Details

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.

This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please
note that this update changes the Linux HWE kernel to the 4.10 based
kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from
Ubuntu 16.10.
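Because this notice moves the 16.04 HWE stream from the 4.8 kernel to the 4.10 kernel, a host that still reports a 4.8 kernel at runtime is on the superseded stream regardless of what is installed. The following checker, added here as an illustration and not part of the Ubuntu notice, classifies a `uname -r` string for a 16.04 host and decides whether the HWE kernel needs this update. The sample release strings are constructed for the example, and `fixed_abi` is an assumed parameter: the real fixed ABI number comes from the notice's package list, which is not reproduced in this excerpt.

```python
import platform
import re
from typing import NamedTuple


class KernelVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    abi: int       # Ubuntu ABI number, the "33" in a release such as 4.10.0-33-generic
    flavour: str   # generic, lowlatency, aws, ...


# uname -r on Ubuntu looks like MAJOR.MINOR.PATCH-ABI-FLAVOUR
_UNAME_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-([\w-]+)$")


def parse_uname(release: str) -> KernelVersion:
    """Split a uname -r string into its numeric parts; reject anything else."""
    m = _UNAME_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, abi, flavour = m.groups()
    return KernelVersion(int(major), int(minor), int(patch), int(abi), flavour)


def classify_xenial_kernel(release: str) -> str:
    """Map a running 16.04 kernel to the stream it belongs to."""
    kv = parse_uname(release)
    series = (kv.major, kv.minor)
    if series == (4, 4):
        return "ga"               # stock 16.04 kernel; this notice does not cover it
    if series == (4, 8):
        return "hwe-superseded"   # 4.8 HWE kernel from 16.10, replaced by the 4.10 HWE kernel
    if series == (4, 10):
        return "hwe-4.10"         # the stream this notice updates
    return "unknown"


def needs_hwe_update(release: str, fixed_abi: int) -> bool:
    """True when the running kernel is an HWE kernel that this notice replaces
    or a 4.10 HWE kernel whose ABI is older than the fixed one."""
    kind = classify_xenial_kernel(release)
    if kind == "hwe-superseded":
        return True
    if kind == "hwe-4.10":
        return parse_uname(release).abi < fixed_abi
    return False


if __name__ == "__main__":
    # Constructed placeholder; substitute the ABI from the notice's package list.
    ASSUMED_FIXED_ABI = 99
    running = platform.release()
    print(f"{running}: {classify_xenial_kernel(running) if _UNAME_RE.match(running) else 'not an Ubuntu release string'}")
    if _UNAME_RE.match(running):
        print("needs update:", needs_hwe_update(running, ASSUMED_FIXED_ABI))
```

A runtime check like this catches the common failure mode where the updated package is installed but the host has not been rebooted, which `dpkg -l` alone will not show; it does not replace checking the installed package version against the notice.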

Ben Harris discovered that the Linux kernel would strip extended privilege
attributes of files when performing a failed unprivileged system call. A
local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel
did not properly validate meta block groups. An attacker with physical
access could use this to specially craft an ext4 image that causes a denial
of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in
the Linux kernel contained an integer overflow. A local attacker could use
this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA
over Ethernet (RXE) transport implementation in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO
PCI driver for the Linux kernel. A local attacker with access to a vfio PCI
device file could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did
not properly perform reference counting in some situations. An unprivileged
attacker could use this to cause a denial of service (system hang).
(CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in
some situations did not prevent special internal keyrings from being joined
by userspace keyrings. A privileged local attacker could use this to bypass
module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet
discovered that the netfilter subsystem in the Linux kernel mishandled IPv6
packet reassembly. A local user could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in
the Linux kernel did not properly emulate instructions on the SS segment
register. A local attacker in a guest virtual machine could use this to
cause a denial of service (guest OS crash) or possibly gain administrative
privileges in the guest OS. (CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel
improperly emulated certain instructions. A local attacker could use this
to obtain sensitive information (kernel memory). (CVE-2017-2584)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel
improperly emulated the VMXON instruction. A local attacker in a guest OS
could use this to cause a denial of service (memory consumption) in the
host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle
empty writes to /proc/pid/attr. A local attacker could use this to cause a
denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping
socket implementation in the Linux kernel. A local privileged attacker
could use this to cause a denial of service (system crash). (CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory
allocator allowed duplicate freelist entries. A local attacker could use
this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in
the Linux kernel did not properly initialize memory related to logging. A
local attacker could use this to expose sensitive information (kernel
memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance()
function in the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during
a setxattr call on a tmpfs filesystem. A local attacker could use this to
gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the
VideoCore DRM driver of the Linux kernel. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did
not properly restrict mapping page zero. A local privileged attacker could
use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic
Routing Encapsulation (GRE) tunneling implementation in the Linux kernel.
An attacker could use this to possibly expose sensitive information.
(CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux
kernel did not properly handle invalid IP options in some situations. An
attacker could use this to cause a denial of service or possibly execute
arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of
the Linux kernel. A local attacker could use this to cause a denial of
service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP
packets with the URG flag. A remote attacker could use this to cause a
denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsystem in the Linux kernel did
not properly set up a destructor in certain situations. A local attacker
could use this to cause a denial of service (system crash). (CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling
code in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made
improper assumptions about internal data layout when performing checksums.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem
in the Linux kernel. A local attacker could use this to cause a denial of
service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux
kernel contained a stack-based buffer overflow. A local attacker with
access to an sg device could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct
Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did
not properly validate reported information from the device. An attacker
with physical access could use this to expose sensitive information (kernel
memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the
Linux kernel. A local attacker could use this to cause a denial of service
(memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and
mbind compat syscalls in the Linux kernel. A local attacker could use this
to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash)
implementation in the Linux kernel did not properly handle a full request
queue. A local attacker could use this to cause a denial of service
(infinite recursion). (CVE-2017-7618)

Tuomas Haanpää and Ari Kauppi discovered that the NFSv2 and NFSv3 server
implementations in the Linux kernel did not properly handle certain long
RPC replies. A remote attacker could use this to cause a denial of service
(system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the
Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection
mechanism. A local attacker with access to /dev/mem could use this to
expose sensitive information or possibly execute arbitrary code.
(CVE-2017-7889)
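Two of the issues above concern protections the kernel is supposed to enforce rather than a single buggy driver: the shm issue (CVE-2017-5669) is a failure to keep page zero unmappable, which is normally governed by the vm.mmap_min_addr sysctl, and CVE-2017-7889 is a failure to honour CONFIG_STRICT_DEVMEM on /dev/mem. In both cases the fix is the kernel update, but a practitioner will still want to confirm that the protections are configured at all on the updated host, since an enabled option is the precondition for the fix meaning anything. The audit below is an added example, not part of the Ubuntu notice or of any Ubuntu tooling. It parses the kernel config and sysctl formats that the real tools emit; the config text and the sysctl output embedded in it are constructed samples, and the 65536 threshold for vm.mmap_min_addr is the value Ubuntu ships by default, taken here as the expected floor.

```python
import re
from typing import Dict, List

# Constructed sample in the format of /boot/config-$(uname -r).
SAMPLE_KCONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
CONFIG_DEVMEM=y
"""

# Constructed sample in the format printed by `sysctl -a`.
SAMPLE_SYSCTL = """\
vm.mmap_min_addr = 65536
kernel.kptr_restrict = 1
"""

# Ubuntu's default floor for vm.mmap_min_addr; anything lower leaves the bottom
# of the address space mappable and turns kernel NULL dereferences into
# something an unprivileged process can steer.
EXPECTED_MMAP_MIN_ADDR = 65536

_SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Parse 'CONFIG_X=y' and '# CONFIG_X is not set' lines; unset options map to 'n'."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            conf[m.group(1)] = "n"
    return conf


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines as printed by sysctl -a."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def audit(kconfig: Dict[str, str], sysctl: Dict[str, str]) -> List[str]:
    """Return one finding per protection that is missing or weakened."""
    findings: List[str] = []
    if kconfig.get("CONFIG_STRICT_DEVMEM") != "y":
        findings.append("CONFIG_STRICT_DEVMEM is off: /dev/mem exposes all of physical memory")
    if kconfig.get("CONFIG_IO_STRICT_DEVMEM") != "y":
        findings.append("CONFIG_IO_STRICT_DEVMEM is off: /dev/mem can reach MMIO ranges claimed by drivers")
    try:
        min_addr = int(sysctl.get("vm.mmap_min_addr", "0"))
    except ValueError:
        min_addr = 0
    if min_addr < EXPECTED_MMAP_MIN_ADDR:
        findings.append(f"vm.mmap_min_addr={min_addr}: page zero and the low pages are mappable")
    return findings


if __name__ == "__main__":
    # On a live host read /boot/config-$(uname -r) and the output of `sysctl -a` instead.
    for finding in audit(parse_kconfig(SAMPLE_KCONFIG), parse_sysctl(SAMPLE_SYSCTL)):
        print("FINDING:", finding)
```

Run against the constructed samples this reports only the missing CONFIG_IO_STRICT_DEVMEM; on a real host, feed it the config file for the kernel that is actually running, not the newest one installed, or the audit will describe a kernel the machine is not booted into.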

Tuomas Haanpää and Ari Kauppi discovered that the NFSv2 and NFSv3 server
implementations in the Linux kernel did not properly check for the end of
the buffer. A remote attacker could use this to craft requests that cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB
Serial Converter device driver of the Linux kernel. An attacker with
physical access could use this to expose sensitive information (kernel
memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux
kernel did not properly perform reference counting. A local attacker could
use this to cause a denial of service (tty exhaustion). (CVE-2017-8925)

Jann Horn discovered that the bpf subsystem in the Linux kernel did not
restrict the output of the print_bpf_insn function. A local attacker could
use this to obtain sensitive address information. (CVE-2017-9150)