RHSA-2018:3096: Important: kernel-rt security, bug fix, and enhancement update

First published: Tue Oct 30 2018(Updated: )

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.<br>Security Fix(es):<br><li> A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)</li> <li> kernel: out-of-bounds access in the show_timer function in kernel/time/posix-timers.c (CVE-2017-18344)</li> <li> kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781)</li> <li> kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902)</li> <li> kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405)</li> <li> kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830)</li> <li> kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)</li> <li> kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661)</li> <li> kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805)</li> <li> kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208)</li> <li> kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120)</li> <li> kernel: a null pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130)</li> <li> kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344)</li> <li> kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803)</li> <li> kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)</li> <li> kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878)</li> <li> kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026)</li> <li> kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913)</li> <li> kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232)</li> <li> kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092)</li> <li> kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094)</li> <li> kernel: vhost: Information disclosure in vhost.c:vhost_new_msg() (CVE-2018-1118)</li> <li> kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740)</li> <li> kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c (CVE-2018-7757)</li> <li> kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322)</li> <li> kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879)</li> <li> kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881)</li> <li> kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883)</li> <li> kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)</li> Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/severity
• agent/type
• agent/softwarecombine
• agent/last-modified-date
• agent/references
• agent/first-publish-date
• agent/weakness
• agent/remedy
• agent/title
• agent/description
• agent/event
• agent/tags
• collector/redhat-errata
• source/Red Hat
• anchor-id/RHSA-2018:3096
• agent/software-canonical-lookup
• package-manager/redhat