[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (4.15.0-20.21)

Sonja Schofield sonja.tideman at oracle.com
Fri Jun 8 18:47:03 PDT 2018


Synopsis: 4.15.0-20.21 can now be patched using Ksplice
CVEs: CVE-2018-1000199

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.15.0-20.21.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
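As an added check, not part of the announcement or of the Ksplice tooling, the following POSIX shell script tells an operator which of the two paths above applies to a host: it reads the autoinstall setting from uptrack.conf and reports whether the updates will arrive on their own or whether uptrack-upgrade must be run. The config path is a parameter so the check can be exercised against constructed sample files; the real file is /etc/uptrack/uptrack.conf as stated above, and the sample config contents are made up for this example.

```shell
#!/bin/sh
# Added example: decide whether this host picks up the new Ksplice updates
# automatically or needs a manual /usr/sbin/uptrack-upgrade -y.

# Return 0 if the uptrack.conf at $1 enables autoinstall, 1 otherwise.
# Matches the "autoinstall = yes" line named in the announcement, tolerating
# surrounding whitespace and a trailing "# comment"; a commented-out line
# ("# autoinstall = yes") or a different value ("autoinstall = no") does not count.
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*(#.*)?$' "$1"
}

# Print the action an operator should take for the config file at $1.
uptrack_action() {
    if [ ! -r "$1" ]; then
        echo "no readable uptrack.conf at $1: is Ksplice Uptrack installed?"
    elif autoinstall_enabled "$1"; then
        echo "autoinstall = yes: updates will be applied automatically"
    else
        echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs for a stand-alone run (not real host files).
tmpdir=$(mktemp -d)
printf '# constructed sample\n  autoinstall = yes   # apply updates as they are released\n' > "$tmpdir/auto.conf"
printf '# constructed sample\n# autoinstall = yes\nautoinstall = no\n' > "$tmpdir/manual.conf"

uptrack_action "$tmpdir/auto.conf"
uptrack_action "$tmpdir/manual.conf"
# On a real Bionic host this last call inspects the live configuration.
uptrack_action /etc/uptrack/uptrack.conf
```

The pattern deliberately anchors on the whole line so that a commented-out setting, or a value such as "no", is reported as needing a manual upgrade rather than silently treated as enabled.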


DESCRIPTION

* CVE-2018-1000199: Denial-of-service in hardware breakpoints.

Incorrect validation of a ptrace hardware breakpoint could result in
corrupted kernel state.  A local, unprivileged user could use this flaw
to crash the system or potentially escalate privileges.


* NULL pointer dereferences when using the RDMA Userspace Connection Manager Access driver.

Missing checks on user inputs or device state when using the RDMA
Userspace Connection Manager Access driver could lead to NULL pointer
dereferences. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when using the RDMA Userspace Connection Manager Access driver.

Logic errors when processing requests or when creating device IDs in the
RDMA Userspace Connection Manager Access driver could lead to multiple
use-after-frees. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when using the RDMA Userspace Connection Manager Access driver.

A missing check on user input could lead to an out-of-bounds access when
using the RDMA Userspace Connection Manager Access driver. A local
attacker could use this flaw to cause a denial-of-service.


* Deadlock while running the garbage collector on IPv6 routes.

A locking error when running the garbage collector and computing the
ages of IPv6 routing entries could lead to a deadlock. A local attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service when initializing the IP Payload Compression Protocol.

A logic error when initializing the IP Payload Compression Protocol
could lead to a kernel assertion failure. A local attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service when allocating Netfilter Xtables.

An error in a flag passed to the kernel allocator when allocating
Netfilter Xtables could allow an attacker to exhaust kernel memory and
cause a denial-of-service.


* Out-of-bounds access when using EBT among filters.

A missing check on user input when using EBT among filters could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when creating an L2TP tunnel with IPv4-mapped IPv6 addresses.

A logic error when creating an L2TP tunnel with IPv4-mapped IPv6
addresses could lead to a use-after-free if the socket is provided by
user-space. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using IPv4 connection tracking.

A missing drop of the connection tracking template when a connection
tracker is skipped could lead to a kernel panic. A local attacker could
use this flaw to cause a denial-of-service.


* Double-free when registering USBTV007 video driver.

A logic error in the error path when registering the USBTV007 video
driver could lead to a double-free. A local attacker could use this flaw
to cause a denial-of-service.


* Information leak when releasing memory in LRW crypto driver.

A missing zeroing of sensitive data used to encrypt or decrypt
information could lead to an information leak in the LRW crypto driver.
A local attacker could use this flaw to decrypt sensitive information.


* IPv6 IPSEC bypass with source address NAT.

Missing handling of source address Network Address Translation (NAT)
could result in failing to match a transformation policy and bypassing
an IPSEC tunnel.


* Denial-of-service in thermal power allocator.

Missing locking in the thermal power allocator could result in a
use-after-free and kernel crash during thermal zone updates.


* Use-after-free in Microchip LAN7800 USB network adapter.

Failure to clean up asynchronous work during initialization and removal
could cause a use-after-free and kernel crash.  A physically present
user could use this flaw to crash the system.


* Denial-of-service in device frequency scaling governors.

A missing NULL pointer check when setting the device frequency scaling
governor could trigger a kernel crash.  A local, privileged user could
use this flaw to crash the system.


* NULL pointer dereference in GPIO descriptor validation.

Incorrect assignment before checking of a GPIO descriptor could result
in dereferencing an invalid pointer and a kernel crash.


* Denial-of-service in F2FS filesystem ranges.

Missing locking could result in deadlock and a kernel hang when
inserting or collapsing ranges.  A local, unprivileged user could use
this flaw to trigger a denial of service.


* Denial-of-service in Videobuf2 queue allocation.

Missing validation of the user-supplied buffer count could result in an
out-of-bounds memory access and kernel crash.  A local user with access
to the video device could use this flaw to crash the system or
potentially escalate privileges.


* Use-after-free in block device queue mapping.

Missing reinitialization of the queue map when updating block multiqueue
queues could result in the dereference of an invalid pointer and kernel
crash.


* Use-after-free in block IO scheduler update.

Missing synchronization could result in a use-after-free when updating
the IO scheduler.  A local, privileged user could use this flaw to crash
the system.


* Use-after-free in Mellanox MLX5 RoCE enable.

A race condition in enabling and disabling RoCE support on an MLX5
adapter could result in a use-after-free and kernel crash.


* NULL pointer dereference in block multiqueue cleanup.

A missing check for a mapped queue could result in a NULL pointer
dereference and kernel crash when removing a block device from the
system.


* Use-after-free in Intel 10GbE PCIE Virtual Function disable.

Missing synchronization when disabling or resetting a Virtual Function
could result in a use-after-free and kernel crash.  A local, privileged
user could use this flaw to crash the system.


* Kernel hang in target core command queuing.

Incorrect handling of insufficient resources could result in deadlock
and a kernel hang under IO pressure.


* Use-after-free in Intel INT340X thermal driver.

Missing resource deallocation on probe failure could result in dangling
sysfs files and ACPI device which would trigger a kernel crash on
access.


* Denial-of-service in IPv6 header chain fragmentation.

Excessive extension headers in an IPv6 datagram beyond the PMTU size
could result in a kernel crash.  A local, unprivileged user could use
this flaw to crash the system.


* Kernel crash in Microchip LAN78XX USB Ethernet bind failure.

Missing resource cleanup on bind failure could result in a
use-after-free and kernel crash.


* Kernel crash in Distributed Switch Architecture (DSA) with incorrect port.

Incorrect handling of a frame with an unexpected CPU port would result
in a kernel crash when incrementing receive statistics.


* Kernel information leak in network receive.

Incorrect accesses for the frame Ethernet header could result in an
out-of-bounds access and kernel information leak under specific
conditions when receiving a frame.


* Kernel information leak in netlink socket connect().

Missing validation of the socket address when performing connect() on a
netlink socket could result in leaking information from the kernel
stack.  A local user could use this information to leak the kernel
address.


* NULL pointer dereference in network BPF cleanup.

Incorrect error handling when validating a BPF program could result in a
NULL pointer dereference and kernel crash.  A local, privileged user
could use this flaw to crash the system.


* Use-after-free in PPTP connect().

Invalid reference counting could result in a use-after-free and kernel
crash in the PPTP connect() function.


* NULL pointer dereference in Realtek R8169 device probing.

A race condition between device registration and initialization could
result in a NULL pointer dereference and kernel crash.


* Information leak in SCTP recvmmsg().

Missing initialization of the address field could result in leaking up
to 8 bytes of kernel memory to user-space.  A local, unprivileged user
could use this flaw to leak privileged memory contents.


* Uninitialized memory use in SCTP socket bind.

Missing validation could result in using uninitialized memory when
binding an SCTP socket resulting in incorrect address decoding.


* Denial-of-service in vhost virtio net accelerator polling.

Missing error handling in the vhost polling code could result in a
use-after-free and kernel crash.


* Use-after-free in Virtual Routing and Forwarding (VRF) driver.

Missing error handling on VRF output could result in a use-after-free or
double-free and kernel crash.


* Denial-of-service in bonding enslave.

Incorrect error handling when enslaving a bonding device could result in
a deadlock and kernel hang.  A local privileged user could use this flaw
to hang the system.


* Use-after-free in network scheduler key deletion.

Failure to remove a key from internal kernel data structures could
result in a use-after-free or memory leak.


* Kernel crash in Mellanox MLX5e device with IPv6 stub.

Incorrect handling of the IPv6 stub when IPv6 is disabled could result
in dereferencing an invalid pointer and subsequently a kernel crash.


* Use-after-free in Mellanox MLX5 eswitch flow failure.

Missing error handling when configuring flows could result in a memory
leak or double-free followed by a kernel crash.


* Denial-of-service in network stream parser.

Incorrect error reporting in the network stream parser could result in
infinite loops or invalid data reporting.


* Kernel crash in vhost log bitmap.

Missing validation of a user-supplied bitmap could result in triggering
a kernel assertion and crash.  A local, privileged user could use this
flaw to crash the system.


* Denial-of-service in teaming port addition.

Incorrect error handling when adding a port to a teamed network device
could result in a deadlock and kernel hang.  A local privileged user
could use this flaw to hang the system.


* Denial-of-service in network device tunnel name setting.

Missing validation of user-supplied tunnel names could result in kernel
stack corruption and a denial of service, or potentially privilege
escalation.


* Denial-of-service in network scheduler initialization.

Multiple NULL pointer dereferences in the network scheduler code could
result in a kernel crash.  A local, privileged user could use this flaw
to crash the system.


* Denial-of-service in probe of JEDEC Flash.

A failure to properly handle the result of reading flash manufacturer
information could lead to an invalid memory access and kernel crash.
This could be exploited to cause a denial-of-service.


* Denial-of-service in NVMe over Fabrics FC Transport Loopback Test driver aborts.

A race condition associated with aborts during I/O in the NVMe fcloop
code could lead to accessing freed memory, resulting in potential memory
corruption or a kernel panic.  This could be exploited to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
