[Ksplice-Fedora-30-updates] New Ksplice updates for Fedora 30 (5.4.14-100.fc30)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Mar 10 10:48:25 PDT 2020


Synopsis: 5.4.14-100.fc30 can now be patched using Ksplice

Systems running Fedora 30 can now use Ksplice to patch against the
latest Fedora kernel update, 5.4.14-100.fc30.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 30
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
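
To tell which of the two install paths above applies on a given host, the following is an added example (not part of Oracle's announcement or of Uptrack itself). The function names are hypothetical, only the literal value "yes" quoted above is treated as enabled, and section headers in the file are ignored.

```shell
#!/bin/sh
# Added example: report whether Ksplice Uptrack will autoinstall updates,
# based on the "autoinstall = yes" setting in /etc/uptrack/uptrack.conf.

# uptrack_autoinstall [FILE]
# Prints yes, no or unreadable. Returns 0 (enabled), 1 (not enabled),
# 2 (config file cannot be read).
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo unreadable; return 2; }
    # Keep only uncommented "autoinstall = VALUE" lines and strip any
    # trailing comment. Assumption: if the key appears more than once,
    # the last occurrence is the one that counts.
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*$/\1/p' "$conf" | tail -n 1)
    # Assumption: only the literal "yes" enables autoinstall.
    if [ "$val" = "yes" ]; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# uptrack_next_step [FILE]
# Prints the action the announcement calls for; never runs the upgrade itself.
uptrack_next_step() {
    file=${1:-/etc/uptrack/uptrack.conf}
    state=$(uptrack_autoinstall "$file") || true
    case "$state" in
        yes)
            echo "autoinstall enabled: updates install automatically, no action needed"
            ;;
        no)
            echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y as root"
            ;;
        *)
            echo "cannot read $file: check the Uptrack configuration manually"
            return 2
            ;;
    esac
}
```

Source the file and call uptrack_next_step with no argument to check the default configuration path.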


DESCRIPTION

* NULL pointer dereference on Broadcom NetXtreme RDMA memory deregistration.

The Broadcom driver code was incorrectly freeing MR resources in the case
of a memory deregistration failure, causing a NULL pointer dereference when
the deregistration is retried.


* Denial-of-service in Broadcom NetXtreme RDMA retransmission.

A logic error in the Broadcom NetXtreme code could lead to memory
corruption during retransmission.  This could be exploited to cause a
denial-of-service.


* Use-after-free in Cgroup BPF release.

A logic error associated with cgroup auto-detachment could lead to a
use-after-free condition.


* Denial-of-service in RDMA HNS RoCE setting of send queue size.

A failure to properly check user input on setting sq size in the HNS
code could lead to an invalid number and undefined behavior.  This
could potentially be exploited to cause a denial-of-service.


* Denial-of-service in RDMA HNS RoCE when destroying a queue pair.

A failure to properly release all resources with a queue pair could result
in a memory leak.  This could be exploited to cause a denial-of-service.


* Memory corruption during NFS RDMA memory registration creation.

A logic error in the RDMA code could lead to memory corruption.  This could
be exploited for a denial-of-service attack.


* NULL pointer dereference with stream parser socket state write.

A bad assumption in the stream parser code could lead to a NULL pointer
dereference.


* Double free with SCSI LSI MPT Fusion SAS attach error.

A failure to properly deal with errors during device attachment could cause
a double free and possible memory corruption.


* Kernel oops in NFS client ID crypto initialization.

Improper error handling in the NFS code could lead to a kernel oops.  This
could be used for a denial-of-service attack.


* Denial-of-service with clk unregister.

An error in the clk driver causes memory allocated when registering a clk to
not be freed, leading to a memory leak.  This could be used for a denial-of-
service.


* NULL pointer dereference in NFSD during copy offload.

A failure to properly handle an error case could lead to a NULL pointer
dereference in NFSD, leading to possible kernel panic or memory corruption.


* NULL pointer dereference during Chelsio T3 and T4 ISCSI device destroy.

Improper error handling could lead to a NULL pointer dereference in the
driver code, potentially causing kernel panic or memory corruption.


* Denial-of-service when reading from ALSA sequencer procfs.

A race condition when reading the ALSA sequencer timer through the procfs
interface could cause a use-after-free error. An attacker could exploit
this bug to cause a denial-of-service.


* Memory corruption in ALSA Firewire Tascam during soft IRQ.

A logic error with locking in the Tascam code could lead to memory
corruption during a soft IRQ.


* Denial-of-service in Edgeport USB serial driver callbacks.

Synchronization and sanitization bugs in the Edgeport USB serial
driver interrupt and completion callback path lead to multiple NULL
pointer dereferences and deadlocks. An attacker could exploit these to
cause a denial-of-service.


* Denial-of-service when configuring keyspan USB serial device.

Missing error handling during control request completion in the keyspan
USB serial driver could cause a NULL pointer dereference. An attacker
could exploit this flaw to cause a denial-of-service.


* Denial-of-service when querying quatech2 USB serial device.

Missing error handling in the quatech2 USB serial driver could cause a
NULL pointer dereference when querying line or modem status. An attacker
could exploit this to cause a denial-of-service.


* Kernel crash in RW semaphore when waiting writer starts spinning on owner.

A logic error in the RW semaphore code could incorrectly allow a semaphore
with RWSEM_OWNER_UNKNOWN to have a waiting writer spin on the owner, causing
a kernel crash.


* Memory leak in btrfs qgroup accounting.

A logic error in the btrfs qgroup accounting error path could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Denial-of-service when writing back dirty pages to reclaim memory.

A division-by-zero error in the memory management subsystem when
determining whether to write back dirty pages to disk could cause a
kernel panic. This could inadvertently lead to a denial-of-service.


* Denial-of-service when releasing ipset.

A use-after-free bug when releasing an ipset in the netfilter subsystem
could cause a kernel crash and eventual denial-of-service, or possibly
allow an attacker to escalate privileges.


* NULL pointer dereference in ARP tables driver.

A missing structure initialization in the ARP tables driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service in the broadcast path of macvlan driver.

Incorrect memory access when receiving a broadcast packet in the macvlan
subsystem could cause a kernel crash. An attacker could exploit this to
cause a denial-of-service.


* Use-after-free when releasing clocks in PTP clock driver.

A logic error when releasing clocks in the PTP clock driver could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* Denial-of-service when initializing Realtek rtl8152 driver.

An out-of-bounds memory access when loading the rtl8152 driver leads to a
NULL pointer dereference. An attacker could exploit this flaw to cause a
denial-of-service.


* Kernel panic in memory hotplug during removal.

A logic error in the memory hotplug code could lead to an invalid memory
free during removal, leading to a kernel panic.


* Out-of-bounds memory access in BPF socket access.

An invalid bounds check in the BPF code could lead to a buffer overrun access,
causing potential memory corruption or a kernel panic.


* NULL pointer dereference in BPF encrypted socket message send.

A logic error in the BPF code could cause a NULL pointer dereference
when encrypting a message, leading to a kernel panic.


* Denial-of-service in per-TID statistics handling for cfg80211 subsystem.

A logic error in the handling of per-TID statistics for the configuration
API for the 802.11 subsystem could lead to memory being leaked. This could
potentially be used for a denial-of-service.


* NULL pointer dereference during Netfilter nf_tables initialization.

A logic error in the nft_tunnel code could lead to a NULL pointer dereference
and possible kernel panic or memory corruption.


* Memory corruption during Netfilter flowtable list deletion.

A missing check in the netfilter tables code could lead to memory corruption
and subsequent kernel crash.


* Denial-of-service in BPF time wait and request socket release.

A logic error in the BPF code could lead to leaked sockets, which could be
used to cause a denial-of-service attack.


* Denial-of-service in Hyper-V net service when removing RNDIS device.

A logic error in the Hyper-V code could lead to a memory leak when removing
an RNDIS device.  This could be exploited to cause a denial-of-service.


* Denial-of-service in Net HNS driver under memory pressure.

A failure to properly deal with an inability to allocate memory in the HNS
driver could cause a soft lockup.  This could be used for a denial-of-service
attack.


* NULL pointer dereference in Net Inter-FE initialization.

A logic error in the inter-fe code could lead to a NULL pointer dereference
during initialization.


* NULL pointer dereference when allocating ring in Intel I/OAT DMA driver.

A logic error when ring allocation fails in the Intel I/OAT DMA driver could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service when configuring some mac80211-based wifi devices.

Trying to set device parameters on certain wireless devices which don't
allow such configuration causes a NULL pointer dereference. An attacker
could exploit this to cause a denial-of-service.


* Denial-of-service when removing a SAS non-host remote PHY.

A logic error in the SAS transport code when removing a non-host could result
in a memory leak.  This could be targeted for a denial-of-service.


* Memory corruption in SCSI LPFC during IO buffer release.

A race condition in the lpfc code could lead to memory corruption during
a buffer release.


* Denial-of-service in SCSI LPFC during IRQ handling.

Invalid locking in the lpfc code could result in hard deadlocks, potentially
allowing a denial-of-service attack.


* Invalid memory read in Realtek 802.11AC wireless during CCK PD access.

An invalid array check in the Realtek code could lead to an invalid memory
read.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




