[Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-96b31a9602)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Feb 27 12:55:20 PST 2019


Synopsis: FEDORA-2019-96b31a9602 can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2019-7308

Systems running Fedora 29 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-96b31a9602.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Incorrect MTU limit check in bridge device packet forwarding path.

A logic error in the bridge device packet forwarding path can cause
packets that exceed that device's MTU to be forwarded without first
being split into smaller pieces.  This could cause unexpected
behavior for users of the bridge device.


* Use-after-free when packet SKB pointer changes.

If the pskb_trim_rcsum function changes a packet's SKB pointer, certain
fields in the packet header become stale.  If the kernel attempts to
access some of these fields, it can result in a use-after-free.  This
could potentially be exploited to cause unexpected behavior or a
denial-of-service.


* NULL pointer dereference during MDIO bus registration.

A failure to properly handle an error condition in __mdiobus_register
can lead to a NULL pointer dereference.  This could be exploited by
a local attacker to cause a denial-of-service.


* Kernel panic in networking core when drivers do not provide a features list.

Recent changes in the network core can result in a kernel panic when
attempting to probe PHY drivers that do not configure a features list.
This could potentially be exploited to cause a denial-of-service.


* Memory leak during act_tunnel_key driver initialization.

Under certain conditions, it is possible for the act_tunnel_key driver
to fail to release all references on some memory objects, resulting
in a memory leak.  This could potentially be exploited by a local
attacker to waste system resources and degrade performance.


* Packet filters break after changing certain settings.

Modifying packet filters in a specific manner can cause some filters
to stop working unexpectedly.  This could cause a system to exhibit
undesirable behavior.


* Out-of-bounds access in Open vSwitch when parsing flow attributes.

A logic error in __parse_flow_nlattrs can result in an out-of-bounds
read.  A remote attacker could potentially craft network traffic to
exploit this flaw, which could then cause a system to exhibit unexpected
behavior.


* Memory leak while dismantling network namespaces.

Under certain circumstances, it is possible for the kernel to fail to
properly flush error route objects when tearing down a network
namespace, causing these objects to be leaked.  A local attacker could
potentially exploit this flaw to waste system resources and degrade
performance.


* Leak of socket buffers in UDP send path.

In the IPv4 and IPv6 UDP send paths there are several logic errors that
can result in SKBs being leaked.  A local or remote attacker could
potentially exploit this flaw to waste system resources and degrade
performance.


* Kernel panic in IPv6 GRE tunneling driver.

The ip6_gre driver can incorrectly handle network namespaces in the
ip6gre_changelink function, resulting in list corruption, and a
potential future kernel panic.


* Potential use-after-free in Ceph FS core.

A failure to properly clear out the inode pointers in ceph_snap_realm
structures can potentially lead to a use-after-free of the inodes
referenced by those pointers.  This could potentially be exploited by
a local attacker to cause unexpected behavior, including
denial-of-service.


* Improved fix for CVE-2017-5753: Spectre v1 vulnerability in ACP Modem driver.

A user-controlled value is used to index an array in the ACP Modem
driver.  This flaw could be exploited using a Spectre v1 style attack to
leak information about the running system.
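The bounds-checked-but-speculation-prone pattern named above, as an added illustration that is not the ACP Modem driver's code: a user-controlled index guarded only by a branch, beside the branchless masking the kernel's array_index_nospec() helper applies after the check. The table and the function names (lookup_unsafe, lookup_masked, clamp_index_nospec) are hypothetical, and the mask reproduces the generic kernel formula for a 64-bit unsigned long.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed lookup table standing in for the driver's array. */
#define TABLE_LEN 8
static const uint8_t table[TABLE_LEN] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/*
 * All-ones when index < size, zero otherwise, computed without a branch
 * (same formula as the kernel's generic array_index_mask_nospec()).
 * (size - 1 - index) wraps and sets the top bit exactly when index >= size;
 * the arithmetic right shift then smears that bit across the whole word.
 */
static inline unsigned long index_mask_nospec(unsigned long index,
                                              unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >>
           (sizeof(unsigned long) * 8 - 1);
}

/* Clamp an index to 0 when it is out of range: in-range values pass
 * through unchanged, so architectural behaviour is identical. */
unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Speculation-prone form: if the branch is mispredicted, the CPU may
 * load table[index] with an attacker-chosen index before the check
 * retires, leaving a cache footprint (the Spectre v1 gadget shape). */
int lookup_unsafe(size_t index)
{
    if (index < TABLE_LEN)
        return table[index];
    return -1;
}

/* Hardened form: the AND with the mask cannot be skipped by speculation,
 * so on a mispredicted path the load reads table[0] instead of beyond it. */
int lookup_masked(size_t index)
{
    if (index < TABLE_LEN) {
        index = clamp_index_nospec(index, TABLE_LEN);
        return table[index];
    }
    return -1;
}
```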


* NULL pointer dereference in uart write path.

Improper locking in the uart_put_char/uart_write functions can lead
to a NULL pointer dereference, and subsequent kernel panic.  This
could potentially be exploited by a local attacker to cause a
denial-of-service.


* Use of uninitialized memory in Hyper-V balloon driver.

A logic error in the Hyper-V balloon driver's handling of offlined
pages can lead to certain page structs being accessed before they
are initialized, leading to a kernel panic.  This could potentially
be exploited by a malicious local user to cause a denial-of-service.


* Integer overflow in uinput driver's input validation path.

A failure to check whether or not the result of a subtraction operation
will overflow can lead to an integer overflow in the uinput driver's
uinput_validate_absinfo function.  This could potentially cause a system
to exhibit unexpected behavior.


* KVM rejects certain hypercalls on 32-bit hosts.

A coding error in KVM's hypercall emulation path can cause
KVM_HC_SEND_IPI calls to fail on 32-bit hosts.  This will cause KVM
guests to hang during boot due to IPIs not being delivered.


* Information leak in KVM's VMX operation path.

A failure to properly zero out a structure after allocation can lead to
kernel information being leaked to userspace during certain VMX
operations.  This flaw could be exploited by a local attacker to leak
information about the running system.


* Improper locking in VT driver.

A particular lock is not held during a notify_update operation in the
virtual terminal driver.  This could potentially cause a system to
exhibit unexpected behavior.


* NULL pointer dereference in NVMe driver's RDMA path.

A failure to properly allocate a structure in the NVMe driver's RDMA
path can lead to a NULL pointer dereference when the system is under
heavy load.  A local attacker could potentially exploit this flaw to
cause a denial-of-service.


* Memory protection behaviors are not inherited by children after fork.

A logic error in an mm_struct initialization code path can lead to
memory protection key states not being properly copied from parent
processes to their children.  This could cause forked processes to
behave unexpectedly in certain situations.


* CVE-2019-7308: Out-of-bounds speculation in BPF verifier.

The BPF verifier can attempt to perform out-of-bounds speculation on
pointer arithmetic, creating a potential vector for side-channel
attacks.


* Potential refcount leak in inotify_add_watch error path.

A failure to decrement the refcount on a file descriptor after an error
has occurred in the inotify_add_watch syscall could lead to a small
amount of memory being leaked.  This flaw could be exploited by a local
attacker to waste system resources and degrade performance.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
