[arch-security] [Arch Linux Security Advisory ASA-201411-14] linux: local denial of service, privilege escalation

Remi Gacogne rgacogne at archlinux.org
Mon Nov 17 12:54:34 UTC 2014


Arch Linux Security Advisory ASA-201411-14
==========================================

Severity: Medium
Date    : 2014-11-17
CVE-ID  : CVE-2014-3610, CVE-2014-3611, CVE-2014-3646, CVE-2014-3647,
CVE-2014-7825, CVE-2014-7826, CVE-2014-8369, CVE-2014-8480, CVE-2014-8481
Package : linux
Type    : local denial of service, privilege escalation
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package linux before version 3.17.3-1 is vulnerable to local denial
of service and privilege escalation via various issues.

Resolution
==========

Upgrade to 3.17.3-1.

# pacman -Syu "linux>=3.17.3-1"

The problem has been fixed upstream in version 3.17.3.
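As an added example, not part of the advisory or of Arch's own tooling, the following POSIX shell script checks whether the installed linux package is at or above the fixed version 3.17.3-1. It asks pacman for the installed version on an Arch host and otherwise falls back to a constructed sample version so it runs offline; version ordering is approximated with GNU sort -V, which is an assumption of this example, while pacman's own vercmp remains the authoritative comparison.

```sh
#!/bin/sh
# Added example, not part of the advisory: report whether the installed
# "linux" package is at or above the version fixed in ASA-201411-14.

FIXED_VERSION="3.17.3-1"   # from the advisory's Resolution section

# version_ge A B: succeed (return 0) when A >= B.
# Ordering is approximated with GNU sort -V, which copes with the
# "pkgver-pkgrel" shape used here; pacman's vercmp(8) is authoritative
# for corner cases such as epochs or alphanumeric suffixes.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# is_fixed VER: succeed when VER is not affected according to this advisory.
is_fixed() {
    version_ge "$1" "$FIXED_VERSION"
}

# installed_linux_version: ask pacman on an Arch host; elsewhere return a
# constructed sample so the script still runs offline.
installed_linux_version() {
    if command -v pacman >/dev/null 2>&1; then
        pacman -Q linux 2>/dev/null | awk '{print $2}'
    else
        echo "3.17.2-1"   # constructed sample (a vulnerable version)
    fi
}

main() {
    ver=$(installed_linux_version)
    if [ -z "$ver" ]; then
        echo "linux package not installed; nothing to check"
        return 0
    fi
    if is_fixed "$ver"; then
        echo "linux $ver: at or above $FIXED_VERSION, not affected by ASA-201411-14"
    else
        echo "linux $ver: below $FIXED_VERSION, run: pacman -Syu \"linux>=$FIXED_VERSION\""
    fi
}

main "$@"
```

On a real Arch host, `vercmp "$(pacman -Q linux | awk '{print $2}')" 3.17.3-1` gives the same answer with pacman's exact ordering rules; the sort -V approximation above is only there so the check also runs where pacman is absent.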

Workaround
==========

None.

Description
===========

CVE-2014-3610: The WRMSR processing functionality in the KVM subsystem
in the Linux kernel does not properly handle the writing of a
non-canonical address to a model-specific register, which allows guest
OS users to cause a denial of service (host OS crash) by leveraging
guest OS privileges, related to the wrmsr_interception function in
arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c.

CVE-2014-3611: Race condition in the __kvm_migrate_pit_timer function in
arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel allows
guest OS users to cause a denial of service (host OS crash) by
leveraging incorrect PIT emulation.

CVE-2014-3646: arch/x86/kvm/vmx.c in the KVM subsystem in the Linux
kernel does not have an exit handler for the INVVPID instruction, which
allows guest OS users to cause a denial of service (guest OS crash) via
a crafted application.

CVE-2014-3647: arch/x86/kvm/emulate.c in the KVM subsystem in the Linux
kernel does not properly perform RIP changes, which allows guest OS
users to cause a denial of service (guest OS crash) via a crafted
application.

CVE-2014-7825: kernel/trace/trace_syscalls.c in the Linux kernel does
not properly handle private syscall numbers during use of the perf
subsystem, which allows local users to cause a denial of service
(out-of-bounds read and OOPS) or bypass the ASLR protection mechanism
via a crafted application.

CVE-2014-7826: kernel/trace/trace_syscalls.c in the Linux kernel through
3.17.2 does not properly handle private syscall numbers during use of
the ftrace subsystem, which allows local users to gain privileges or
cause a denial of service (invalid pointer dereference) via a crafted
application.

CVE-2014-8369: The kvm_iommu_map_pages function in virt/kvm/iommu.c in
the Linux kernel miscalculates the number of pages during the handling
of a mapping failure, which allows guest OS users to cause a denial of
service (host OS page unpinning) or possibly have unspecified other
impact by leveraging guest OS privileges. NOTE: this vulnerability
exists because of an incorrect fix for CVE-2014-3601.

CVE-2014-8480: The instruction decoder in arch/x86/kvm/emulate.c in the
KVM subsystem in the Linux kernel lacks intended decoder-table flags for
certain RIP-relative instructions, which allows guest OS users to cause
a denial of service (NULL pointer dereference and host OS crash) via a
crafted application.

CVE-2014-8481: The instruction decoder in arch/x86/kvm/emulate.c in the
KVM subsystem in the Linux kernel does not properly handle invalid
instructions, which allows guest OS users to cause a denial of service
(NULL pointer dereference and host OS crash) via a crafted application
that triggers (1) an improperly fetched instruction or (2) an
instruction that occupies too many bytes. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2014-8480.

Impact
======

A local OS user may be able to cause a kernel crash in various ways, or
escalate privileges.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3610
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3611
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3646
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3647
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7825
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7826
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8369
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8480
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8481
http://permalink.gmane.org/gmane.comp.security.oss.general/14526
