012-2745). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59226
    published 2012-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59226
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-1448-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0676.NASL
    description From Red Hat Security Advisory 2012:0676 : Updated kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. (CVE-2012-1601) A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121) This update also fixes the following bug : * An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver. (BZ#816207) All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68527
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68527
    title Oracle Linux 5 : kvm (ELSA-2012-0676)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1455-1.NASL
    description A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For application on which fscaps are in use a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123) A flaw was found in how the Linux kernel passed the replacement session keyring to a child process. An unprivileged local user could exploit this flaw to cause a denial of service (panic). (CVE-2012-2745). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 59309
    published 2012-05-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59309
    title Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1455-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-0571.NASL
    description Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4086, Moderate) * A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A local, unprivileged user on a KVM host could use this flaw to crash the host. (CVE-2012-1601, Moderate) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 59165
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59165
    title CentOS 6 : kernel (CESA-2012:0571)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2469.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2011-4086 Eric Sandeen reported an issue in the journaling layer for ext4 filesystems (jbd2). Local users can cause buffers to be accessed after they have been torn down, resulting in a denial of service (DoS) due to a system crash. - CVE-2012-0879 Louis Rilling reported two reference counting issues in the CLONE_IO feature of the kernel. Local users can prevent io context structures from being freed, resulting in a denial of service. - CVE-2012-1601 Michael Ellerman reported an issue in the KVM subsystem. Local users could cause a denial of service (NULL pointer dereference) by creating VCPUs before a call to KVM_CREATE_IRQCHIP. - CVE-2012-2123 Steve Grubb reported an issue in fcaps, a filesystem-based capabilities system. Personality flags set using this mechanism, such as the disabling of address space randomization, may persist across suid calls. - CVE-2012-2133 Shachar Raindel discovered a use-after-free bug in the hugepages quota implementation. Local users with permission to use hugepages via the hugetlbfs implementation may be able to cause a denial of service (system crash).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 59070
    published 2012-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59070
    title Debian DSA-2469-1 : linux-2.6 - privilege escalation/denial of service
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20120515_KERNEL_ON_SL6_X.NASL
    description This update fixes the following security issues : - A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4086, Moderate) - A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A local, unprivileged user on a KVM host could use this flaw to crash the host. (CVE-2012-1601, Moderate) The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61313
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61313
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1453-1.NASL
    description A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-4086) A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For application on which fscaps are in use a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 59291
    published 2012-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59291
    title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1453-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0571.NASL
    description Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4086, Moderate) * A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A local, unprivileged user on a KVM host could use this flaw to crash the host. (CVE-2012-1601, Moderate) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 59106
    published 2012-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59106
    title RHEL 6 : kernel (RHSA-2012:0571)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1507-1.NASL
    description A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) An error was found in the Linux kernel's IPv6 netfilter when connection tracking is enabled. A remote attacker could exploit this flaw to crash a system if it is using IPv6 with the nf_contrack_ipv6 kernel module loaded. (CVE-2012-2744). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59985
    published 2012-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59985
    title Ubuntu 8.04 LTS : linux vulnerabilities (USN-1507-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1460-1.NASL
    description A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For application on which fscaps are in use a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123)
    last seen 2019-02-21
    modified 2016-12-01
    plugin id 59324
    published 2012-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59324
    title USN-1460-1 : linux-ti-omap4 vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1459-1.NASL
    description A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For application on which fscaps are in use a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123)
    last seen 2019-02-21
    modified 2016-12-01
    plugin id 59323
    published 2012-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59323
    title USN-1459-1 : linux-ti-omap4 vulnerabilities
redhat via4
advisories
  • bugzilla
    id 811299
    title Fix RPC priority queue wake up all tasks processing [rhel-6.2.z]
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment kernel is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571005
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-bootwrapper is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571009
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571011
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571019
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571013
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571025
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-firmware is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571027
        • comment kernel-firmware is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842026
      • AND
        • comment kernel-headers is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571007
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571021
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571023
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment perf is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571015
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:2.6.32-220.17.1.el6
          oval oval:com.redhat.rhsa:tst:20120571017
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111530020
    rhsa
    id RHSA-2012:0571
    released 2012-05-15
    severity Moderate
    title RHSA-2012:0571: kernel security and bug fix update (Moderate)
  • rhsa
    id RHSA-2012:0676
rpms
  • kernel-0:2.6.32-220.17.1.el6
  • kernel-bootwrapper-0:2.6.32-220.17.1.el6
  • kernel-debug-0:2.6.32-220.17.1.el6
  • kernel-debug-devel-0:2.6.32-220.17.1.el6
  • kernel-devel-0:2.6.32-220.17.1.el6
  • kernel-doc-0:2.6.32-220.17.1.el6
  • kernel-firmware-0:2.6.32-220.17.1.el6
  • kernel-headers-0:2.6.32-220.17.1.el6
  • kernel-kdump-0:2.6.32-220.17.1.el6
  • kernel-kdump-devel-0:2.6.32-220.17.1.el6
  • perf-0:2.6.32-220.17.1.el6
  • python-perf-0:2.6.32-220.17.1.el6
  • kmod-kvm-0:83-249.el5_8.4
  • kmod-kvm-debug-0:83-249.el5_8.4
  • kvm-0:83-249.el5_8.4
  • kvm-qemu-img-0:83-249.el5_8.4
  • kvm-tools-0:83-249.el5_8.4
refmap via4
confirm
debian DSA-2469
mlist [oss-security] 20120329 Re: CVE request -- kernel: kvm: irqchip_in_kernel() and vcpu->arch.apic inconsistency
sectrack 1026897
secunia 49928
suse
  • SUSE-SU-2012:1679
  • openSUSE-SU-2013:0925
Last major update 20-06-2013 - 23:10
Published 17-05-2012 - 07:00
Last modified 04-01-2018 - 21:29
Back to Top