[Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-a95015e60f)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Aug 5 18:13:34 PDT 2019


Synopsis: FEDORA-2019-a95015e60f can now be patched using Ksplice
CVEs: CVE-2019-13272

Systems running Fedora 29 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-a95015e60f.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
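
To see which of the two cases above applies on a given host, the following added example (not part of Oracle's advisory) reads the autoinstall setting from an uptrack.conf. The function names and the sample file contents are constructed for illustration, and it assumes plain "key = value" lines, treating only "yes" as enabled.

```shell
#!/bin/sh
# Added example: decide whether a host picks up Ksplice updates automatically
# or needs a manual uptrack-upgrade run. Assumption: INI-style "key = value"
# lines, "#" or ";" starting a comment line, last assignment wins.

# Print the lowercased autoinstall value, or "unset" if it is never assigned.
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk -F= '
        /^[[:space:]]*[#;]/ { next }            # commented-out settings do not count
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key)
            gsub(/[[:space:]]/, "", val)
            if (tolower(key) == "autoinstall") found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$conf"
}

# Map the setting to the action the advisory describes.
uptrack_action() {
    case $(uptrack_autoinstall "$1") in
        yes)        echo "automatic" ;;
        unreadable) echo "unknown" ;;
        *)          echo "manual: /usr/sbin/uptrack-upgrade -y" ;;
    esac
}

# Constructed sample file contents (not taken from a real host).
sample_conf() {
    printf '%s\n' '[Settings]' '# constructed sample' \
        'install_on_reboot = yes' "autoinstall = $1"
}

tmp=$(mktemp)
sample_conf no > "$tmp"
uptrack_action "$tmp"
rm -f "$tmp"
```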


DESCRIPTION

* Denial-of-service in various Intel ASoC driver initialization.

When probing an Intel rt5672, nau8824, es8316 or max98090 ALSA
System-on-Chip sound device, missing initialization of the platform_name
field could result in an invalid pointer dereference and system crash.


* Denial-of-service when instantiating ASoC device.

When instantiating an ALSA System-on-Chip sound device, incorrect lock
ordering in the error path could result in a deadlock and
denial-of-service.


* Use-after-free when removing Mellanox Hotplug device.

A logic flaw in the generic Mellanox Hotplug device driver could result
in a use-after-free when removing the device, potentially causing memory
corruption or a denial-of-service.


* Integer overflow in virtual memory system when performing mlock.

An integer size mismatch when performing an mlock might result in an
integer overflow and undefined behavior if an extreme amount of virtual
memory is allocated.


* Race condition in crypto initialization causes denial-of-service.

A race condition when running crypto algorithm tests can result in the
test algorithm being inappropriately freed, resulting in a kernel crash
and denial-of-service.


* Out-of-bounds write in Line6 POD USB audio interface driver.

The driver for Line6 POD USB audio interfaces allocates a buffer based
on the usb_maxpacket value reported by the device itself. A malicious
device could report a value of zero to cause an out-of-bounds write,
potentially resulting in memory corruption.


* Deadlock when using IOCB_CMD_POLL on a userfault file descriptor.

If a userfault file descriptor is polled for changes using the
IOCB_CMD_POLL interface, incorrect lock flags could result in a deadlock
if an interrupt is issued while the lock is held.


* Deadlock when updating properties on virtual GPU.

The Virtio virtual GPU driver fails to release a spinlock before
sleeping when updating device properties, potentially resulting in a
deadlock and denial-of-service.


* Denial-of-service via invalid TSC values in KVM.

By setting Timestamp Counter-Scaling settings to invalid values, a
malicious user might be able to cause a denial-of-service by flooding
the system logs with kernel warnings of the form:

"user requested TSC rate below hardware speed"

and

"Invalid TSC scaling ratio".


* NULL-pointer dereference when setting TCP_NOTSENT_LOWAT on KCM socket.

If a user attempts to set the TCP_NOTSENT_LOWAT socket option on a
Kernel Connection Multiplexer socket whose psock has been dropped,
the kernel might attempt to read the saved_write_space value from the
NULL psock pointer, resulting in a kernel crash and denial-of-service.


* Use-after-free when closing KCM socket with backlogged work.

If a Kernel Connection Multiplexer socket is closed with outstanding
send data, its backing structure might be freed while I/O is still
pending against it. This can result in a use-after-free, causing memory
corruption or a denial-of-service.


* Divide-by-zero in block device driver when metadata unavailable.

When a block device's metadata becomes unavailable (for example if it is
retrieved from a separate device), the data recovery loop can in rare
cases divide by zero while calculating the remaining work, causing a
denial-of-service.


* Undefined behavior in Cavium Liquidio ethernet device driver.

The Cavium Liquidio ethernet driver can, while scheduling handlers for
packet delivery, shift an integer beyond its bounds, which is undefined
behavior.


* NULL-pointer dereference when processing request in QLogic QEDI iSCSI driver.

When processing requests for a QLogic QEDI 25/40/100Gb iSCSI Initiator
device, the iSCSI session's target name pointer is dereferenced despite
possibly being NULL. This could result in a denial-of-service.


* Use-after-free when opening NFSv4 file with O_CREAT unset.

A race condition between opening a file over NFSv4 without the O_CREAT
flag set and the parent task exiting can cause a use-after-free of the
task structure. This results in a denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in sys_ptrace().

Missing sanitization of array index after bounds check in the
sys_ptrace() system call could lead to a Spectre variant 1 information
leak. A local attacker could exploit this flaw to gain information about
the running system.


* Denial-of-service when initializing Intersil Prism54 wireless device.

When initializing an Intersil Prism54 wireless device, a logic error
could result in an attempted dereference of an empty list structure,
resulting in a kernel crash and denial-of-service.


* CVE-2019-13272: Privilege escalation via ptrace.

A logic flaw when computing credentials for ptrace could allow the
ptrace link to be established with the previously held credentials of
the parent process. A malicious user might exploit this to escalate
their access to root.
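
For the KVM TSC item above, a log check along these lines can flag a flood of the two quoted warnings on hosts that have not yet taken the update. This is an added example, not part of Oracle's advisory; the function names, the syslog-style line layout and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: count the two KVM TSC warnings per minute and report the
# minutes that reach a threshold. Assumption: traditional syslog lines whose
# first three fields are month, day and HH:MM:SS.

# usage: tsc_flood_minutes THRESHOLD [logfile...]   (reads stdin if no file)
# prints "Mon D HH:MM count" for every minute with count >= THRESHOLD
tsc_flood_minutes() {
    threshold=$1; shift
    awk -v t="$threshold" '
        /user requested TSC rate below hardware speed/ ||
        /Invalid TSC scaling ratio/ {
            minute = $1 " " $2 " " substr($3, 1, 5)
            if (!(minute in n)) order[++k] = minute   # keep first-seen order
            n[minute]++
        }
        END {
            for (i = 1; i <= k; i++)
                if (n[order[i]] >= t) print order[i], n[order[i]]
        }
    ' "$@"
}

# Constructed sample log lines (hostname and timestamps are made up).
sample_log() {
    cat <<'EOF'
Aug  5 18:13:01 host kernel: user requested TSC rate below hardware speed
Aug  5 18:13:01 host kernel: Invalid TSC scaling ratio
Aug  5 18:13:02 host kernel: user requested TSC rate below hardware speed
Aug  5 18:13:02 host kernel: Invalid TSC scaling ratio
Aug  5 18:13:40 host sshd[812]: Accepted publickey for admin
Aug  5 18:14:10 host kernel: user requested TSC rate below hardware speed
EOF
}

# Report minutes with three or more warnings in the sample.
sample_log | tsc_flood_minutes 3
```

The threshold is site-specific; a single occurrence can be benign, so alert on the rate rather than on the presence of the message.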

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




