Kernel security update: CVE-2017-11176 and other; Virtuozzo ReadyKernel patch 26.1 for Virtuozzo 7.0.x

Issue date: 2017-07-19

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-065

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2. Security Fixes

  • [Moderate] The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. (CVE-2017-11176)

  • [Moderate] If the sctp module was loaded on the host, a privileged user inside a container could make sctp listen on a socket in an inappropriate state, causing a kernel crash (use-after-free in sctp_wait_for_sndbuf()). (PSBM-64050)

3. Bug Fixes

  • A data race was discovered in the implementation of /proc/$PID/map_files. A privileged user on the host could crash the kernel by using mmap and munmap for a file and simultaneously trying to access /proc/$PID/map_files. (PSBM-68472)

  • It was found that the kernel could crash (skb_under_panic) if an skb from a virtual (NETIF_F_VENET) device was processed in a particular networking configuration. The problem was caused by the incorrect skb headroom calculation and missing headroom checks. (PSBM-68362)

  • A data race between calc_load_fold_active() and try_to_wake_up() was discovered. As a result of that race, the values shown in /proc/loadavg could be calculated incorrectly in some cases. (PSBM-68052)

  • A data race was discovered in ploop, which could lead to the kernel crash due to the list corruption during parallel push backups. (PSBM-67513)

4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.