kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks

An issue was discovered in the procpidstack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task...

kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks

An issue was discovered in the procpidstack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task...

Important: Red Hat Security Advisory: kernel-rt security and bug fix update

An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

Unbreakable Enterprise kernel security update

4.14.35-1844.2.5 - x86/apic: Switch all APICs to Fixed delivery mode Thomas Gleixner Orabug: 29262403 4.14.35-1844.2.4 - x86/platform/UV: Add check of TSC state set by UV BIOS [email protected] Orabug: 29205471 - x86/tsc: Provide a means to disable TSC ART [email protected] Orabug: 29205471 -...

OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0007) (Spectre)

The remote OracleVM system is missing necessary patches to address critical security updates : - x86/bugs: Fix the AMD SSBD usage of the SPECCTRL MSR Tom Lendacky Orabug: 28870524 CVE-2018-3639 - x86/bugs: Add AMD's SPECCTRL MSR usage Konrad Rzeszutek Wilk Orabug: 28870524 CVE-2018-3639 -...

Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4531)

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4531 advisory. - x86/bugs: Fix the AMD SSBD usage of the SPECCTRL MSR Tom Lendacky Orabug: 28870524 CVE-2018-3639 - x86/bugs: Add AMD's SPECCTRL MSR usage Konrad...

Unbreakable Enterprise kernel security update

4.1.12-124.25.1 - x86/bugs: Fix the AMD SSBD usage of the SPECCTRL MSR Tom Lendacky Orabug: 28870524 CVE-2018-3639 - x86/bugs: Add AMD's SPECCTRL MSR usage Konrad Rzeszutek Wilk Orabug: 28870524 CVE-2018-3639 - x86/cpufeatures: rename X86FEATUREAMDSSBD to X86FEATURELSCFGSSBD Mihai Carabas Orabug:...

Unbreakable Enterprise kernel security update

kernel-uek 3.8.13-118.30.1 - ext4: validate that metadata blocks do not overlap superblock Theodore Ts'o Orabug: 28220451 CVE-2018-1094 - ext4: always initialize the crc32c checksum driver Theodore Ts'o Orabug: 28220451 CVE-2018-1094 CVE-2018-1094 - vfs: Add sbrdonlysb to query the MSRDONLY flag ...

Ubuntu 18.04 LTS : Linux kernel (AWS, GCP, KVM, OEM, Raspberry Pi 2) vulnerabilities (USN-3871-3)

The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3871-3 advisory. Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to...

Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3880-1)

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3880-1 advisory. It was discovered that the CIFS client implementation in the Linux kernel did not properly handle setup negotiation during session recovery, leading to a...

iOS/macOS 10.13.6 - 'if_ports_used_update_wakeuuid()' 16-byte Uninitialized Kernel Stack Disclosure

/ macOS 10.13.4 introduced the file bsd/net/ifportsused.c, which defines sysctls for inspecting ports, and added the function IOPMCopySleepWakeUUIDKey to the file iokit/Kernel/IOPMrootDomain.cpp. Here's the code of the latter function: extern "C" bool IOPMCopySleepWakeUUIDKeychar buffer, sizet...

iOS / macOS 10.13.6 - if_ports_used_update_wakeuuid() 16-byte Uninitialized Kernel Stack Disclosure

/ macOS 10.13.4 introduced the file bsd/net/ifportsused.c, which defines sysctls for inspecting ports, and added the function IOPMCopySleepWakeUUIDKey to the file iokit/Kernel/IOPMrootDomain.cpp. Here's the code of the latter function: extern "C" bool IOPMCopySleepWakeUUIDKeychar buffer, sizet...

USN-3871-1: Linux kernel vulnerabilities

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service system crash or possibly execute arbitrary code...

Linux Kernel 4.4 - 'rtnetlink' Stack Memory Disclosure

/ Briefs - CVE-2016-4486 has discovered and reported by Kangjie Lu. - This is local exploit against the CVE-2016-4486. Tested version - Distro : Ubuntu 16.04 - Kernel version : 4.4.0-21-generic - Arch : x8664 Prerequisites - None Goal - Leak kernel stack base address of current process by...

Linux Kernel 4.4 - rtnetlink Stack Memory Disclosure

Linux Kernel 4.4 - rtnetlink Stack Memory Disclosure / Briefs - CVE-2016-4486 has discovered and reported by Kangjie Lu. - This is local exploit against the CVE-2016-4486. Tested version - Distro : Ubuntu 16.04 - Kernel version : 4.4.0-21-generic - Arch : x8664 Prerequisites - None Goal - Leak...

CVE-2018-19650

Local attackers can trigger a stack-based buffer overflow on vulnerable installations of Antiy-AVL ATool security management v1.0.0.22. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists...

Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value

Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions: static void handleuncategorizedarmsavedstatet state, booleant instrLen2 exceptiontypet exception = EXCBADINSTRUCTION; machexceptiondatatypet codes2 = EXCARMUNDEFINED; machmsgtypenumbert...

Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value

Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions: static void handleuncategorizedarmsavedstatet state, booleant instrLen2 exceptiontypet exception =...

Linux Kernel - Pointer Leak via BPF Exploit

Exploit for linux platform in category dos / poc / Commit 82abbf8d2fc46d79611ab58daa7c608df14bb3ee "bpf: do not allow root to mangle valid pointers", first in v4.15 included the following snippet: ========= @@ -2319,43 +2307,29 @@ static int adjustregminmaxvalsstruct bpfverifierenv env, if...

Linux - Kernel Pointer Leak via BPF

/ Commit 82abbf8d2fc46d79611ab58daa7c608df14bb3ee "bpf: do not allow root to mangle valid pointers", first in v4.15 included the following snippet: ========= @@ -2319,43 +2307,29 @@ static int adjustregminmaxvalsstruct bpfverifierenv env, if srcreg-type != SCALARVALUE if dstreg-type != SCALARVALU...