[Ksplice-Fedora-30-updates] New Ksplice updates for Fedora 30 (FEDORA-2020-c2d89d14d0)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Feb 13 18:08:56 PST 2020


Synopsis: FEDORA-2020-c2d89d14d0 can now be patched using Ksplice
CVEs: CVE-2019-14615

Systems running Fedora 30 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2020-c2d89d14d0.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 30
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Memory corruption in BTRFS when cloning file range.

When cloning a sparse file range in BTRFS, if said range ends with a
file hole, the internal structure representing the range's layout is
generated incorrectly and is invalid, resulting in corruption of both
the on-disk structure and potentially system memory.


* Memory leak when setting ioctl options on ethernet devices.

Failure to properly initialize a structure when setting ioctl options on
ethernet devices (Marvell octeontx2, possibly others) could result in
the buffer structure being leaked. A malicious user able to change
network settings might be able to exploit this to cause a
denial-of-service.


* Soft lockup when iterating filesystem inodes causes denial-of-service.

Several base filesystem iterators fail to properly yield to the
scheduler when iterating inodes. A malicious user or crafted filesystem
image might be able to exploit this to deny the system of CPU resources,
resulting in a denial-of-service.


* Deadlock in io_uring when submitting data.

When calling io_uring_enter with less actual data in the 'to_submit'
field than is present in the ring buffer, the syscall can become stuck
waiting for more data to become available. A malicious user with access
to the io_uring interface might be able to exploit this to create a
denial-of-service.


* Memory leak when failing to write to generic block device.

Failing to write data to a block device might result in the leak of
associated iovec structure. A malicious user with write access to a
block device could exploit this to starve the system of resources.


* Use-after-free when broadcasting ethernet header on vlan.

The generic handling of ethernet headers when broadcasting makes
assumptions about the lifetime of some vlan objects that may not hold
for certain ethernet devices. When using these devices, a local user
might be able to trigger a denial-of-service by repeated broadcast.


* Denial-of-service when connecting USB device with duplicate endpoints.

Connecting a USB device with an invalid configuration containing
duplicate endpoint addresses could cause those addresses to be written
to mistakenly. A malicious device might exploit this to cause memory
corruption or a denial-of-service.


* Use-after-free when failing to open file on character device.

A mishandled error case when opening a file on a generic character
device might result in a write to an invalid pointer, potentially
resulting in memory corruption or a denial-of-service.


* Out-of-bounds read in USB HID report descriptor size.

The size field for USB HID (human interface device) report descriptors
is not correctly checked against the maximum possible total buffer size,
allowing a report field to extend past the total length of the buffer. A
malicious device might be able to exploit this to leak kernel
information or cause a denial-of-service.


* USB keyboard device with invalid keycodes causes out-of-bounds write.

The USB HID input driver looks up keys in an array-indexed table. A
malicious device with invalid keycodes could therefore trigger an
out-of-bounds write, potentially causing memory corruption or a
denial-of-service.
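The two device-controlled values described in the previous two items (a report descriptor field size and a keycode used as a table index), shown with the range checks a driver should apply before using them. This is an added example, not kernel or Ksplice code; the keycode table, the item layout and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration, not the kernel's HID code: two checks on values
 * that arrive from the USB device itself and therefore cannot be trusted. */

/* Report descriptor size check. The item's offset and size come from the
 * device; both are validated against the real buffer length, and the
 * subtraction form avoids the wrap-around that offset + size could hit. */
static int hid_item_in_bounds(size_t offset, size_t size, size_t total_len)
{
    if (offset > total_len)
        return 0;
    return size <= total_len - offset;
}

/* Toy keycode table indexed by the device-supplied usage code. The flaw in
 * the advisory is indexing this kind of table with an unchecked code. */
#define KEYCODE_MAX 8
static uint16_t keycode_table[KEYCODE_MAX] = { 0, 30, 48, 46, 32, 18, 33, 34 };

/* Read side: returns the mapped keycode, or -1 for a code outside the table
 * (the unchecked form would read keycode_table[code] directly). */
static int hid_keycode_lookup(unsigned int code)
{
    if (code >= KEYCODE_MAX)
        return -1;
    return keycode_table[code];
}

/* Write side, the case the advisory describes: same range check before the
 * store, so a bogus code cannot write past the end of the table. */
static int hid_keycode_set(unsigned int code, uint16_t value)
{
    if (code >= KEYCODE_MAX)
        return -1;
    keycode_table[code] = value;
    return 0;
}

int main(void)
{
    /* Constructed descriptor values: one item that fits, one that overruns. */
    printf("item at 4, size 4, in 8 bytes: %d\n", hid_item_in_bounds(4, 4, 8));
    printf("item at 4, size 5, in 8 bytes: %d\n", hid_item_in_bounds(4, 5, 8));
    printf("keycode 3 -> %d, keycode 99 -> %d\n",
           hid_keycode_lookup(3), hid_keycode_lookup(99));
    return 0;
}
```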


* Race condition in Cadence USB3 DRD driver causes denial-of-service.

A race condition in the Cadence USB3 Dual Role Device Controller could
result in a NULL-pointer dereference when handling hardware interrupts
from the device, resulting in a kernel crash and denial-of-service.


* Uninitialized structures in netfilter ARP tables causes NULL-pointer dereference.

An uninitialized network namespace pointer in the netfilter arptables
could result in a NULL-pointer dereference if a user sets a rule via
setsockopt() for the ARP or UNPSEC protocols. A user with the
CAP_NET_ADMIN permission could exploit this to cause a
denial-of-service.


* NULL-pointer dereference when handling netfilter ipset with ATTR_LINENO.

If a netfilter ipset has the attribute IPSET_ATTR_LINENO, calling the
IPSET_CMD_TEST command on it from userspace will result in a
NULL-pointer dereference and denial-of-service. A malicious user with
the CAP_NET_ADMIN permission could exploit this to cause a
denial-of-service.


* Out-of-bounds read in BPF filter when sending packet.

When running Berkeley Packet Filter programs on outgoing packets, the
possibility exists for the BPF wrapper to access memory out of bounds.
A malicious BPF program might be able to exploit this behavior to cause
a kernel crash and denial-of-service.


* Denial-of-service due to missing synchronization in netfilter teardown.

When exiting a netfilter network namespace, missing synchronization
could cause teardown to occur in an unexpected order, resulting in a
kernel crash and denial-of-service.


* Race condition when accessing voltage regulator causes denial-of-service.

Incorrect synchronization when accessing voltage regulator devices could
result in a use-after-free, possibly corrupting memory. Accessing
regulator devices in this way could therefore cause a denial-of-service.


* Use-after-free when failing to initialize voltage regulator device.

When initializing a voltage regulator device, several error paths are
not correctly unwound, potentially resulting in a race condition that
might corrupt the device structure, resulting in a denial-of-service.


* NULL-pointer dereference when accessing generic reset controller.

When accessing devices that use the generic RESET_CONTROLLER interface
(SoCs, GPIO), some error conditions might generate a NULL pointer rather
than an error value. This NULL value could then be dereferenced,
resulting in a denial-of-service.


* Kernel crash when ASoC PCM and DAI devices share name.

If an ALSA System-on-Chip PCM and DAI device have identical names, an
error condition could be triggered that might cause an invalid pointer
to be added to the device list. Accessing this list would then result
in a kernel crash and denial-of-service.


* Double-free when switching network namespaces with WiFi device.

Switching network namespaces while using a WiFi (IEEE 802.11) device
could cause a field in the device structure to remain pointing into
freed memory, which could then be freed a second time. A malicious user
able to alter network namespaces might use this to cause a
denial-of-service.


* NULL dereference when connecting wireless device with RF switching support.

When connecting a wireless device that supports RF switching, the
generic RF switch subsystem does not properly validate that the driver
has correctly constructed its device structure. Accessing a device with
a flawed driver might therefore cause a NULL dereference and
denial-of-service.


* Information leak in perf events sysfs reporting.

Improper bounds checking when reporting perf events via sysfs might
result in the accidental exposure of kernel addresses if the requested
device attribute were out of range.


* Divide-by-zero in scheduler when creating cgroups on systems with high uptime.

On systems with extremely high uptime, creating a cgroup might result
in the system scheduler seeing a value of zero for the cgroup's
lifetime. Attempting to compute the average load for this cgroup would
then result in a divide-by-zero crash, and denial-of-service.


* Race condition when configuring ethernet drivers may cause corruption.

When configuring i40e and ixgbe ethernet devices, improper
synchronization could result in memory corruption and a potential
denial-of-service.


* Memory leak when transmitting data on LAN78XX USB ethernet device.

When transmitting data over a Microchip LAN78XX USB ethernet adapter,
unexpected errors could result in the underlying packet buffer being
leaked, eventually resulting in performance degradation or a
denial-of-service.


* Divide-by-zero in CAKE scheduling algorithm during load.

The Common Applications Kept Enhanced (CAKE) kernel scheduling
discipline incorrectly uses 32-bit division on a 64-bit interval when
running. This might result in a 32-bit overflow and divide-by-zero if
the scheduling interval were sufficiently long.
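The narrowing the item above describes, as an added example that is not the sch_cake source or Ksplice's code: a 64-bit nanosecond interval divided with a 32-bit divisor, beside the 64-bit form that keeps the full value. The function names, the NSEC_PER_SEC constant and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not the sch_cake source: a flow interval kept
 * in 64-bit nanoseconds is narrowed to 32 bits before the rate division. */
typedef uint32_t u32;
typedef uint64_t u64;

#define NSEC_PER_SEC 1000000000ULL

/* Weak form. The cast is the bug: the divisor is only the low 32 bits of
 * the interval, so any exact multiple of 2^32 ns (about 4.29 s) becomes 0,
 * and anything slightly above such a multiple becomes a tiny divisor that
 * yields a wildly inflated rate. Instead of faulting, a zero divisor is
 * reported through *ok (if non-NULL) and 0 is returned. Bytes per second. */
static u64 rate_narrowed(u64 bytes, u64 interval_ns, int *ok)
{
    u32 divisor = (u32)interval_ns;
    if (ok)
        *ok = divisor != 0;
    return divisor ? (bytes * NSEC_PER_SEC) / divisor : 0;
}

/* Hardened form: divide in 64 bits (the kernel helper for this is
 * div64_u64()) and reject a genuinely zero interval up front. */
static u64 rate_64(u64 bytes, u64 interval_ns, int *ok)
{
    if (ok)
        *ok = interval_ns != 0;
    return interval_ns ? (bytes * NSEC_PER_SEC) / interval_ns : 0;
}

int main(void)
{
    u64 interval = 1ULL << 32;   /* 4,294,967,296 ns: long but valid */
    int ok;
    u64 r = rate_narrowed(1000000, interval, &ok);
    printf("narrowed: ok=%d rate=%llu B/s\n", ok, (unsigned long long)r);
    r = rate_64(1000000, interval, &ok);
    printf("64-bit:   ok=%d rate=%llu B/s\n", ok, (unsigned long long)r);
    r = rate_narrowed(1000000, interval + 1000, &ok);
    printf("narrowed, interval + 1000 ns: ok=%d rate=%llu B/s\n",
           ok, (unsigned long long)r);
    return 0;
}
```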


* Memory leak when replying to SCTP command encounters error.

When generating a reply to a Stream Control Transmission Protocol
command packet, an unexpected error might result in the leak of the
command's associated memory chunk structure. A malicious client might be
able to exploit this by starving the system of memory, causing
performance degradation or a denial-of-service.


* Memory leak when creating netlink socket on VLAN ethernet fails.

A mishandled error condition when creating a netlink socket for a
VLAN ethernet device could result in the leak of the VLAN device
structure.


* Use-after-free when probing Atmel MACB ethernet controller.

Unexpected errors when connecting an Atmel MACB ethernet device could
result in the device's driver freeing system clock structures it did not
allocate. This could result in memory corruption or a kernel crash and
denial-of-service.


* NULL-pointer dereference when hotplugging CPU with Intel RAPL support.

When hotplugging a cpu that supports Intel Running Average Power Limit
functionality, unexpected hardware values provided by the chip might
result in a NULL-pointer dereference and denial-of-service.


* Information leak when transmitting CAN packet.

When generating a Controller Area Network packet for transmission
through a virtual CAN bus, uninitialized data might be inadvertently
included in an unused area of the CAN packet's buffer and transmitted
over the virtual network.


* NULL-pointer dereference when using netfilter with DCCP and SCTP protocols.

When using the netfilter conntrack interface, the netfilter
implementation for the DCCP and SCTP protocols does not properly
validate input. In particular, a NULL timeout pointer will still be
dereferenced, resulting in a kernel crash and denial-of-service.


* CVE-2019-14615: Information leak in Intel i915 generation 9 devices.

Missing pipeline flushing when switching i915 contexts could lead to
information leaks between unrelated GPU contexts. A malicious user
could potentially use this to obtain sensitive information.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
