[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (4.9.168-1)

Jamie Iles jamie.iles at oracle.com
Thu Jun 6 06:51:26 PDT 2019


Synopsis: 4.9.168-1 can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2018-1000026 CVE-2018-14625 CVE-2018-19824 CVE-2018-19985 CVE-2019-3459 CVE-2019-3460 CVE-2019-3701 CVE-2019-3819 CVE-2019-6133 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-8980 CVE-2019-9213

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian kernel update, 4.9.168-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service when handling page requests in Intel VT-d subsystem.

Incorrect error handling in the Intel VT-d subsystem when handling page
requests leads to a NULL pointer dereference. This could be exploited to
cause a denial-of-service.


* Denial-of-service in the BATMAN advanced meshing protocol.

When receiving a unicast packet in the BATMAN meshing protocol, a fragment
merge operation triggers a kernel BUG. This could lead to a
denial-of-service.


* CVE-2018-19824: Use-after-free when registering a malicious USB audio device.

Incorrect error handling when registering a malicious USB audio device
that exposes zero interfaces could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.


* Kernel panic in Queuing Discipline buffer removal.

A logic error when removing buffers from a queuing discipline can result in
dereferencing a poisoned pointer, leading to a kernel panic.


* Information leak via forwarding table from GRE device.

Dumping a forwarding database from a non-ethernet device can result in a kernel
information leak. A local user with access to a Generic Routing Encapsulation
device could use this flaw to facilitate a further attack.


* NULL pointer dereference in TCP loss probe timer.

A mismatch between the retransmission queue and packet count can result in a
NULL pointer dereference when the TCP loss probe timer executes.


* Denial-of-service in creation of a tun device via netlink.

A logic error which allows the creation of a tun device via netlink can result
in a NULL pointer dereference, leading to a kernel crash.  A local user with
the ability to create network interfaces could use this flaw to cause a
denial-of-service.


* Denial-of-service during incremental send of BTRFS filesystem.

A logic error when performing an incremental send of a BTRFS filesystem can
result in the kernel entering an infinite loop. A local user with the ability
to modify and send a BTRFS filesystem could use this flaw to cause a
denial-of-service.


* Use-after-free in exportfs dentry release.

A reference count manipulation error can result in an early free, leading to a
use-after-free. A local user could use this flaw to potentially escalate
privileges.


* Denial-of-service in CacheFiles concurrent page access.

Concurrent access to a single page in the CacheFiles backend can result in a
reference to the page being leaked, leading to a memory leak. A local user
could use this flaw to exhaust system memory, leading to a denial-of-service.


* Deadlock during OCFS2 extent defragmentation.

A locking error when performing defragmentation of an OCFS2 extent can result
in taking the same lock twice, leading to a deadlock.


* Use-after-free in HFS and HFS+ error reporting.

A logic error when printing error information about a recently freed node can
result in a use-after-free. A local user could use this flaw to potentially
escalate privileges.


* Improved fix for Spectre v1: Bounds-check bypass in asynchronous I/O subsystem.

Missing sanitization of an array index after a bounds check in the
asynchronous I/O subsystem could lead to an information leak. A local
attacker could use this flaw to leak information about the running system.
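As an added example (not code from this advisory or the Debian kernel), the index-masking idiom the kernel uses for the "improved fix for Spectre v1" entries in this update: after the bounds check, the index is ANDed with a branch-free mask so that a speculatively executed load cannot reach past the array. array_index_mask_nospec() follows the generic C fallback in the kernel's include/linux/nospec.h (without its OPTIMIZER_HIDE_VAR barrier); the lookup table and both callers are constructed for illustration.

```c
/* Added example, not code from the Ksplice advisory or the Debian kernel:
 * the index-masking idiom the Linux kernel uses to close a Spectre v1
 * bounds-check-bypass window.  array_index_mask_nospec() mirrors the generic
 * C fallback from the kernel's <linux/nospec.h>; the kernel additionally
 * hides `index` from the optimizer so the mask is always emitted, which this
 * userspace demo omits.  The table and the two callers are constructed. */
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Returns ~0UL when index < size and 0 otherwise, with no data-dependent branch.
 * When index < size (and size < 2^(BITS_PER_LONG-1)), neither index nor
 * size - 1 - index has its top bit set, so the OR is non-negative as a long,
 * its complement is negative, and the arithmetic right shift smears the sign
 * bit into all ones.  When index >= size the subtraction wraps and sets the
 * top bit, the complement is non-negative, and the shift yields 0.  Because
 * no branch is involved, the mask is still correct while the CPU speculates
 * past a mispredicted bounds check.  (Relies on arithmetic shift of a
 * negative long, as gcc and clang implement it.) */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamps index into [0, size) without branching; an out-of-range index becomes 0. */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

#define TABLE_SIZE 8UL
static const uint32_t table[TABLE_SIZE] = { 10, 20, 30, 40, 50, 60, 70, 80 };

/* The pattern the advisory entries describe: the bounds check is
 * architecturally correct, but the load that follows may still execute
 * speculatively with an out-of-range index, and its cache footprint can be
 * observed afterwards. */
uint32_t lookup_unsanitized(unsigned long idx)
{
    if (idx >= TABLE_SIZE)
        return 0;
    return table[idx];                 /* speculative window here */
}

/* Hardened form: re-sanitize the index after the check so the speculative
 * load cannot reach beyond the table.  Architectural results are unchanged. */
uint32_t lookup_sanitized(unsigned long idx)
{
    if (idx >= TABLE_SIZE)
        return 0;
    idx = array_index_nospec(idx, TABLE_SIZE);
    return table[idx];
}

int main(void)
{
    unsigned long probes[] = { 0, 3, 7, 8, 1000, ULONG_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%lu mask=%016lx clamped=%lu value=%" PRIu32 "\n",
               probes[i],
               array_index_mask_nospec(probes[i], TABLE_SIZE),
               array_index_nospec(probes[i], TABLE_SIZE),
               lookup_sanitized(probes[i]));
    return 0;
}
```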


* NULL pointer dereference in iSCSI session reset.

A logic error in the iscsi code when the iscsi state is set to
ISCSI_STATE_TERMINATE could lead to a NULL pointer dereference and
possible kernel panic or memory corruption.  This could be exploited
for a denial of service attack.


* Denial-of-service when closing an AF_VSOCK socket.

A memory leak when closing a socket from the VSOCK address family could
allow an unprivileged process to exhaust kernel memory and cause a
denial-of-service.


* Denial-of-service when sending NVMe packets over RDMA.

A use-after-free bug in the error path when sending an NVMe packet over
RDMA fails could lead to uninitialized memory access and cause a
denial-of-service.


* Use-after-free in Infiniband SRP target driver.

A print statement in the ib_srpt driver attempts to access a member of a
structure after it may have already been freed.  This could be used to
cause a denial-of-service.


* CVE-2018-19985: Out-of-bounds memory access in USB High Speed Mobile device driver.

A missing length check in hso_probe can lead to an out-of-bounds
memory access.  This could cause a system to exhibit unexpected
behavior.


* Information leak in Memory Type Range Register ioctl.

A structure used for transferring data between user space and kernel
space in mtrr_ioctl contains a padding field that is not zeroed before
the structure is handed off to user space.  This flaw could be exploited
by a local attacker to leak information about the running system.


* Improved fix for CVE-2017-5753: Spectre v1 vulnerability in DRM driver's ioctl handler.

A value that is indirectly controlled by userspace is used to index a
buffer in drm_ioctl.  A local attacker could use a Spectre-style attack
to exploit this flaw and cause unexpected behavior, or a
denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in multicast ioctls.

The ioctl handlers for the ip6mr and ipmr multicast routing systems are
potentially vulnerable to Spectre variant 1 speculative execution
attacks.


* Use-after-free in AX.25 radio device driver.

Logic errors in the AX.25 amateur radio device driver can result in a
use-after-free in several error paths, potentially resulting in a
denial-of-service.


* NULL-pointer dereference when transmitting IEEE 802.15.4 packets.

When transmitting packets over an IEEE 802.15.4 device, a missing daddr
field might result in a NULL-pointer dereference and denial-of-service.


* Race conditions in IPv6 tunnel code cause memory corruption.

Several rare race conditions in the IPv6 tunnel code could lead to
use-after-free of memory, potentially resulting in memory corruption or
a denial-of-service.


* Information leak in CAPI ISDN ioctl.

When reading device information via sysctl for a CAPI ISDN device, the
device manufacturer field might contain unsanitized kernel data,
potentially leaking information to a malicious user.


* Invalid memory access in network packet address.

A failure to properly validate input could lead to an invalid length
being used for the network packet address, causing an invalid memory
access.  This could be used for a denial-of-service attack.


* Information leak via IPv6 getsockopt syscall.

When requesting information about an IPv6 socket via the getsockopt
syscall, the sin6_flowinfo field is not properly cleared, potentially
exposing sensitive kernel information to a malicious user.
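As an added example (not code from this advisory or the kernel), the bug class behind the Memory Type Range Register ioctl entry above, and the fix: a structure filled field by field keeps whatever the kernel stack previously held in its padding bytes, and a copy to userspace ships all of them. The same clear-before-fill discipline covers a field that is never assigned at all, like the sin6_flowinfo case in the IPv6 getsockopt entry. struct reply, its field values and the 0xAA "stale stack" pattern are constructed; the real mtrr_ioctl structure is not reproduced.

```c
/* Added example, not code from the Ksplice advisory or the kernel: how a
 * struct that is filled field by field and then copied to userspace leaks
 * whatever was in its padding bytes, and the fix.  struct reply, the field
 * values and the stale-byte pattern are constructed; the real mtrr_ioctl
 * structure is not reproduced. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout with alignment holes (after `kind` and after `flags` on
 * every common ABI).  Hole sizes are ABI-dependent, which is why the checker
 * below locates padding with offsetof() instead of hardcoding offsets. */
struct reply {
    uint8_t  kind;
    uint32_t value;
    uint16_t flags;
    uint64_t cookie;
};

#define PADDING_BYTES (sizeof(struct reply) - sizeof(uint8_t) - sizeof(uint32_t) \
                       - sizeof(uint16_t) - sizeof(uint64_t))

/* Buggy pattern: every named field is assigned, but the padding keeps whatever
 * the kernel stack held before, and copy_to_user() would ship all of it. */
void build_reply_unsafe(struct reply *out)
{
    out->kind   = 1;
    out->value  = 0x11223344u;
    out->flags  = 0x5566;
    out->cookie = 0x778899aabbccddeeULL;
}

/* Fixed pattern: clear the whole object first (the kernel convention; an
 * initializer such as "= {0}" is not guaranteed by the C standard to zero
 * padding in an automatic object), then fill the fields.  This also covers a
 * field that the code simply forgets to assign. */
void build_reply_fixed(struct reply *out)
{
    memset(out, 0, sizeof *out);
    out->kind   = 1;
    out->value  = 0x11223344u;
    out->flags  = 0x5566;
    out->cookie = 0x778899aabbccddeeULL;
}

static int in_field(size_t off, size_t start, size_t len)
{
    return off >= start && off < start + len;
}

/* Counts padding bytes of *r that still hold the stale pattern, i.e. bytes
 * that would reach userspace without ever having been written by the builder. */
size_t leaked_padding_bytes(const struct reply *r, unsigned char stale)
{
    const unsigned char *p = (const unsigned char *)r;
    size_t leaked = 0;

    for (size_t off = 0; off < sizeof *r; off++) {
        if (in_field(off, offsetof(struct reply, kind),   sizeof r->kind)  ||
            in_field(off, offsetof(struct reply, value),  sizeof r->value) ||
            in_field(off, offsetof(struct reply, flags),  sizeof r->flags) ||
            in_field(off, offsetof(struct reply, cookie), sizeof r->cookie))
            continue;                  /* a named field, always written */
        if (p[off] == stale)
            leaked++;
    }
    return leaked;
}

/* Simulates a kernel stack slot that already contains leftover data (the
 * constructed `stale` byte), runs one of the builders over it and reports how
 * many padding bytes a copy to userspace would disclose. */
size_t leak_count(void (*build)(struct reply *), unsigned char stale)
{
    struct reply r;

    memset(&r, stale, sizeof r);       /* stale stack contents, constructed */
    build(&r);
    return leaked_padding_bytes(&r, stale);
}

int main(void)
{
    printf("sizeof(struct reply)=%zu, padding=%zu\n", sizeof(struct reply),
           (size_t)PADDING_BYTES);
    printf("unsafe builder leaks %zu byte(s)\n", leak_count(build_reply_unsafe, 0xAA));
    printf("fixed  builder leaks %zu byte(s)\n", leak_count(build_reply_fixed, 0xAA));
    return 0;
}
```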


* NULL-pointer dereference when removing vxlan interface with GRO enabled.

When receiving data with Generic Receive Offload enabled on a vxlan
tunnel interface, a race condition can result in a NULL-pointer
dereference and denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in ALSA sound drivers.

Several ALSA sound device drivers contain array accesses whose values
are controlled by userspace input, and might therefore be vulnerable to
a Spectre variant 1 speculative bounds-check bypass attack.


* Invalid memory access when adjusting TCP sequence number in connection tracking driver.

A logic error when adjusting the TCP sequence number in the connection
tracking driver could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.


* NULL pointer dereference in QLogic FCoE offload driver.

A missing check in the QLogic FCoE offload driver's error handling could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2019-6133: Permission bypass of userspace Policykit protection.

When a non-root user tries to control a systemd unit, Policykit asks
for an administrator password. Once entered, polkit caches this password
for up to five minutes for the corresponding process, identified by its
PID and start_time. A race condition in the fork syscall could let an
attacker spawn a process with the same start_time and PID as the targeted
process and thus control a systemd unit.


* Memory leak during cache lookup in SUNRPC driver.

A logic error during cache lookup in the SUNRPC driver could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* NULL-pointer dereference when writing to HFI device in PIO mode.

When writing to a file across an HFI virtual network interface in PIO
mode, invalid socket configuration could result in a NULL-pointer
dereference and denial-of-service.


* NULL pointer dereference in probe of Cirrus Logic CS46XX driver.

A missing check in the probe routine of the Cirrus Logic CS46XX driver
could lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.


* Out-of-bounds accesses in usb audio driver.

A missing check in the USB audio driver could lead to out-of-bounds
accesses. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leaks in Distributed Lock Manager.

Missing freeing of resources in the Distributed Lock Manager could lead to
multiple memory leaks. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* Double free when creating inodes in GFS2 file system.

A logic error when creating inodes in the GFS2 file system could lead to a
double free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when mounting a 9p remote filesystem.

A missing check of parameters when mounting a 9p remote filesystem could
lead to a kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in Intel Trace Hub Memory nr pages attribute setting.

A failure to validate userspace input in the intel trace hub code could
lead to an out-of-bounds memory access.  This could be exploited to
cause a denial-of-service.


* Out-of-bounds access when locking/unlocking file over CIFS/SMB2.

When modifying lock structures on a CIFS/SMB2 remote mount, an
abnormally small max buffer size provided by the server could result in
an access out-of-bounds, potentially resulting in a denial-of-service.


* Deadlock when using fiemap ioctl on ext4 file with inline data.

When calling the fiemap() ioctl on an ext4 file with inline data, a
potential deadlock can occur if the call happens to generate a page
fault, resulting in a denial-of-service.


* Denial-of-service during TTY reopen.

A locking error in the TTY subsystem can result in a NULL pointer dereference
if a TTY device is reopened whilst it's in use. A local user with access to a
TTY device could use this flaw to cause a kernel crash, leading to a
denial-of-service.


* Spurious signals during TTY reopen.

A logic error when locking a TTY when it is reopened can result in unnecessary
signals being sent to userspace processes.


* CVE-2019-3701: Denial-of-service in CAN controller.

Missing sanity checking in the Controller Area Network driver can allow
a malicious user to write arbitrary bits into the CAN device's I/O
memory, resulting in a system crash and denial-of-service.


* Information disclosure in IPv6 error reporting.

A failure to clear memory in the IPv6 error reporting implementation can result
in the leak of sensitive kernel information to userspace. A local user could
use this flaw to facilitate a further attack.


* Denial-of-service in AF_PACKET refcount manipulation.

A failure to correctly decrement a refcount in the AF_PACKET implementation can
result in the inability to unload Infiniband kernel modules.


* Kernel crash in IPv6 header read.

A logic error when reading from queued IPv6 packet headers can result in an
assertion failure, leading to a kernel crash.


* Kernel crash in IPsec authenticated encryption request completion.

A logic error in the authenticated encryption implementation for IPsec can
result in a NULL pointer dereference, leading to a kernel crash.


* Out-of-bounds memory access in authenticated encryption key parsing.

A logic error when reading unaligned keys for authenticated encryption can lead
to an integer underflow and result in an out-of-bounds memory access, leading to
a kernel crash. A local user could use this flaw to cause a denial-of-service.


* Undefined behavior during BTRFS filesystem umount.

A race condition when destroying extents can result in assertion failures when
unmounting a BTRFS filesystem, leading to undefined behavior.


* Use-after-free in Yama ancestry walk.

A race condition in the Yama security module can result in attempting to access
a freed process. A local user could use this flaw to cause a kernel crash or
potentially escalate privileges.


* NULL pointer dereference when freeing credential.

A missing NULL pointer check during a credential free could result in a kernel
crash.


* Use-after-free in V4L2 video buffer management.

A race condition when duplicating a file descriptor for a video buffer can
result in accessing released memory. A local user with access to a V4L2 device
could use this flaw to cause undefined behavior or a kernel crash.


* NULL pointer dereference in sunrpc portmapper request.

A failure to handle a memory allocation failure in the sunrpc implementation
can result in a NULL pointer dereference, leading to a kernel crash.


* Denial-of-service in ebtables memory allocation.

A failure to associate ebtables memory allocations with the current memory
cgroup can result in a process with restricted memory being able to exhaust
system memory. A local user could use this flaw to cause a denial-of-service.


* Kernel crash during invalid SELinux policy load.

A failure to handle errors during the load of an SELinux policy can result in a
kernel crash.


* Livelock in loop device block resize operation.

A failure to handle a block size change on an existing loopback device can
result in a livelock. A local user with the ability to configure a loopback
device could use this flaw to cause a denial-of-service.


* Information disclosure in SCTP socket address allocation.

A failure to correctly sanitise an SCTP socket memory allocation can result in
sensitive information being disclosed to userspace. A local user could use this
flaw to facilitate a further attack.


* Deadlock between ext4 and cgroups when reclaiming memory.

When reclaiming memory for cgroups, ext4 writeback might attempt to
access the same page, resulting in a potential lock order reversal and
system deadlock.


* Denial-of-service in OCFS2 when mounting image with unrecovered alloc.

When mounting an OCFS2 filesystem image with an unrecovered local alloc
in its journal, an invalid kernel assertion causes a panic when the
image should actually be recoverable with an ocfs2.fsck run.


* Data loss when performing fsync affecting multiple filesystems.

Incorrect handling of writeback errors when performing fsync on a
memory-mapped file results in metadata corruption. This could lead to
inadvertent data loss.


* Incorrect MTU limit check in bridge device packet forwarding path.

A logic error in the bridge device packet forwarding path can cause
packets that exceed that device's MTU to be forwarded without first
being split into smaller pieces.  This could cause unexpected
behavior for users of the bridge device.


* Use-after-free when packet SKB pointer changes.

If the pskb_trim_rcsum function changes a packet's SKB pointer, certain
fields in the packet header become stale.  If the kernel attempts to
access some of these fields, it can result in a use-after-free.  This
could potentially be exploited to cause unexpected behavior or a
denial-of-service.


* Out-of-bounds access in Open vSwitch when parsing flow attributes.

A logic error in __parse_flow_nlattrs can result in an out-of-bounds
read.  A remote attacker could potentially craft network traffic to
exploit this flaw, which could then cause a system to exhibit unexpected
behavior.


* Memory leak while dismantling network namespaces.

Under certain circumstances, it is possible for the kernel to fail to
properly flush error route objects when tearing down a network
namespace, causing these objects to be leaked.  A local attacker could
potentially exploit this flaw to waste system resources and degrade
performance.


* Packet filters break after changing certain settings.

Modifying packet filters in a specific manner can cause some filters
to stop working unexpectedly.  This could cause a system to exhibit
undesirable behavior.


* Improved fix for CVE-2017-5753: Spectre v1 vulnerability in ACP Modem driver.

A user-controlled value is used to index an array in the ACP Modem
driver.  This flaw could be exploited using a Spectre v1 style attack to
leak information about the running system.


* NULL pointer dereference in uart write path.

Improper locking in the uart_put_char/uart_write functions can lead
to a NULL pointer dereference, and subsequent kernel panic.  This
could potentially be exploited by a local attacker to cause a
denial-of-service.


* Integer overflow in uinput driver's input validation path.

A failure to check whether or not the result of a subtraction operation
will overflow can lead to an integer overflow in the uinput driver's
uinput_validate_absinfo function.  This could potentially cause a system
to exhibit unexpected behavior.


* NULL pointer dereference in NVMe driver's RDMA path.

A failure to properly allocate a structure in the NVMe driver's RDMA
path can lead to a NULL pointer dereference when the system is under
heavy load.  A local attacker could potentially exploit this flaw to
cause a denial-of-service.


* Use-after-free when truncating an F2FS object.

When truncating a node on a Flash-Friendly File System, a race condition
results in the use-after-free of a page structure, resulting in potential
memory corruption or a denial-of-service.


* Invalid memory access in L2TP during receive.

A failure to properly account for all optional fields in an L2TPv2
header could result in an out-of-bounds memory access in the L2TP code.
This could potentially be exploited to cause a denial-of-service attack.


* Denial-of-service in ROSE transmit with internally generated frames.

A missed NULL check in the rose transmit code could result in a NULL
pointer access and subsequent kernel panic.  This could be used to
cause a denial-of-service.


* Use-after-free in OOM process killing.

A race condition in the OOM code could result in a use-after-free
if the process to be killed exits before it is killed.  This could
be exploited for a denial-of-service.


* NULL pointer dereference in hwpoison memory failure.

A race condition in the hwpoison code could lead to a NULL pointer
dereference and possible kernel panic.  This could be used to cause
a denial-of-service.


* Improved fix for CVE-2017-5753: Speculative execution in DRM legacy buffer free.

The DRM legacy buffer management implementation is vulnerable to a Spectre
variant 1 side-channel attack. A local user could use this flaw to read
arbitrary kernel memory.


* Information disclosure in Precision Time Protocol offset ioctl.

A failure to handle an error case can result in kernel stack memory being
leaked to userspace. A local user could use this flaw to facilitate a further
attack.


* Denial-of-service in NFSv4 startup.

A race condition between nfsd starting and userspace configuring it can result
in a NULL pointer dereference, leading to a kernel crash. A local user with the
ability to configure NFS could use this flaw to cause a denial-of-service.


* Kernel crash in EFI variable access.

A failure to prevent access to EFI variables when a system has not been booted
via EFI can result in a kernel crash.


* Denial-of-service in UDF extent parsing.

A failure to validate extent information from a UDF filesystem can result in an
assertion failure, leading to a kernel crash. A local user with the ability to
mount a UDF filesystem could use this flaw to cause a denial-of-service.


* Deadlock in DRBD handshake synchronisation.

Incorrect locking when performing a handshake in DRBD can result in a deadlock.


* Out-of-bounds memory access in i40e event handling.

A failure to allocate enough memory for a struct can result in an out-of-bounds
memory access, leading to a kernel crash or other undefined behavior.


* Information disclosure in seqfile string buffer construction.

A failure to terminate a string buffer in the seqfile buffer interface can
result in disclosure of sensitive information from the kernel stack. A local
user could use this flaw to facilitate a further attack.


* Denial-of-service in CIFS directory opening.

A race condition between multiple threads opening and closing a directory can
result in a NULL pointer dereference, leading to a kernel crash. A local user
with access to a CIFS filesystem could use this flaw to cause a
denial-of-service.


* Kernel crash due to race condition when reading blocks in OCFS2.

Unnecessary synchronization of buffers when reading blocks in OCFS2
could in fact result in a race condition and kernel assertion failure,
causing a system crash.


* Double unlock in RxRPC message reception.

A failure to handle interruptions or errors when receiving an RxRPC packet can
result in a double unlock, leading to undefined behavior.


* Use-after-free in RDS socket lookup.

A failure to correctly check the reference count for an RDS socket can result
in accessing a freed socket, leading to a use-after-free. A local user with the
ability to create RDS sockets could use this flaw to cause a kernel crash or
potentially escalate privileges.


* Memory leak in FUSE splice write.

A failure to lock a pipe when performing a splice write in FUSE can result in a
memory leak.


* Denial-of-service in FUSE retrieval notification.

A failure to check for a zero number of pages to retrieve in the FUSE
filesystem can result in a NULL pointer dereference, leading to a kernel crash.
A local user could use this flaw to cause a denial-of-service.


* CVE-2019-7222: Information disclosure in KVM VMX emulation.

Incorrectly handling a page fault exception while emulating VMX instructions
can result in leaking host stack information to a guest. A guest VM could use
this flaw to facilitate a further attack on the host.


* CVE-2019-6974: Use-after-free in KVM device creation.

A reference count manipulation error when creating a KVM device can result in
an early free, leading to a use-after-free. A local user with access to KVM
could use this flaw to cause a kernel crash or potentially escalate privileges.


* CVE-2019-7221: Use-after-free in nested KVM preemption timer.

A failure to cancel a nested KVM timer before freeing it can result in a
use-after-free. A guest VM could use this flaw to crash the host.


* NULL pointer dereference in TTY flush.

A race condition between opening a TTY and flushing it can result in a NULL
pointer dereference, leading to a kernel crash.


* Memory corruption in Infiniband HFI1 loopback send.

A logic error in the Infiniband code could lead to memory corruption
and kernel panic.  This could be used for a denial-of-service.


* Denial-of-service when handling signal in user process.

Incorrect signal handling allows an unprivileged local user to create
processes that are immune to termination attempts. An attacker can
exploit this flaw to exhaust resources, which could eventually lead to a
denial-of-service.


* Denial-of-service when encrypting Wi-Fi packets for transmission.

An out-of-bounds write when transmitting encrypted management packets in
the mac80211 subsystem could lead to a denial-of-service on certain
systems where the driver relies on software encryption.


* Denial-of-service in the batman-adv subsystem.

An out-of-bounds access to kernel memory is possible when
transmitting packets through a raw socket in the batman-adv
routing protocol. An unprivileged local user with the CAP_NET_RAW
capability could possibly exploit this flaw to cause a
denial-of-service.


* CVE-2018-1000026: Denial-of-service when receiving invalid packet on bnx2x network card.

Missing input validation when receiving an invalid packet on a bnx2x
network card could lead to a network outage. A remote attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference in VMWare vsock destruction.

A failure to check for initialization failure when destroying a VMWare vsock
can result in a NULL pointer dereference, leading to a kernel crash.


* Kernel crash in IPv4 TCP unreachable destination error handling.

A race condition when processing a destination unreachable ICMP message in a
TCP stream can result in a NULL pointer dereference, leading to a kernel crash.


* Use-after-free during Vxlan device dismantle.

A failure to correctly clear incoming packets from buffers when dismantling a
Vxlan device can result in a use-after-free.


* Denial-of-service when triggering OOM on a process with many alien threads.

An overly verbose print when setting OOM on a process sharing memory with
thousands of alien threads could lead to an RCU stall. A local attacker
could use this flaw to cause a denial-of-service.


* NULL pointer dereference when resetting InfiniBand SCSI RDMA devices.

A logic error when resetting InfiniBand SCSI RDMA devices could lead to
a NULL pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when a process requests a key without subscribing to any keyring.

A missing initialization when a process requests a key without
subscribing to any keyring could lead to a kernel assert. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when using SIT driver with IPV6 disabled.

A missing check when using the SIT driver with IPv6 disabled could lead to
a NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when running SCTP GSO over GRE over VLAN.

A logic error when running SCTP GSO over GRE over VLAN could lead to a
kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* Information disclosure in ALSA SoC dynamic power management debugfs interface.

Incorrect string handling in the ALSA SoC dynamic power management debugfs
interface can result in the copy of uninitialised kernel memory to userspace.


* Kernel crash in Chelsio FCoE remote port registration.

A race condition between allocating a virtual node port and setting its state
can result in a NULL pointer dereference, leading to a kernel crash.


* Denial-of-service in mac80211 Tunneled Direct Link Setup.

A race condition between associating a station with an Access Point and
initializing a Tunneled Direct Link Setup can result in a warning. A local user
with the ability to configure a mac80211 device could use this flaw to flood
the kernel message buffer, leading to a denial-of-service.


* CVE-2019-9213: Bypass of mmap_min_addr restriction.

An incorrect capability check in the mmap memory expansion implementation can
result in applications being able to bypass the minimum mmap address
restriction. A local user on a system without SMAP enabled could use this flaw
to exploit kernel NULL pointer dereferences.


* SMAP bypass during user memory copy.

A logic error when copying information to userspace can result in kernel code
executing without SMAP protection.


* Denial-of-service when adding a multicast forwarding entry in IPV6.

A logic error when adding a multicast forwarding entry in IPV6 could
lead to a deadlock. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when registering a kobject associated to a net device.

A missing free of resources when registering a kobject for a net device
fails could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* Memory leak when unregistering an Ethernet team driver.

A missing free of a BPF filter when unregistering an Ethernet team
driver could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* Out-of-bounds memory accesses when using netlabel subsystem.

Logic errors when using the netlabel subsystem could lead to out-of-bounds
memory accesses. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when network emulator is used.

A logic error when the network emulator is used could lead to a kernel
assert. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when registering an NFC device.

A missing check when registering an NFC device could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when registering an IPv6-in-IPv4 tunnel.

A missing free of resources when registering an IPv6-in-IPv4 tunnel fails
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* CVE-2019-8980: Denial-of-service in kernel read file implementation.

A failure to free memory after a read error can result in a memory leak. A
local user could use this flaw to exhaust system memory, leading to a kernel
crash.


* Integer overflow when setting socket timeout.

The setsockopt syscall can accept negative values for timeout,
potentially resulting in an integer overflow and undefined behavior.


* Data corruption when terminating VM attached to IOMMU.

When terminating a virtual machine using an IOMMU device, the device's
memory page entries are not properly marked as invalid, potentially
resulting in corruption.


* NULL-pointer dereference when mounting NFS filesystem with missing device name.

Mounting an NFS filesystem with a missing device name could result in
the NULL device name pointer being dereferenced, resulting in a kernel
oops and denial-of-service.


* Denial-of-service when __find_get_block_slow fails.

__find_get_block_slow can produce messages 100+ times a second in its
failure case. A malicious user could exploit this to waste system
resources, resulting in a soft denial-of-service.


* Memory leak when creating client in Plan 9 Resource Sharing Support driver.

Incorrect error handling when creating a client in the Plan 9 Resource
Sharing Support driver could lead to a memory leak. A local attacker could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in ISCSI transmission.

A race condition between ISCSI transmission and completion could result
in a NULL pointer dereference and kernel crash.


* Use-after-free when opening trace_pipe in trace filesystem.

A logic error in the error path when opening trace_pipe in the trace
filesystem could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.


* Deadlock when releasing commands in Linux-iSCSI.org iSCSI Target Mode Stack driver.

A locking error when releasing commands in the Linux-iSCSI.org iSCSI
Target Mode Stack driver could lead to a deadlock. A local attacker
could use this flaw to cause a denial-of-service.


* Divide by zero error when mounting a corrupted BTRFS image.

A logic error when mounting a corrupted BTRFS image could lead to a
divide by zero error. A local attacker could use this flaw with a
crafted BTRFS image to cause a denial-of-service.


* Denial-of-service during online resizing with EXT4 filesystems.

A missing check during online resizing with EXT4 filesystems could lead
to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when soft offlining a transparent huge page.

A refcount error when soft offlining a transparent huge page could lead
to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access when mapping vmalloc pages to userspace.

A logic error when mapping vmalloc pages to userspace while the guard
page is enabled could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.


* Memory leak when failing to add NFS requests to the I/O queue.

Missing free of resources when failing to add NFS requests to the I/O
queue could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* Memory corruption during NFSv3 readdir request.

A logic error during an NFSv3 readdir request could lead to memory
corruption or an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* NULL pointer dereference when running fstrim on Bcache driver.

A missing check when running fstrim on the Bcache driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Potential kernel crash in UDF filesystem's truncate() error path.

An incorrectly handled error case in the truncate(2) syscall on a UDF
filesystem can trip a kernel BUG(), leading to a kernel panic.  This
could potentially be exploited to cause a denial-of-service.


* Data corruption on ext4 filesystems while performing direct AIO.

Under certain conditions, it is possible for unaligned direct AIO
operations on an ext4 filesystem to corrupt previously written
filesystem blocks.  A malicious user could potentially exploit this flaw
to corrupt filesystem data.


* Information leak in v4l2 and uvc device drivers.

A failure to properly zero an event structure used in both the v4l2 and
uvc USB device drivers can lead to privileged kernel information being
leaked to userspace.  This could potentially be exploited to leak
information about the running system.


* Kernel hang in directory entry invalidation race.

A race condition when calling d_invalidate() could result in a kernel
hang and then panic due to watchdog timeout.  A system under heavy I/O
load could become unresponsive and hang under specific conditions.


* CVE-2019-3460: Information leak when parsing L2CAP options received from userspace.

Missing checks when parsing L2CAP options received from userspace could
lead to an information leak. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* CVE-2019-3459: Information leak when processing L2CAP options controlled by an attacker.

Missing checks on option lengths when processing L2CAP options could lead
to an information leak. A local attacker could use this flaw to leak
information about the running kernel and facilitate an attack.


* Out-of-bounds access when reading data over I2C bus.

A missing check on user input when reading data over the I2C bus could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Permissions bypass when reading from /proc/keys with suid.

When reading from /proc/keys, it might be possible to bypass correct
permissions checking by passing the file descriptor to an suid program.


* Denial-of-service when disconnecting generic USB device.

The number of configuration options is not properly validated when
disconnecting a USB device. A malicious device could exploit this to
improperly free memory, potentially resulting in a denial-of-service.


* Use-after-free during modular ISDN device close.

A race condition when removing timers during close of a modular ISDN device
could result in a use-after-free. A local user with the ability to configure a
modular ISDN device could use this flaw to cause a kernel crash or potentially
escalate privileges.


* Deadlock in lm80 fan divisor configuration.

A failure to unlock a mutex after an error when reading an lm80 fan divisor
register can result in a deadlock.


* Kernel crash in loopback device file descriptor configuration.

A locking error in the loopback device implementation can lead to a NULL
pointer dereference, leading to a kernel crash. A local user with access to a
loopback device could use this flaw to cause a denial-of-service.


* CVE-2019-3819: Deadlock in HID debug events read.

A logic error when reading HID debug events can result in the kernel entering
an infinite loop, leading to a system lock up. A privileged user could use this
flaw to cause a denial-of-service.


* Packet loss on ingress on an unmanaged L2TP over IP tunnel interface.

A missing check when receiving packets on an unmanaged L2TP over IP
tunnel interface could lead to packet loss.


* Undefined behavior in Transparent Interprocess Communication Protocol implementation.

Multiple instances of validation failures in the TIPC driver can result in the
kernel operating on uninitialized memory, leading to undefined behaviour or a
kernel crash. A local user could use this flaw to cause a denial-of-service.


* Logic errors in TIPC protocol implementation cause memory corruption.

Missing synchronization and incorrect error handling in the Transport
Inter Process Communication protocol can result in memory corruption,
potentially causing a denial-of-service.


* Race conditions in IPv6 TCP tunnel code cause memory corruption.

Several rare race conditions in the IPv6 TCP tunnel code could lead to
use-after-free of memory, potentially resulting in memory corruption or
a denial-of-service.


* Memory leak when performing checksum on smsc95xx packet.

When computing the checksum for an SMSC smsc95xx USB network device, the
packet buffer can in some cases be copied but the original not freed,
resulting in a memory leak. A malicious user might exploit this to deny
the system of resources, resulting in performance degradation or a
denial-of-service.


* Undefined behavior in CAPI AVM B1 device driver.

The CAPI AVM B1 device driver relies on undefined CPU behavior when
checking the device's version string.


* Undefined behavior in IPv6 Rapid Deployment handling.

When checking whether an IPv6 packet is a tunneled IPv4 packet, the
kernel relies on an oversized bit-shift, which is undefined behavior.


* Resource leak when destroying PPP socket.

When destroying a Point-to-Point Protocol socket, a missing error
condition could result in a leak of the destination net device
structure, potentially resulting in system instability or a hang.


* Resource leak when deleting FIB nexthop exception.

When removing an entry from the FIB nexthop exception table, a race
condition might cause the destination device structure to become leaked,
potentially resulting in system instability or a denial-of-service.


* Invalid memory access when switching between command modes on mlx4.

When switching between the events and polling modes on a Mellanox mlx4
network device, missing synchronization could allow pending callbacks to
point into freed memory, potentially resulting in memory corruption or a
denial-of-service.


* Permissions bypass setting mode on ipvlan slave devices.

The CAP_NET_ADMIN permission is not properly enforced when setting the
mode on ipvlan slave devices, potentially allowing a malicious user to
change the device mode for other devices in the same ipvlan group.


* Denial-of-service when deleting VXLAN device.

If a packet is received on a VXLAN device while it is being deleted, a
race condition might cause an invalid pointer dereference, resulting in
a kernel crash and denial-of-service.


* Log flood in Libertas ThinFirm wireless driver.

The Libertas ThinFirm wireless device driver passes invalid parameters
to the USB core, causing a flood of warning-level tracebacks in the log.


* NULL-pointer dereference when disconnecting from Intel Trace Hub.

When disconnecting an output port from an Intel Trace Hub, a dangling
NULL pointer is left behind that could be dereferenced the next time a
similar device is configured, resulting in a denial-of-service.


* Stack corruption when connecting ROSE socket.

When establishing a Remote Operations Service Element connection, the
net facilities structure can consume more space on the stack than is
allocated. An attacker might potentially be able to abuse this
out-of-bounds access to escalate their privileges.


* Improved fix to Spectre v1: bounds-check bypass in various ALSA sound drivers.

Several arrays in subsystems of the ALSA sound device driver code are
potentially vulnerable to a Spectre variant 1 speculative execution
attack.


* Out-of-bounds memory access when changing PCM parameters on ALSA device.

When altering PCM parameters for an ALSA sound device, incorrect
ordering of allocations could result in an out-of-bounds memory access,
potentially resulting in memory corruption or a denial-of-service.


* Deadlock when attempting to open non-regular file with execve().

Due to invalid error handling, attempting to open a non-regular file for
execve() can result in a deadlock. An unprivileged user could exploit
this to starve the system of resources and cause a denial-of-service.


* NULL-pointer dereference when closing SCSI disk device with outstanding traffic.

When closing a SCSI disk device while outstanding I/O is still being
processed, incorrect synchronization could result in a race condition
and NULL-pointer dereference, causing a kernel crash and denial-of-service.


* Deadlock when writing from USB gadget mode.

When writing to a USB device from the peripheral side, improper lock
ordering could cause a deadlock and denial-of-service.


* NULL pointer dereference on node creation of OCFS2 file system.

A logic error during node creation on an OCFS2 file system could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when using device mapper with Thin provisioning support.

A missing check when using device mapper with Thin provisioning support
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when mounting a CIFS filesystem with invalid mount option.

A missing check when mounting a CIFS filesystem with an invalid devname
as a mount option could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when merging extra information element in Wilocity 60g WiFi card wil6210 driver.

A missing check when merging an extra information element in the
Wilocity 60g WiFi card wil6210 driver could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when suspending ALSA PCM drivers.

A missing check when suspending ALSA PCM drivers could lead to a NULL
pointer dereference for some of the PCM drivers. A local attacker could
use this flaw to cause a denial-of-service.


* Out-of-bounds access when trying to display a logo bigger than screen size.

A missing check when trying to display a logo bigger than the screen
size in the framebuffer driver could lead to an out-of-bounds access. A
local attacker could use this flaw to cause a denial-of-service.


* Stack out-of-bounds when terminating USB gadget mode.

When shutting down the USB peripheral-side driver, a pending callback
might potentially corrupt stack memory, leading to memory corruption or
a panic and denial-of-service.


* CVE-2018-14625: Kernel information leak when releasing a vsock.

A use-after-free bug when releasing an AF_VSOCK socket may allow an
attacker to read kernel memory from inside a VM guest. This could be
exploited to leak privileged information and possibly impersonate
AF_VSOCK messages destined for other clients.


* Memory corruption in IPv6 packet transmission alignment.

A logic error when aligning IPv6 packets for transmission can result in SLAB
corruption.


* Memory leak when inserting a new mesh path in mac80211 mesh networking.

When inserting a new mesh path in mac80211 mesh networking fails, a
missing free could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* Denial-of-service in FSCache object lookup.

A race condition between looking up and dropping an object from an FSCache
instance can lead to a kernel hang. A local user could use this flaw to cause a
denial-of-service.


* Use-after-free during OCFS2 dentry tracing.

Failing to hold a reference to an OCFS2 inode when tracing can result in the
access of freed memory, leading to a use-after-free.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
