[Ksplice-Fedora-28-updates] New Ksplice updates for Fedora 28 (FEDORA-2018-6e8c330d50)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jan 21 08:43:46 PST 2019


Synopsis: FEDORA-2018-6e8c330d50 can now be patched using Ksplice
CVEs: CVE-2018-14625

Systems running Fedora 28 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-6e8c330d50.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 28
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
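The following helper, added here as an example and not part of the Ksplice advisory or Oracle's tooling, reads an uptrack.conf and reports whether the "autoinstall = yes" path applies or whether the manual upgrade command still needs to be run. It assumes only the key/value line shown above; the comment syntax (# and ;) and case-insensitive matching are this script's own assumptions about the file format.

```shell
#!/bin/sh
# Return 0 when the config enables autoinstall, 1 when it does not,
# 2 when the file cannot be read. Comments (# or ;) are stripped first,
# the key match is case-insensitive, and the last occurrence wins.
uptrack_autoinstall_enabled() {
    conf=$1
    [ -r "$conf" ] || return 2
    val=$(sed -e 's/[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    [ "$val" = "yes" ]
}

# Print the action an administrator has to take for this advisory.
# Always returns 0 so it is safe to call from a script run with set -e.
report_update_action() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    if uptrack_autoinstall_enabled "$conf"; then
        echo "$conf: autoinstall = yes, Ksplice applies the update automatically"
    elif [ -r "$conf" ]; then
        echo "$conf: autoinstall not enabled, run /usr/sbin/uptrack-upgrade -y"
    else
        echo "$conf: not readable, run /usr/sbin/uptrack-upgrade -y as root"
    fi
    return 0
}

# Demo on a constructed sample file (not a real uptrack.conf), then on the
# real path, which may not exist on the machine running this example.
sample=$(mktemp)
printf '# constructed sample config\nAutoInstall = Yes   ; trailing comment\n' > "$sample"
report_update_action "$sample"
rm -f "$sample"
report_update_action /etc/uptrack/uptrack.conf
```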


DESCRIPTION

* Denial-of-service in the BATMAN advanced meshing protocol.

When receiving a unicast packet in the BATMAN meshing protocol, a fragment
merge operation triggers a kernel BUG. This could lead to a
denial-of-service.


* Denial-of-service when handling page requests in the Intel VT-d subsystem.

Incorrect error handling in the Intel VT-d subsystem when handling page
requests leads to a NULL pointer dereference. This could be exploited to
cause a denial-of-service.


* CVE-2018-14625: Kernel information leak when releasing a vsock.

A use-after-free bug when releasing an AF_VSOCK socket may allow an
attacker to read kernel memory from inside a VM guest. This could be
exploited to leak privileged information and possibly impersonate
AF_VSOCK messages destined to other clients.


* Deadlock in network namespace creation.

A logic error when tracking IP fragment packet counts can result in an
unbalanced count, leading to a deadlock where the kernel is unable to create
new network namespaces.


* Memory corruption in IPv6 packet transmission alignment.

A logic error when aligning IPv6 packets for transmission can result in SLAB
corruption.


* Kernel panic in Queuing Discipline buffer removal.

A logic error when removing buffers from a queuing discipline can result in
dereferencing a poisoned pointer, leading to a kernel panic.


* Kernel panic in Open vSwitch packet forwarding.

A logic error when receiving packets can result in dereferencing a poisoned
pointer, leading to a kernel panic.


* Information leak via forwarding table from GRE device.

Dumping a forwarding database from a non-ethernet device can result in a kernel
information leak. A local user with access to a Generic Routing Encapsulation
device could use this flaw to facilitate a further attack.


* NULL pointer dereference in TCP loss probe timer.

A mismatch between the retransmission queue and packet count can result in a
NULL pointer dereference when the TCP loss probe timer executes.


* Denial-of-service in creation of tun device via netlink.

A logic error which allows the creation of a tun device via netlink can result
in a NULL pointer dereference, leading to a kernel crash. A local user with
the ability to create network interfaces could use this flaw to cause a
denial-of-service.


* Use-after-free during netfilter table update.

A race condition when updating netfilter table chains can result in a
use-after-free. A local user with the ability to configure netfilter could use
this flaw to potentially escalate privileges.


* Use-after-free in netfilter compatibility interface.

A logic error when destroying netfilter expressions can result in a
use-after-free. A local user with the ability to configure nftables could use
this flaw to escalate privileges.


* Denial-of-service in BPF cgroup memory allocation.

Sleeping in atomic context whilst allocating cgroup local storage in the BPF
subsystem can result in kernel crash. A local user with the ability to create
BPF programs could use this flaw to cause a denial-of-service.


* File descriptor leak in priority handling of Asynchronous IO.

A failure to handle an error case in the IO priority implementation of the
Asynchronous IO subsystem can result in the leak of a file descriptor.


* Memory leak in netfilter hashlimit table creation.

A failure to handle an error case can result in a memory leak.


* Denial-of-service during incremental send of BTRFS filesystem.

A logic error when performing an incremental send of a BTRFS filesystem can
result in the kernel entering an infinite loop. A local user with the ability
to modify and send a BTRFS filesystem could use this flaw to cause a
denial-of-service.


* Deadlock in Broadcom NetXtreme driver registration.

A failure to handle an error case when registering a Broadcom NetXtreme device
can result in a failure to release a lock, leading to a deadlock.


* Use-after-free in exportfs dentry release.

A reference count manipulation error can result in an early free, leading to a
use-after-free. A local user could use this flaw to potentially escalate
privileges.


* Denial-of-service during netfilter rule replacement.

A reference count manipulation error when replacing a netfilter table rule can
result in an assertion failure, leading to a kernel crash. A local user with
the ability to add netfilter rules could use this flaw to cause a
denial-of-service.


* Kernel crash during CacheFiles object drop.

A failure to correctly handle an error case when looking up an object in a
CacheFiles instance can result in a NULL pointer dereference, leading to a
kernel crash.


* Denial-of-service in FSCache object lookup.

A race condition between looking up and dropping an object from an FSCache
instance can lead to a kernel hang. A local user could use this flaw to cause a
denial-of-service.


* Kernel crash in FSCache operation completion.

A race condition in the FSCache driver can result in a completion being called
twice concurrently, leading to an assertion failure and a kernel crash.


* Denial-of-service in CacheFiles concurrent page access.

Concurrent access to a single page in the CacheFiles backend can result in a
reference to the page being leaked, leading to a memory leak. A local user
could use this flaw to exhaust system memory, leading to a denial-of-service.


* Deadlock during NVMe device flush.

A premature flush of an NVMe device can result in a deadlock, leading to a
kernel hang.


* Double free in NVMe RDMA admin queue buffer management.

A failure to correctly handle error cases in the NVMe RDMA driver can lead to a
double-free of a buffer when the controller is shut down or reset.


* Deadlock during OCFS2 extent defragmentation.

A locking error when performing defragmentation of an OCFS2 extent can result
in taking the same lock twice, leading to a deadlock.


* Use-after-free in HFS and HFS+ error reporting.

A logic error when printing error information about a recently freed node can
result in a use-after-free. A local user could use this flaw to potentially
escalate privileges.


* Use-after-free during OCFS2 dentry tracing.

Failing to hold a reference to an OCFS2 inode when tracing can result in the
access of freed memory, leading to a use-after-free.


* NULL pointer dereference in DAX inode destruction.

A race condition between destroying an inode and locking a mapping in the DAX
subsystem can result in a NULL pointer dereference, leading to a kernel crash. A
local user could use this flaw to cause a denial-of-service.


* Denial-of-service in BPF program verifier.

A logic error in the BPF verifier can result in an assertion failure, leading
to a kernel crash. A local user with the ability to create BPF programs could
use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
