The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 220.127.116.11 and fixes various bugs and security issues.

The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow. However, an expanding mremap() can take such a non-wrapping mapping and make it bigger and cause a wrapping condition.

A local unprivileged user able to access an NFS filesystem could use file locking to deadlock parts of an NFS server under some circumstances.

Fixed a race between ksmd and other memory management code, which could result in a NULL pointer dereference and kernel crash.

In both trigger_scan and sched_scan operations, we were checking for the SSID length before assigning the value correctly. Since the memory was just kzalloced, the check was always failing and SSIDs with over 32 characters were allowed to go through. This required CAP_NET_ADMIN privileges to be exploited.

A malicious user or buggy application could inject diagnosing byte code and trigger an infinite loop in inet_diag_bc_audit().

The code for evaluating LDM partitions contained bugs that could crash the kernel for certain corrupted LDM partitions.

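The SSID length check described above, as an added example that is not taken from the kernel source: it contrasts testing the zero-initialised destination field with testing the length supplied in the request. The struct layout, the function names and the 64-byte sample attribute are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SSID_LEN 32                 /* IEEE 802.11 SSID limit */

struct scan_ssid {                      /* hypothetical, simplified stand-in */
    uint8_t ssid[MAX_SSID_LEN];
    uint8_t ssid_len;
};

/* Flawed order: tests the destination's length field, which is still 0
 * after a zeroing allocation, so the test can never reject anything.
 * The copy itself is left out so this example never overflows. */
static int check_before_assign(const struct scan_ssid *dst, size_t attr_len)
{
    (void)attr_len;                     /* request-supplied length is never examined */
    return dst->ssid_len > MAX_SSID_LEN ? -1 : 0;
}

/* Corrected order: validate the length from the request, then copy and record it. */
static int assign_checked(struct scan_ssid *dst, const uint8_t *attr, size_t attr_len)
{
    if (attr_len > MAX_SSID_LEN) return -1;
    memcpy(dst->ssid, attr, attr_len);
    dst->ssid_len = (uint8_t)attr_len;
    return 0;
}

/* Runs one constructed attribute of attr_len bytes through both variants.
 * Bit 0 set: flawed check accepted it; bit 1 set: corrected check accepted it. */
int scan_demo(size_t attr_len)
{
    uint8_t attr[64];                   /* constructed sample attribute */
    struct scan_ssid *dst = calloc(1, sizeof(*dst));   /* all zero, like kzalloc */
    int result = 0;
    if (!dst || attr_len > sizeof(attr)) { free(dst); return -1; }
    memset(attr, 'A', sizeof(attr));
    if (check_before_assign(dst, attr_len) == 0) result |= 1;
    if (assign_checked(dst, attr, attr_len) == 0) result |= 2;
    free(dst);
    return result;
}

int main(void)
{
    printf("32 bytes: %d, 40 bytes: %d\n", scan_demo(32), scan_demo(40));
    return 0;
}
```
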
Multiple integer overflows in the next_pidmap function allowed local users to cause a denial of service (system crash).

The proc filesystem implementation in the Linux kernel did not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allowed local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls.

When using a setuid root mount.cifs, local users could hijack password protected mounted CIFS shares of other local users.

Kernel information via the TPM devices could be used by local attackers to read kernel memory.

The Linux kernel automatically evaluated partition tables of storage devices. The code for evaluating EFI GUID partitions contained a bug that caused a kernel oops on certain corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code.

In a bluetooth ioctl, struct sco_conninfo has one padding byte at the end. Local variable cinfo of type sco_conninfo was copied to userspace with this one uninitialized byte, leaking old stack contents.

In a bluetooth ioctl, struct ca is copied from userspace. It was not checked whether the “device” field was NUL-terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or an information leak by creating a device with a name made of contents of the kernel stack.

In ebtables rule loading, struct tmp is copied from userspace. It was not checked whether the “name” field is NUL-terminated. This may have led to a buffer overflow and to passing contents of the kernel stack as a module name to try_then_request_module() and, consequently, to the modprobe command line.

The econet_sendmsg function allowed remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet.

The IPv4 and IPv6 implementations did not place the expected ‘\0’ character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

Multiple integer overflows allowed local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages.

An integer overflow allowed local users to gain privileges or cause a denial of service (system crash) via a crafted agp_ioctl ioctl call.

The bcm_release function did not properly validate a socket data structure, which allowed local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.

The raw_release function did not properly validate a socket data structure, which allowed local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.

Updated packages are available from download.opensuse.org.