Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.6¶

1. Overview¶

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6).

2. Security Fixes¶

• [Important] dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

• [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

• [Important] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)

• [Moderate] A vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS. (CVE-2017-1000407)

3. Bug Fixes¶

• Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)

• FUSE: improve performance of splice() operation in case of heavily fragmented memory. (PSBM-77949)

• When there were more than two users of a page, __tcache_page_tree_delete() failed to freeze it. The page would never be invalidated and tcache_node->nr_pages would never be decremented. A kernel warning would be output as a result. (PSBM-78354)

4. Installing the Update¶

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

5. References¶

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-39.1-2.vl7/

• https://access.redhat.com/security/cve/CVE-2017-8824

• https://access.redhat.com/security/cve/CVE-2017-16939

• https://access.redhat.com/security/cve/CVE-2017-1000405

• https://access.redhat.com/security/cve/CVE-2017-1000407

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-111.json.