From gregory.herrero at oracle.com Tue Apr 28 06:21:56 2020
From: gregory.herrero at oracle.com (Gregory Herrero)
Date: Tue, 28 Apr 2020 15:21:56 +0200
Subject: [Ksplice-Fedora-30-updates] New Ksplice updates for Fedora 30 (FEDORA-2020-fe00e12580)
Message-ID: <202004281322.03SDM5Ys007305@aserv0121.oracle.com>

Synopsis: FEDORA-2020-fe00e12580 can now be patched using Ksplice
CVEs: CVE-2020-2732 CVE-2020-9383

Systems running Fedora 30 can now use Ksplice to patch against the latest
Fedora kernel update, FEDORA-2020-fe00e12580.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 30 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.

  Incorrect handling of emulated instructions and IO bitmaps could allow an
  unprivileged user in a nested KVM guest instance to crash the system or
  potentially escalate privileges.

* Denial-of-service in the Mellanox driver when recovering from error.

  A type confusion in the Mellanox driver when recovering from an error
  could lead to an invalid memory access and a kernel crash. A remote
  attacker could potentially use this flaw to trigger a denial-of-service.

* Denial-of-service in control plane of netfilter.

  Netfilter receives a hash table from userspace; however, validation of
  the hash table size is missing in netfilter, which could cause an
  out-of-memory situation. A local user could use this flaw to cause a
  kernel crash.

* Denial-of-service in Btrfs filesystem when reading a filesystem tree.

  Failure to reset a pointer to NULL in the Btrfs filesystem when reading a
  filesystem tree leads to an invalid memory access through a pointer error
  code. An attacker could use this flaw to cause a denial-of-service through
  a specially crafted filesystem.

* Memory corruption due to snprintf misuse in HD-audio driver.

  A flaw in the HD-audio driver due to misuse of the snprintf return value
  could lead to memory corruption and a kernel crash.

* Denial-of-service in reads of write-only NVMe memory.

  A NULL pointer dereference in the NVMe framework could result in a kernel
  crash when reading from a write-only device. A local, privileged user
  could use this flaw to crash the system.

* Memory corruption when writing to pressure interface.

  Pressure information for each resource in the system is accessible
  through the respective file in /proc/pressure/cpu, memory, and io.
  Issuing a write request with the count parameter set to 0 on any file
  under /proc/pressure/ could result in memory corruption and eventually a
  kernel crash. A local, privileged user could use this flaw.

* Multiple privilege escalations in ioctl handling of Realtek WiFi drivers.

  Multiple cases of incorrect input validation on user-provided lengths in
  various staging Realtek WiFi drivers could lead to an out-of-bounds
  memory write. A local user with the ability to send IOCTLs to those
  drivers could use this flaw to cause a denial-of-service or potentially
  escalate privileges.

* Denial-of-service in System V IPC when releasing a semaphore.

  Incorrect locking in the System V IPC implementation allowed a malicious
  user to crash the kernel. A local, non-privileged user could trigger the
  kernel crash by repeatedly exercising System V IPC semaphore API calls.

* Denial-of-service in tty device initialization.

  A NULL pointer dereference in tty device registration could result in a
  kernel crash when repeatedly performing a certain sequence of tty device
  registration/deregistration. A local, privileged user could use this flaw
  to crash the system.

* Denial-of-service in NVMe driver stack.

  A flaw in the NVMe driver stack allowed a malicious user to waste kernel
  memory, which could result in an out-of-memory situation. A local,
  privileged user could use this flaw to cause the system to become
  unstable or the kernel to crash by repeatedly loading and unloading the
  NVMe driver.

* Denial-of-service in InfiniBand driver.

  A flaw in the InfiniBand driver implementation could result in a kernel
  lockup. A local, privileged user could use this flaw to cause the kernel
  lockup by repeatedly toggling network interfaces.

* Denial-of-service in IOCTLs of i915 DRM driver.

  A memory access violation in the i915 DRM driver could result in a
  general protection fault. A local user with the ability to send IOCTLs to
  the driver could use this flaw to cause a kernel crash.

* Denial-of-service in fallocate of OCFS2 file system.

  A NULL pointer dereference in OCFS2 could result in a kernel crash when
  issuing the fallocate system call on an OCFS2 file system. A local,
  non-privileged user could use this flaw to crash the system.

* Denial-of-service in control plane of VT subsystem.

  A NULL pointer dereference in the VT subsystem could result in a kernel
  crash when issuing an ioctl. A local user could use this flaw to crash
  the system.

* CVE-2020-9383: Information leak in floppy disk driver.

  A flaw in the floppy driver could lead to an out-of-bounds read, causing
  an information leak when assigning the floppy disk controller.

* Use-after-free of PCM runtime in Dynamic Audio Power Management.

  A heap memory double-free can happen in snd_soc_dai_link_event() in
  sound/soc/soc-dapm.c in the Linux kernel. An unprivileged local attacker
  can use this flaw for a privilege escalation or for a system crash and a
  denial of service (DoS).

* Memory leak in control plane of eCryptfs.

  A memory leak in eCryptfs (Enterprise Cryptographic Filesystem) allowed a
  malicious user to waste kernel memory, which could result in an
  out-of-memory situation. A local, unprivileged user could use this flaw
  to exhaust the memory on the system and cause a denial-of-service.

* Memory corruption in stackdepot.

  An out-of-bounds write (memory corruption) in stackdepot (generic stack
  depot for storing stack traces) could cause the system to become unstable
  or the kernel to crash.

* Use-after-free in AMD CPU MCE.

  A use-after-free (the use of heap allocated memory after it has been
  freed) flaw in an error handling path of the AMD CPU MCE (Machine Check
  Exception) implementation could result in a kernel crash.

* Kernel crash in eCryptfs when handling an error.

  A flaw in an error handling path of the eCryptfs (Enterprise-Class
  Stacked Cryptographic Filesystem) implementation could result in a kernel
  crash.

* Denial-of-service in KVM when handling an error.

  Error handling code in KVM (Kernel-based Virtual Machine) uses a variable
  that has not been initialized, leading to unpredictable or unintended
  results including a kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
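As an added illustration of the INSTALLING THE UPDATES section (not part of the advisory or of the Ksplice tooling), the helper below reads the autoinstall setting from /etc/uptrack/uptrack.conf and reports whether a host will receive these updates on its own or whether the manual uptrack-upgrade step is still needed. The config path, key and command come from the advisory; the parsing rules (INI-style lines, '#'/';' comments, case-insensitive key and value) are assumptions.

```shell
#!/bin/sh
# Decide whether a Ksplice Uptrack host still needs a manual
# "/usr/sbin/uptrack-upgrade -y" by reading the autoinstall setting.
# Assumed config syntax: "key = value" lines, '#' or ';' comments.

# Print the effective lowercase value of a key from an INI-style file.
# Last occurrence wins; comments stripped; key matched case-insensitively;
# surrounding whitespace trimmed.  Exit 1 if the file or key is absent.
uptrack_conf_get() {
    file="$1"; key="$2"
    [ -r "$file" ] || return 1
    sed -e 's/[#;].*$//' "$file" \
      | awk -F= -v k="$key" '
          BEGIN { k = tolower(k) }
          NF >= 2 {
              name = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", name)
              if (name == k) {
                  val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                  found = tolower(val)
              }
          }
          END { if (found == "") exit 1; print found }'
}

# Exit 0 when autoinstall is enabled (no manual step required), 1 otherwise.
# A missing file or key is treated as "not enabled", the safe default.
uptrack_autoinstall_enabled() {
    v=$(uptrack_conf_get "${1:-/etc/uptrack/uptrack.conf}" autoinstall) || return 1
    [ "$v" = "yes" ]
}

# Print the action an operator should take on this host.
uptrack_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates apply automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}
```

Run uptrack_action with no argument on a live host to read the real config; pass a path to inspect a copy collected from another system.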