[Ksplice-Fedora-30-updates] New Ksplice updates for Fedora 30 (FEDORA-2020-fe00e12580)

Gregory Herrero gregory.herrero at oracle.com
Tue Apr 28 06:21:56 PDT 2020


Synopsis: FEDORA-2020-fe00e12580 can now be patched using Ksplice
CVEs: CVE-2020-2732 CVE-2020-9383

Systems running Fedora 30 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2020-fe00e12580.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 30
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.

Incorrect handling of emulated instructions and I/O bitmaps could allow
an unprivileged user in a nested KVM guest instance to crash the system
or potentially escalate privileges.


* Denial-of-service in the Mellanox driver when recovering from an error.

A type confusion in the Mellanox driver when recovering from an error
could lead to an invalid memory access and a kernel crash.  A remote
attacker could potentially use this flaw to trigger a denial-of-service.


* Denial-of-service in control plane of netfilter.

Netfilter receives a hash table from userspace, but the size of that
table is not validated, which could cause an out-of-memory situation.
A local user could use this flaw to cause a kernel crash.


* Denial-of-service in Btrfs filesystem when reading a filesystem tree.

Failure to reset a pointer to NULL in the Btrfs filesystem when reading
a filesystem tree leaves it holding an encoded error code rather than a
valid address, so a later dereference of that pointer is an invalid
memory access.  An attacker could use this flaw to cause a
denial-of-service through a specially crafted filesystem.
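
To make this failure mode concrete, here is an added example (not Btrfs,
kernel or Ksplice code) using userspace copies of the kernel's
ERR_PTR()/IS_ERR()/PTR_ERR() helpers, which encode an errno inside a
pointer value: a caller that stores the result of a failing read into a
struct field and returns the error but never resets the field, next to a
fixed caller that sets it back to NULL, and a check showing which one
would later dereference a poisoned, non-NULL pointer. The struct names,
the field name and the read function are constructed for the demo.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace copies of the kernel's pointer-encoded error helpers: a failure
 * is returned as a pointer whose value is a small negative number, e.g.
 * (void *)-12 for -ENOMEM. Such a pointer is non-NULL but must never be
 * dereferenced. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* Constructed types standing in for a filesystem tree root and its owner. */
struct tree_root { int objectid; int level; };
struct fs_info { struct tree_root *quota_root; };

/* Stand-in for reading a tree from disk: fails for a negative (bad) id. */
static struct tree_root *read_tree_root(int objectid)
{
    struct tree_root *root;

    if (objectid < 0)
        return ERR_PTR(-EIO);
    root = calloc(1, sizeof *root);
    if (!root)
        return ERR_PTR(-ENOMEM);
    root->objectid = objectid;
    return root;
}

/* Buggy caller: detects the error and returns it, but leaves the ERR_PTR
 * value in fs->quota_root. Any later path that only tests
 * "if (fs->quota_root)" will dereference (void *)-5. */
static int load_quota_root_buggy(struct fs_info *fs, int objectid)
{
    fs->quota_root = read_tree_root(objectid);
    if (IS_ERR(fs->quota_root))
        return (int)PTR_ERR(fs->quota_root); /* field still holds the error */
    return 0;
}

/* Fixed caller: the error is returned and the field is reset to NULL, so a
 * NULL check in later code is sufficient. */
static int load_quota_root_fixed(struct fs_info *fs, int objectid)
{
    struct tree_root *root = read_tree_root(objectid);

    if (IS_ERR(root)) {
        fs->quota_root = NULL;
        return (int)PTR_ERR(root);
    }
    fs->quota_root = root;
    return 0;
}

/* What a later cleanup or lookup path sees: 1 if it would dereference a
 * poisoned pointer (non-NULL but IS_ERR), 0 if the pointer is NULL or valid. */
static int would_deref_error_pointer(const struct fs_info *fs)
{
    return fs->quota_root != NULL && IS_ERR(fs->quota_root);
}

/* Runs one of the two callers and reports whether the struct was left
 * holding an error pointer. */
static int left_holding_error_pointer(int use_fixed, int objectid)
{
    struct fs_info fs = { NULL };
    int ret = use_fixed ? load_quota_root_fixed(&fs, objectid)
                        : load_quota_root_buggy(&fs, objectid);
    int poisoned = would_deref_error_pointer(&fs);

    if (ret == 0 && fs.quota_root)
        free(fs.quota_root);
    return poisoned;
}

int main(void)
{
    printf("buggy caller, failing read: poisoned=%d\n", left_holding_error_pointer(0, -1));
    printf("fixed caller, failing read: poisoned=%d\n", left_holding_error_pointer(1, -1));
    printf("fixed caller, good read:    poisoned=%d\n", left_holding_error_pointer(1, 7));
    return 0;
}
```

The check in would_deref_error_pointer() is the one that real code
usually lacks: the whole point of the NULL reset is that downstream code
can keep testing for NULL alone.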


* Memory corruption due to snprintf misuse in HD-audio driver.

The HD-audio driver misused the return value of snprintf (the length the
output would have had, not the number of bytes actually written), which
could lead to memory corruption and a kernel crash.
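
As an added illustration (not code from the advisory, the HD-audio driver
or the kernel), the userspace program below reproduces the pattern behind
this class of bug: a loop that appends into a fixed buffer and advances
its offset by snprintf's return value, beside the same loop using a
scnprintf-style helper that returns the bytes actually stored. The
buffer size, the item names and the helper name are constructed for the
demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Output buffer for the demo, sized small so truncation happens quickly.
 * Constructed sample input: four pin names appended as a comma list. */
#define BUF_SIZE 16
static char g_buf[BUF_SIZE];
static const char *g_items[] = { "hdmi0", "hdmi1", "hdmi2", "hdmi3" };
#define N_ITEMS (sizeof(g_items) / sizeof(g_items[0]))

/* Userspace stand-in for the kernel's scnprintf(): like snprintf(), but the
 * return value is the number of bytes actually stored (excluding the NUL),
 * so it can never exceed size - 1. */
static int my_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list args;
    int n;

    if (size == 0)
        return 0;
    va_start(args, fmt);
    n = vsnprintf(buf, size, fmt, args);
    va_end(args);
    if (n < 0)
        return 0;
    return (size_t)n < size ? n : (int)(size - 1);
}

/* Buggy pattern: 'pos' is advanced by snprintf()'s return value, which is
 * the length the output WOULD have had. Once the buffer fills, pos runs past
 * BUF_SIZE and 'BUF_SIZE - pos' wraps to a huge size_t, so the next call
 * writes far beyond the buffer. To keep the demo memory-safe the function
 * returns -1 at the point where real code would have written out of bounds;
 * otherwise it returns the final offset. */
static long unsafe_demo(void)
{
    size_t pos = 0;

    memset(g_buf, 0, sizeof g_buf);
    for (size_t i = 0; i < N_ITEMS; i++) {
        if (pos > BUF_SIZE)           /* real code has no such guard */
            return -1;                /* BUF_SIZE - pos just underflowed */
        pos += snprintf(g_buf + pos, BUF_SIZE - pos, "%s,", g_items[i]);
    }
    return (long)pos;
}

/* Fixed pattern: the scnprintf-style helper keeps pos <= BUF_SIZE - 1, so
 * the remaining length never underflows and output is truncated instead. */
static long safe_demo(void)
{
    size_t pos = 0;

    memset(g_buf, 0, sizeof g_buf);
    for (size_t i = 0; i < N_ITEMS; i++)
        pos += my_scnprintf(g_buf + pos, BUF_SIZE - pos, "%s,", g_items[i]);
    return (long)pos;
}

int main(void)
{
    printf("safe:   pos=%ld buf=\"%s\"\n", safe_demo(), g_buf);
    printf("unsafe: pos=%ld (-1 = out-of-bounds write averted)\n", unsafe_demo());
    return 0;
}
```

With a 16-byte buffer the third item already pushes the snprintf-based
offset to 18, so the fourth iteration would compute a remaining length of
SIZE_MAX - 1; the scnprintf-based loop stops at offset 15 with the buffer
still NUL-terminated.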


* Denial-of-service in reads of write-only NVMe memory.

A NULL pointer dereference in the NVMe framework could result in a kernel
crash when reading from a write-only device.  A local, privileged user
could use this flaw to crash the system.


* Memory corruption when writing to pressure interface.

Pressure information for each resource in the system is exposed through
the files /proc/pressure/cpu, /proc/pressure/memory and /proc/pressure/io.
Issuing a write request with the count parameter set to 0 on any file
under /proc/pressure/ could result in memory corruption and eventually a
kernel crash. A local, privileged user could use this flaw.


* Multiple privilege escalations in ioctl handling of Realtek WiFi drivers.

Several instances of incorrect validation of user-provided lengths in
various staging Realtek WiFi drivers could lead to out-of-bounds memory
writes. A local user with the ability to send IOCTLs to those drivers
could use this flaw to cause a denial-of-service or potentially escalate
privileges.


* Denial-of-service in System V IPC when releasing a semaphore.

Incorrect locking in the System V IPC implementation allowed a malicious
user to crash the kernel. A local, non-privileged user could trigger the
crash by repeatedly exercising System V IPC semaphore API calls.


* Denial-of-service in tty device initialization.

A NULL pointer dereference in tty device registration could result in
a kernel crash when repeatedly performing a certain sequence of tty
device registration/deregistration. A local, privileged user could use
this flaw to crash the system.


* Denial-of-service in NVMe driver stack.

A flaw in the NVMe driver stack allowed a malicious user to waste kernel
memory, which could result in an out-of-memory situation. A local,
privileged user could use this flaw to make the system unstable or crash
the kernel by repeatedly loading and unloading the NVMe driver.


* Denial-of-service in InfiniBand driver.

A flaw in the InfiniBand driver implementation could result in a kernel
lockup. A local, privileged user could use this flaw to cause the kernel
lockup by repeatedly toggling network interfaces.


* Denial-of-service in IOCTLs of i915 DRM driver.

A memory access violation in the i915 DRM driver could result in
a general protection fault. A local user with the ability to send
IOCTLs to the driver could use this flaw to cause a kernel crash.


* Denial-of-service in fallocate of OCFS2 file system.

A NULL pointer dereference in the OCFS2 file system could result in a
kernel crash when issuing the fallocate system call on an OCFS2 file
system.  A local, non-privileged user could use this flaw to crash the
system.


* Denial-of-service in control plane of VT subsystem.

A NULL pointer dereference in the VT subsystem could result in a kernel
crash when issuing an ioctl. A local user could use this flaw to crash
the system.


* CVE-2020-9383: Information leak in floppy disk driver.

A flaw in the floppy driver could lead to an out-of-bounds read, and thus
an information leak, when assigning the floppy disk controller.


* Use-after-free of PCM runtime in Dynamic Audio Power Management.

A heap double-free can occur in snd_soc_dai_link_event() in
sound/soc/soc-dapm.c in the Linux kernel. An unprivileged local attacker
could use this flaw to escalate privileges or to crash the system,
causing a denial-of-service (DoS).


* Memory leak in control plane of eCryptfs.

A memory leak in eCryptfs (Enterprise Cryptographic Filesystem) allowed
a malicious user to waste kernel memory, which could result in an
out-of-memory situation. A local, unprivileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Memory corruption in stackdepot.

An out-of-bounds write (memory corruption) in stackdepot (the generic
stack depot for storing stack traces) could cause the system to become
unstable or the kernel to crash.


* Use-after-free in AMD CPU MCE.

A use-after-free (use of heap-allocated memory after it has been freed)
in an error handling path of the AMD CPU MCE (Machine Check Exception)
implementation could result in a kernel crash.


* Kernel crash in eCryptfs when handling an error.

A flaw in an error handling path of the eCryptfs (Enterprise Cryptographic
Filesystem) implementation could result in a kernel crash.


* Denial-of-service in KVM when handling an error.

Error handling code in KVM (Kernel-based Virtual Machine) uses a variable
that has not been initialized, leading to unpredictable or unintended
results, including a kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.