Issued:
2018-10-30
Updated:
2018-10-30

RHSA-2018:3096 - Security Advisory

Synopsis

Important: kernel-rt security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

  • A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)
  • kernel: out-of-bounds access in the show_timer function in kernel/time/posix-timers.c (CVE-2017-18344)
  • kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781)
  • kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902)
  • kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405)
  • kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830)
  • kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)
  • kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661)
  • kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805)
  • kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208)
  • kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120)
  • kernel: a null pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130)
  • kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344)
  • kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803)
  • kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
  • kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878)
  • kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026)
  • kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913)
  • kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232)
  • kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092)
  • kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094)
  • kernel: vhost: Information disclosure in vhost.c:vhost_new_msg() (CVE-2018-1118)
  • kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740)
  • kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c (CVE-2018-7757)
  • kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322)
  • kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879)
  • kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881)
  • kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883)
  • kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)

Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.

Solution

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux for Real Time 7 x86_64
  • Red Hat Enterprise Linux for Real Time for NFV 7 x86_64

Fixes

  • BZ - 1314275 - CVE-2015-8830 kernel: AIO write triggers integer overflow in some protocols
  • BZ - 1337528 - CVE-2016-4913 kernel: Information leak when handling NM entries containing NUL
  • BZ - 1481136 - CVE-2017-10661 kernel: Handling of might_cancel queueing is not properly pretected against race
  • BZ - 1510602 - locking: bring in upstream PREEMPT_RT rtlock patches to fix single-reader limitation
  • BZ - 1512875 - WARNING: CPU: 7 PID: 1090 at drivers/target/target_core_transport.c:3009 __transport_check_aborted_status+0x153/0x190 [target_core_mod]
  • BZ - 1528312 - CVE-2017-17805 kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial-of-service
  • BZ - 1533909 - CVE-2018-5344 kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service
  • BZ - 1541846 - CVE-2018-1000026 kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet
  • BZ - 1551051 - CVE-2018-5803 kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service
  • BZ - 1551565 - CVE-2017-18208 kernel: Inifinite loop vulnerability in mm/madvise.c:madvise_willneed() function allows local denial of service
  • BZ - 1552867 - CVE-2018-7740 kernel: Denial of service in resv_map_release function in mm/hugetlb.c
  • BZ - 1553351 - RT: update kernel-rt source tree to match RHEL 7.6 tree
  • BZ - 1553361 - CVE-2018-7757 kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c
  • BZ - 1558066 - CVE-2017-18232 kernel: Mishandling mutex within libsas allowing local Denial of Service
  • BZ - 1560777 - CVE-2018-1092 kernel: NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image
  • BZ - 1560788 - CVE-2018-1094 kernel: NULL pointer dereference in ext4/xattr.c:ext4_xattr_inode_hash() causes crash with crafted ext4 image
  • BZ - 1563994 - CVE-2017-0861 kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation
  • BZ - 1569910 - Call Trace shows in guest when running determine_maximum_mpps.sh
  • BZ - 1571062 - CVE-2018-8781 kernel: Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space
  • BZ - 1571623 - CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service
  • BZ - 1573699 - CVE-2018-1118 kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg()
  • BZ - 1575472 - CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
  • BZ - 1576419 - CVE-2018-1130 kernel: a null pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash
  • BZ - 1577408 - CVE-2018-10940 kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
  • BZ - 1590720 - CVE-2018-10902 kernel: MIDI driver race condition leads to a double-free
  • BZ - 1590799 - CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption
  • BZ - 1596802 - CVE-2018-10878 kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image
  • BZ - 1596806 - CVE-2018-10879 kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file
  • BZ - 1596828 - CVE-2018-10881 kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image
  • BZ - 1596846 - CVE-2018-10883 kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function
  • BZ - 1599161 - CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
  • BZ - 1608672 - RT system hang due to wrong of rq's nr_running
  • BZ - 1609664 - CVE-2018-5391 kernel: IP fragments with random offsets allow a remote denial of service (FragmentSmack)
  • BZ - 1610958 - CVE-2017-18344 kernel: out-of-bounds access in the show_timer function in kernel/time/posix-timers.c

