Date: 12.12.2014
Severity: 2.9
Type: Local

Summary

1. The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value.
2. The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets.

Description

1. It was found that espfix funcionality (when returning to userspace with a 16
   bit stack, the CPU will not restore the high word of esp for us on executing
   iret and thus potentially leaks kernel addresses; espfix fixes this) does not
   work for 32-bit KVM paravirt guests.
   A local unprivileged user could potentially use this flaw to leak kernel
   stack addresses.
2. Fragmentation code erroneously sets skb->len rather than using skb_trim()
   to adjust the length of the first fragment after copying out all the others.
   This leaves the skb tail pointer pointing to after where the data
   originally ended, and thus causes the encryption MIC to be written
   at that point, rather than where it belongs: immediately after the
   data.

Affected Distributions

Ubuntu Ubuntu Linux 10.04 sparc
Ubuntu Ubuntu Linux 10.04 powerpc
Ubuntu Ubuntu Linux 10.04 i386
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.04 amd64
Linux kernel

References

https://bugzilla.redhat.com/show_bug.cgi?id=1172765