CVE-2014-3631
Published 2014-09-28
Priority: P429 (high)
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 0.96% (57.2th percentile)
The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 3.16.3-1 (bookworm) | linux 3.16.3-1 (bookworm) |
| linux | linux_kernel | >= 0 < 3.16.3-1 | 3.16.3-1 |
| linux | linux_kernel | >= 0 < 3.16.3-1 | 3.16.3-1 |
| linux | linux_kernel | >= 0 < 3.16.3-1 | 3.16.3-1 |
| linux | linux_kernel | >= 0 < 3.16.3-1 | 3.16.3-1 |
| linux | linux_kernel | >= 0 < 3.13.0-37.64 | 3.13.0-37.64 |
| linux | linux_kernel | >= 3.13 < 3.14.19 | 3.14.19 |
| linux | linux_kernel | >= 3.15 < 3.16.3 | 3.16.3 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v2.0) | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | 7.2 | HIGH | |
| vendor_debian | 7.2 | HIGH | |
| vendor_redhat | 7.2 | HIGH | |
| vendor_ubuntu | 6.9 | MEDIUM | |
Ubuntu
Linux kernel (Trusty HWE) vulnerabilities
vendor_ubuntu·2014-10-09·CVSS 6.9
CVE-2014-3181 [MEDIUM] Linux kernel (Trusty HWE) vulnerabilities
Title: Linux kernel (Trusty HWE) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Steven Vittitoe reported multiple stack buffer overflows in the Linux kernel's
magicmouse HID driver. A physically proximate attacker could exploit this
flaw to cause a denial of service (system crash) or possibly execute
arbitrary code via specially crafted devices. (CVE-2014-3181)
Ben Hawkes reported some off-by-one errors for report descriptors in the
Linux kernel's HID stack. A physically proximate attacker could exploit
these flaws to cause a denial of service (out-of-bounds write) via a
specially crafted device. (CVE-2014-3184)
Several bounds check flaws allowing for buffer overflows were discovered in
the Linux kernel's Whiteheat USB serial driver. A physically proximate
attac
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2014-10-09·CVSS 6.9
CVE-2014-3181 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Steven Vittitoe reported multiple stack buffer overflows in the Linux kernel's
magicmouse HID driver. A physically proximate attacker could exploit this
flaw to cause a denial of service (system crash) or possibly execute
arbitrary code via specially crafted devices. (CVE-2014-3181)
Ben Hawkes reported some off-by-one errors for report descriptors in the
Linux kernel's HID stack. A physically proximate attacker could exploit
these flaws to cause a denial of service (out-of-bounds write) via a
specially crafted device. (CVE-2014-3184)
Several bounds check flaws allowing for buffer overflows were discovered in
the Linux kernel's Whiteheat USB serial driver. A physically proximate
attacker could exp
Red Hat
kernel: keys: incorrect termination condition in assoc array garbage collection
vendor_redhat·2014-09-09·CVSS 7.2
CVE-2014-3631 [HIGH] kernel: keys: incorrect termination condition in assoc array garbage collection
kernel: keys: incorrect termination condition in assoc array garbage collection
The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
A flaw was found in the way the Linux kernel's keys subsystem handled the termination condition in the associative array garbage collection functionality. A local, unprivileged user could use this flaw to crash the system.
Statement: This issue does not affect versions of the Linux kernel as shipped with Red Hat Enterpris
Debian
CVE-2014-3631: linux - The assoc_array_gc function in the associative-array implementation in lib/assoc...
vendor_debian·2014·CVSS 7.2
CVE-2014-3631 [HIGH] CVE-2014-3631: linux - The assoc_array_gc function in the associative-array implementation in lib/assoc...
The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
Scope: local
bookworm: resolved (fixed in 3.16.3-1)
bullseye: resolved (fixed in 3.16.3-1)
forky: resolved (fixed in 3.16.3-1)
sid: resolved (fixed in 3.16.3-1)
trixie: resolved (fixed in 3.16.3-1)
GHSA
GHSA-ggpq-6x2p-4r8r: The assoc_array_gc function in the associative-array implementation in lib/assoc_array
ghsa_unreviewed·2022-05-17
CVE-2014-3631 [HIGH] GHSA-ggpq-6x2p-4r8r: The assoc_array_gc function in the associative-array implementation in lib/assoc_array
The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
OSV
linux vulnerabilities
osv·2014-10-09·CVSS 6.9
CVE-2014-3181 [MEDIUM] linux vulnerabilities
linux vulnerabilities
Steven Vittitoe reported multiple stack buffer overflows in the Linux kernel's
magicmouse HID driver. A physically proximate attacker could exploit this
flaw to cause a denial of service (system crash) or possibly execute
arbitrary code via specially crafted devices. (CVE-2014-3181)
Ben Hawkes reported some off-by-one errors for report descriptors in the
Linux kernel's HID stack. A physically proximate attacker could exploit
these flaws to cause a denial of service (out-of-bounds write) via a
specially crafted device. (CVE-2014-3184)
Several bounds check flaws allowing for buffer overflows were discovered in
the Linux kernel's Whiteheat USB serial driver. A physically proximate
attacker could exploit these flaws to cause a denial of service (system
crash) via a special
OSV
CVE-2014-3631: The assoc_array_gc function in the associative-array implementation in lib/assoc_array
osv·2014-09-28·CVSS 7.2
CVE-2014-3631 [HIGH] CVE-2014-3631: The assoc_array_gc function in the associative-array implementation in lib/assoc_array
The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
Kernel
KEYS: Fix termination condition in assoc array garbage collection
kernel_security·2014-09-10·CVSS 7.2
CVE-2014-3631 [HIGH] KEYS: Fix termination condition in assoc array garbage collection
KEYS: Fix termination condition in assoc array garbage collection
This fixes CVE-2014-3631.
It is possible for an associative array to end up with a shortcut node at the
root of the tree if there are more than fan-out leaves in the tree, but they
all crowd into the same slot in the lowest level (i.e. they all have the same
first nibble of their index keys).
When assoc_array_gc() returns back up the tree after scanning some leaves, it
can fall off of the root and crash because it assumes that the back pointer
from a shortcut (after label ascend_old_tree) must point to a normal node -
which isn't true of a shortcut node at the root.
Should we find we're ascending rootwards over a shortcut, we should check to
see if the backpointer is zero - and if it is, we have completed the scan.
This
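The ascent the commit message describes, as an added example that is not kernel code: a toy model of the two internal node kinds and the back-pointer walk, with the unfixed assumption (a shortcut's parent is always a node) beside the fixed NULL check. The `struct ptr` tag, the `ascend_old_tree` and `gc_ascend` functions and the two constructed trees are assumptions standing in for the kernel's `assoc_array_ptr` low-bit encoding and its real tree layout.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy model of the ascent in assoc_array_gc() (added example, not kernel code).
 * lib/assoc_array.c has two internal node kinds, nodes and shortcuts, each with a
 * back pointer to its parent; the kind lives in the pointer's low bits, for which
 * a tagged struct stands in here. */
enum kind { NODE, SHORTCUT };
struct ptr { enum kind kind; void *p; };   /* stands in for assoc_array_ptr */
struct node { struct ptr back; };
struct shortcut { struct ptr back; };

/* Ascend toward the root like the code after the ascend_old_tree label does.
 * Returns levels climbed; -1 stands for the NULL dereference of CVE-2014-3631. */
static int ascend_old_tree(struct node *n, bool fixed)
{
    int levels = 0;
    for (;;) {
        struct ptr back = n->back;
        if (back.p == NULL)
            return levels;              /* node at the root: gc_complete */
        levels++;
        if (back.kind == SHORTCUT) {
            back = ((struct shortcut *)back.p)->back;
            /* Unfixed code assumed a shortcut's parent is always a node and
             * dereferenced it; the fix tests for NULL and completes the scan. */
            if (back.p == NULL)
                return fixed ? levels : -1;
            levels++;
        }
        n = back.p;                     /* a shortcut's parent is a node */
    }
}

/* Constructed trees: a shortcut at the root (leaves crowding one first nibble) or a plain root node. */
static int gc_ascend(bool shortcut_root, bool fixed)
{
    static struct shortcut sc_root;
    static struct node n_root, child;
    sc_root.back = n_root.back = (struct ptr){ NODE, NULL };
    child.back = shortcut_root ? (struct ptr){ SHORTCUT, &sc_root }
                               : (struct ptr){ NODE, &n_root };
    return ascend_old_tree(&child, fixed);
}

int main(void)
{
    printf("shortcut root: unfixed %d, fixed %d; node root: %d\n",
           gc_ascend(true, false), gc_ascend(true, true), gc_ascend(false, true));
    return 0;
}
```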
No detection rules found.
Bugzilla
CVE-2014-3631 kernel: keys: incorrect termination condition in assoc array garbage collection
bugzilla·2014-09-10·CVSS 7.2
CVE-2014-3631 [HIGH] CVE-2014-3631 kernel: keys: incorrect termination condition in assoc array garbage collection
CVE-2014-3631 kernel: keys: incorrect termination condition in assoc array garbage collection
A flaw was found in the way the termination condition in the associative array
garbage collection functionality was handled when used from the keys subsystem.
A local unprivileged user could use this flaw to crash the system.
Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b2a4df200d570b2c33a57e1ebfa5896e4bc81b69
Discussion:
Created attachment 936266
Upstream patch proposal
---
Statement:
This issue does not affect versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.
---
The patch has been posted upstream: https://lkml.o
Bugzilla
CVE-2014-3631 BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 [fedora-all]
bugzilla·2014-07-04·CVSS 7.2
CVE-2014-3631 [HIGH] CVE-2014-3631 BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 [fedora-all]
CVE-2014-3631 BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 [fedora-all]
Description of problem:
We have two virtual machines with Fedora 20 on two different hosts with Fedora 20.
From kernels 3.13 and subsequent, the virtual machine stops responding exactly 3 days after boot.
Version-Release number of selected component (if applicable):
kernel 3.13 and subsequent.
Now we are using 3.14.9-200
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
here are the messages on the console
[260027.360246] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[260027.361115] IP: [] assoc_array_gc+0x2f7/0x540
[260027.361115] PGD dae15067 PUD cfc24067 PMD 0
[260027.361115] Oops: 0000 [#1] SMP
[26
References
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=95389b08d93d5c06ec63ab49bd732b0069b7c35e
http://osvdb.org/show/osvdb/111298
http://www.exploit-db.com/exploits/36268
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.3
http://www.securityfocus.com/bid/70095
http://www.ubuntu.com/usn/USN-2378-1
http://www.ubuntu.com/usn/USN-2379-1
https://bugzilla.redhat.com/show_bug.cgi?id=1140325
https://github.com/torvalds/linux/commit/95389b08d93d5c06ec63ab49bd732b0069b7c35e