[Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-97380355ae)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Oct 23 00:02:09 PDT 2019


Synopsis: FEDORA-2019-97380355ae can now be patched using Ksplice
CVEs: CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-15117 CVE-2019-15118 CVE-2019-15504 CVE-2019-15505 CVE-2019-15538

Systems running Fedora 29 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-97380355ae.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

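As an added example (not Oracle's or the Ksplice project's own code), the following POSIX shell snippet implements the decision described above: it parses an uptrack.conf-style file for the "autoinstall" setting, ignoring comments, surrounding whitespace and letter case, and reports whether updates arrive automatically or whether the manual uptrack-upgrade command is needed. The "[Settings]" section header and the two sample files are constructed for the demonstration; only the path /etc/uptrack/uptrack.conf and the command line come from this announcement.

```sh
#!/bin/sh
# Added example, not Oracle's code: decide whether a Ksplice Uptrack host
# will pick up the announced updates on its own or needs a manual run.

# uptrack_autoinstall_enabled CONFIG_FILE
# Returns 0 when the file sets "autoinstall = yes" (case-insensitive,
# any surrounding whitespace, '#'/';' comments ignored, last setting wins),
# 1 otherwise or when the file cannot be read.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -e 's/[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    [ "$val" = "yes" ]
}

# ksplice_update_action CONFIG_FILE
# Prints "automatic" when no action is needed, otherwise the manual
# command given in the announcement.
ksplice_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configuration files (assumed layout, not the real file).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/auto.conf" <<'EOF'
[Settings]
# constructed sample: updates install automatically
AutoInstall = Yes
EOF
cat > "$demo_dir/manual.conf" <<'EOF'
[Settings]
autoinstall = no
# autoinstall = yes   (commented out, must be ignored)
EOF

# On a real host you would pass /etc/uptrack/uptrack.conf instead.
ksplice_update_action "$demo_dir/auto.conf"     # automatic
ksplice_update_action "$demo_dir/manual.conf"   # /usr/sbin/uptrack-upgrade -y
```

Running it against /etc/uptrack/uptrack.conf on a fleet of Fedora 29 hosts tells you which machines still need the manual command.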

DESCRIPTION

* Memory leak when freeing NVMe subsystem.

A logic error when releasing an NVMe subsystem could lead to a memory
leak. A local attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.


* Kernel crash in MEGARAID SAS firmware crashdump loading.

Missing bounds checks when loading a firmware crashdump could result in an
out-of-bounds access and kernel panic.


* CVE-2019-15118: Stack overflow when checking input source type in ALSA USB driver.

A logic error when checking the input source type in the ALSA USB driver
could lead to a stack overflow. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2019-15117: Out-of-bounds access when parsing USB descriptor in ALSA USB driver.

A missing check when parsing a USB descriptor in the ALSA USB driver could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2019-15538: Denial-of-service in XFS filesystem with Quota support enabled.

A locking error when an XFS filesystem raises its quota limit could let a
local or remote attacker cause a denial-of-service by using chgrp on such
a filesystem.


* CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Denial-of-service when parsing access point settings in Marvell WiFi-Ex driver.

Logic errors when parsing access point settings in the Marvell WiFi-Ex
driver could lead to buffer overflows. A local attacker could use these
flaws to cause a denial-of-service.


* CVE-2019-15505: Out-of-bounds access in Technisat DVB-S/S2 USB2.0 driver.

A logic error when receiving data through the Technisat DVB-S/S2 USB2.0
driver could lead to an out-of-bounds access. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2019-15504: Denial-of-service when initializing RSI wireless device.

A double-free in the RSI WLAN driver could lead to a kernel crash or
possibly kernel memory corruption. A crafted USB device could trigger
this flaw to cause a denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in ATM Interphase driver.

Speculative execution in the ATM Interphase driver ioctl interface allows
a bounds-check bypass. A local user could exploit this vulnerability to
escalate privileges.


* Denial-of-service when transmitting GRE packet over IPv6.

An invalid memory access in the GRE tunneling protocol could lead to a
kernel crash. A local attacker could exploit this to cause a
denial-of-service.


* Denial-of-service when transmitting packet through IPv6 tunnel.

A use-after-free bug in the IPv6 tunnel subsystem could cause a kernel
crash when transmitting packets if generic segmentation offload is
enabled. An attacker could exploit this to cause a denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in Infiniband subsystem.

Speculative execution when registering an agent in the core InfiniBand
subsystem allows a bounds-check bypass. A local user could exploit
this vulnerability to escalate privileges.


* Denial-of-service when transmitting IP packet through IP tunnel.

A use-after-free bug in the IP-in-IP tunneling subsystem could cause
a kernel crash when transmitting packets. An attacker could exploit
this to cause a denial-of-service.


* Denial-of-service when removing network namespace.

A name conflict in the network namespace subsystem could trigger a
kernel safety violation. An attacker capable of creating and removing
network namespaces could exploit this to cause a denial-of-service.


* Denial-of-service when dequeueing packet in network scheduler.

A null-pointer dereference in the CODEL network packet scheduler could
lead to a kernel crash. A local attacker could exploit this to cause a
denial-of-service if the CODEL scheduler is enabled.


* Denial-of-service in the SMC socket subsystem.

A race between queued work on an SMC socket and the shutdown of the same
socket could lead to a use-after-free. An attacker could exploit this
vulnerability to cause a denial-of-service.


* Denial-of-service when configuring a device through usbfs.

A double-free bug in usbfs could cause a kernel crash when submitting a
USB transaction. An attacker capable of configuring a USB device through
the ioctl interface could exploit this to cause a denial-of-service.


* Denial-of-service when removing a Yurex USB device.

Incorrect reference counting when removing a Yurex device could lead to
a use-after-free. An attacker could exploit this vulnerability to cause
a denial-of-service.


* Information leak when initializing PCAN-USB device.

When loading the PCAN-USB driver, the kernel passes an uninitialized
buffer to the device. This could leak privileged kernel memory to the
device and allow a malicious device to escalate privileges.


* Denial-of-service when reconnecting to an SMBv3 server.

A deadlock in the SMB / CIFS subsystem could lead to the kernel thread
hanging indefinitely. An attacker could exploit this bug to cause a
denial-of-service.


* Denial-of-service during NFSv4 client state recovery.

Failure to handle errors correctly when recovering state in the NFSv4
client subsystem could lead to an infinite loop in the kernel thread and
a subsequent denial-of-service.


* Denial-of-service during setattr on an NFSv4 inode.

Setting an attribute on an inode in an NFS filesystem could confuse the
protocol version and try to use uninitialized data. This leads to a
denial-of-service.


* Denial-of-service when transmitting packet through Intel(R) wifi devices.

A use-after-free vulnerability in the driver for certain Intel(R)
wifi devices with segmentation offload enabled could cause a kernel
crash. An attacker could exploit this to cause a denial-of-service.


* Denial-of-service when unmapping an anonymous private page.

Dereferencing an invalid page pointer when unmapping an anonymous private
page triggers a BUG in the kernel. This could lead to a denial-of-service.


* Improved fix for denial-of-service in non-hierarchical memory cgroup iteration.

A logic error in the memory cgroup code could lead to kernel memory
corruption and a kernel crash when iterating over cgroups. This could
be exploited to cause a denial-of-service.


* Denial-of-service when processing input from HID device.

A null pointer dereference when processing an input event from a Holtek
gaming controller could lead to a kernel crash. A malicious device could
exploit this to cause a denial-of-service.


* Denial-of-service when executing a BPF program.

Incorrect validation in the BPF program verifier allowed certain BPF
programs that could crash the kernel. A malicious local user capable of
loading BPF programs could exploit this bug to cause a denial-of-service.


* Denial-of-service in sendmsg when using TX_RING.

A null pointer dereference in the sendmsg system call path when TX_RING
is used could lead to a GPF. An attacker could exploit this to cause a
denial-of-service.


* Memory leak when resetting an SCTP stream.

Failure to clean up the memory allocated for the outgoing queue of an
SCTP socket when resetting a stream leads to a memory leak. A local
unprivileged user could exploit this to cause a denial-of-service.


* Use-before-initialization when parsing netlink messages.

Lenient parsing of netlink messages allows use-before-initialization
when sending a message. An unprivileged local user could exploit this to
hijack kernel execution.


* Denial-of-service in the eBPF sockmap subsystem.

Multiple bugs when removing a socket from a sockmap and releasing a
sockmap in the eBPF subsystem could lead to double-free and
use-after-free vulnerabilities. An attacker with permission to load
untrusted BPF programs could exploit this to cause a denial-of-service.


* Denial-of-service when handling error in the RXRPC socket subsystem.

Incorrect locking when cleaning up after an error in the RXRPC socket
subsystem could lead to a deadlock. An attacker could exploit this to
cause a denial-of-service.


* Denial-of-service when flushing data in the ATA-over-Ethernet subsystem.

Incorrect locking in the ATA-over-Ethernet (AoE) subsystem could trigger
a BUG in the kernel. An attacker could exploit this to cause a
denial-of-service.


* Denial-of-service during writepages in the Ceph filesystem.

Incorrect dirty page handling when writing back memory-mapped pages in
the Ceph filesystem could trigger a BUG_ON in the kernel. An attacker
could exploit this to cause a denial-of-service.


* Use-before-initialization in the Ceph filesystem.

Incorrect error handling when communicating with a Ceph metadata server
could lead the client to use uninitialized data. An attacker could
possibly exploit this flaw to cause a denial-of-service.


* Denial-of-service when handling page fault in userspace.

A double-free bug in the userfaultfd subsystem could lead to a kernel
crash. An attacker with the privilege to use userfaultfd could exploit
this to cause a denial-of-service and possibly escalate privileges.


* Denial-of-service during journal operation in dm-integrity subsystem.

A data race in the dm-integrity subsystem during journal operation could
lead to a kernel crash. An unprivileged attacker could exploit this to
cause a denial-of-service.


* Denial-of-service when creating an nvdimm namespace.

Taking the wrong lock during nvdimm namespace creation and destruction
leads to a deadlock. An attacker could exploit this to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
