[Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-164946aa7f)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Mar 4 08:47:35 PST 2019
Synopsis: FEDORA-2019-164946aa7f can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2019-3819 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222
Systems running Fedora 29 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-164946aa7f.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Fedora 29
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
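As an added example (not part of Oracle's advisory or the Ksplice tooling), a POSIX shell helper that reads the autoinstall setting from uptrack.conf and reports whether the manual uptrack-upgrade step above is still needed on a host; it assumes the file uses ini-style "key = value" lines with '#' comments, which is an assumption, not something verified against Ksplice documentation.

```shell
#!/bin/sh
# Added example, not Ksplice code. Decide whether a host still needs a
# manual "uptrack-upgrade -y" for FEDORA-2019-164946aa7f by reading the
# autoinstall setting from uptrack.conf. The "key = value" / '#' comment
# layout of that file is an assumption made for this example.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# Print the effective value of a key from a config file (last match
# wins), ignoring comments, surrounding whitespace and key case.
# Returns 1 when the file is unreadable or the key is absent/empty.
uptrack_conf_get() {
    key="$1"; conf="$2"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*$//' "$conf" \
      | awk -F'=' -v k="$key" '
          {
            gsub(/^[ \t]+|[ \t]+$/, "", $1);
            if (tolower($1) == tolower(k)) {
              v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v);
              val = v
            }
          }
          END { if (val != "") { print val; exit 0 } else exit 1 }'
}

# Returns 0 when "autoinstall = yes" is set (the case the advisory says
# needs no action), 1 otherwise. Optional argument: config path.
uptrack_autoinstall_enabled() {
    v="$(uptrack_conf_get autoinstall "${1:-$UPTRACK_CONF}")" || return 1
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Report the administrator action for this host without performing it.
# Returns 0 when Ksplice will apply the updates itself, 1 when the
# manual upgrade command from the advisory still has to be run.
uptrack_manual_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall is enabled: Ksplice will install the updates itself"
        return 0
    fi
    echo "autoinstall is not enabled: run '/usr/sbin/uptrack-upgrade -y'"
    return 1
}
```

Run `uptrack_manual_action /etc/uptrack/uptrack.conf` on the host to get the verdict; the function only reports, it does not invoke uptrack-upgrade.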
DESCRIPTION
* Kernel crash due to race condition when reading blocks in OCFS2.
Unnecessary synchronization of buffers when reading blocks in OCFS2
could in fact result in a race condition and kernel assertion failure,
causing a system crash.
* Improved fix for CVE-2017-5753: Speculative execution in DRM legacy buffer free.
The DRM legacy buffer management implementation is vulnerable to a Spectre
variant 1 side-channel attack. A local user could use this flaw to read
arbitrary kernel memory.
* Information disclosure in Precision Time Protocol offset ioctl.
A failure to handle an error case can result in kernel stack memory being
leaked to userspace. A local user could use this flaw to facilitate a further
attack.
* Denial-of-service in NFSv4 startup.
A race condition between nfsd starting and userspace configuring it can result
in a NULL pointer dereference, leading to a kernel crash. A local user with the
ability to configure NFS could use this flaw to cause a denial-of-service.
* Kernel crash in DRM atomic helper state duplication.
Failure to clear a pointer which was set to a temporary stack variable can
result in reading incorrectly initialised stack memory, leading to a kernel
crash or other undefined behavior.
* Kernel crash in EFI variable access.
A failure to prevent access to EFI variables when a system has not been booted
via EFI can result in a kernel crash.
* Denial-of-service in UDF extent parsing.
A failure to validate extent information from a UDF filesystem can result in an
assertion failure, leading to a kernel crash. A local user with the ability to
mount a UDF filesystem could use this flaw to cause a denial-of-service.
* Denial-of-service in BTRFS filesystem id management.
A failure to detect BTRFS filesystems with duplicate unique identifiers can
result in preventing the unmount of a BTRFS filesystem. A local user with the
ability to mount a filesystem could use this flaw to cause a denial-of-service.
* Deadlock in DRBD handshake synchronisation.
Incorrect locking when performing a handshake in DRBD can result in a deadlock.
* Use-after-free in ath10k station status reporting.
A failure to correctly handle an error case can result in a failure to clear a
freed pointer and lead to a potential use-after-free. A local user could use
this flaw to cause a kernel crash or escalate privileges.
* Deadlock in RAID 10 implementation during concurrent IO.
A race condition between regular IO and resync IO to a RAID 10 device can
result in a deadlock, leading to hung tasks.
* Out-of-bounds memory access in i40e event handling.
A failure to allocate enough memory for a struct can result in an out-of-bounds
memory access, leading to a kernel crash or other undefined behavior.
* Denial-of-service in BPF sockmap socket release.
A failure to clear buffers before releasing a socket from a BPF sockmap can
result in a warning. A local user could use this flaw to flood the kernel
message buffer, leading to a denial-of-service.
* Out-of-bounds access in KVM host virtual address translation.
A failure to correctly bounds check an offset can result in an out-of-bounds
write.
* Information disclosure in seqfile string buffer construction.
A failure to terminate a string buffer in the seqfile buffer interface can
result in disclosure of sensitive information from the kernel stack. A local
user could use this flaw to facilitate a further attack.
* Denial-of-service in CIFS directory opening.
A race condition between multiple threads opening and closing a directory can
result in a NULL pointer dereference, leading to a kernel crash. A local user
with access to a CIFS filesystem could use this flaw to cause a
denial-of-service.
* Use-after-free during F2FS superblock release.
A logic error when releasing an F2FS superblock after a write error has
occurred can result in a use-after-free.
* NULL pointer dereference in DSA Energy Efficient Ethernet support.
A failure to check for a NULL pointer when querying a physical interface for
Energy Efficient Ethernet support in the Distributed Switch Architecture driver
can result in a NULL pointer dereference, leading to a kernel crash.
* Use-after-free in RDS socket lookup.
A failure to correctly check the reference count for an RDS socket can result
in accessing a freed socket, leading to a use-after-free. A local user with the
ability to create RDS sockets could use this flaw to cause a kernel crash or
potentially escalate privileges.
* Double unlock in RxRPC message reception.
A failure to handle interruptions or errors when receiving an RxRPC packet can
result in a double unlock, leading to undefined behavior.
* Denial-of-service in SCTP stream reconfiguration.
A failure to correctly copy an output stream during SCTP reconfiguration can
result in access of an invalid pointer, leading to a kernel crash. A local user
could use this flaw to cause a denial-of-service.
* Use-after-free in SCTP message send to removed endpoint.
A race condition between sending SCTP messages and removal of endpoints can
result in accessing a freed list entry, leading to a use-after-free. A local
user could use this flaw to cause a kernel crash or potentially escalate
privileges.
* Use-after-free in flower network classifier rule addition.
A failure to clear a rule from a hash table after it failed to initialise can
result in a use-after-free.
* Memory leak in FUSE splice write.
A failure to lock a pipe when performing a splice write in FUSE can result in a
memory leak.
* Denial-of-service in FUSE retrieval notification.
A failure to check for a zero number of pages to retrieve in the FUSE
filesystem can result in a NULL pointer dereference, leading to a kernel crash.
A local user could use this flaw to cause a denial-of-service.
* CVE-2019-7222: Information disclosure in KVM VMX emulation.
Incorrectly handling a page fault exception while emulating VMX instructions
can result in leaking host stack information to a guest. A guest VM could use
this flaw to facilitate a further attack on the host.
* CVE-2019-6974: Use-after-free in KVM device creation.
A reference count manipulation error when creating a KVM device can result in
an early free, leading to a use-after-free. A local user with access to KVM
could use this flaw to cause a kernel crash or potentially escalate privileges.
* CVE-2019-7221: Use-after-free in nested KVM preemption timer.
A failure to cancel a nested KVM timer before freeing it can result in a
use-after-free. A guest VM could use this flaw to crash the host.
* NULL pointer dereference in TTY flush.
A race condition between opening a TTY and flushing it can result in a NULL
pointer dereference, leading to a kernel crash.
* CVE-2019-3819: Deadlock in HID debug events read.
A logic error when reading HID debug events can result in the kernel entering
an infinite loop, leading to a system lock up. A privileged user could use this
flaw to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.