[Ksplice-Fedora-30-updates] New Ksplice updates for Fedora 30 (FEDORA-2020-a010fc93bd)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jan 23 15:08:53 PST 2020


Synopsis: FEDORA-2020-a010fc93bd can now be patched using Ksplice
CVEs: CVE-2019-19965

Systems running Fedora 30 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2020-a010fc93bd.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 30
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
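
Added example (not part of the Oracle advisory or of Ksplice's own tooling): a
shell check for whether a host falls under the autoinstall case above or needs
the manual command. The function names and the parsing rules (comment lines
skipped, whitespace around "=" ignored, last assignment wins) are assumptions.

```shell
#!/bin/sh
# Only the "autoinstall = yes" setting, the config path and the upgrade
# command come from the advisory; the rest is assumed for illustration.

# Print the effective autoinstall state for the config file in $1:
#   yes   - the file sets autoinstall to exactly "yes"
#   no    - the key is present with any other value
#   unset - the key is absent, empty, or the file is unreadable
uptrack_autoinstall() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key)        # ignore whitespace around "="
            gsub(/[ \t\r]/, "", val)
            if (key == "autoinstall") found = val   # last assignment wins
        }
        END {
            if (found == "yes")   print "yes"
            else if (found == "") print "unset"
            else                  print "no"
        }
    ' "$1"
}

# Print what the operator has to do on this host. Anything other than an
# explicit "yes" is reported as manual, so a typo never hides a missed patch.
uptrack_action() {
    case "$(uptrack_autoinstall "$1")" in
        yes) echo "automatic" ;;
        *)   echo "manual: run /usr/sbin/uptrack-upgrade -y as root" ;;
    esac
}

# Constructed sample config (not from a real host) so the check runs offline.
sample=$(mktemp)
printf '%s\n' '[Settings]' '# autoinstall = yes' 'autoinstall = no' > "$sample"
uptrack_action "$sample"
rm -f "$sample"
```

On a real host, pass /etc/uptrack/uptrack.conf as the argument.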


DESCRIPTION

* Kernel crash in MPT3SAS when HBA doesn't support NVMe protocol.

If a faulty application issues NVMe Encapsulated commands to an HBA that
doesn't support the NVMe protocol, a kernel crash might happen due to missing
error handling.


* Deadlock in fibre channel driver when aborting transaction.

When a transaction on a fibre channel connection is interrupted,
improper locking could result in a deadlock when attempting to handle
the error condition.


* Use-after-free of reservation when target mode iSCSI session is closed.

When connected to an iSCSI initiator that has requested persistent
reservations, the associated reservations are not properly destroyed
when the session is closed. These dangling reservations can then be
read, resulting in a use-after-free.


* NULL-pointer dereference when failing to bind socket for iSCSI connection.

The iSCSI initiator mode handler does not properly check that the
sockets it creates are correctly bound before use. An error in this path
could result in a NULL-pointer dereference and denial-of-service.


* Permissions bypass when using EVENT_FORK with userfaultfd.

The userfault feature UFFD_EVENT_FORK might be exploitable to read file
descriptors with elevated privileges, and should therefore be restricted
to users with CAP_SYS_PTRACE.


* Out-of-bounds read in netfilter ebtables validation.

When parsing netfilter ebtables entries, structure padding is not
properly computed, potentially allowing an entry to trigger an
out-of-bounds read.


* Use-after-free when failing to create iclog when mounting XFS image.

When mounting an XFS image, a failure to create the in-core log
structure could result in a use-after-free and kernel crash. A malicious
image might be able to exploit this issue to create a denial-of-service
if mounted.


* Missing configuration validation for GTP-U causes denial-of-service.

The hashtable size parameter for the GPRS Tunneling Protocol driver is
not properly checked. Setting the IFLA_GTP_PDP_HASHSIZE attribute to
zero could result in a kernel panic and denial-of-service.


* Sending TCP packet with empty skb might cause denial-of-service.

A race condition when sending TCP packets might cause sendmsg() to
dispatch a packet backed by an empty kernel memory buffer, resulting
in a kernel crash and denial-of-service.


* CVE-2019-19965: NULL-pointer dereference when discovering SCSI ports.

A flaw in the libsas library used by SCSI devices could trigger a race
condition, resulting in a NULL-pointer dereference and
denial-of-service when a SCSI device was added.


* Deadlock in iSCSI if socket is never read.

If an iSCSI socket connection is created but the receive side is never
read, the system might deadlock while attempting to send the reply.


* NULL-pointer dereference when binding InfiniBand QP for RDMA in auto mode.

When performing RDMA over InfiniBand, the kernel erroneously attempts to
handle accounting for certain queue pairs which are only tracked in
userspace, resulting in a NULL-pointer dereference and
denial-of-service.


* Race condition in tcp_recvmsg causes memory corruption.

Invalid synchronization in the kernel tcp_recvmsg implementation could
result in corruption of the socket memory, leading to socket
misbehavior or a denial-of-service.


* Infinite loop when writing to preallocated extent on btrfs.

Two simultaneous writes to the same preallocated btrfs extent could race
with each other, causing an infinite livelock and flooding of the system
log.


* Race condition in SunRPC auth cache causes NULL-pointer dereference.

A race condition exists in the SunRPC generic auth cache implementation
that could result in an uninitialized cache entry being loaded. This
invalid entry might then be dereferenced, resulting in a kernel crash
and denial-of-service.


* Livelock in BPF verification with unknown scalars.

When verifying a BPF program with unknown scalar values, incorrect
verification logic could cause the verifier to fall into an infinite
loop, starving the system of resources. Loading a maliciously crafted
BPF program could trigger this behavior.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




