From ksplice-support_ww at oracle.com  Wed Oct 23 00:02:09 2019
From: ksplice-support_ww at oracle.com (Oracle Ksplice)
Date: Wed, 23 Oct 2019 07:02:09 GMT
Subject: [Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-97380355ae)
Message-ID: <2vsx2t4dry-1@userp3030.oracle.com>

Synopsis: FEDORA-2019-97380355ae can now be patched using Ksplice
CVEs: CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-15117 CVE-2019-15118 CVE-2019-15504 CVE-2019-15505 CVE-2019-15538

Systems running Fedora 29 can now use Ksplice to patch against the latest Fedora kernel update, FEDORA-2019-97380355ae.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these updates will be installed automatically and you do not need to take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Memory leak when freeing NVMe subsystem.

A logic error when releasing an NVMe subsystem could lead to a memory leak. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service.

* Kernel crash in MEGARAID SAS firmware crashdump loading.

Missing bounds checks when loading firmware crashdump could result in an out-of-bounds access and kernel panic.

* CVE-2019-15118: Stack overflow when checking input source type in ALSA USB driver.

A logic error when checking input source type in ALSA USB driver could lead to a stack overflow. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2019-15117: Out-of-bounds access when parsing USB descriptor in ALSA USB driver.

A missing check when parsing USB descriptor in ALSA USB driver could lead to an out-of-bounds access. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2019-15538: Denial-of-service in XFS filesystem with Quota support enabled.
A locking error when an XFS filesystem raises its quota limit could let a local or remote attacker cause a denial-of-service using chgrp on such a filesystem.

* CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Denial-of-service when parsing access point settings in Marvell WiFi-Ex driver.

Logic errors when parsing access point settings in Marvell WiFi-Ex driver could lead to buffer overflows. A local attacker could use these flaws to cause a denial-of-service.

* CVE-2019-15505: Out-of-bounds access in Technisat DVB-S/S2 USB2.0 driver.

A logic error when receiving data over Technisat DVB-S/S2 USB2.0 driver could lead to an out-of-bounds access. A remote attacker could use this flaw to cause a denial-of-service.

* CVE-2019-15504: Denial-of-service when initializing RSI wireless device.

A double-free in the RSI WLAN driver could lead to a kernel crash or possibly kernel memory corruption. A crafted USB device could trigger this flaw to cause a denial-of-service.

* Improved fix for Spectre v1: Bounds-check bypass in ATM Interphase driver.

Speculative execution in ATM Interphase driver ioctl interface allows bounds-check bypass. A local user could exploit this vulnerability to escalate privileges.

* Denial-of-service when transmitting GRE packet over IPv6.

An invalid memory access in the GRE tunneling protocol could lead to a kernel crash. A local attacker could exploit this to cause a denial-of-service.

* Denial-of-service when transmitting packet through IPv6 tunnel.

A use-after-free bug in the IPv6 tunnel subsystem could cause a kernel crash when transmitting packets if generic segmentation offload is enabled. An attacker could exploit this to cause a denial-of-service.

* Improved fix for Spectre v1: Bounds-check bypass in Infiniband subsystem.

Speculative execution when registering agent in core Infiniband subsystem allows bounds-check bypass. A local user could exploit this vulnerability to escalate privileges.
* Denial-of-service when transmitting IP packet through IP tunnel.

A use-after-free bug in the IP-in-IP tunneling subsystem could cause a kernel crash when transmitting packets. An attacker could exploit this to cause a denial-of-service.

* Denial-of-service when removing network namespace.

A name conflict in the network namespace subsystem could trigger a kernel safety violation. An attacker capable of creating and removing network namespaces could exploit this to cause a denial-of-service.

* Denial-of-service when dequeueing packet in network scheduler.

A null-pointer dereference in the CODEL network packet scheduler could lead to a kernel crash. A local attacker could exploit this to cause a denial-of-service if CODEL scheduler is enabled.

* Denial-of-service in the SMC socket subsystem.

A race between queued work on an SMC socket and the shutdown of the same socket could lead to a use-after-free. An attacker could exploit this vulnerability to cause a denial-of-service.

* Denial-of-service when configuring a device through usbfs.

A double-free bug in the usbfs could cause a kernel crash when submitting a USB transaction. An attacker capable of configuring a USB device through ioctl interface could exploit this to cause a denial-of-service.

* Denial-of-service when removing a Yurex USB device.

Incorrect reference counting when removing a Yurex device could lead to a use-after-free. An attacker could exploit this vulnerability to cause a denial-of-service.

* Information leak when initializing PCAN-USB device.

When loading a PCAN-USB driver, the kernel passes an uninitialized buffer to the device. This could leak privileged kernel memory to the device and allow a malicious device to escalate privilege.

* Denial-of-service when reconnecting to an SMBv3 server.

A deadlock in the SMB / CIFS subsystem could lead to the kernel thread hanging indefinitely. An attacker could exploit this bug to cause a denial-of-service.

* Denial-of-service during NFSv4 client state recovery.
Failure to handle errors correctly when recovering state in the NFSv4 client subsystem could lead to an infinite loop in the kernel thread and a subsequent denial-of-service.

* Denial-of-service during setattr on an NFSv4 inode.

Setting an attribute on an inode in an NFS filesystem could confuse the protocol version and try to use uninitialized data. This leads to a denial-of-service.

* Denial-of-service when transmitting packet through Intel(R) wifi devices.

A use-after-free vulnerability in the driver for certain Intel(R) wifi devices with segmentation offload enabled could cause a kernel crash. An attacker could exploit this to cause a denial-of-service.

* Denial-of-service when unmapping an anonymous private page.

Dereferencing an invalid page pointer when unmapping an anonymous private page triggers a BUG in the kernel. This could lead to a denial-of-service.

* Improved fix for denial-of-service in non-hierarchical memory cgroup iteration.

A logic error in the memory cgroup code could lead to kernel memory corruption and a kernel crash when iterating over cgroups. This could be exploited to cause a denial-of-service.

* Denial-of-service when processing input from HID device.

A null pointer dereference when processing an input event from a Holtek gaming controller could lead to a kernel crash. A malicious device could exploit this to cause a denial-of-service.

* Denial-of-service when executing a BPF program.

Incorrect validation in the BPF program verifier allowed certain BPF programs which could crash the kernel. A malicious local user capable of loading a BPF program could exploit this bug to cause a denial-of-service.

* Denial-of-service in sendmsg when using TX_RING.

A null pointer dereference in the sendmsg system call path when TX_RING is used could lead to a GPF. An attacker could exploit this to cause a denial-of-service.

* Memory leak when resetting an SCTP stream.
Failure to clean up allocated memory for the outgoing queue corresponding to an SCTP socket when resetting a stream leads to a memory leak. A local unprivileged user could exploit this to cause a denial-of-service.

* Use-before-initialization when parsing netlink messages.

Lenient parsing of netlink messages allows use-before-initialization when sending a message. An unprivileged local user could exploit this to hijack kernel execution.

* Denial-of-service in the eBPF sockmap subsystem.

Multiple bugs when removing a socket from a sockmap and releasing a sockmap in the eBPF subsystem could lead to double-free and use-after-free vulnerabilities. An attacker with permission to load an untrusted BPF program could exploit this to cause a denial-of-service.

* Denial-of-service when handling error in the RXRPC socket subsystem.

Incorrect locking when cleaning up after an error in the RXRPC socket subsystem could lead to a deadlock. An attacker could exploit this to cause a denial-of-service.

* Denial-of-service when flushing data in the ATA-over-Ethernet subsystem.

Incorrect locking in the ATA-over-Ethernet (AoE) subsystem could trigger a BUG in the kernel. An attacker could exploit this to cause a denial-of-service.

* Denial-of-service during writepages in the Ceph filesystem.

Incorrect dirty page handling when writing back memory-mapped pages in the Ceph filesystem could trigger a BUG_ON in the kernel. An attacker could exploit this to cause a denial-of-service.

* Use-before-initialization in the Ceph filesystem.

Incorrect error handling when communicating with the Ceph metadata server could lead the client to use uninitialized data. An attacker could possibly exploit this flaw to cause a denial-of-service.

* Denial-of-service when handling page fault in userspace.

A double-free bug in the userfaultfd subsystem could lead to a kernel crash. An attacker with privilege to perform userfaultfd could exploit this to cause a denial-of-service and possibly escalate privilege.
* Denial-of-service during journal operation in dm-integrity subsystem.

A data race in the dm-integrity subsystem during journal operation could lead to a kernel crash. An unprivileged attacker could exploit this to cause a denial-of-service.

* Denial-of-service when creating nvdimm namespace.

Taking the wrong lock during nvdimm namespace creation and destruction leads to a deadlock. An attacker could exploit this to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

From ksplice-support_ww at oracle.com  Tue Oct 29 16:38:11 2019
From: ksplice-support_ww at oracle.com (Oracle Ksplice)
Date: Tue, 29 Oct 2019 23:38:11 GMT
Subject: [Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-a570a92d5a)
Message-ID: <2vxwj8v71u-1@aserp3030.oracle.com>

Synopsis: FEDORA-2019-a570a92d5a can now be patched using Ksplice
CVEs: CVE-2019-14821 CVE-2019-14835 CVE-2019-15902 CVE-2019-16714

Systems running Fedora 29 can now use Ksplice to patch against the latest Fedora kernel update, FEDORA-2019-a570a92d5a.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these updates will be installed automatically and you do not need to take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Multiple use-after-frees in NVMe subsystem.

Multiple logic errors in the NVMe subsystem could lead to use-after-frees. A local attacker could use these flaws to cause a denial-of-service.

* Memory leak when receiving frontend notification in Xen block-device backend driver.

A missing free of resources when receiving frontend notification in Xen block-device backend driver could lead to a memory leak. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service.
* NULL pointer dereference when sending ICMP packets with a particular configuration.

A missing check when sending ICMP packets with a particular configuration could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service.

* Use-after-free in sound sequencer driver when deleting pools.

Missing locking when deleting pools in the sound sequencer driver from user space could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service.

* Use-after-free when disconnecting USB Wireless device.

A race condition when disconnecting a USB Wireless device while transfers are on-going could lead to a use-after-free. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service.

* Memory leak when adding a station in mac80211 stack fails.

A logic error when adding a station in the mac80211 stack fails could lead to a memory leak. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service.

* CVE-2019-15902: Bounds-check bypass in sys_ptrace().

An error when backporting the original Spectre v1 fix for ptrace in stable kernels makes it vulnerable to Spectre v1. A local attacker could exploit this flaw to gain information about the running system.

* Memory leak when setting IPv6 multicast socket options.

A missing free of resources when setting IPv6 multicast socket options could lead to a memory leak. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service.

* Use-after-free when dropping packets in netpoll.

A logic error when dropping packets in netpoll could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2019-16714: Information leak in Reliable Datagram Sockets IPv6 message info.

Missing initialization could result in copying stale kernel stack contents to user-space when copying IPv6 message info for an RDS socket.
* Memory leak when setting up a request in Cavium LiquidIO driver.

A missing free of resources when setting up a request in Cavium LiquidIO driver could lead to a memory leak. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service.

* Memory leak when creating resources in Mellanox ConnectX HCA driver.

A missing free of resources in an error path when creating resources in Mellanox ConnectX HCA driver could lead to a memory leak. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service.

* Use-after-free when setting xattr in Ceph distributed file system.

A logic error when setting xattr in Ceph distributed file system could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service.

* Memory leak when looking up an invalid cell name in Andrew File System driver.

A missing free of resources in an error path when looking up an invalid cell name in Andrew File System driver could lead to a memory leak. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service.

* CVE-2019-14835: Privilege escalation during live migration of guest.

A failure to check for a guest creating a zero length queue in the vhost driver can lead to a buffer overflow in the host kernel. A guest virtual machine could use this flaw to crash the host or potentially escalate privileges when the virtual machine is live migrated.

* Out-of-bounds access in CAPI2.0 driver.

A logic error when writing to a CAPI2.0 device could lead to an out-of-bounds access. A local attacker could use this flaw to cause a denial-of-service.

* NULL pointer dereference when removing publication info in TIPC driver.

A logic error when removing publication info in TIPC driver could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service.

* Denial-of-service during fsync on btrfs filesystem.
A reference count error during fsync on a btrfs filesystem could lead to a use-after-free or a kernel assert. A local attacker could use this flaw to cause a denial-of-service.

* Information leak when emulating VMPTRST in KVM.

A missing zeroing of on-stack data on the host side when emulating VMPTRST in KVM could lead to an information leak. A local attacker from a guest could use this flaw to leak information about the host and facilitate an attack.

* Out-of-bounds access during USB device reset.

A logic error during USB device reset could lead to an out-of-bounds access. A local attacker could use this flaw to cause a denial-of-service.

* Double free when disconnecting TV Master TM5600/6000/6010 USB device.

A logic error when disconnecting a TV Master TM5600/6000/6010 USB device while transfers are on-going could lead to a double free. A local attacker could use this flaw to cause a denial-of-service.

* NULL pointer dereference in Xen network device error handling.

Incorrect error handling when filling fragments for a Xen network device could result in a NULL pointer dereference and kernel crash.

* CVE-2019-14821: Denial-of-service in KVM MMIO coalesced writes.

An out-of-bounds access to the coalesced MMIO ring buffer could result in a kernel crash. A malicious guest could use this flaw to crash the hypervisor or potentially escalate privileges.

* Improved fix for Spectre v1: Bounds check bypass in nl80211 CQM RSSI.

A missing use of the indirect call protection macro in the Netlink 802.11 code when updating the cqm rssi parameters could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* NULL pointer dereference when accessing a revoked key.

A missing check when accessing a revoked key could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service.

* Invalid memory access in floppy disk driver.
A logic error when copying data to userspace from the floppy disk driver could lead to an invalid memory access. A local attacker could use this flaw to cause a denial-of-service.

* Potential NULL dereference in AFS directory read path.

A missing NULL pointer check in the AFS directory read path can lead to a NULL pointer dereference and subsequent kernel panic. This flaw could potentially be exploited to cause a denial-of-service.

* NULL dereference in XFRM while decoding session information.

In certain cases, necessary fields of data structures used in the XFRM session decode path may not actually be populated when they are assumed to be. This can lead to NULL dereferences in both the IPv4 and IPv6 decode paths. This flaw could potentially be exploited to cause a denial-of-service.

* Divide-by-zero in USB TMC driver.

A failure to properly sanitize data provided from a connected USB device can cause the USB TMC driver to attempt to divide by zero, which will lead to a kernel panic. A malicious attacker could exploit this flaw with a specially crafted USB device to cause a denial-of-service.

* Use-after-free in TCMU driver when processing timed out commands.

A logic error in the TCMU driver's handling of timed out iSCSI commands can lead to a use-after-free. A remote attacker could potentially exploit this flaw on a busy system to cause unexpected behavior, including a potential denial-of-service.

* Memory leak in AMDGPU_CS ioctl handler.

A failure to properly clean up when certain errors occur during the AMDGPU_CS ioctl leads to a memory leak. This flaw could be exploited by a local attacker to waste system resources and degrade performance, potentially causing a denial-of-service.

* Btrfs hangs during second buffer writeback attempt.

Due to incorrect handling of an error condition, it is possible for certain lock bits to remain set unexpectedly after a failed attempt to write back an extent buffer. A second attempt to write back the failed data will hang forever waiting for the lock bit to clear. This flaw could potentially be exploited by a local attacker to cause a denial-of-service to the filesystem.

* Use-after-free in MediaTek MT7615E driver when changing beacon frame info.

A logic error in the code responsible for setting beacon frame information in the MT7615E driver leads to a use-after-free scenario. This flaw could potentially be exploited to cause a system to exhibit unexpected behavior.

* Potential use-after-free in BPF Flow Dissector.

Improper RCU protections on certain BPF program structures can lead to a use-after-free scenario in the Flow Dissector's program-detach path. This could potentially cause a system to exhibit unexpected behavior, and may result in a denial-of-service.

* Use-after-free in BPF while freeing JITed program.

A failure to properly order operations to account for concurrent users of the same BPF program can lead to a use-after-free scenario when trying to unlink that program. This could potentially be exploited to cause a system to exhibit unexpected behavior.

* Out-of-bounds copy from kernel stack to Infiniband driver HW queues.

When preparing for certain RDMA operations, it is possible for the Infiniband Netxtreme HCA driver to copy past the end of some command structures which are stored on the stack, causing stack data to be leaked into the hardware queues. This flaw could potentially be used in conjunction with another exploit to cause a system to exhibit unexpected behavior, or to leak privileged information.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
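Both INSTALLING THE UPDATES sections above hinge on one setting: whether "autoinstall = yes" is present in /etc/uptrack/uptrack.conf. The POSIX sh script below is an added example, not Oracle's or Ksplice's code, that reads that setting from a config file and reports whether the manual /usr/sbin/uptrack-upgrade -y step is still needed. It assumes the plain "key = value" format the advisories quote, tolerates "#" comments, section headers and case differences, and inspects only the autoinstall key; the two config files it writes are constructed for the demonstration and are not real host data. It reads configuration only and does not contact the Ksplice service or run uptrack-upgrade itself.

```shell
#!/bin/sh
# Added example (not Oracle/Ksplice code): decide from an uptrack.conf-style
# file whether a host still needs a manual "uptrack-upgrade -y".
# Assumed file format: "key = value" lines, optional "#" comments and
# "[section]" headers; only the "autoinstall" key is examined.

# autoinstall_enabled FILE
# Exit status 0 when FILE sets autoinstall to "yes" (case-insensitive,
# surrounding whitespace ignored, last assignment wins), 1 otherwise,
# including when FILE is missing or unreadable.
autoinstall_enabled() {
    [ -r "$1" ] || return 1
    # 1. strip comments  2. keep only autoinstall assignments
    # 3. last one wins   4. keep the value, drop trailing blanks
    # 5. normalise case
    value=$(sed -e 's/#.*//' "$1" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')
    [ "$value" = "yes" ]
}

# next_step FILE
# Prints the action the advisory asks for, given FILE's autoinstall setting.
next_step() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall is on: updates install automatically, no action needed"
    else
        echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Demonstration on two constructed config files (sample data, not real hosts).
demo_dir=$(mktemp -d)
cat > "$demo_dir/auto.conf" <<'EOF'
# constructed sample uptrack.conf
[main]
autoinstall = yes
EOF
cat > "$demo_dir/manual.conf" <<'EOF'
# constructed sample uptrack.conf
autoinstall = no
EOF
next_step "$demo_dir/auto.conf"
next_step "$demo_dir/manual.conf"
rm -rf "$demo_dir"
```

Run it as-is to see the two verdicts, or source it and call next_step /etc/uptrack/uptrack.conf on a host to be checked. The "last assignment wins" rule matters because a later line can override an earlier one in the file; a check that stops at the first match would report the wrong state.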