[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (USN-3695-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jul 17 01:03:59 PDT 2018


Synopsis: USN-3695-1 can now be patched using Ksplice
CVEs: CVE-2018-1094 CVE-2018-10940 CVE-2018-1095 CVE-2018-1108 CVE-2018-11508 CVE-2018-7755

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3695-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
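The check-then-upgrade decision above, written out as an added shell script (this is example code, not part of the Ksplice advisory or Oracle's tooling). It assumes, beyond what the advisory states, that /etc/uptrack/uptrack.conf is an INI-style file of "key = value" lines with '#' comments, and that uptrack-show lists the currently applied updates:

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether the USN-3695-1
# Ksplice updates need a manual `uptrack-upgrade -y`, then show what is
# applied. Assumes (not stated on the page) that uptrack.conf is an
# INI-style "key = value" file with '#' comments and that uptrack-show
# lists applied updates.

# Print "yes" if autoinstall is enabled in the given config file, else "no".
# Tolerates whitespace around '=', trailing '#' comments and mixed case;
# a commented-out line does not count, and the last assignment wins.
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "no"; return 0; }
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); line = tolower($0) }
        line ~ /^autoinstall[ \t]*=/ { sub(/^[^=]*=[ \t]*/, "", line); state = line }
        END { print (state == "yes") ? "yes" : "no" }
    ' "$conf"
}

# Exit status 0 when an operator must run uptrack-upgrade by hand.
needs_manual_upgrade() {
    [ "$(uptrack_autoinstall "$1")" = "no" ]
}

# Apply the updates if autoinstall will not, then list the applied set so the
# USN-3695-1 CVE IDs can be confirmed in the output.
apply_ksplice_updates() {
    if needs_manual_upgrade /etc/uptrack/uptrack.conf; then
        /usr/sbin/uptrack-upgrade -y
    fi
    /usr/sbin/uptrack-show
}

# Invoke as root: apply_ksplice_updates
```

Run apply_ksplice_updates as root; on hosts with autoinstall enabled it only prints the applied update list, which is the check to run after the automatic installation window has passed.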


DESCRIPTION

* CVE-2018-7755: Information leak through floppy disk driver ioctl.

A logic error in a floppy disk driver ioctl could leak a kernel address.
A local attacker could use this flaw to learn the address of the running
kernel and facilitate a further attack.


* Denial-of-service when removing a flash device that enables UBI fastmap.

A double-free bug in the UBI wear-leveling subsystem leads to a kernel
crash when unmounting a UBI flash device whose image enables fastmap.
This could cause a denial-of-service.


* Denial-of-service when initializing a ReiserFS journal.

A format string error in one of the warning messages printed during
ReiserFS journal initialization could lead to a kernel panic. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when remapping a shm file.

A logic error when remapping a shared-memory (shm) file could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when opening a file on an SMB2 CIFS filesystem.

Incorrect error handling when opening a file on an SMB2 CIFS filesystem
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* Out-of-bounds access when using HID devices.

An incorrect variable type when handling HID devices could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-1095: NULL pointer dereference when writing xattr on ext4 filesystem.

An incorrect function return type when writing an extended attribute
(xattr) on an ext4 filesystem could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2018-1094: NULL pointer dereference when filling extended attributes on ext4 filesystem.

A missing initialization of the crypto driver used to fill extended
attributes on an ext4 filesystem could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when mounting a corrupted ext4 filesystem.

A missing check when mounting a corrupted ext4 filesystem whose metadata
blocks overlap the superblock could lead to memory corruption. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when setting an RDMA option on an invalid device.

A missing check when a user tries to set an RDMA option on a non-existent
device could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* NULL pointer dereference on allocation failure in Mellanox Connect-IB HCA driver.

A missing check after an allocation failure in Mellanox Connect-IB HCA
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Out-of-bounds access when initializing TX transfer in Software RDMA over Ethernet (RoCE) driver.

A logic error when initializing TX transfer in Software RDMA over
Ethernet (RoCE) driver could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* Use-after-free when releasing Audio PCM.

A logic error when releasing Audio PCM could lead to a use-after-free. A
local attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when using Non-Volatile Memory Device driver.

A missing check when using Non-Volatile Memory Device driver could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when using AMDGPU Southern Islands cards.

Missing callbacks when using AMDGPU Southern Islands cards could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when using compat ioctls of the ALSA rawmidi driver.

A missing check on user input when using compat ioctls of the ALSA rawmidi
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-1108: Information leak when relying on the kernel random generator for cryptographic use.

Cryptographic drivers may use the kernel random number generator, which
may not have collected enough entropy shortly after boot to produce
unpredictable output. A local attacker could use this flaw to decrypt
sensitive data and leak information.


* NULL pointer dereference when removing HID raw devices.

A missing check when a HID raw device is removed while a get_report ioctl
is in progress could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* NULL pointer dereference when using the pagecache.

A logic error when handling a page in the pagecache could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when unregistering remote controllers.

A logic error when unregistering remote controllers could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when using seekdir on ext4 filesystem.

A logic error when using seekdir on ext4 filesystem could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when draining send-queue in RDMA core driver.

A missing check when draining send-queue in RDMA core driver could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds access in InfiniBand SCSI RDMA Protocol driver.

A logic error when sending data over InfiniBand SCSI RDMA Protocol
device could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service when loading/unloading the mmc module multiple times.

A missing release of resources when unloading the mmc module could lead
to a kernel warning on the next load. A local attacker could use this
flaw to flood the kernel log and facilitate an attack.


* NULL pointer dereference when creating unix domain sockets on CIFS.

Attempting to create a unix domain socket on a mounted CIFS share can
cause a NULL pointer dereference and denial-of-service.


* Memory corruption in Intel i915 graphics driver error path.

In a rare case, the Intel i915 graphics driver would free memory
directly that was still in use in a cache, causing corruption or a
denial-of-service.


* NULL pointer dereference when using the bind system call on an RDS over InfiniBand socket.

A logic error when using the bind system call on an RDS over InfiniBand
socket could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Use-after-free when deleting net namespaces.

When tearing down a net namespace, hwsim wireless interfaces are deleted
asynchronously. The namespace destruction can proceed simultaneously,
resulting in a denial-of-service when the hwsim interfaces are deleted.


* Denial-of-service while reading files using filesystem caching.

A race condition when reading files using filesystem caching could lead
to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access when adding an IPv6 route.

A logic error when adding an IPv6 route could lead to an invalid memory
access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when using IPv6 Segment Routing Header encapsulation with IPv4 traffic.

A logic error when using IPv6 Segment Routing Header encapsulation with
IPv4 traffic could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service when setting a long option name on a dns_resolver key.

A missing check on user input when setting a long option name on a
dns_resolver key could flood the kernel log. A local attacker could use
this flaw to cause a denial-of-service.


* Invalid memory access when connecting a PPP over L2TP socket.

A missing check when connecting a PPP over L2TP socket could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when dumping the network neighbour table.

A missing check when dumping the network neighbour table could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access when releasing ANSI/IEEE 802.2 LLC type 2 socket.

A missing stop of deferred work when releasing ANSI/IEEE 802.2 LLC type
2 socket could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Out-of-bounds access when parsing a TCP MD5 signature option.

A missing check when parsing a TCP MD5 signature option could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Uninitialized memory access when setting packet ring in raw packet socket.

A locking error when setting packet ring in raw packet socket could lead
to an uninitialized memory access. A local attacker could use this flaw to
cause a denial-of-service.


* Invalid memory access when setting TCP MD5 signature socket option.

A missing check when setting TCP MD5 signature socket option could lead
to an invalid memory access. A local attacker could use this flaw to
cause a denial-of-service.


* Kernel assert when setting options in the Ethernet team driver.

A logic error when setting the same option twice in the Ethernet team
driver could lead to a kernel assert if kernel list debugging is enabled.
A local attacker could use this flaw to cause a denial-of-service.


* Invalid memory access when connecting a PPP over Ethernet socket.

A missing check on user input when connecting a PPP over Ethernet socket
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Out-of-bounds access when using VLAN tagged packets.

A missing check when using VLAN tagged packets could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when closing a TCP connection.

A missing zeroing of resources when closing a TCP connection could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds access when using Inter-FE based on IETF ForCES InterFE LFB socket.

Missing checks when using Inter-FE based on IETF ForCES InterFE LFB
socket could lead to out-of-bounds accesses. A remote attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service when closing LLC socket.

Incorrect reference counting when closing an LLC socket leads to a
use-after-free vulnerability. A malicious unprivileged user can exploit
this to cause a denial-of-service.


* NULL pointer dereference when getting security xattr.

A logic error when getting security xattr of an inode could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2018-10940: Information leak when checking whether CD-ROM media changed.

A missing check when a user checks whether CD-ROM media has changed using
an ioctl could lead to an information leak. A local attacker could use
this flaw to leak information about the running kernel and facilitate an
attack.


* Use-after-free in L2TP tunnel debug files.

Missing reference holds in L2TP tunnel debug files could lead to multiple
use-after-frees. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when initializing the Broadcom NetXtreme-C/E driver.

A logic error when retrieving data for firmware images during
initialization of the Broadcom NetXtreme-C/E driver could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-11508: Information disclosure in the 32-bit timex syscall.

A failure to correctly initialize memory can result in a leak of
sensitive kernel memory to userspace. A local user could use this flaw
to facilitate a further attack.


* Denial-of-service when registering a new binary type.

A logic error when registering a new binary type with an overly large
offset could lead to an overflow. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds access when looking up a key in a BTRFS tree.

A missing check when looking up a key in a BTRFS tree could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access while receiving event from Roccat HID device.

A missing check on Roccat HID device input could lead to an
out-of-bounds access. A local attacker could use a crafted input device
to cause a denial-of-service.


* Denial-of-service when unmounting a jffs2 filesystem.

Incomplete error handling in the JFFS2 subsystem could lead to a kernel
crash when releasing a superblock. This could cause a denial-of-service.


* Denial-of-service when removing Zilog IR driver.

Incorrect reference counting when polling a Zilog/Hauppauge IR
Transmitter leads to a kernel crash when removing the driver. This could
be exploited by an attacker to cause a denial-of-service.


* Denial-of-service when garbage-collecting F2FS blocks.

When garbage collecting encrypted F2FS filesystem blocks, the kernel may
enter an infinite loop. This could block a kernel thread indefinitely and
cause a denial-of-service.


* Denial-of-service in the RXRPC Kerberos security subsystem.

An assertion failure during challenge–response authentication in the
RXRPC Kerberos security subsystem leads to a kernel crash. A malicious
local user could exploit this to cause a denial-of-service.


* Denial-of-service when transmitting a network packet in the vmxnet3 driver.

A race condition when transmitting a packet through the vmxnet3 driver
leads to a transmit hang when network coalescing is disabled. This could
be exploited from inside a VM to cause a denial-of-service.


* Denial-of-service when shutting down SMC socket.

A use-after-free bug when shutting down SMC socket leads to a
NULL pointer dereference and subsequent kernel crash. This could allow a
malicious local user to cause a denial-of-service.


* Denial-of-service when using the OHCI-1394 FireWire driver with an IOMMU.

A logic error when reading a device descriptor through DMA in the
OHCI-1394 FireWire driver while the system uses an IOMMU could lead to a
page fault. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service during cleanup in the Intel iWARP driver.

Failure to release resources during cleanup in the Intel InfiniBand
iWARP subsystem leads to kernel memory exhaustion. This could be
exploited by an attacker to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
