[Ksplice-Fedora-26-updates] New Ksplice updates for Fedora 26 (4.15.6-200.fc26)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Mar 20 03:07:39 PDT 2018


Synopsis: 4.15.6-200.fc26 can now be patched using Ksplice
CVEs: CVE-2017-5753

Systems running Fedora 26 can now use Ksplice to patch against the
latest Fedora kernel update, 4.15.6-200.fc26.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 26
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
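As an added example (not part of the Ksplice announcement or Oracle's tooling), the following POSIX shell script checks whether a given uptrack.conf enables autoinstall and reports which of the two paths above applies: no action, or a manual run of uptrack-upgrade. It assumes the file uses "key = value" lines with '#' comments, as in the "autoinstall = yes" setting quoted above; the sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Ksplice announcement: decide whether a
# Ksplice Uptrack host will pick up new updates automatically or needs a
# manual "uptrack-upgrade -y". Assumes uptrack.conf is "key = value" lines
# with '#' comments (the announcement shows "autoinstall = yes").

# uptrack_autoinstall_enabled FILE
# Returns 0 when FILE sets "autoinstall" to yes (case-insensitive value),
# 1 otherwise: unreadable file, key absent, or any other value.
# Comments are stripped first, and the last assignment wins.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -n \
        -e 's/#.*//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" | tail -n 1)
    [ "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" = "yes" ]
}

# ksplice_action FILE
# Prints "automatic" when autoinstall is on, otherwise the manual command
# from the announcement that the operator has to run.
ksplice_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not real files from the page), one per path.
demo_dir=$(mktemp -d)
printf '# constructed sample\n\nautoinstall = yes\n' > "$demo_dir/auto.conf"
printf 'autoinstall = no # constructed sample\n' > "$demo_dir/manual.conf"
ksplice_action "$demo_dir/auto.conf"     # prints: automatic
ksplice_action "$demo_dir/manual.conf"   # prints: /usr/sbin/uptrack-upgrade -y
rm -rf "$demo_dir"
```

On a real host, point ksplice_action at /etc/uptrack/uptrack.conf; a commented-out "# autoinstall = yes" line is correctly treated as disabled because comments are removed before the key is matched.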


DESCRIPTION

* Denial-of-service in Infiniband subsystem.

A race condition when writing a management datagram from userspace results
in a kernel crash in the Infiniband subsystem. This could result in
denial-of-service.


* Denial-of-service in Infiniband core subsystem.

A NULL-pointer dereference when creating a completion queue in the
Infiniband core subsystem results in a kernel crash. This could be
exploited to cause denial-of-service.


* Kernel information leak in dummy console driver.

Incorrect initialization of a kernel data structure in the dummy console
driver leads to stack memory leaking into userspace. This could be
exploited to introspect kernel memory and enhance existing attacks based
on that information.


* Denial-of-service when translating Xen machine address.

Incorrect control flow in the Xen memory mapping subsystem leads to
execution of kernel code with uninitialized data. This could result in
undefined behavior and, consequently, denial-of-service.


* Information leak when adding MPLS route.

An array access when adding a route in the MultiProtocol Label Switching
(MPLS) subsystem leads to userspace-controlled arbitrary out-of-bounds
speculation. This could serve as a side channel leaking privileged memory
into userspace.


* Denial-of-service during CHAP authentication in iSCSI subsystem.

Incorrect failure handling in the iSCSI Target Mode Stack leads to
dereference of a NULL pointer. This could be exploited to crash the
kernel.


* Data loss when writing to RAID block device.

Failure to propagate error status when performing chained block I/O on a
RAID device results in incorrect success response from the driver. This
may lead to data corruption.


* Multiple denial-of-service vulnerabilities in Btrfs filesystem.

A range of bugs in Btrfs filesystem operations results in
use-after-free, race conditions and memory leaks. A malicious local user
can exploit these bugs to cause data loss, kernel memory exhaustion and
denial-of-service.


* Denial-of-service when initializing ALSA sequence pool.

A race condition when initializing the ALSA sequence pool leads to
use-after-free and out-of-bounds memory access. An attacker can exploit
this to cause denial-of-service.


* Kernel crash when unmapping poison pages during Spectre mitigation.

An update to the kernel memory hardware failure recovery system to
harden against speculative execution attacks could potentially unmap
pages still in use by the kernel, causing a kernel crash and
denial-of-service.


* Privilege escalation when debugging inside a KVM guest.

A bug in KVM results in failure to restore host debug register during a
switch. This allows a guest process to escalate privilege to that of the
host kernel.


* Denial-of-service when routing packets in the netfilter subsystem.

Incorrect lock ordering in the netfilter connection tracking subsystem
results in deadlock in the kernel. This could be exploited to cause
denial-of-service.


* Fixes for CVE-2017-5753 not correctly enabled on L2 guest VMs in KVM.

Failing to appropriately copy CPU control registers into an L2 KVM guest
would result in mitigations for CVE-2017-5753 not being enabled
correctly.


* Denial-of-service when performing transition in SELinux subsystem.

A missing sanity-check in the SELinux subsystem allowed transition of
security context without having any policy loaded. This could be
exploited to trigger a kernel crash and denial-of-service.


* Privilege escalation when context switching in 64-bit systems.

Failure to restore some registers when switching to kernel context
allows an unprivileged local process to read arbitrary kernel memory by
exploiting speculative execution in the microprocessor. An attacker can
use this vulnerability to escalate privilege.


* Denial-of-service in netfilter getsockopt locking.

Incorrect ordering of mutex locks in the netfilter getsockopt
implementation could result in a deadlock. A local user could use this
flaw to cause a denial-of-service.


* Denial-of-service in public key signature verification.

A logic error when adding a public key to the kernel with an unsupported
hash type can result in an assertion failure or a kernel crash.  A local
user could use this flaw to cause a denial-of-service.


* Authentication bypass in certificate chain validation.

A failure to correctly validate X.509 certificate chains could result in
an invalid certificate chain being incorrectly trusted. A local user
could use this flaw to facilitate a further attack.


* Authentication bypass in certificate blacklist.

A logic error when checking for blacklisted X.509 certificates can
result in ignoring the list of blacklisted certificates. A local user
could use this flaw to facilitate a further attack.


* Use-after-free in RDMA uverbs reference counting.

Incorrect reference count manipulation in the RDMA uverbs implementation
can result in incorrectly using a freed object, leading to a
use-after-free. A local user could use this flaw to potentially escalate
privileges.


* Use-after-free in RDMA uverbs port number lookup.

A failure to validate information provided by userspace can result in a
use-after-free. A local user could use this flaw to potentially escalate
privileges.


* Denial-of-service in RDMA uverbs object allocation.

Incorrect lock ordering when allocating a uverbs object could result in
deadlock. A local user could use this flaw to cause a denial-of-service.


* Denial-of-service in Industrial IO buffer poll implementation.

A logic error in the poll implementation of the Industrial IO subsystem
could result in a NULL pointer dereference leading to a kernel crash. A
local user could use this flaw to cause a denial-of-service.


* Denial-of-service in Direct Rendering Manager node eviction.

A logic error when dealing with holes in the memory layout of DRM nodes
can result in an assertion failure, leading to a kernel crash. A local
user with access to the DRM subsystem could use this flaw to cause a
denial-of-service.


* Denial-of-service in RDMA uverbs error handling locking.

Unbalanced locking in an error path of the RDMA uverbs
implementation could result in concurrent access to a protected
structure. A local user could use this flaw to cause a kernel crash or
other undefined behaviour.


* Memory corruption with Transparent Huge Pages and zswap.

A logic error when compressing a transparent huge page in zswap can
result in incorrect decompression, resulting in memory corruption
leading to undefined behaviour.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.