[Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-a570a92d5a)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Oct 29 16:38:11 PDT 2019


Synopsis: FEDORA-2019-a570a92d5a can now be patched using Ksplice
CVEs: CVE-2019-14821 CVE-2019-14835 CVE-2019-15902 CVE-2019-16714

Systems running Fedora 29 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-a570a92d5a.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
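The two-step procedure above (check "autoinstall" in /etc/uptrack/uptrack.conf, otherwise run uptrack-upgrade -y) as a small POSIX shell check. This is an added example, not part of the Ksplice advisory or of Uptrack itself: the function names, the UPTRACK_UPGRADE override used for dry runs, and the sample config files (including their "[Uptrack]" section header) are constructed for the demonstration; the only things taken from the advisory are the config path, the key name "autoinstall = yes" and the upgrade command.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory): decide whether a host needs a
# manual "uptrack-upgrade -y" by reading the "autoinstall" key the way the
# advisory describes it. Key lookup is case-insensitive, tolerates whitespace
# around "=", ignores full-line comments, and the last occurrence wins.

# Print the effective value of KEY from the ini-style file CONF.
# Prints nothing (status 0) if the key is absent; status 1 if CONF is unreadable.
uptrack_conf_get() {
    conf="$1"
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -r "$conf" ] || return 1
    tr '[:upper:]' '[:lower:]' < "$conf" \
      | grep -v '^[[:space:]]*[#;]' \
      | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" \
      | tail -n 1
}

# Status 0 when Uptrack will install updates on its own, 1 otherwise.
uptrack_autoinstall_enabled() {
    [ "$(uptrack_conf_get "$1" autoinstall)" = "yes" ]
}

# Print "automatic" or "manual" for the given config file.
uptrack_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo automatic
    else
        echo manual
    fi
}

# Run the upgrade only when autoinstall is off. UPTRACK_UPGRADE (assumed
# override, e.g. "echo") lets you dry-run without the real binary.
uptrack_apply_if_needed() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ "$(uptrack_update_action "$conf")" = manual ]; then
        "${UPTRACK_UPGRADE:-/usr/sbin/uptrack-upgrade}" -y
    else
        echo "autoinstall = yes: Uptrack will install the updates itself"
    fi
}

# Constructed sample configs for a stand-alone run (not real host files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/auto.conf" <<'EOF'
# constructed sample
[Uptrack]
autoinstall = yes
EOF
cat > "$demo_dir/manual.conf" <<'EOF'
[Uptrack]
# autoinstall = yes   (commented out, so this host is still manual)
AutoInstall =   No
EOF
echo "auto.conf:   $(uptrack_update_action "$demo_dir/auto.conf")"
echo "manual.conf: $(uptrack_update_action "$demo_dir/manual.conf")"
UPTRACK_UPGRADE=echo uptrack_apply_if_needed "$demo_dir/manual.conf"
rm -rf "$demo_dir"
```

Running it against the real file is `uptrack_apply_if_needed /etc/uptrack/uptrack.conf` as root; leave UPTRACK_UPGRADE unset so the real /usr/sbin/uptrack-upgrade is invoked.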


DESCRIPTION

* Multiple use-after-free in NVMe subsystem.

Multiple logic errors in the NVMe subsystem could lead to
use-after-frees. A local attacker could use these flaws to cause a
denial-of-service.


* Memory leak when receiving frontend notification in Xen block-device backend driver.

A missing free of resources when receiving a frontend notification in the
Xen block-device backend driver could lead to a memory leak.  A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* NULL pointer dereference when sending ICMP packets with a particular configuration.

A missing check when sending ICMP packets with a particular configuration could
lead to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free in sound sequencer driver when deleting pools.

Missing locking when deleting pools in the sound sequencer driver from
user space could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* Use-after-free when disconnecting USB Wireless device.

A race condition when disconnecting a USB Wireless device while transfers
are on-going could lead to a use-after-free. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* Memory leak when adding a station in mac80211 stack fails.

A logic error when adding a station in the mac80211 stack fails could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* CVE-2019-15902: Bounds-check bypass in sys_ptrace().

An error when backporting the original Spectre v1 fix for ptrace to
stable kernels makes it vulnerable to Spectre v1. A local attacker could
exploit this flaw to gain information about the running system.


* Memory leak when setting IPv6 multicast socket options.

A missing free of resources when setting IPv6 multicast socket
options could lead to a memory leak. A local attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.


* Use-after-free when dropping packets in netpoll.

A logic error when dropping packets in netpoll could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-16714: Information leak in Reliable Datagram Sockets IPv6 message info.

Missing initialization could result in copying stale kernel stack
contents to user-space when copying IPv6 message info for an RDS socket.


* Memory leak when setting up a request in Cavium LiquidIO driver.

A missing free of resources when setting up a request in Cavium LiquidIO
driver could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* Memory leak when creating resources in Mellanox ConnectX HCA driver.

A missing free of resources in error path when creating resources in
Mellanox ConnectX HCA driver could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Use-after-free when setting xattr in Ceph distributed file system.

A logic error when setting xattr in Ceph distributed file system could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* Memory leak when looking up an invalid cell name in Andrew File System driver.

A missing free of resources in error path when looking up an invalid
cell name in Andrew File System driver could lead to a memory leak. A
local attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* CVE-2019-14835: Privilege escalation during live migration of guest.

A failure to check for a guest creating a zero-length queue in the vhost
driver can lead to a buffer overflow in the host kernel.  A guest virtual
machine could use this flaw to crash the host or potentially escalate
privileges when the virtual machine is live migrated.


* Out-of-bounds access in CAPI2.0 driver.

A logic error when writing to CAPI2.0 device could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when removing publication info in TIPC driver.

A logic error when removing publication info in TIPC driver could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service during fsync on btrfs filesystem.

A reference count error during fsync on btrfs filesystem could lead to a
use-after-free or a kernel assert. A local attacker could use this flaw
to cause a denial-of-service.


* Information leak when emulating VMPTRST in KVM.

A missing zeroing of on-stack data on the host side when emulating VMPTRST
in KVM could lead to an information leak. A local attacker from a guest
could use this flaw to leak information about the host and facilitate an
attack.


* Out-of-bounds access during USB device reset.

A logic error during USB device reset could lead to an out-of-bounds
access. A local attacker could use this flaw to cause a
denial-of-service.


* Double free when disconnecting TV Master TM5600/6000/6010 USB device.

A logic error when disconnecting a TV Master TM5600/6000/6010 USB device
while transfers are on-going could lead to a double free. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference in Xen network device error handling.

Incorrect error handling when filling fragments for a Xen network device
could result in a NULL pointer dereference and kernel crash.


* CVE-2019-14821: Denial-of-service in KVM MMIO coalesced writes.

An out-of-bounds access to the coalesced MMIO ring buffer could result
in a kernel crash.  A malicious guest could use this flaw to crash the
hypervisor or potentially escalate privileges.


* Improved fix for Spectre v1: Bounds check bypass in nl80211 CQM RSSI.

A missing use of the indirect call protection macro in the Netlink 802.11
code when updating the cqm rssi parameters could lead to speculative
execution. A local attacker could use this flaw to leak information about
the running system.


* NULL pointer dereference when accessing a revoked key.

A missing check when accessing a revoked key could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access in floppy disk driver.

A logic error when copying data to userspace from floppy disk driver
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Potential NULL dereference in AFS directory read path.

A missing NULL pointer check in the AFS directory read path can lead to a
NULL pointer dereference and subsequent kernel panic.  This flaw could
potentially be exploited to cause a denial-of-service.


* NULL dereference in XFRM while decoding session information.

In certain cases, necessary fields of data structures used in the XFRM
session decode path may not actually be populated when they are assumed
to be.  This can lead to NULL dereferences in both the IPv4 and IPv6
decode paths.  This flaw could potentially be exploited to cause a
denial-of-service.


* Divide-by-zero in USB TMC driver.

A failure to properly sanitize data provided from a connected USB
device can cause the USB TMC driver to attempt to divide by zero, which
will lead to a kernel panic.  A malicious attacker could exploit this
flaw with a specially crafted USB device to cause a denial-of-service.


* Use-after-free in TCMU driver when processing timed out commands.

A logic error in the TCMU driver's handling of timed out iSCSI commands
can lead to a use-after-free.  A remote attacker could potentially
exploit this flaw on a busy system to cause unexpected behavior,
including a potential denial-of-service.


* Memory leak in AMDGPU_CS ioctl handler.

A failure to properly clean up when certain errors occur during the
AMDGPU_CS ioctl leads to a memory leak.  This flaw could be exploited
by a local attacker to waste system resources and degrade performance,
potentially causing a denial-of-service.


* Btrfs hangs during second buffer writeback attempt.

Due to incorrect handling of an error condition, it is possible for
certain lock bits to remain set unexpectedly after a failed attempt to
write back an extent buffer.  A second attempt to write back the failed
data will hang forever waiting for the lock bit to clear.  This flaw
could potentially be exploited by a local attacker to cause a
denial-of-service to the filesystem.


* Use-after-free in MediaTek MT7615E driver when changing beacon frame info.

A logic error in the code responsible for setting beacon frame
information in the MT7615E driver leads to a use-after-free scenario.
This flaw could potentially be exploited to cause a system to exhibit
unexpected behavior.


* Potential use-after-free in BPF Flow Dissector.

Improper RCU protections on certain BPF program structures can lead to
a use-after-free scenario in the Flow Dissector's program-detach path.
This could potentially cause a system to exhibit unexpected behavior,
and may result in a denial-of-service.


* Use-after-free in BPF while freeing JITed program.

A failure to properly order operations to account for concurrent users
of the same BPF program can lead to a use-after-free scenario when
trying to unlink that program.  This could potentially be exploited
to cause a system to exhibit unexpected behavior.


* Out-of-bounds copy from kernel stack to Infiniband driver HW queues.

When preparing for certain RDMA operations, it is possible for the
Infiniband NetXtreme HCA driver to copy past the end of some command
structures which are stored on the stack, causing stack data to be
leaked into the hardware queues.  This flaw could potentially be used
in conjunction with another exploit to cause a system to exhibit
unexpected behavior, or to leak privileged information.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
