Important kernel security update: CVE-2017-8824 and others; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.6

Issue date: 2017-12-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-111

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6).

2. Security Fixes

  • [Important] dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

  • [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

  • [Important] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker able to run local code can exploit a race condition in transparent huge pages to modify huge pages that are normally read-only. (CVE-2017-1000405)

  • [Moderate] A vulnerability was found in the kernel virtualization module (KVM) for Intel processors. A guest system could flood I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS. (CVE-2017-1000407)

3. Bug Fixes

  • Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)

  • FUSE: improve performance of splice() operation in case of heavily fragmented memory. (PSBM-77949)

  • When there were more than two users of a page, __tcache_page_tree_delete() failed to freeze it. The page would never be invalidated and tcache_node->nr_pages would never be decremented. A kernel warning would be output as a result. (PSBM-78354)

4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.