CVEs

References

Red Hat Enterprise Linux for Real Time 7

SRPM
kernel-rt-3.10.0-957.rt56.910.el7.src.rpm SHA-256: 2b9e428c43753e7a69b5cd233531ecf0e595ecb7bf4fb32fb85bef9fb3503dd8
x86_64
kernel-rt-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 1baf9b6169e1d114afb340832f3b6e80f908b7ebaa2d9b6224a2a7f93aa2855f
kernel-rt-debug-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 32160156cba503c4b9a65dd0a9c800c98cba87c8cbe08baf280990ea4171ddfb
kernel-rt-debug-devel-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: b8a23d8189cdcd699492c91ba6825c0477b66522972c7cbafc5df1601e15aabf
kernel-rt-debug-kvm-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: c1a625f6934ece419f1d2a8d0ba6ed559e9090f372eb9f6bfcbfc648ea8f2a99
kernel-rt-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 8830663d4fa4f6cf4e831070a4f0947587a9ae2797c22502692804052cbb790d
kernel-rt-devel-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 1962a13654c324fb3c1d30eb381094e10c268caeecd387727f7d66dbf145389b
kernel-rt-doc-3.10.0-957.rt56.910.el7.noarch.rpm SHA-256: ce30426ba1972344df03564a7166625f5a5e2c620ce5a7392439f9499eb94ad4
kernel-rt-kvm-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: f788db6f8f62db2127d8d2dc719ac75f70b90cc26663829df21e29f5f11585d5
kernel-rt-trace-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 59c3389b3849658143afa2d5abc6e1457ce9ee86e7273860fd1002ea41cd09e2
kernel-rt-trace-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: cafe30cc7c38984ce55441c4cc8b5f88abe224a247006d55fc4c4a086ea807e5
kernel-rt-trace-devel-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: abad328220f2917b1fd5e966771e91c44c16e1beb134d39e8b91254702d40042
kernel-rt-trace-kvm-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 60fb49a798f8efd5e6568af0f271b6f20059c704d541563b220ad7a362583638

Red Hat Enterprise Linux for Real Time for NFV 7

SRPM
kernel-rt-3.10.0-957.rt56.910.el7.src.rpm SHA-256: 2b9e428c43753e7a69b5cd233531ecf0e595ecb7bf4fb32fb85bef9fb3503dd8
x86_64
kernel-rt-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 1baf9b6169e1d114afb340832f3b6e80f908b7ebaa2d9b6224a2a7f93aa2855f
kernel-rt-debug-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 32160156cba503c4b9a65dd0a9c800c98cba87c8cbe08baf280990ea4171ddfb
kernel-rt-debug-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: dd7d862228c8d434cfcbabb73a51a61f962baa07e4a335365d829827a57be0eb
kernel-rt-debug-devel-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: b8a23d8189cdcd699492c91ba6825c0477b66522972c7cbafc5df1601e15aabf
kernel-rt-debug-kvm-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 1e23d5f85236baf3b23694261df81f137e79b578ba00ef9c952becba6eb2db69
kernel-rt-debug-kvm-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: c1a625f6934ece419f1d2a8d0ba6ed559e9090f372eb9f6bfcbfc648ea8f2a99
kernel-rt-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 8830663d4fa4f6cf4e831070a4f0947587a9ae2797c22502692804052cbb790d
kernel-rt-debuginfo-common-x86_64-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 14676ffd7854b972f1ab79a7b7bec266def598044117109e2f51474be04b2bcc
kernel-rt-devel-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 1962a13654c324fb3c1d30eb381094e10c268caeecd387727f7d66dbf145389b
kernel-rt-doc-3.10.0-957.rt56.910.el7.noarch.rpm SHA-256: ce30426ba1972344df03564a7166625f5a5e2c620ce5a7392439f9499eb94ad4
kernel-rt-kvm-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 581c410cd12ba431a86c81c38a70fc32e8d9561e35fe47222b912511e6b05de4
kernel-rt-kvm-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: f788db6f8f62db2127d8d2dc719ac75f70b90cc26663829df21e29f5f11585d5
kernel-rt-trace-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 59c3389b3849658143afa2d5abc6e1457ce9ee86e7273860fd1002ea41cd09e2
kernel-rt-trace-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: cafe30cc7c38984ce55441c4cc8b5f88abe224a247006d55fc4c4a086ea807e5
kernel-rt-trace-devel-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: abad328220f2917b1fd5e966771e91c44c16e1beb134d39e8b91254702d40042
kernel-rt-trace-kvm-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 8f57e65d4f6623c5f7fdade938773ea42b6670ddd519a2bce4f64ca6ee7c3781
kernel-rt-trace-kvm-debuginfo-3.10.0-957.rt56.910.el7.x86_64.rpm SHA-256: 60fb49a798f8efd5e6568af0f271b6f20059c704d541563b220ad7a362583638

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.