[Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-be9add5b77)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon May 6 20:59:43 PDT 2019


Synopsis: FEDORA-2019-be9add5b77 can now be patched using Ksplice
CVEs: CVE-2019-3459 CVE-2019-3460 CVE-2019-3882 CVE-2019-9857

Systems running Fedora 29 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-be9add5b77.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
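As an added illustration (not part of the announcement and not Ksplice's own tooling), the following POSIX shell snippet checks which of the two paths above applies on a host: it parses /etc/uptrack/uptrack.conf for the "autoinstall = yes" setting named in the announcement and reports whether the manual `/usr/sbin/uptrack-upgrade -y` step is still needed. The function names are made up for this example, and the sample configuration files it writes are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the Ksplice announcement. It only reads the
# configuration file; it never runs uptrack-upgrade itself.
# Path and key ("autoinstall = yes" in /etc/uptrack/uptrack.conf) are the
# ones named in the announcement; everything else here is illustrative.

# Print "yes" if the given uptrack.conf enables autoinstall, otherwise "no".
# Skips comment lines, tolerates spaces around "=", strips trailing inline
# comments, compares key and value case-insensitively, and lets the last
# matching line win (the usual INI-style rule). A missing or unreadable
# file is reported as "no", because no automatic install can be assumed.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo "no"; return 1; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                     # comment line
        {
            key = $1; val = $2
            sub(/[ \t]*[#;].*$/, "", val)          # trailing inline comment
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "autoinstall")
                state = (tolower(val) == "yes") ? "yes" : "no"
        }
        END { print (state == "" ? "no" : state) }' "$conf"
}

# Print the operator action implied by the announcement: "none" when
# autoinstall is on, otherwise the manual upgrade command to run as root.
uptrack_next_action() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ "$(uptrack_autoinstall_enabled "$conf")" = "yes" ]; then
        echo "none"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Stand-alone demonstration on constructed sample files (not real configs).
demo_dir=$(mktemp -d)
printf '# constructed sample\nautoinstall = yes\n' > "$demo_dir/auto.conf"
printf '# autoinstall = yes  (commented out)\nAutoInstall = no\n' \
    > "$demo_dir/manual.conf"
echo "auto.conf:   $(uptrack_autoinstall_enabled "$demo_dir/auto.conf")"
echo "manual.conf: $(uptrack_autoinstall_enabled "$demo_dir/manual.conf")"
echo "next action for manual.conf: $(uptrack_next_action "$demo_dir/manual.conf")"
rm -rf "$demo_dir"
```

Run it without arguments to exercise the constructed samples; on a real host call `uptrack_next_action` with no argument (or with the real path) to see whether the manual step is required.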


DESCRIPTION

* CVE-2019-3459, CVE-2019-3460: Remote information leak via Bluetooth configuration request.

When parsing Bluetooth L2CAP options, some buffer length fields are not
properly validated, potentially allowing a malicious device to expose
kernel heap memory remotely.


* NULL-pointer dereference when creating IPv6 route.

In rare cases, when creating an IPv6 route fails, improper error
handling can result in a NULL-pointer dereference and denial-of-service.


* Stack corruption when connecting ROSE socket.

When establishing a Remote Operations Service Element connection, the
net facilities structure can actually consume more space on the stack
than is allocated. A malicious attacker might potentially be able to
abuse this out-of-bounds access to escalate their privileges.


* Memory corruption when flushing ILA hashtable.

When flushing Identifier Locator Addressing hashtables, an unexpected
error could result in a corruption of stack memory, resulting in a
denial-of-service or potentially a privilege escalation.


* Denial-of-service in btrfs readahead via log flood.

Incorrect warning logging when using readahead on btrfs could result in
a log flood, potentially starving the system of resources and resulting
in a denial-of-service.


* Invalid assertion in btrfs when running fsync on no-holes mount.

An incorrect assertion condition when running the 'fsync' command on a
btrfs filesystem mounted with the 'no-holes' option can cause a
denial-of-service when the filesystem was in fact operating correctly.


* Resource leak when performing file locks over NFSv4.

When locking a file over a remote NFSv4 mount, the lock structure might
have its reference count improperly incremented, resulting in a leak. A
malicious user might exploit this to starve the system of resources,
causing performance degradation or a denial-of-service.


* Improved fix to Spectre v1: bounds-check bypass in various ALSA sound drivers.

Several arrays in subsystems of the ALSA sound device driver code are
potentially vulnerable to a Spectre variant 1 speculative execution
attack.


* Out-of-bounds memory access when changing PCM parameters on ALSA device.

When altering PCM parameters for an ALSA sound device, incorrect
ordering of allocations could result in an out-of-bounds memory access,
potentially resulting in memory corruption or a denial-of-service.


* Deadlock when attempting to open non-regular file with execve().

Due to invalid error handling, attempting to open a non-regular file for
execve() can result in a deadlock. An unprivileged user could exploit
this to starve the system of resources and cause a denial-of-service.


* NULL-pointer dereference when closing SCSI disk device with outstanding traffic.

When closing a SCSI disk device while outstanding I/O is still being
processed, incorrect synchronization could result in a race condition and
NULL-pointer dereference, causing a kernel crash and denial-of-service.


* Use-after-free when allocating GEM buffer for DRM device.

When allocating a Graphics Execution Manager buffer for a Direct
Rendering Manager device, an unexpected error can result in a
NULL-pointer dereference and potential denial-of-service.


* Use-after-free in BPF verifier in low-memory situations.

If memory allocation fails when verifying a BPF program, verification
might proceed on an invalid stack, potentially resulting in an invalid
result from the verification, memory corruption, or a denial-of-service.


* Out-of-bounds read when writing back ZRAM page.

When writing back an idle memory page to a ZRAM device, the device's
mode is checked with an unbounded string comparison, potentially reading
out-of-bounds memory and causing a denial-of-service or information
leak.


* Use-after-free in TIPC when exiting network mode.

When a Transparent Inter Process Communication protocol device is
removed from network mode, internal driver timers might continue to fire
against freed memory, resulting in memory corruption or a
denial-of-service.


* CVE-2019-9857: Memory leak in inotify causes denial-of-service.

The kernel inotify file monitoring subsystem contains a refcount leak that
could be exploited by an unprivileged user to leak memory and cause a
denial-of-service.


* CVE-2019-3882: Denial-of-service when repeatedly DMA mapping device MMIO.

By repeatedly mapping device MMIO memory via mmap, a malicious user
could potentially consume unbounded system memory, resulting in resource
starvation and a denial-of-service.


* Log spam when punching holes in ext4 bigalloc filesystems.

When fallocating on an ext4 bigalloc filesystem, incorrect code when
freeing clusters might result in a flood of error responses, potentially
resulting in a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
