[Ksplice-Fedora-28-updates] New Ksplice updates for Fedora 28 (FEDORA-2018-f93103ae20)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Nov 16 14:11:31 PST 2018


Synopsis: FEDORA-2018-f93103ae20 can now be patched using Ksplice
CVEs: CVE-2018-3620 CVE-2018-3646

Systems running Fedora 28 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-f93103ae20.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 28
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
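The two installation paths above (automatic when "autoinstall = yes", manual otherwise) can be folded into one script. The following shell script is an added example, not Ksplice tooling or text from the original advisory; it assumes uptrack.conf is an INI-style file of "key = value" lines with '#' or ';' comments and only calls uptrack-upgrade when the configuration says Uptrack will not install the updates itself.

```sh
#!/bin/sh
# Added example (not part of the Ksplice advisory or tooling): read the
# autoinstall setting from uptrack.conf and run uptrack-upgrade only when
# Uptrack will not install the updates by itself. Assumes the file is
# INI-style "key = value" lines with '#' or ';' comments.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# Print the effective value of a key (last assignment wins). Comments,
# surrounding whitespace and the key's case are ignored.
uptrack_conf_value() {
    key="$1"; conf="$2"
    sed -e 's/[#;].*$//' "$conf" | awk -F= -v key="$key" '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (NF >= 2 && tolower(k) == tolower(key)) {
                v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }'
}

# Exit status 0 when autoinstall is enabled (yes/true/1), 1 otherwise.
uptrack_autoinstall_enabled() {
    case "$(uptrack_conf_value autoinstall "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Install the updates now unless Uptrack is configured to do it itself.
apply_if_needed() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall is enabled in $1; Uptrack installs updates on its own"
        return 0
    fi
    echo "autoinstall is not enabled in $1; running uptrack-upgrade"
    /usr/sbin/uptrack-upgrade -y
}

# Only act on a host that actually has Uptrack installed.
if [ -r "$UPTRACK_CONF" ] && [ -x /usr/sbin/uptrack-upgrade ]; then
    apply_if_needed "$UPTRACK_CONF"
fi
```

Whichever path applies, uptrack-show afterwards lists the updates currently applied to the running kernel, which is the check to run before treating the host as patched.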


DESCRIPTION

* Remote attack vector in TCP internal control sockets.

An incorrect configuration of a certain set of control sockets used within
the IPv4 TCP core creates a potential vector for remote attack.  A remote
attacker could exploit this flaw to gather information about a target
system, and potentially cause a denial-of-service.


* Denial-of-service in Cadence network driver.

A logic error in the Cadence network driver reset path can lead to a
denial-of-service to other PHYs on the MDIO bus, after the Cadence device is
reset.


* Information leak in u32 Packet Classifier.

A missing length check on a user-controlled buffer in the Universal 32-bit key
Packet Classifier module can allow a local attacker to leak information about
the running system.


* Potential deadlock in Inter-FE action module.

A lock ordering issue in the Inter-FE action module can lead to a deadlock.
This could be used to cause a denial-of-service.


* Denial-of-service in packet editor error handling code.

Improper error handling in the act_pedit packet editor module can lead to a NULL
pointer dereference and subsequent kernel panic.  This could be used by a local
attacker to cause a denial-of-service.


* Potential deadlock in Hyper-V virtual network driver init path.

A lock ordering issue in the Hyper-V virtual network driver's init path can
lead to deadlock.  This could be used to cause a denial-of-service.


* Memory leak in IPv6 routing code.

A reference counting error in the IPv6 routing code path can lead to resources
not being freed appropriately when they are no longer in use.  This could
be used to cause a denial-of-service.


* Use-after-free in SCTP protocol handling code.

A logic error in the code providing SCTP protocol support can lead to a
use-after-free scenario.  This can lead to unexpected behavior, and could
be used by a local attacker to cause a denial-of-service.


* Memory leak in Mellanox Spectrum switch driver.

A logic error in the Mellanox Spectrum switch driver's device shutdown code can
lead to certain structures not being freed when a device is destroyed.  This
could be used to waste system resources, and potentially cause a
denial-of-service.


* System hang in virtio host driver.

A logic error in the vhost driver can lead some processes to spin indefinitely,
waiting for an event to occur.  This could be used to cause a denial-of-service.


* Denial-of-service in hfsplus filesystem mount path.

Improper error handling in the hfsplus filesystem's mount path can lead to
a NULL pointer dereference, and subsequent kernel panic.  A local attacker
could use this to cause a denial-of-service.


* Denial-of-service in hfsplus record insertion path.

Improper error handling in the hfsplus filesystem's record insertion path
can cause a return code to be stored in place of a pointer.  This can lead
to a panic if the data is accessed elsewhere.  This could be used to cause a
denial-of-service.


* Denial-of-service in sunrpc client authentication code.

An incorrect memory allocation in the sunrpc client authentication path can
lead to a kernel panic.  This could be used to cause a denial-of-service.


* Denial-of-service in hfsplus directory lookup path.

A logic error in the hfsplus directory lookup code path can lead to a NULL
pointer dereference, and subsequent kernel panic.  This could be used to
cause a denial-of-service.


* Read of uninitialized memory in filesystem core.

An incorrect length check during a copy operation in the filesystem core can
lead to a read of uninitialized memory.  This could cause unexpected behavior,
including potential denial-of-service.


* Memory leak in Berkeley packet filter.

A failure to properly free memory under certain conditions leads to a memory
leak in BPF code.  This could be used to waste system resources and degrade
performance.


* Race condition in IPVS core.

A logic error in the IPVS core code path that handles new connections creates
a race condition, which can lead to an infinite loop.  This could be used to
cause a denial-of-service.


* Erroneous trigger of OOM killer in Netfilter Xtables code.

An incorrect flag on a memory allocation in the Netfilter Xtables code can lead
to the OOM killer being triggered in an allocation path where it should not
generally be triggered.  This could be used to cause a denial-of-service.


* Memory leaks in Netfilter Netlink code.

Multiple logic errors in Netfilter code to support Netlink sockets can lead to
memory being leaked.  This could be used to waste system resources and
degrade performance.


* Multiple race conditions in f2fs filesystem core.

Multiple locking issues in the f2fs filesystem core create race conditions,
which can lead to reads of invalid data.  This could potentially be used to
cause unexpected behavior or denial-of-service.


* Race condition in 9P filesystem core.

A lock ordering issue in the 9P filesystem creates a race condition, which can
cause a particular list item to be deleted twice.  This could lead to unexpected
behavior, including a potential denial-of-service.


* Soft lockup in device-mapper core.

A failure to properly reschedule a process in the device-mapper core can result
in soft lockups.  These could result in degraded system performance, or
denial-of-service.


* Memory leak in selinuxfs.

A reference counting error can lead to a memory leak in the selinuxfs code.
This could be used to waste system resources, resulting in degraded performance,
and potential denial-of-service.


* Multiple denial-of-service vectors in btrfs mount path.

Several logic errors in the btrfs mount path can cause kernel panics.  Some of
these can be triggered by attempting to mount a specially crafted btrfs image.
These could be used to cause a denial-of-service.


* NULL pointer dereference in btrfs relocation cleanup.

A missing NULL pointer check could result in a kernel crash when
mounting a corrupted filesystem.  A user with the ability to mount
filesystems could use this flaw to crash the system with a maliciously
crafted image.


* Race condition in btrfs mount path.

A locking issue in the btrfs mount path results in a race condition when two
btrfs device scans run at the same time.  This can result in unexpected
behavior, which could be used by a malicious local attacker to cause
system instability or denial-of-service.


* Memory leak in i915 GPU driver.

A failure to properly free a buffer used to hold data for an i2c transfer
leads to a memory leak in the i915 GPU driver.  This could be used by a
local attacker to waste system resources, resulting in degraded performance.


* Improper error handling in fork path.

Improper error handling when forking a process can leave the duplicate
process's memory map in an inconsistent state.  This could cause unexpected
behavior.


* Improved fix to CVE-2018-3620, CVE-2018-3646 for Xen PV guests.

Improperly sized writes to page tables by Xen PV guests can create page table
entries that are temporarily vulnerable to L1TF.


* Improved fix to CVE-2018-3620, CVE-2018-3646 for KVM shadow page tables.

KVM shadow PTEs for MMIO mappings are vulnerable to L1TF attacks from KVM
guests.
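The two L1TF entries above rest on the same invariant: a page table entry with the present bit clear must not name a frame of real host memory, because L1TF lets a guest or user speculatively read L1D contents for whatever frame such an entry points at. The C program below is an added illustration, not code from the Linux kernel, Xen, KVM or Ksplice. It checks that invariant on constructed 64-bit x86 PTE values with an assumed 46-bit host physical address width, shows the Linux-style frame-bit inversion for not-present entries and an "address beyond host memory" marking in the spirit of the MMIO shadow-entry fix, and models one way an improperly sized update (assumed here to be a 64-bit entry written as two 32-bit stores) leaves an entry transiently vulnerable. The split-store sequence is an assumption for illustration; the advisory does not describe the exact write the Xen PV fix corrects.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal 64-bit x86 PTE fields used here (illustrative, not kernel code). */
#define PTE_PRESENT    (1ULL << 0)
#define PTE_PFN_SHIFT  12
#define PTE_PFN_MASK   (((1ULL << 52) - 1) & ~((1ULL << PTE_PFN_SHIFT) - 1))

/* Assumed host physical address width: 46 bits, i.e. 64 TiB addressable. */
#define PHYS_BITS      46

static uint64_t pte_pfn(uint64_t pte)
{
    return (pte & PTE_PFN_MASK) >> PTE_PFN_SHIFT;
}

/* Largest page frame number the host can actually address. */
static uint64_t host_max_pfn(void)
{
    return (1ULL << (PHYS_BITS - PTE_PFN_SHIFT)) - 1;
}

/* L1TF-prone entry: present bit clear, but the frame bits still name a
 * frame inside host memory, so the CPU may speculatively forward L1D data
 * for that frame. Present entries go through normal permission checks and
 * frames beyond host memory can never be in L1D, so both are safe. */
static bool pte_is_l1tf_safe(uint64_t pte)
{
    if (pte & PTE_PRESENT)
        return true;
    return pte_pfn(pte) > host_max_pfn();
}

/* Mitigation used for not-present (swap / PROT_NONE) entries: invert the
 * frame bits so the address lands outside host memory. Applying it twice
 * recovers the original frame number. */
static uint64_t pte_invert_pfn(uint64_t pte)
{
    return pte ^ PTE_PFN_MASK;
}

/* Marking in the spirit of the MMIO shadow-entry fix: keep the entry
 * not-present but force a frame bit above the host address width on. */
static uint64_t spte_mark_beyond_host(uint64_t spte)
{
    return (spte & ~PTE_PRESENT) | (1ULL << PHYS_BITS);
}

/* Assumed improperly sized update: a 64-bit entry stored as two 32-bit
 * halves. This is what a reader of the table sees after the low-half
 * store and before the high-half store. */
static uint64_t torn_intermediate(uint64_t old_pte, uint64_t new_pte)
{
    return (old_pte & 0xffffffff00000000ULL) | (new_pte & 0x00000000ffffffffULL);
}

static void report(const char *what, uint64_t pte)
{
    printf("%-22s pte=%#018llx pfn=%#llx l1tf_safe=%d\n", what,
           (unsigned long long)pte, (unsigned long long)pte_pfn(pte),
           (int)pte_is_l1tf_safe(pte));
}

int main(void)
{
    /* Constructed values: a present mapping of frame 0x1234 (inside host memory). */
    uint64_t present  = (0x1234ULL << PTE_PFN_SHIFT) | PTE_PRESENT;
    uint64_t naive_np = present & ~PTE_PRESENT;      /* present bit cleared, frame kept */
    uint64_t safe_np  = pte_invert_pfn(naive_np);    /* frame bits inverted */
    uint64_t torn     = torn_intermediate(present, safe_np);

    report("present", present);
    report("not-present, naive", naive_np);          /* unsafe */
    report("not-present, inverted", safe_np);        /* safe */
    report("torn (low half first)", torn);           /* unsafe window */
    report("mmio-style marked", spte_mark_beyond_host(naive_np));
    return 0;
}
```

The torn case is the interesting one: the final entry is safe, yet between the two stores the old high frame bits sit next to the new low half, which gives a not-present entry whose frame number is back inside host memory. That transient value is exactly the kind of entry the advisory calls "temporarily vulnerable to L1TF".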

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




