Mandriva

MDVSA-2014:230: kernel

Leave a comment

Multiple vulnerabilities has been found and corrected in the Linux
kernel:

The WRMSR processing functionality in the KVM subsystem in the
Linux kernel through 3.17.2 does not properly handle the writing of a
non-canonical address to a model-specific register, which allows guest
OS users to cause a denial of service (host OS crash) by leveraging
guest OS privileges, related to the wrmsr_interception function in
arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c
(CVE-2014-3610).

Race condition in the __kvm_migrate_pit_timer function in
arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through
3.17.2 allows guest OS users to cause a denial of service (host OS
crash) by leveraging incorrect PIT emulation (CVE-2014-3611).

arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before
3.12 does not have an exit handler for the INVEPT instruction, which
allows guest OS users to cause a denial of service (guest OS crash)
via a crafted application (CVE-2014-3645).

arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through
3.17.2 does not have an exit handler for the INVVPID instruction,
which allows guest OS users to cause a denial of service (guest OS
crash) via a crafted application (CVE-2014-3646).

arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel
through 3.17.2 does not properly perform RIP changes, which allows
guest OS users to cause a denial of service (guest OS crash) via a
crafted application (CVE-2014-3647).

The SCTP implementation in the Linux kernel through 3.17.2 allows
remote attackers to cause a denial of service (system crash) via
a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and
net/sctp/sm_statefuns.c (CVE-2014-3673).

The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c
in the SCTP implementation in the Linux kernel through 3.17.2 allows
remote attackers to cause a denial of service (panic) via duplicate
ASCONF chunks that trigger an incorrect uncork within the side-effect
interpreter (CVE-2014-3687).

arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before
3.17.2 on Intel processors does not ensure that the value in the CR4
control register remains the same after a VM entry, which allows host
OS users to kill arbitrary processes or cause a denial of service
(system disruption) by leveraging /dev/kvm access, as demonstrated by
PR_SET_TSC prctl calls within a modified copy of QEMU (CVE-2014-3690).

kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2
does not properly handle private syscall numbers during use of the
perf subsystem, which allows local users to cause a denial of service
(out-of-bounds read and OOPS) or bypass the ASLR protection mechanism
via a crafted application (CVE-2014-7825).

kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2
does not properly handle private syscall numbers during use of the
ftrace subsystem, which allows local users to gain privileges or
cause a denial of service (invalid pointer dereference) via a crafted
application (CVE-2014-7826).

The pivot_root implementation in fs/namespace.c in the Linux kernel
through 3.17 does not properly interact with certain locations of
a chroot directory, which allows local users to cause a denial of
service (mount-tree loop) via . (dot) values in both arguments to
the pivot_root system call (CVE-2014-7970).

The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux
kernel through 3.17.2 miscalculates the number of pages during
the handling of a mapping failure, which allows guest OS users to
cause a denial of service (host OS page unpinning) or possibly have
unspecified other impact by leveraging guest OS privileges. NOTE: this
vulnerability exists because of an incorrect fix for CVE-2014-3601
(CVE-2014-8369).

The updated packages provides a solution for these security issues.

Leave a Reply