This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs. A signedness issue in CIFS could have led to memory corruption if a malicious server sent crafted replies to the host. Timo Warns reported an issue in the Linux implementation for GUID partitions. Users with physical access could gain access to sensitive kernel memory by adding a storage device with a specially crafted, corrupted partition table. The dccp_rcv_state_process function in the Datagram Congestion Control Protocol (DCCP) implementation did not properly handle packets for a CLOSED endpoint, which allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet.
An integer overflow in the agp_generic_insert_memory function allowed local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call. Multiple integer overflows in the agp_allocate_memory and agp_create_user_memory functions allowed local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages. The agp_generic_remove_memory function did not validate a certain start parameter, which allowed local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call.
The do_task_stat function did not perform an expected uid check, which made it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary. The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow. However, an expanding mremap() could take such a non-wrapping mapping, make it bigger and cause a wrapping condition. A local unprivileged user able to access an NFS filesystem could use file locking to deadlock parts of an NFS server under some circumstances.
The code for evaluating LDM partitions contained bugs that could crash the kernel for certain corrupted LDM partitions. When using a setuid root mount.cifs, local users could hijack password-protected mounted CIFS shares of other local users. Updated packages are available from download.opensuse.org.
SUSE Security Update: Security update for the Linux kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2011:1058-1
Rating: important
References: #635880 #665543 #677676 #684297 #687812 #689797
#692784 #693043 #696107 #698221 #701254 #701355
#702013 #702285 #705463 #714001
Cross-References: CVE-2011-0726 CVE-2011-1017 CVE-2011-1093
CVE-2011-1585 CVE-2011-1745 CVE-2011-1746
CVE-2011-1776 CVE-2011-2022 CVE-2011-2182
CVE-2011-2491 CVE-2011-2496 CVE-2011-3191
Affected Products:
SUSE Linux Enterprise Server 10 SP3
SLE SDK 10 SP3
______________________________________________________________________________
An update that solves 12 vulnerabilities and has four fixes
is now available.
Description:
This kernel update for the SUSE Linux Enterprise 10 SP3
kernel fixes several security issues and bugs.
The following security issues have been fixed:
* CVE-2011-3191: A signedness issue in CIFS could have
led to memory corruption if a malicious server sent crafted
replies to the host.
* CVE-2011-1776: Timo Warns reported an issue in the
Linux implementation for GUID partitions. Users with
physical access could gain access to sensitive kernel
memory by adding a storage device with a specially crafted,
corrupted partition table.
* CVE-2011-1093: The dccp_rcv_state_process function in
net/dccp/input.c in the Datagram Congestion Control
Protocol (DCCP) implementation in the Linux kernel did not
properly handle packets for a CLOSED endpoint, which
allowed remote attackers to cause a denial of service (NULL
pointer dereference and OOPS) by sending a DCCP-Close
packet followed by a DCCP-Reset packet.
* CVE-2011-1745: An integer overflow in the
agp_generic_insert_memory function in
drivers/char/agp/generic.c in the Linux kernel allowed
local users to gain privileges or cause a denial of service
(system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl
call.
* CVE-2011-1746: Multiple integer overflows in the (1)
agp_allocate_memory and (2) agp_create_user_memory
functions in drivers/char/agp/generic.c in the Linux kernel
allowed local users to trigger buffer overflows, and
consequently cause a denial of service (system crash) or
possibly have unspecified other impact, via vectors related
to calls that specify a large number of memory pages.
* CVE-2011-2022: The agp_generic_remove_memory function
in drivers/char/agp/generic.c in the Linux kernel before
2.6.38.5 did not validate a certain start parameter, which
allowed local users to gain privileges or cause a denial of
service (system crash) via a crafted AGPIOC_UNBIND
agp_ioctl ioctl call, a different vulnerability than
CVE-2011-1745.
* CVE-2011-0726: The do_task_stat function in
fs/proc/array.c in the Linux kernel did not perform an
expected uid check, which made it easier for local users to
defeat the ASLR protection mechanism by reading the
start_code and end_code fields in the /proc/#####/stat file
for a process executing a PIE binary.
* CVE-2011-2496: The normal mmap paths all avoid
creating a mapping where the pgoff inside the mapping could
wrap around due to overflow. However, an expanding mremap()
could take such a non-wrapping mapping, make it bigger and
cause a wrapping condition.
* CVE-2011-2491: A local unprivileged user able to
access an NFS filesystem could use file locking to deadlock
parts of an NFS server under some circumstances.
* CVE-2011-1017, CVE-2011-2182: The code for evaluating
LDM partitions (in fs/partitions/ldm.c) contained bugs that
could crash the kernel for certain corrupted LDM partitions.
* CVE-2011-1585: When using a setuid root mount.cifs,
local users could hijack password-protected mounted CIFS
shares of other local users.
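The AGP items (CVE-2011-1745, CVE-2011-1746, CVE-2011-2022) and the mremap() item (CVE-2011-2496) above share one root cause: a range check of the form start + count <= limit that is defeated when the addition wraps. The C below is an added illustration, not SUSE's or the Linux kernel's code; the function names, the 16-slot table and the page counts are assumptions made for the demonstration. It puts the wrapping check beside a form that cannot wrap, applies the same idea to an allocation size computed from a user-supplied page count, and to the page offset of a mapping that mremap() is asked to grow.

```c
/*
 * Added example (model code, not SUSE's or the Linux kernel's): the two
 * integer-wrap patterns behind CVE-2011-1745/CVE-2011-1746/CVE-2011-2022
 * (AGP page-range and allocation-size checks on ioctl input) and
 * CVE-2011-2496 (mremap() growing a mapping until its page offset wraps).
 * Function names, the table type and the sizes are assumptions made for
 * the demonstration; they are not identifiers from the advisory.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Vulnerable shape: "start + count must not exceed the table".
 * With pg_start near ULONG_MAX the sum wraps to a small number, the check
 * passes, and table[pg_start + i] is written far outside the table.
 */
static bool agp_range_ok_vulnerable(unsigned long pg_start, size_t page_count,
                                    size_t num_entries)
{
    return pg_start + page_count <= num_entries;
}

/* Hardened: compare without forming a sum that can wrap. The same check
 * belongs on both the bind (insert) and unbind (remove) paths, which take
 * the same caller-supplied pg_start. */
static bool agp_range_ok_hardened(unsigned long pg_start, size_t page_count,
                                  size_t num_entries)
{
    if (page_count > num_entries)
        return false;
    return pg_start <= num_entries - page_count;
}

/* Bind page_count pages at pg_start into a table of num_entries slots.
 * Returns the number of slots written, or -1 if the request is refused. */
static long agp_bind_model(unsigned long *table, size_t num_entries,
                           unsigned long pg_start, size_t page_count)
{
    if (!agp_range_ok_hardened(pg_start, page_count, num_entries))
        return -1;
    for (size_t i = 0; i < page_count; i++)
        table[pg_start + i] = 1;
    return (long)page_count;
}

/* Allocation size for an array of page_count pointers: page_count *
 * sizeof(void *) wraps for a large user-supplied page count, giving a small
 * allocation that is later indexed up to page_count. Check before multiplying. */
static bool agp_alloc_size_ok(size_t page_count, size_t *out_bytes)
{
    if (page_count > SIZE_MAX / sizeof(void *))
        return false;
    *out_bytes = page_count * sizeof(void *);
    return true;
}

/* mremap() growth: the file page offset of the enlarged mapping's last page
 * must not wrap. vm_pgoff is the first file page, new_pages the new size. */
static bool mremap_grow_ok(unsigned long vm_pgoff, unsigned long new_pages)
{
    return vm_pgoff + new_pages >= vm_pgoff;   /* wrapped sum => refuse */
}

int main(void)
{
    unsigned long table[16] = {0};
    printf("vulnerable check, wrapped start: %s\n",
           agp_range_ok_vulnerable(ULONG_MAX - 1, 4, 16) ? "ACCEPTED" : "rejected");
    printf("hardened bind, wrapped start:    %ld\n",
           agp_bind_model(table, 16, ULONG_MAX - 1, 4));
    printf("hardened bind, in range:         %ld\n",
           agp_bind_model(table, 16, 12, 4));
    printf("mremap grow from high pgoff:     %s\n",
           mremap_grow_ok(ULONG_MAX - 1, 4) ? "allowed" : "refused");
    return 0;
}
```

Compile with cc -std=c99 and run. The wrapped start passes the vulnerable check (the sum ULONG_MAX - 1 + 4 is 2), which is exactly the index a crafted AGPIOC_BIND would hand to the driver; the hardened form refuses it, and the in-range bind writes slots 12 to 15 only.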
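The CIFS item (CVE-2011-3191) and the GUID partition item (CVE-2011-1776) above are both about a length the kernel reads from something it does not control: a server reply in one case, a disk sector in the other. The C below is an added illustration, not SUSE's or the Linux kernel's code; the reply layout, the header struct and the limits NAME_MAX_MODEL, SECTOR_SIZE and GPT_TABLE_MAX are assumptions made for the demonstration. It shows how a signed local variable lets an unsigned 32-bit length slip past a size comparison, and how a header size is bounded by the buffer it was read into before anything is computed over it.

```c
/*
 * Added example (model code, not SUSE's or the Linux kernel's): how an
 * attacker-chosen length defeats a bounds check, modelled on the CIFS
 * signedness issue (CVE-2011-3191, length from a server reply) and the
 * GPT header issue (CVE-2011-1776, header_size from a disk sector).
 * Every name, the struct layout and the limits are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_MODEL 255           /* assumed cap on a directory entry name */
#define SECTOR_SIZE    512           /* buffer the GPT header was read into */
#define GPT_TABLE_MAX  (16u << 20)   /* assumed cap on the partition entry array */

/* Little-endian 32-bit field, as it arrives from the wire or the disk. */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * CIFS-style reply (constructed layout): [4-byte name length][name bytes].
 *
 * Vulnerable shape: the unsigned wire length lands in an int. 0xFFFFFF00
 * becomes -256, "name_len > NAME_MAX" is false, and the size handed to
 * memcpy() is (size_t)-256, a copy of almost all of memory. This function
 * only reports what memcpy() would be asked to do; it does not copy.
 */
static bool name_copy_vulnerable(const unsigned char *reply, size_t *copy_len)
{
    int name_len = (int)get_le32(reply);       /* signed sink for unsigned data */
    if (name_len > NAME_MAX_MODEL)
        return false;                          /* negative values sail through */
    *copy_len = (size_t)name_len;              /* what memcpy(dst, src, name_len) sees */
    return true;
}

/* Hardened: keep the length unsigned, bound it by the destination and by
 * the bytes actually received, then copy. */
static bool name_copy_hardened(const unsigned char *reply, size_t reply_len,
                               char *dst, size_t dst_size)
{
    if (reply_len < 4)
        return false;
    uint32_t name_len = get_le32(reply);
    if (name_len >= dst_size || name_len > reply_len - 4)
        return false;                          /* also rejects 0xFFFFFF00 */
    memcpy(dst, reply + 4, name_len);
    dst[name_len] = '\0';
    return true;
}

/* The GPT header fields this check needs (model layout, not the on-disk one). */
struct gpt_header_model {
    uint32_t header_size;            /* read from disk: attacker controlled */
    uint32_t num_partition_entries;  /* read from disk */
    uint32_t sizeof_partition_entry; /* read from disk */
};

/* Vulnerable shape: a checksum is computed over header_size bytes of a
 * SECTOR_SIZE buffer with no bound; anything past the buffer is read too. */
static size_t gpt_crc_len_vulnerable(const struct gpt_header_model *h)
{
    return h->header_size;
}

/* Hardened: the header must fit the buffer it was read into, and the entry
 * array size is computed in 64 bits and capped before any allocation. */
static bool gpt_header_ok_hardened(const struct gpt_header_model *h,
                                   uint64_t *table_bytes)
{
    if (h->header_size < sizeof(*h) || h->header_size > SECTOR_SIZE)
        return false;
    uint64_t bytes = (uint64_t)h->num_partition_entries * h->sizeof_partition_entry;
    if (bytes == 0 || bytes > GPT_TABLE_MAX)
        return false;
    *table_bytes = bytes;
    return true;
}

int main(void)
{
    const unsigned char evil[4] = {0x00, 0xFF, 0xFF, 0xFF};   /* constructed reply */
    size_t n = 0;
    char dst[NAME_MAX_MODEL + 1];
    printf("vulnerable: accepted=%d, memcpy size=%zu\n",
           name_copy_vulnerable(evil, &n), n);
    printf("hardened:   accepted=%d\n",
           name_copy_hardened(evil, sizeof evil, dst, sizeof dst));
    struct gpt_header_model bad = {0x10000, 128, 128};         /* constructed header */
    uint64_t tb = 0;
    printf("gpt: crc would read %zu of a %d byte buffer; hardened accepted=%d\n",
           gpt_crc_len_vulnerable(&bad), SECTOR_SIZE, gpt_header_ok_hardened(&bad, &tb));
    return 0;
}
```

The conversion of 0xFFFFFF00 to int is implementation-defined in C but is the two's-complement wrap on every compiler SLES ships, which is why the signed comparison is the bug rather than an oddity of the model. Note that the hardened name copy also rejects a length that exceeds the bytes received, a check the signed version could not express either.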
The following non-security bugs were also fixed:
* patches.suse/fs-proc-vmcorec-add-hook-to-read_from_oldmem-to-check-for-non-ram-pages.patch:
fs/proc/vmcore.c: add hook to read_from_oldmem() to check
for non-ram pages (bnc#684297).
* patches.xen/1062-xenbus-dev-leak.patch: xenbus: Fix
memory leak on release.
* patches.xen/1074-xenbus_conn-type.patch: xenbus: fix
type inconsistency with xenbus_conn().
* patches.xen/1080-blkfront-xenbus-gather-format.patch:
blkfront: fix data size for xenbus_gather in connect().
* patches.xen/1081-blkback-resize-transaction-end.patch:
xenbus: fix xenbus_transaction_start() hang caused by
double xenbus_transaction_end().
* patches.xen/1089-blkback-barrier-check.patch:
blkback: don't fail empty barrier requests.
* patches.xen/1091-xenbus-dev-no-BUG.patch: xenbus:
don't BUG() on user mode induced conditions (bnc#696107).
* patches.xen/1098-blkfront-cdrom-ioctl-check.patch:
blkfront: avoid NULL dereference in CDROM ioctl handling
(bnc#701355).
* patches.xen/1102-x86-max-contig-order.patch: x86: use
dynamically adjusted upper bound for contiguous regions
(bnc#635880).
* patches.xen/xen3-x86-sanitize-user-specified-e820-memmap-values.patch:
x86: sanitize user specified e820 memmap values
(bnc#665543).
* patches.fixes/libiscsi-dont-run-scsi-eh-if-iscsi-task-is-making-progress:
Fix typo, which was uncovered in debug mode.
* patches.fixes/pacct-fix-sighand-siglock-usage.patch:
Fix sighand->siglock usage in kernel/acct.c (bnc#705463).
Security Issue references:
* CVE-2011-0726
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0726>
* CVE-2011-1017
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1017>
* CVE-2011-1093
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1093>
* CVE-2011-1745
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1745>
* CVE-2011-1746
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1746>
* CVE-2011-1776
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1776>
* CVE-2011-2022
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2022>
* CVE-2011-2182
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2182>
* CVE-2011-2491
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2491>
* CVE-2011-2496
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2496>
* CVE-2011-3191
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191>
* CVE-2011-1585
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1585>
Indications:
Everyone using the Linux kernel on SUSE Linux Enterprise 10 SP3, on any of the architectures in the package list below, should update.
Special Instructions and Notes:
Please reboot the system after installing this update.
Package List:
- SUSE Linux Enterprise Server 10 SP3 (i586 ia64 ppc s390x x86_64):
kernel-default-2.6.16.60-0.83.2
kernel-source-2.6.16.60-0.83.2
kernel-syms-2.6.16.60-0.83.2
- SUSE Linux Enterprise Server 10 SP3 (i586 ia64 x86_64):
kernel-debug-2.6.16.60-0.83.2
- SUSE Linux Enterprise Server 10 SP3 (i586 ppc x86_64):
kernel-kdump-2.6.16.60-0.83.2
- SUSE Linux Enterprise Server 10 SP3 (i586 x86_64):
kernel-smp-2.6.16.60-0.83.2
kernel-xen-2.6.16.60-0.83.2
- SUSE Linux Enterprise Server 10 SP3 (i586):
kernel-bigsmp-2.6.16.60-0.83.2
kernel-kdumppae-2.6.16.60-0.83.2
kernel-vmi-2.6.16.60-0.83.2
kernel-vmipae-2.6.16.60-0.83.2
kernel-xenpae-2.6.16.60-0.83.2
- SUSE Linux Enterprise Server 10 SP3 (ppc):
kernel-iseries64-2.6.16.60-0.83.2
kernel-ppc64-2.6.16.60-0.83.2
- SLE SDK 10 SP3 (i586 ia64 x86_64):
kernel-debug-2.6.16.60-0.83.2
- SLE SDK 10 SP3 (i586 ppc x86_64):
kernel-kdump-2.6.16.60-0.83.2
- SLE SDK 10 SP3 (i586 x86_64):
kernel-xen-2.6.16.60-0.83.2
- SLE SDK 10 SP3 (i586):
kernel-xenpae-2.6.16.60-0.83.2
References:
http://support.novell.com/security/cve/CVE-2011-0726.html
http://support.novell.com/security/cve/CVE-2011-1017.html
http://support.novell.com/security/cve/CVE-2011-1093.html
http://support.novell.com/security/cve/CVE-2011-1585.html
http://support.novell.com/security/cve/CVE-2011-1745.html
http://support.novell.com/security/cve/CVE-2011-1746.html
http://support.novell.com/security/cve/CVE-2011-1776.html
http://support.novell.com/security/cve/CVE-2011-2022.html
http://support.novell.com/security/cve/CVE-2011-2182.html
http://support.novell.com/security/cve/CVE-2011-2491.html
http://support.novell.com/security/cve/CVE-2011-2496.html
http://support.novell.com/security/cve/CVE-2011-3191.html
https://bugzilla.novell.com/635880
https://bugzilla.novell.com/665543
https://bugzilla.novell.com/677676
https://bugzilla.novell.com/684297
https://bugzilla.novell.com/687812
https://bugzilla.novell.com/689797
https://bugzilla.novell.com/692784
https://bugzilla.novell.com/693043
https://bugzilla.novell.com/696107
https://bugzilla.novell.com/698221
https://bugzilla.novell.com/701254
https://bugzilla.novell.com/701355
https://bugzilla.novell.com/702013
https://bugzilla.novell.com/702285
https://bugzilla.novell.com/705463
https://bugzilla.novell.com/714001
http://download.novell.com/patch/finder/?keywords=14f999b2da14400252037984b14f317a
http://download.novell.com/patch/finder/?keywords=4f2403980de031813f91f813b6171179
http://download.novell.com/patch/finder/?keywords=8c7d79d86d626d9e405009e6174cabd5
http://download.novell.com/patch/finder/?keywords=a2be52185ebaeba245a1c8aff0c659e2
http://download.novell.com/patch/finder/?keywords=a70d925c5736ccbb5c46bf7c01dfdfb6