[Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-23ea681504)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Feb 6 12:30:47 PST 2019


Synopsis: FEDORA-2019-23ea681504 can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2018-16882

Systems running Fedora 29 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-23ea681504.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Out-of-bounds memory access in USB High Speed Mobile device driver.

A missing length check in hso_probe can lead to an out-of-bounds
memory access.  This could cause a system to exhibit unexpected
behavior.


* Division-by-zero in POSIX timer signal delivery path.

A logic error in the POSIX timer signal delivery path can lead to a
timer being re-armed when its timer interval is set to 0.  This causes
a divide-by-zero exception, and subsequent kernel panic.  A local
attacker could exploit this to cause a denial-of-service.


* NULL dereference while writing Hyper-V SINT14 MSR.

It is possible for KVM's IOAPIC scan logic to be triggered
inappropriately when attempting to write to Hyper-V's SINT14 MSR.
If an IOAPIC has not been initialized, this can lead to a NULL
dereference, and subsequent kernel panic.  This could be used
to cause a denial-of-service.


* KVM guest OS crash while writing AMD EX_CFG MSR.

KVM will cause a guest OS to crash if it attempts to write to AMD's
Execution Unit Configuration MSR.  A local attacker could exploit
this flaw to cause a guest OS crash.


* CVE-2018-16882: NULL dereference in nested VM interrupt processing path.

A failure to properly handle an error condition in nested_get_vmcs12_pages
can lead to a null dereference when processing posted interrupts for
nested VMs.  This could be exploited by a local attacker to cause
a denial-of-service on the host system.


* Information leak in Memory Type Range Register ioctl.

A structure used for transferring data between user space and kernel
space in mtrr_ioctl contains a padding field that is not zeroed before
the structure is handed off to user space.  This flaw could be exploited
by a local attacker to leak information about the running system.


* Memory leak in rtlwifi driver while processing C2H packets.

A failure to free a socket buffer under certain conditions in the
rtlwifi driver's C2H packet handling path can lead to small amounts of
memory being leaked.  This could potentially be exploited by a remote
attacker to waste system resources and degrade performance.


* Potential deadlock in Marvell wifi driver packet receive path.

A lock ordering issue in the Marvell wifi driver's packet receive path
can lead to a deadlock when a relatively small load is put on the
driver.  This flaw could be exploited by a local attacker to cause a
denial-of-service.


* Page table corruption during THP migration.

When attempting to migrate transparent hugepages between NUMA nodes, it
is possible for certain bits to get lost during the migration, leading
to userspace page table corruption.  This could potentially be exploited
by a local attacker to crash or otherwise disrupt the operation of user
processes.


* Improved fix for CVE-2017-5753: Spectre v1 vulnerability in DRM driver's ioctl handler.

A value that is indirectly controlled by userspace is used to index a
buffer in drm_ioctl.  A local attacker could use a Spectre-style attack
to exploit this flaw and cause unexpected behavior, or a
denial-of-service.
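
The Memory Type Range Register ioctl item above describes a padding field
that reaches user space without being zeroed. The user-space C program below
is an added illustration, not code from this advisory or from the kernel; it
shows that pattern next to the zero-first fix. The struct reply layout, the
field values and the 0xAA stale-memory marker are constructed assumptions,
and memcpy stands in for copy_to_user().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for old stack contents */
/* Hypothetical reply layout (an assumption, not the kernel's definition). */
struct reply {
    uint64_t base;
    uint32_t size, regnum, type;
    uint32_t pad;   /* carries no data, but is copied out with the rest */
};

static void fill(struct reply *r)   /* constructed values, no 0xAA bytes */
{
    r->base = 0x100000; r->size = 0x1000; r->regnum = 2; r->type = 6;
}

/* Bug pattern: named fields are set, pad keeps whatever was there before. */
void handler_leaky(unsigned char *user, struct reply *r)
{
    fill(r);
    memcpy(user, r, sizeof(*r));    /* stand-in for copy_to_user() */
}

/* Fix pattern: zero the whole structure before filling it in. */
void handler_fixed(unsigned char *user, struct reply *r)
{
    memset(r, 0, sizeof(*r));
    fill(r);
    memcpy(user, r, sizeof(*r));    /* stand-in for copy_to_user() */
}

/* Number of stale bytes visible to user space after one call. */
size_t stale_bytes(void (*handler)(unsigned char *, struct reply *))
{
    struct reply scratch;
    unsigned char user[sizeof(scratch)];
    size_t i, n = 0;
    memset(&scratch, STALE, sizeof(scratch));   /* simulate reused stack */
    handler(user, &scratch);
    for (i = 0; i < sizeof(user); i++)
        n += (user[i] == STALE);
    return n;
}

int main(void)
{
    printf("leaky: %zu stale bytes, fixed: %zu\n",
           stale_bytes(handler_leaky), stale_bytes(handler_fixed));
    return 0;
}
```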

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




