[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (4.15.0-38.41)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Oct 26 08:20:07 PDT 2018


Synopsis: 4.15.0-38.41 can now be patched using Ksplice

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.15.0-38.41.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in OCFS2 reflink locking.

A race condition between an OCFS2 reflink operation and a protected read
on an inode can result in an assertion failure, leading to a Kernel
crash. A local user with access to an OCFS2 filesystem could use this
flaw to cause a denial-of-service.


* Information leak in filesystem core.

A logic error in filesystem core code can allow small amounts of kernel memory
to be leaked to userspace.  This flaw could be used by a local attacker to leak
information about the running system.


* Use-after-free in Amazon Elastic Ethernet Adapter removal.

Multiple logic errors when removing an Elastic Ethernet Adapter during
system suspend or module removal could result in a use-after-free and
kernel crash.


* Task hang in Transparent Inter Process Communication (TIPC) link monitor summary.

An infinite loop when dumping the link monitor summary for Transparent
Inter Process Communication (TIPC) sockets could cause the calling
task to hang.


* Information leak in Transparent Inter Process Communication (TIPC) netlink.

Use of uninitialized buffers in the TIPC TIPC_NL_LINK_SET netlink
operation could result in accessing uninitialized memory, possibly
leaking sensitive memory to user-space.


* Denial-of-service in user and kernel probes.

Incorrect handling of probes on instructions that inhibit interrupts
could result in running with an incorrect stack and subsequent kernel
crash.


* Improved Spectre v1 mitigations in BPF map and program types.

Missing hardening for Spectre v1 gadgets when looking up map and program
types in a BPF program could allow a local user with permission to run
BPF programs to leak sensitive kernel memory.


* Information leak in CIFS negotiation validation.

Incorrect allocation types could result in an incorrect buffer being
transferred to the CIFS server and leaking the contents of potentially
sensitive memory under specific conditions.


* Memory leak in cachefiles during vmscan.

Missing reference counting under memory pressure when fscache was
enabled could result in a leak of pages and eventual memory exhaustion.


* Kernel crash in Synaptics RMI4 SPI transfers.

Missing bounds checks could result in an out-of-bounds access during an
SPI transfer and a kernel crash or leak of kernel memory contents.


* Undefined behaviour in nested Intel KVM guest APIC emulation.

Missing validity checks for the virtualized APIC in a nested KVM guest
could result in undefined behaviour of the guest.


* Denial-of-service in ISOFS mount option parsing.

Missing resource frees could result in memory exhaustion when parsing
ISOFS mount options.  A local user with privileges to mount filesystems
could use this flaw to crash the system.


* NULL pointer dereference in ASoC topology controls.

Missing NULL pointer checks could result in a kernel crash when removing
an ASoC widget from the system.


* Kernel crash in iSCSI target with a read-only backend.

Incorrect handling of read-only targets could result in a kernel crash
when processing I/O on an iSCSI target.


* Privilege escalation in netfilter chain name changes.

A logic error when updating netfilter chain names could result in an
out-of-bounds write to heap memory.  A local user could use this flaw to
crash the system or, potentially, escalate privileges.


* Use-after-free in block control group queue creation.

Missing locking when creating a block control group queue could result
in a use-after-free and kernel crash under specific conditions.


* System hang in iSCSI PHY configuration validation.

A logic error when validating the PHY configuration of an iSCSI device
could result in an infinite loop and I/O hang.


* Information leak in kernel thread /proc entries.

An incorrect check for kernel threads under specific conditions could
result in creating /proc entries for kthreads with the incorrect
uid/gid, making them readable by unprivileged users.


* NULL pointer dereference in Intel INT340x thermal driver probe.

A logic error during Intel INT340x thermal driver probe could result in
a NULL pointer dereference and kernel crash.


* Reference leak in RDS endpoint setup.

Missing reference count releases when setting up an Infiniband RDS
endpoint could result in later RDS socket failures.


* Use-after-free in Intel Integrated Sensor Hub device registration.

Incorrect cleanup during error handling for Intel Integrated Sensor Hub
device registration could result in a use-after-free and kernel crash.


* Undefined behaviour in Infiniband uverbs with missing attributes.

Missing validation of mandatory attributes could allow a uverbs method
to be called with missing attributes, leading to undefined behaviour.


* Use-after-free in Infiniband RDMA device lookup.

A race condition when looking up an RDMA device during network namespace
changes could result in a use-after-free and kernel crash.


* Memory leak in RDMA IWPM map info.

Failure to free a buffer during hash lookup for RDMA IWPM map info
creation could result in a memory leak.  A local, privileged user could
use this flaw to exhaust memory.


* Use-after-free in soft RoCE packet transmission.

A double free could result in a kernel crash when transmitting packets
over a soft RoCE interface.  A local privileged user could use this flaw
to crash the system.


* False filesystem failure on VMware paravirtualized SCSI adapter.

Incorrect handling of device aborts could result in marking a filesystem
read-only under specific conditions.


* Memory leak in BPF program JIT conversion.

Failure to free the JIT image buffer would result in a memory leak.  A
local user with permissions to create BPF programs could use this flaw
to exhaust memory.


* Undefined behaviour in Intel VT-D IOMMU TLB flushing.

Use of an undefined shift operation could result in undefined behaviour
when flushing TLBs.


* Denial-of-service in NVMe fabric option parsing.

Missing resource frees could result in memory exhaustion when parsing
NVMe fabric options.  A local user with privileges to create NVMe
fabrics could use this flaw to crash the system.


* Task hang in SMC socket sendpage().

Incorrect locking in the sendpage() call for Sockets Over RDMA (SMC)
could result in deadlock and a task hang.


* Kernel crash in QLogic QED iWARP device initialization.

Failure to allocate mutexes for a QLogic QED device with the iWARP
personality could result in a kernel crash when probing a device or a
memory leak on device removal.


* Kernel crash in QLogic QED RDMA event node allocation.

Incorrect allocation flags when allocating an event node could result in
sleeping during an atomic context and subsequent kernel crash or hang.


* Information leak in RXRPC sockets.

Failure to set the correct security level for an RXRPC kernel call could
result in transmitting packets with encryption unapplied in specific
conditions.


* NULL pointer dereference in network socket buffer editing.

A missing NULL pointer check could result in a kernel crash when the
socket buffer editing (skbedit) system was enabled.


* Kernel crash in DRM_IOCTL_MODE_CREATE_DUMB ioctl().

An integer overflow in the DRM_IOCTL_MODE_CREATE_DUMB ioctl() could
result in incorrect allocation sizes and out-of-bounds memory accesses
leading to a kernel crash.


* NULL pointer dereference in AFS server record deletion.

Failure to remove AFS server records completely during deletion can
result in a NULL pointer dereference or use-after-free leading to a
kernel crash.


* NULL pointer dereference in Netronome NFP Ethernet probing.

Older generations of the Netronome NFP Ethernet device may not have an
information table populated, leading to a NULL pointer dereference during
device probe.


* Stale TLB entries in Intel KVM APIC changes.

Failure to flush the TLB after modifying the APIC mode or address could
result in spurious faults or memory corruption when shadow paging was
enabled.


* Undefined behaviour in Mellanox MLX4 MTT setting.

Use of an undefined shift operation when calculating the MTT for a
Mellanox MLX4 device could result in undefined behaviour.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
