[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (USN-3678-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jul 4 07:32:28 PDT 2018


Synopsis: USN-3678-1 can now be patched using Ksplice
CVEs: CVE-2018-10021 CVE-2018-1092 CVE-2018-3639 CVE-2018-8087

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3678-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
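
The following is an added example, not part of the Ksplice notice: a small POSIX shell helper that applies the procedure above on a fleet host, checking the autoinstall setting in /etc/uptrack/uptrack.conf before deciding whether a manual uptrack-upgrade is needed, and then checking that the four CVEs from this notice appear in the output of uptrack-show. The UPTRACK_EXAMPLE_RUN guard, the file-path parameters and the assumption that uptrack-show lists each update with its CVE identifier are this example's own, not Ksplice documentation.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory). Paths are parameters so the
# functions can be exercised against constructed files instead of the live
# system.

# Return 0 if the given uptrack.conf enables automatic installation.
# Accepts "autoinstall = yes" with arbitrary whitespace; comment lines and
# "autoinstall = no" do not match.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# Given captured uptrack-show output and a list of CVE identifiers, print
# the identifiers that do not appear in it; return 0 only when all appear.
# Assumption: uptrack-show names each installed update by its CVE, as the
# descriptions in this notice do.
uptrack_missing_cves() {
    show_output="$1"
    shift
    missing=0
    for cve in "$@"; do
        if ! printf '%s\n' "$show_output" | grep -q "$cve"; then
            echo "$cve"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Live usage (as root), enabled only by an explicit environment flag so that
# sourcing this file never runs uptrack-upgrade by accident.
if [ "${UPTRACK_EXAMPLE_RUN:-0}" = 1 ]; then
    if uptrack_autoinstall_enabled; then
        echo "autoinstall = yes: Uptrack will apply USN-3678-1 itself"
    else
        /usr/sbin/uptrack-upgrade -y
    fi
    if uptrack_missing_cves "$(/usr/sbin/uptrack-show)" \
        CVE-2018-10021 CVE-2018-1092 CVE-2018-3639 CVE-2018-8087; then
        echo "all USN-3678-1 CVEs are applied"
    else
        echo "CVEs above from USN-3678-1 are not yet applied" >&2
    fi
fi
```

Run it with UPTRACK_EXAMPLE_RUN=1 as root to act on the live system; without the flag it only defines the two functions, which is the mode a configuration-management check would source it in.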


DESCRIPTION

* NULL pointer dereference when shutting down an already closed aQuantia device.

A missing check when shutting down an already closed aQuantia device
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when using Thunderbolt with failing firmware.

A missing check when using Thunderbolt while firmware is failing could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2018-8087: Memory leak in the simulated radio testing tool for mac80211 (mac80211_hwsim).

A missing release of resources when creating a new radio in the simulated
radio testing tool for mac80211 (mac80211_hwsim) could lead to a memory
leak. A local attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.


* NULL-pointer dereference when debugging xhci device.

In rare cases, disconnecting an xhci device while debugging can cause
the device to unregister itself twice, causing a NULL pointer
dereference and denial-of-service.


* Denial-of-service when configuring V4L2 output overlay.

Performing a V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY ioctl operation to overlay
an image on a V4L2 video stream could crash the kernel, leading to a
denial-of-service.


* Kernel memory exhaustion when creating a file or directory.

Under certain circumstances, memory allocated while creating a file or
directory may not be freed after the operation completes. This could
lead to kernel memory exhaustion and possibly a denial-of-service.


* CVE-2018-1092: NULL pointer dereference when the root directory of an ext4 filesystem is unallocated.

A missing check when the root directory inode of an ext4 filesystem is
unallocated could lead to a NULL pointer dereference. A local attacker
could mount a crafted ext4 filesystem and cause a denial-of-service.


* Kernel crash in AMD KVM CPU execution.

Incorrect handling of speculation restriction when running a KVM guest
on an AMD system could result in an invalid memory dereference and
reboot.


* CVE-2018-10021: Denial-of-service in SAS device abort and failover.

Incorrect error handling when aborting or failing over a SAS device
could result in resource starvation and IO hangs.  A physically present
malicious user could use this flaw to cause a denial of service.


* Improved fix to CVE-2018-3639: Speculative Store Bypass information leak.

The original vendor fix for CVE-2018-3639 did not expose the mitigation
to KVM guests on AMD or correctly handle symmetric multithreading (SMT)
systems.

This update enables the speculative store bypass mitigation at all times
by default on AMD systems, to protect guests and SMT systems. It can be
manually enabled or disabled by writing 1 or 0 to
/proc/sys/vm/ksplice_ssbd_control.  The /proc/sys/vm/ksplice_ssbd_status
file reports the current mitigation status.
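
The following is an added example, not part of the Ksplice notice, showing how an operator would read and toggle the control described above. The two file names /proc/sys/vm/ksplice_ssbd_control and /proc/sys/vm/ksplice_ssbd_status come from the notice; the SSBD_PROC_ROOT variable and the function names are this example's own, introduced so the functions can be exercised against constructed files rather than the live /proc. The output format of the status file is not documented in the notice, so the example prints it verbatim rather than interpreting it.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory). SSBD_PROC_ROOT defaults to
# the real /proc location; override it to point at a test directory.
SSBD_PROC_ROOT="${SSBD_PROC_ROOT:-/proc/sys/vm}"

# Print the mitigation status reported by Ksplice. Returns 2 if the file is
# absent, which means the improved CVE-2018-3639 update is not applied.
ksplice_ssbd_status() {
    f="$SSBD_PROC_ROOT/ksplice_ssbd_status"
    if [ ! -r "$f" ]; then
        echo "$f not present: Ksplice SSBD update not applied" >&2
        return 2
    fi
    cat "$f"
}

# Enable (1) or disable (0) the mitigation. Only those two values are
# accepted so a typo cannot write an unexpected value into /proc.
ksplice_ssbd_set() {
    case "$1" in
        0|1) ;;
        *) echo "usage: ksplice_ssbd_set 0|1" >&2; return 1 ;;
    esac
    f="$SSBD_PROC_ROOT/ksplice_ssbd_control"
    if [ ! -w "$f" ]; then
        echo "$f not writable: need root, or the update is not applied" >&2
        return 2
    fi
    printf '%s\n' "$1" > "$f"
}

# Live usage (as root), enabled only by an explicit flag so that sourcing
# this file never changes the mitigation state by accident.
if [ "${SSBD_EXAMPLE_RUN:-0}" = 1 ]; then
    echo "before: $(ksplice_ssbd_status)"
    ksplice_ssbd_set 1          # re-enable the default full-time mitigation
    echo "after:  $(ksplice_ssbd_status)"
fi
```

Writing 0 turns off a mitigation for a cross-process and guest-to-host information leak; treat it as a measured performance trade-off on a dedicated single-tenant host, record it in change management, and re-check ksplice_ssbd_status after the next reboot, since the control is a runtime setting rather than a persistent one.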


* Improved fix to CVE-2018-3639: Speculative Store Bypass information leak for eBPF.

Without hardening of eBPF programs, or without the SSBD mitigation being
enabled while an eBPF program runs, a malicious eBPF program could carry
out a speculative store bypass attack against the kernel.


* Single Thread Indirect Branch Predictors enable failure.

Incorrect masking could prevent the STIBP feature of the IA32_SPEC_CTRL
MSR from being set.  Guests that used the STIBP feature to mitigate
Spectre v2 would not be fully mitigated.


* Use-after-free in netfilter ipset exit.

Missing locking in the netfilter ipset core could result in a
use-after-free and kernel crash when destroying a network namespace.


* Denial-of-service in vhost configuration ioctl().

A logic error in the validation of user-supplied pointers could result
in dereferencing an illegal address and crashing the kernel.


* Denial-of-service in L2TP tunnel creation.

Multiple race conditions when creating an L2TP tunnel could result in a
use-after-free condition and kernel crash.  A local user could use this
flaw to crash the system or, potentially, escalate privileges.


* Information leak in vhost user buffer copying.

A logic error when copying from a vhost device to user buffer could
result in copying descriptors rather than data.  This could leak kernel
address layout information to user-space.


* Use-after-free in Atheros ath9k transmit node cleaning.

Missing locking could result in a use-after-free and kernel crash when
cleaning queues for transmit nodes under rare conditions.


* IO hang in loop (loopback) block device with encryption.

Incorrect error handling for invalid encryption types in the loop block
device driver could result in locks not being released and subsequent
IO hangs when performing IO to the block device.


* Denial-of-service in kernel-initiated user page access.

Incorrect interpretation of return codes in a kernel mapping utility
function could result in kernel code trying to dereference an invalid
address either resulting in a crash or other undefined behaviour.


* Kernel hang in Xen netfront device removal.

A race condition when removing Xen netfront network devices could result
in a kernel hang when shutting down the system.


* Kernel crash in ATA link handling with SAS hosts.

Incorrect handling of link errors on a SATA device with a SAS host could
result in a NULL pointer dereference and kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
