[Ksplice-Fedora-26-updates] New Ksplice updates for Fedora 26 (FEDORA-2018-296bf0c332)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Apr 5 03:47:35 PDT 2018


Synopsis: FEDORA-2018-296bf0c332 can now be patched using Ksplice
CVEs: CVE-2017-5715 CVE-2018-1000004 CVE-2018-1068

Systems running Fedora 26 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-296bf0c332.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 26
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
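Once the update has run, a practitioner usually wants to confirm two things: that the host will keep picking up future Ksplice updates on its own, and that the CVEs named in this advisory are actually present in the installed update list. The script below is an added example, not part of the advisory or the Ksplice tooling. It assumes that /etc/uptrack/uptrack.conf carries a line of the form "autoinstall = yes" (as the advisory states) and that `uptrack-show` prints one installed update per line as "[<id>] <description>" with the CVE identifier in the description; the sample `uptrack-show` output embedded in it is constructed for offline use and deliberately omits one of the three CVEs.

```shell
#!/bin/sh
# Added example: verify Ksplice autoinstall and check that the CVEs from an
# advisory appear in `uptrack-show` output. Not part of the Ksplice tooling.

# CVEs listed in FEDORA-2018-296bf0c332 (from the advisory header).
ADVISORY_CVES="CVE-2017-5715 CVE-2018-1000004 CVE-2018-1068"

# Constructed sample of `uptrack-show` output (assumed "[<id>] <description>"
# line format). CVE-2018-1068 is intentionally absent to exercise the
# "not yet patched" path when the real tool is not installed.
SAMPLE_UPTRACK_SHOW='Installed updates:
[abcd1234] Improved fix for CVE-2017-5715: Privilege escalation when making firmware calls.
[ef567890] Improved fix for CVE-2018-1000004: Privilege escalation in ALSA sequencer.

Effective kernel version is 4.16.3-200.fc26'

# autoinstall_enabled CONF_FILE
# Returns 0 when the file has an uncommented "autoinstall = yes" setting.
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes' "$1"
}

# missing_cves "<uptrack-show output>" "<space-separated CVE list>"
# Prints the CVEs from the list that do not occur in the output, separated
# by spaces (empty line when every CVE is present). The trailing
# "([^0-9]|$)" prevents CVE-2018-1000 from matching CVE-2018-1000004.
missing_cves() {
    show_output=$1
    missing=""
    for cve in $2; do
        if ! printf '%s\n' "$show_output" | grep -qE "$cve([^0-9]|$)"; then
            missing="$missing $cve"
        fi
    done
    printf '%s\n' "${missing# }"
}

# main: use the real uptrack-show when present, else the constructed sample.
# Exit status 1 means at least one advisory CVE is not in the installed list.
main() {
    conf=/etc/uptrack/uptrack.conf
    if [ -r "$conf" ] && autoinstall_enabled "$conf"; then
        echo "autoinstall: enabled in $conf"
    else
        echo "autoinstall: not enabled (or $conf unreadable); run uptrack-upgrade -y"
    fi

    if command -v uptrack-show >/dev/null 2>&1; then
        output=$(uptrack-show 2>/dev/null)
    else
        echo "uptrack-show not found; using constructed sample output"
        output=$SAMPLE_UPTRACK_SHOW
    fi

    missing=$(missing_cves "$output" "$ADVISORY_CVES")
    if [ -n "$missing" ]; then
        echo "Not yet patched: $missing"
        return 1
    fi
    echo "All advisory CVEs present in installed updates"
    return 0
}

main; exit_status=$?
```

On a real Fedora 26 host with Uptrack installed the script queries `uptrack-show` directly; elsewhere it reports CVE-2018-1068 as missing from the constructed sample, which is the case you want the check to catch in practice.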


DESCRIPTION

* Denial-of-service in RDMA Userspace Connection Manager Access module.

Missing validation of userspace-provided options in the RDMA Userspace
Connection Manager Access (UCMA) module may allow a malicious user to
exhaust kernel memory and cause a denial-of-service.


* Undefined behavior in Mellanox Connect-IB driver.

An integer overflow when resizing a completion queue in the Mellanox
Connect-IB driver allows a malicious user to trigger undefined behavior
in the kernel. This may be exploited to cause a denial-of-service or to
hijack control flow.


* Denial-of-service in Shared Memory Communications subsystem.

A null pointer dereference when creating a socket in the Shared Memory
Communication over RDMA (SMC-R) subsystem could lead to a kernel crash
and a denial-of-service.


* Denial-of-service when aborting command in SCSI subsystem.

A null pointer dereference in the QLA2XXX Fibre Channel driver when
aborting a SCSI command leads to a kernel crash. An attacker can exploit
this to cause a denial-of-service.


* Privilege escalation in OverlayFS subsystem.

A bug in the OverlayFS filesystem allows a user with access to the lower
layer to create files in the upper layer. Under certain circumstances,
this could be exploited by an attacker to escalate privilege.


* Data loss when writing to Direct Access (DAX) block device.

Failure to set the correct flags when writing to a Direct Access block
device results in write commands being mistakenly interpreted as reads,
so the data is never written to the underlying media.


* Improved fix for CVE-2018-1000004: Privilege escalation in ALSA sequencer.

A race condition when resizing the pool in the ALSA sequencer leads to
a use-after-free vulnerability. A malicious user may exploit this to
escalate privilege.


* Improved fix for CVE-2018-1000004: Denial-of-service in ALSA sequencer.

A race condition in the ALSA sequencer subsystem leads to use-after-free
and subsequent memory corruption. This could allow an attacker to cause
a denial-of-service and possibly escalate privilege.


* Improved fix for CVE-2017-5715: Privilege escalation when making firmware calls.

Speculative execution by utilizing branch target injection (Spectre
variant 2) when making firmware calls allows an unprivileged local user
to read arbitrary kernel memory. This may be exploited to escalate
privilege.


* Denial-of-service during proc file creation in netfilter subsystem.

A race condition in the netfilter subsystem when creating a proc file
leads to a kernel panic. An attacker could exploit this to cause a
denial-of-service.


* Denial-of-service in Network Address Translation (NAT) subsystem.

A division-by-zero error when mapping ports in the netfilter Network
Address Translation subsystem leads to a kernel crash. An unprivileged
local user could exploit this vulnerability to cause a denial-of-service.


* CVE-2018-1068: Privilege escalation in bridging interface.

Lack of userspace parameter sanitization in the 32-bit syscall interface
for bridging allows a user with limited privilege to write into kernel
memory. This flaw could be exploited to escalate privilege.


* Denial-of-service when configuring ebtables filtering.

Failure to sanitize user-provided configuration parameters when adding
rules allows out-of-bounds reads in the ebtables subsystem. An attacker
can exploit this to cause a denial-of-service.


* Denial-of-service in the netfilter subsystem.

A flaw when manipulating IPv6 packets in the netfilter Network Address
Translation (NAT) subsystem leads to a use-after-free vulnerability.
This could be exploited to cause a denial-of-service.


* Denial-of-service in SCSI Lower Level Drivers (LLD) infrastructure.

A missing callback entry for the I/O Control Block (IOCB) timeout event
results in a null pointer dereference and subsequent kernel crash. An
attacker could exploit this bug to cause a denial-of-service.


* Denial-of-service when making request in QLogic Fibre Channel HBA Driver.

Failure to handle error when making Get Port Name (GPN_ID) request in
the QLogic Fibre Channel HBA Driver in the SCSI subsystem leads to
undefined control flow inside the kernel. This could cause a
denial-of-service.


* Denial-of-service when creating session in QLogic HBA Driver.

A null pointer dereference when handling a work event for creating a new
session in the QLogic Fibre Channel HBA driver in the SCSI subsystem
leads to a kernel crash. An attacker could exploit this to cause a
denial-of-service.


* Denial-of-service in Parallel NFS (pNFS) subsystem.

A reference count underflow in the Parallel NFS filesystem leads to a
use-after-free vulnerability. A malicious user could exploit this to
cause a denial-of-service.


* Data loss when writing to NFS filesystem.

A bug in the write completion path of the NFS filesystem causes the
write to return before unstable writes have been successfully committed
to disk. This could lead to data loss.


* Denial-of-service when instantiating Transparent Huge Pages.

A race condition between the kernel collapsing huge pages and a user
instantiating new huge pages leads to a kernel crash. An attacker could
exploit this vulnerability to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
