Medium: kernel

Issue Overview:

Possible double free in stcp_sendmsg() (incorrect fix for CVE-2017-5986):

It was found that the code in net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. This vulnerability was introduced by CVE-2017-5986 fix (commit 2dcab5984841).

Reachable BUG_ON from userspace in sctp_wait_for_sndbuf:

It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986)

Shmat allows mmap null page protection bypass:

The do_shmat function in ipc/shm.c in the Linux kernel, through 4.9.12, does not restrict the address calculated by a certain rounding operation. This allows privileged local users to map page zero and, consequently, bypass a protection mechanism that exists for the mmap system call. This is possible by making crafted shmget and shmat system calls in a privileged context. (CVE-2017-5669)

Affected Packages:

kernel

Issue Correction:
Run yum update kernel to update your system.

New Packages:

i686:  
    perf-debuginfo-4.9.20-10.30.amzn1.i686  
    kernel-tools-devel-4.9.20-10.30.amzn1.i686  
    kernel-debuginfo-common-i686-4.9.20-10.30.amzn1.i686  
    kernel-tools-4.9.20-10.30.amzn1.i686  
    kernel-tools-debuginfo-4.9.20-10.30.amzn1.i686  
    perf-4.9.20-10.30.amzn1.i686  
    kernel-headers-4.9.20-10.30.amzn1.i686  
    kernel-debuginfo-4.9.20-10.30.amzn1.i686  
    kernel-4.9.20-10.30.amzn1.i686  
    kernel-devel-4.9.20-10.30.amzn1.i686  
  
noarch:  
    kernel-doc-4.9.20-10.30.amzn1.noarch  
  
src:  
    kernel-4.9.20-10.30.amzn1.src  
  
x86_64:  
    kernel-tools-4.9.20-10.30.amzn1.x86_64  
    kernel-headers-4.9.20-10.30.amzn1.x86_64  
    kernel-debuginfo-4.9.20-10.30.amzn1.x86_64  
    kernel-tools-devel-4.9.20-10.30.amzn1.x86_64  
    kernel-tools-debuginfo-4.9.20-10.30.amzn1.x86_64  
    perf-debuginfo-4.9.20-10.30.amzn1.x86_64  
    perf-4.9.20-10.30.amzn1.x86_64  
    kernel-devel-4.9.20-10.30.amzn1.x86_64  
    kernel-debuginfo-common-x86_64-4.9.20-10.30.amzn1.x86_64  
    kernel-4.9.20-10.30.amzn1.x86_64  

Additional References

Red Hat: CVE-2017-5669, CVE-2017-5986, CVE-2017-6353

Mitre: CVE-2017-5669, CVE-2017-5986, CVE-2017-6353