[Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2018-5904d0794d)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jan 11 10:15:39 PST 2019


Synopsis: FEDORA-2018-5904d0794d can now be patched using Ksplice
CVEs: CVE-2017-5715

Systems running Fedora 29 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-5904d0794d.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in tmpfs page release path.

When a hugepage backed tmpfs filesystem is under heavy load, a kernel
assertion can fail while attempting to free backing pages, due to a
race with a hugepage split operation.  A malicious local attacker could
exploit this flaw to cause a denial-of-service.


* Unsafe locking in hugepage split path.

The hugepage split path attempts to take a lock that is not IRQ-safe,
without disabling interrupts.  This can lead to unexpected behavior,
including a potential deadlock.


* Multiple denial-of-service vectors while collapsing tmpfs backing pages.

Several logic errors in khugepaged's processing of tmpfs backing pages can
lead to kernel panics.  These flaws could be exploited by a malicious local
attacker to cause a denial-of-service.


* Potential packet corruption in TCP/IP core.

In certain cases, user pages containing socket buffer data can be
prematurely marked for reuse.  This can result in TCP/IP packet
corruption if the pages are actually reused.


* Packet loss due to incorrect flagging in networking core.

A failure to clear a flag on forwarded packets in the networking core
can cause those packets to be dropped unexpectedly, resulting in packet
loss.


* Inconsistent packet states caused by virtio net driver.

The virtio network driver does not disable guest checksum offload when an
XDP program is attached, which can leave packet headers in an inconsistent
state.  This could cause a system to exhibit unexpected behavior.


* Deadlock in TIPC protocol cleanup code.

A lock ordering issue in the TIPC protocol's node cleanup path can lead
to a deadlock.  This could cause a denial-of-service.


* Shadow page table corruption during emulated writes.

A race condition while writing to KVM's shadow page tables can lead
to guest PTEs and shadow PTEs being out of sync.  This can cause
unexpected behavior, including improper memory accesses.


* Improved fix for CVE-2017-5715: Information leak due to missing IBPB calls in SVM.

A potential Spectre v2 attack vector exists in the KVM code that
supports SVM-enabled processors, due to a failure to call
indirect_branch_prediction_barrier when freeing vcpus.  This can be
exploited by a local attacker to leak information about the running
system.


* Information leak in KVM_HC_CLOCK_PAIRING hypercall.

A failure to zero all fields of the structure returned by the
KVM_HC_CLOCK_PAIRING hypercall can leak the contents of host kernel stack
memory to the guest that issued the hypercall.
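
The following is an added illustration of this bug class and is not Ksplice
or kernel code.  It models a structure with named fields plus a reserved
pad[] array, fills it the way the vulnerable and the fixed paths would,
and counts how many bytes of stale stack content survive into the copy
handed to the caller.  The struct layout, the field values and the
"stale stack" pattern are assumptions made for the demonstration.

```c
/* Added example, not Ksplice or kernel code: a partially initialised
 * struct copied out wholesale leaks whatever the stack held before.
 * Layout, names and the stale-stack simulation are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

struct clock_pairing {
    int64_t  sec;
    int64_t  nsec;
    uint64_t tsc;
    uint32_t flags;
    uint32_t pad[9];   /* reserved; never written by the vulnerable path */
};

/* Stands in for whatever an earlier call left on the kernel stack. */
#define STALE_BYTE 0xA5

/* Simulates the stack slot the struct will occupy already holding data. */
static void fake_stale_stack(struct clock_pairing *cp)
{
    memset(cp, STALE_BYTE, sizeof(*cp));
}

/* Vulnerable shape: every named field is assigned, pad[] is not, and the
 * whole object is then copied to the hypercall's caller. */
void fill_clock_pairing_vulnerable(struct clock_pairing *cp,
                                   int64_t sec, int64_t nsec, uint64_t tsc)
{
    cp->sec = sec;
    cp->nsec = nsec;
    cp->tsc = tsc;
    cp->flags = 0;
}

/* Fixed shape: clear the whole object first so every byte that will be
 * copied out has a defined value, including reserved fields. */
void fill_clock_pairing_fixed(struct clock_pairing *cp,
                              int64_t sec, int64_t nsec, uint64_t tsc)
{
    memset(cp, 0, sizeof(*cp));
    cp->sec = sec;
    cp->nsec = nsec;
    cp->tsc = tsc;
    cp->flags = 0;
}

/* Counts bytes of the object that still carry the stale pattern. */
size_t count_stale_bytes(const struct clock_pairing *cp)
{
    const unsigned char *p = (const unsigned char *)cp;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*cp); i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

/* Runs one scenario end to end and returns how many bytes would leak.
 * The constructed field values contain no 0xA5 byte, so every hit is
 * genuinely stale stack content. */
size_t leaked_bytes(int fixed)
{
    struct clock_pairing cp;
    fake_stale_stack(&cp);
    if (fixed)
        fill_clock_pairing_fixed(&cp, 1547200539, 123456789, 0x1234567890ULL);
    else
        fill_clock_pairing_vulnerable(&cp, 1547200539, 123456789, 0x1234567890ULL);
    return count_stale_bytes(&cp);   /* 36 when vulnerable, 0 when fixed */
}
```

The struct is 64 bytes with no compiler padding, so the 36 leaked bytes
are exactly the reserved pad[] array; on a real kernel stack that is
whatever pointers or data the previous call frames left behind.  The
memset-first pattern is the cheap, general defence: it does not depend
on anyone remembering every field when the structure later grows.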


* NULL dereference in KVM_HC_SEND_IPI hypercall.

A use-before-initialization scenario in KVM's hypercall used for
sending IPIs can lead to a NULL pointer dereference, and subsequent
kernel panic.  This flaw could potentially cause a guest VM to crash
the host system.


* Buffer overflow in btrfs_control_ioctl.

A failure to check that a user-supplied string is NUL-terminated can lead
to a buffer overflow in the btrfs ioctl handler, with string operations
running past the end of the fixed-size name buffer.  This could lead to
unexpected behavior, including a potential denial-of-service.
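
The following is an added illustration of this bug class and is not Ksplice
or btrfs code.  It models an ioctl argument with a fixed-size name buffer
copied in from userspace, shows the handler shape that trusts the buffer
to be terminated, and then two hardened shapes: forcing a terminator at
the last byte (the idiom used when truncation is acceptable) and rejecting
a name that has no NUL anywhere in the buffer.  The struct, the size
constant and the handler names are assumptions made for the demonstration.

```c
/* Added example, not Ksplice or btrfs code: a fixed-size name copied in
 * from userspace and treated as a C string without confirming a NUL is
 * present. struct vol_args, PATH_NAME_MAX and the handler names are
 * assumptions for this demonstration. */
#include <string.h>
#include <stdint.h>
#include <errno.h>

#define PATH_NAME_MAX 4087

/* Shape of an ioctl argument: a buffer one byte longer than the longest
 * legal path, so a terminator always fits if the caller supplies one. */
struct vol_args {
    int64_t fd;
    char    name[PATH_NAME_MAX + 1];
};

/* Stand-in for copy_from_user(): a bit-for-bit copy with no validation. */
static void copy_from_user_sim(struct vol_args *dst, const struct vol_args *src)
{
    memcpy(dst, src, sizeof(*dst));
}

/* Vulnerable handler: if the caller filled every byte without a NUL,
 * strlen() runs off the end of name[] into whatever follows it in memory.
 * Not exercised by the test because that read is undefined behaviour. */
long handle_vol_args_vulnerable(const struct vol_args *user)
{
    struct vol_args a;
    copy_from_user_sim(&a, user);
    return (long)strlen(a.name);
}

/* Fixed handler, option 1: force the terminator. Over-long input is
 * silently truncated to PATH_NAME_MAX bytes. */
long handle_vol_args_terminate(const struct vol_args *user)
{
    struct vol_args a;
    copy_from_user_sim(&a, user);
    a.name[PATH_NAME_MAX] = '\0';
    return (long)strlen(a.name);
}

/* Fixed handler, option 2: reject input with no NUL inside the buffer.
 * memchr() is bounded by sizeof(a.name), so it never reads past it. */
long handle_vol_args_reject(const struct vol_args *user)
{
    struct vol_args a;
    copy_from_user_sim(&a, user);
    if (memchr(a.name, '\0', sizeof(a.name)) == NULL)
        return -EINVAL;
    return (long)strlen(a.name);
}

/* Constructed hostile input: name[] completely filled, no terminator. */
static void build_unterminated(struct vol_args *a)
{
    a->fd = 3;
    memset(a->name, 'A', sizeof(a->name));
}

long demo_unterminated_terminate(void)
{
    struct vol_args a;
    build_unterminated(&a);
    return handle_vol_args_terminate(&a);   /* 4087: truncated to the buffer */
}

long demo_unterminated_reject(void)
{
    struct vol_args a;
    build_unterminated(&a);
    return handle_vol_args_reject(&a);      /* -EINVAL */
}

long demo_well_formed(void)
{
    struct vol_args a = { .fd = 3, .name = "/dev/sdb1" };   /* constructed */
    return handle_vol_args_reject(&a);      /* 9 */
}
```

Which hardened shape to pick depends on the interface: forcing the
terminator keeps old callers working but changes the meaning of an
over-long argument, while rejecting it is stricter and surfaces the bad
caller.  Either way the check belongs immediately after the copy from
userspace, before the buffer is handed to anything that expects a
string.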


* Use-after-free in btrfs block relocation path.

A pointer in relocate_block_group is not set to NULL after the object it
references is freed, which can lead to a use-after-free scenario.  This can
cause a system to exhibit unexpected behavior, and could potentially
lead to a denial-of-service.


* Shift overflow during AC97-SPSA control write.

A logic error in the AC97 driver's snd_ac97_put_spsa routine can cause
a bitwise shift exponent to be calculated incorrectly, so that the shift
exceeds the 32-bit width of its operand.  That is undefined behavior in
C and could result in unexpected behavior on some systems.
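
The following is an added illustration of the shift-width problem and is
not Ksplice or ALSA code.  It performs a read-modify-write of a field in a
16-bit codec register, first in the unguarded form in which a bad shift
exponent is used as-is, then with the shift, mask and value validated
against the register width before any shifting happens.  The register
width, the helper names and the test values are assumptions made for the
demonstration.

```c
/* Added example, not Ksplice or ALSA code: updating a bit field in a
 * 16-bit register with and without validating the shift exponent.
 * REG_BITS and the function names are assumptions. */
#include <stdint.h>
#include <errno.h>

#define REG_BITS 16

/* Unguarded: shift and mask are used exactly as decoded from the
 * control's packed private value. With shift >= 32 the expression
 * (mask << shift) is undefined behaviour; the result is not a mask. */
uint16_t update_field_unguarded(uint16_t old, unsigned value,
                                unsigned shift, unsigned mask)
{
    return (uint16_t)((old & ~(mask << shift)) | ((value & mask) << shift));
}

/* Guarded: refuse any shift/mask pair that does not fit the register and
 * any value that does not fit the field, then shift in a type that is
 * wide enough. Returns 0 on success or a negative errno. */
int update_field_checked(uint16_t old, unsigned value, unsigned shift,
                         unsigned mask, uint16_t *out)
{
    if (mask == 0 || shift >= REG_BITS)
        return -EINVAL;
    uint32_t shifted_mask = (uint32_t)mask << shift;
    if (shifted_mask > UINT16_MAX)      /* field would run off the top */
        return -EINVAL;
    if (value & ~mask)                  /* value wider than the field */
        return -EINVAL;
    *out = (uint16_t)((old & ~shifted_mask) | ((uint32_t)value << shift));
    return 0;
}

/* Single-return convenience: the new register value (0..65535) or a
 * negative errno, so a caller can test the outcome in one expression. */
int update_field_checked_value(uint16_t old, unsigned value,
                               unsigned shift, unsigned mask)
{
    uint16_t out;
    int rc = update_field_checked(old, value, shift, mask, &out);
    return rc ? rc : (int)out;
}
```

The point of the bounds check is that a shift count is data like any
other: when it is decoded from a packed value, a mistake in the decoding
(or a malformed value) must be caught before it reaches the shift
operator, because C gives no defined result once the count reaches the
operand width.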


* Use-after-free in sound driver control interface.

A race condition exists in the sound driver core when processes
concurrently add and remove user control elements.  This race can
result in a use-after-free scenario, which can cause unexpected
behavior, including a potential system crash.


* Data corruption in blk-mq while writing to SCSI device.

If certain write operations to a SCSI device are delayed, the blk-mq
layer may flag the write requests in a manner that can cause them
to be merged with other requests, potentially invalidating parts
of the original request metadata.  This can lead to data corruption
when the write request is eventually processed.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
