[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (USN-3752-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Sep 21 03:20:19 PDT 2018


Synopsis: USN-3752-1 can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2018-1000200 CVE-2018-1000204 CVE-2018-10323 CVE-2018-1068 CVE-2018-10840 CVE-2018-10881 CVE-2018-1093 CVE-2018-1108 CVE-2018-1118 CVE-2018-1120 CVE-2018-11412 CVE-2018-11506 CVE-2018-12232 CVE-2018-12233 CVE-2018-12904 CVE-2018-13094 CVE-2018-13405 CVE-2018-13406 CVE-2018-3639 CVE-2018-5814

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3752-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
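The check above, as an added example that is not part of the Ksplice advisory: a POSIX shell helper that reads the autoinstall setting from uptrack.conf and only runs uptrack-upgrade when Uptrack will not apply the updates on its own. The parsing rules (comment lines ignored, whitespace and case tolerated, last setting wins) are this example's own assumptions about the file, not documented Uptrack behaviour; the sample configuration used in testing is constructed.

```shell
# Added example, not Ksplice code: decide on an Ubuntu 18.04 host whether
# the USN-3752-1 Ksplice updates still need a manual `uptrack-upgrade -y`.

# Returns 0 when the configuration file enables autoinstall, 1 when it does
# not, 2 when the file cannot be read. Default path is the system file.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 2
    # Lower-case the file, keep only uncommented "autoinstall = <value>"
    # lines, drop any trailing comment and take the last value found.
    # (Assumption: Uptrack itself may parse the file more strictly.)
    val=$(tr '[:upper:]' '[:lower:]' < "$conf" |
          sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
          tail -n 1)
    [ "$val" = "yes" ]
}

# Apply the updates only when Uptrack will not do it automatically.
# $1 is an optional configuration path (defaults to /etc/uptrack/uptrack.conf).
apply_ksplice_updates() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall = yes: Uptrack installs these updates automatically"
        return 0
    fi
    echo "autoinstall not enabled: running uptrack-upgrade"
    /usr/sbin/uptrack-upgrade -y
}
```

Run `apply_ksplice_updates` as root on the host; pass an alternative path as the first argument to test the decision against a copy of the configuration without touching the live file.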


DESCRIPTION

* NULL-pointer dereference in ext4 filesystem with aborted journal.

If an ext4 journal operation is started on an already aborted journal, the
associated journal handle is set to NULL but is later dereferenced on the
error path. A malicious user could trigger this to cause a
denial-of-service.


* CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.

A failure to correctly validate bitmap information from an ext4
filesystem can result in an out-of-bounds read, leading to a Kernel
crash. A local user with the ability to mount an ext4 filesystem could
use this flaw to cause a denial-of-service.


* Improved fix for CVE-2018-1108: Information leak in kernel random number generator.

The fix for CVE-2018-1108 might produce insufficiently random data if the
backing random number generator is not properly initialized.


* Denial-of-service due to erroneous error condition in tty device driver.

An overly strict error check in the terminal device driver could cause a
kernel panic even though the driver was operating correctly. A malicious
user could potentially trigger this to cause a denial-of-service.


* NULL-pointer dereference in tty driver when restoring line discipline.

When encountering an error while restoring a line discipline, the return
pointer from tty_ldisc_get() is not properly checked for error,
resulting in a potential denial-of-service.


* Speculative execution attacks in various ALSA sound drivers.

Various arrays in the ALSA sound driver code are potentially vulnerable
to a Spectre variant 1 speculative execution attack.


* Denial-of-service when loading filesystem over Quad-SPI.

An out-of-bounds read in the Cadence QSPI driver could read past a page
boundary when loading a root filesystem. An attacker could exploit this
to cause a denial-of-service.


* Memory corruption due to reused pointers in block device scheduler.

The block device I/O scheduler re-uses its I/O context pointers for each
request. These are not re-initialized, and so might cause memory
corruption when re-used in later requests that pass through the
scheduler.


* Double free of random bits generator leads to memory corruption.

The random bits generator for the generic crypto subsystem can in rare
cases be reused, resulting in a double free if an error is encountered
during setup.


* NULL-pointer dereference in Ceph write on non-active connection.

A race condition when reading data across the Ceph messaging protocol
could cause an attempted write on a NULL socket pointer, causing a
denial-of-service.


* Denial-of-service when accessing audio frames from 32-bit userspace.

A logic error in the compat ioctl path when reading or writing audio frames
from 32-bit userspace could flood the kernel log. A local attacker could
use this flaw to cause a denial-of-service.


* Invalid memory access when using ALSA virmidi sequencer.

A locking error when using ALSA virmidi sequencer could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free while using ALSA Generic loopback driver.

A locking error when using ALSA Generic loopback driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using TCM/IBLOCK Subsystem Plugin for Linux/BLOCK.

A logic error when using TCM/IBLOCK Subsystem Plugin for Linux/BLOCK
could lead to a kernel assert. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds access when registering a new input device LED.

A logic error when registering a new input device LED could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when setting Queue Pair size in Mellanox Connect-IB HCA driver.

A missing check when setting Queue Pair size in Mellanox Connect-IB HCA
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.


* Memory leak when releasing resources in DRM driver for VMware Virtual GPU.

A logic error when releasing resources in DRM driver for VMware Virtual
GPU could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* Denial-of-service when using USB Handspring Visor driver.

A logic error when parsing descriptors in the USB Handspring Visor driver
could lead to a memory leak and an invalid memory access. A local attacker
with a crafted USB device could use this flaw to cause a
denial-of-service.


* Use-after-free when handling BTRFS extent trees.

A locking error when handling BTRFS extent trees could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when releasing device in USB XHCI driver.

A logic error when releasing device in USB XHCI driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* File system corruption on ext4 with fallocate.

The fallocate operation does not properly sanitize the "insert range"
parameter, potentially causing an overflow and corrupting filesystem
data.


* Denial-of-service in routing table locking implementation.

Multiple race conditions in the routing table locking can result in a
deadlock or hung tasks. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service during binding of cryptographic userspace interface.

A validation failure in the cryptographic userspace interface
implementation can result in the reading of uninitialised memory,
leading to undefined behaviour. A local user could use this flaw to
cause a denial-of-service.


* Denial-of-service in netlink sendmsg implementation.

A validation failure in the netlink sendmsg implementation can result in
the reading of uninitialised memory, leading to undefined behaviour. A
local user could use this flaw to cause a denial-of-service.


* Denial-of-service in netlink routing configuration interface.

A validation failure in the netlink interface for routing information
can result in the reading of uninitialised memory, leading to undefined
behaviour. A local user could use this flaw to cause a
denial-of-service.


* Undefined behaviour in socket buffer cloning.

A failure to initialise a variable when cloning a socket buffer can
result in undefined behaviour.


* Undefined behaviour in IPv6 Duplicate Address Detection.

A logic error when processing hardware addresses during IPv6 Duplicate
Address Detection can result in reading of uninitialised memory, leading
to undefined behaviour.


* Denial-of-service in memory cgroup resource freeing.

Incorrect error handling of a memory allocation failure in the memory
cgroup can result in a NULL pointer dereference, leading to a Kernel
crash. A local user could use this flaw to cause a denial-of-service.


* Denial-of-service in block backing device release.

A logic error can result in a failure to correctly shutdown writeback
queues when a device is released. A local user could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when shutting down writeback workqueue.

A race condition when shutting down a block backing device writeback
workqueue can result in a NULL pointer dereference, leading to a Kernel
crash.


* NULL pointer dereference during failed GPIO line event creation.

A failure to handle a GPIO request failure can result in a NULL pointer
dereference, leading to a Kernel crash.


* Undefined behaviour in integrity block device memory allocation.

An incorrect free in the integrity block device could result in
undefined behaviour, leading to a Kernel crash.


* CVE-2018-1000200: Denial-of-service during OOM killer memory unmapping.

A race condition in the OOM killer can result in a double free of mmap
memory, leading to a Kernel crash. A local user with the ability to
trigger the OOM killer could use this flaw to cause a denial-of-service.


* Denial-of-service in Ceph direct read/write implementation.

A failure to validate buffer sizes from userspace can result in an
assertion failure, leading to a Kernel crash. A local user with access
to a Ceph filesystem could use this flaw to cause a Denial-of-service.


* Improved fix for CVE-2017-5753: Bounds-check bypass in ATM LAN emulation.

A missing sanitization of an array index after its bounds check in the ATM
LAN emulation driver could allow a speculative out-of-bounds access. A
local attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: Bounds-check bypass in ZeitNet ZN1221/ZN1225 driver.

A missing sanitization of array index after bounds check in ZeitNet
ZN1221/ZN1225 driver could lead to an information leak. A local attacker
could use this flaw to leak information about running system.


* Improved fix for CVE-2017-5753: Bounds-check bypass in scheduler userspace interface.

A missing sanitization of an array index after its bounds check in the
scheduler userspace interface could allow a speculative out-of-bounds
access. A local attacker could use this flaw to leak information about the
running system.


* Improved fix for Spectre v1: Bounds-check bypass in perf subsystem.

Multiple missing sanitizations of array indexes after their bounds checks
in the perf subsystem could allow speculative out-of-bounds accesses. A
local attacker could use this flaw to leak information about the running
system.


* Denial-of-service in i2c-dev read/write ioctl.

A logic error when allocating a zero length buffer in the i2c-dev driver
can result in the dereference of an invalid pointer, leading to a Kernel
crash. A local user with access to an i2c-dev device could use this flaw
to cause a denial-of-service.


* Memory leaks when using IPv4 UDP and ping sockets.

A missing release of resources on the error path when sending messages
over IPv4 UDP and ping sockets could lead to memory leaks. A local attacker
could use this flaw to exhaust kernel memory and cause a denial-of-service.


* Denial-of-service when setting a small MTU on ANSI/IEEE 802.2 LLC type 2 socket.

A missing check when setting a small MTU on ANSI/IEEE 802.2 LLC type 2
socket could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Double free when device registration fails in Mellanox Technologies 1/10/40Gbit Ethernet driver.

A logic error when device registration fails in the Mellanox Technologies
1/10/40Gbit Ethernet driver could lead to a double free. A local attacker
could use this flaw to cause a denial-of-service.


* Reference count leak in skb data modifier.

A missing release of reference in skb data modifier could lead to a
reference count leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* Out-of-bounds access when setting attributes in Open vSwitch driver.

A logic error when setting attributes in Open vSwitch driver could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Information leak when receiving message over RDS socket.

A missing initialization of kernel memory when receiving a message over an
RDS socket could lead to an information leak. A local attacker could use
this flaw to leak information about the running kernel and facilitate a
further attack.


* Out-of-bounds access when comparing IPv4 addresses on SCTP IPv6 socket.

A missing check when comparing IPv4 addresses on an SCTP IPv6 socket could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free when receiving messages in SCTP ULP sockets.

An error in the error path when receiving messages in SCTP ULP sockets
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when releasing DMA resources in Broadcom Tigon3 driver.

A logic error when releasing DMA resources in Broadcom Tigon3 driver
could lead to a kernel assert. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when creating a RX root namespace in Mellanox Technologies ConnectX-4 and Connect-IB core driver.

A logic error when creating a RX root namespace fails in Mellanox
Technologies ConnectX-4 and Connect-IB core driver could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using IPv6 route driver.

A logic error in the IPv6 routing code could lead to the use of
uninitialized values and unpredictable behaviour. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service when using Network Service Header socket.

A missing check on header length when using Network Service Header
socket could lead to an infinite loop. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2018-1120: Denial-of-service when mmapping specific parts of process memory on a slow filesystem.

A missing check allows a user to mmap() a file from a slow or
attacker-controlled filesystem (for example FUSE) over specific parts of
its own process memory, such as the command-line area, so that kernel-side
reads of that memory (for example through /proc) block indefinitely. A
local attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when initializing stream in SCTP socket.

A missing initialization of stack variables when initializing stream in
SCTP socket could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* Information leak when receiving message over TIPC socket.

A missing data initialization when receiving message over TIPC socket
could lead to an information leak. A local attacker could use this flaw
to leak information about running kernel and facilitate an attack.


* Denial-of-service when iterating over a radix tree.

A logic error when walking a radix tree inside kernel leads to a NULL
pointer dereference and subsequently causes a denial-of-service.


* Denial-of-service during btrfs incremental snapshot transfer.

A use-after-free vulnerability when making snapshot of a btrfs
filesystem triggers a kernel crash. This could lead to inadvertent
data loss and a denial-of-service.


* Denial-of-service when using balancing on BTRFS.

A logic error when remounting a BTRFS filesystem with balancing mode
enabled could lead to a kernel assert. A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service when removing USB3 device.

A double-free bug when removing USB3 devices leads to a NULL pointer
dereference. This can be triggered in the device's "safely remove"
feature path and lead to a denial-of-service.


* Denial-of-service when configuring network scheduler.

A partially initialized object when configuring Random Early Detection
(RED) in network scheduler leads to a NULL pointer dereference and a
denial-of-service.


* Denial-of-service when destroying broadcast socket.

A use-after-free bug when destroying a broadcast socket could be
exploited by a malicious local user with CAP_NET_BROADCAST to cause
denial-of-service.


* Denial-of-service when establishing TCP connection.

A bug when retransmitting unacknowledged TCP packet in the TCP Fast Open
path triggers a kernel crash. A malicious local user can exploit this to
cause a denial-of-service.


* CVE-2018-1000204: Kernel information leak when performing SG_IO ioctl.

A vulnerability in the SCSI subsystem allows copying uninitialized
kernel memory to userspace. This could provide an attacker with
sensitive kernel information.


* Denial-of-service when sending data over OHCI USB driver.

A logic error when sending data over OHCI USB driver in buffered dma
mode could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service when removing USB device.

A double-free error in the DVB subsystem leads to kernel crash on USB
device removal causing a denial-of-service.


* Denial-of-service when mapping video device memory.

Incorrect address calculation when mapping device memory for reading
in the videobuf2 subsystem leads to kernel panic. This could allow an
unprivileged local user to cause a denial-of-service.


* CVE-2018-11506: Out-of-bounds stack write in SCSI ioctl handler.

An improperly-sized stack buffer was being used to hold ioctl
information. A malicious user could exploit this and potentially
overwrite data on the stack.


* CVE-2018-13405: Permissions bypass when creating file in SGID directory.

Creating an executable file in a setgid directory can result in the file
inheriting the directory's group and the setgid bit even when the creating
user is not a member of that group. This can be exploited to elevate
privileges if the directory is owned by a privileged group.


* CVE-2018-13094: NULL-pointer dereference when shrinking xfs inode.

When attempting to shrink an xfs inode for a file with corrupted
extended attributes, the non-existent attribute buffer might be
dereferenced, resulting in a denial-of-service.


* CVE-2018-12233: Out-of-bounds access using extended attributes with JFS filesystem.

An incorrect size for buffer allocation could lead to an out-of-bounds
access when changing attributes on a JFS file from user space. An
unprivileged user could use this flaw to cause a denial-of-service.


* CVE-2018-10881: Data corruption when using indirect blocks with ext4 filesystem.

A missing data zeroing when using indirect blocks with ext4 filesystem
could lead to data corruption or a kernel assert. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-11412: Out-of-bounds memory access from ext4 inode inline data.

A logic error in ext4 can result in incorrectly interpreting inline
inode data as an extended attribute. A local user with the ability to
mount an ext4 filesystem could use this flaw to access Kernel memory.


* CVE-2018-10840: Denial-of-service when operating on ext4 filesystem.

Failure to sanitize input when creating extended attribute in an ext4
filesystem leads to kernel crash when removing the attribute. An
attacker can mount a maliciously crafted filesystem image and operate on
it to cause a denial-of-service.


* CVE-2018-13406: Denial-of-service due to overflow in VESA BIOS Extensions (VBE 2.0+) framebuffer driver.

Failing to validate the size and number of entries of an array allocation
in the VESA BIOS Extensions 2.0 (uvesafb) framebuffer driver could result
in an integer overflow, an undersized allocation and a denial-of-service.


* CVE-2018-10323: NULL pointer dereference when converting extents-format to B+tree in XFS filesystem.

A logic error when converting extents-format to B+tree in XFS filesystem
could lead to a NULL pointer dereference. A local attacker could use
this flaw with a crafted XFS image to cause a denial-of-service.


* CVE-2018-5814: Denial-of-service when registering USB devices using USB/IP.

Locking errors when registering USB devices using USB/IP could lead to a
NULL pointer dereference and a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.


* Data race in vmxnet3 driver.

Lack of memory barrier results in incorrect ordering on memory access in
the vmxnet3 driver. This could lead to undefined behavior in the kernel.


* Denial-of-service when transmitting GRE packets.

A memory allocation failure when transmitting packets over a Generic
Routing Encapsulation (GRE) tunnel leads to a kernel panic. This could be
exploited by an attacker with the CAP_NET_ADMIN capability to cause a
denial-of-service.


* Use-after-free when scheduling a tasklet in DCCP driver.

A logic error when scheduling a tasklet in DCCP driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when accessing a dead Mellanox Connect-IB HCA MR.

A logic error when accessing a dead Mellanox Connect-IB HCA MR could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2018-12232: Denial-of-service in socket close()/fchownat() race.

A race condition between close() and fchownat() on a socket could result
in a NULL pointer dereference and kernel crash.  A local, unprivileged
user could use this flaw to crash the system.


* Kernel crash in Intel IXGBE PCI error recovery.

Failure to close the Ethernet device on PCI error recovery could result
in triggering a kernel assertion and crashing the system under specific
conditions.


* Invalid memory dereference in DCCP sockets.

Missing initialization of DCCP sockets could cause the use of an
uninitialized pointer when sending or receiving packets triggering
undefined behaviour or potentially crashing the system.


* Information leak in netfilter socket matching.

An out of bounds array access in the netfilter socket matching code
could result in leaking the contents of kernel stack memory.


* Use-after-free in Mellanox MLX4 port creation failure.

Incorrect error handling in the Mellanox MLX4 port creation code could
result in a dangling sysfs file which could trigger a kernel crash when
accessed.


* Kernel hang in loopback device over NFS.

Suboptimal locking in the loopback device could result in I/O stalls on
all loopback devices when a slow filesystem backing a loop device
stalled.


* Use-after-free in USB gadget request tracing.

Incorrect ordering of tracing and the USB gadget request free could
result in a use-after-free and kernel crash or potentially code
execution.


* Memory corruption in USB CDC ACM system resume.

A race condition in the USB CDC ACM driver when resuming a suspended
system could result in memory corruption or a kernel assertion failure.


* NULL pointer dereference in RealTek RTL8192U USB initialization.

A missing allocation check could result in a NULL pointer dereference
and kernel crash when probing failed.


* Deadlock in AMD cryptographic coprocessor debugfs setup.

Incorrect locking in the AMD CCP debugfs setup code could allow the
kernel to sleep in an atomic context resulting in deadlock.


* Privilege escalation in LSI MPT Fusion SAS queue allocation.

Incorrect bounds checks could result in an out-of-bounds write when a
system did not have all CPUs booted.  This could cause a kernel crash or
potentially, code execution.


* Use-after-free in QLogic FCoE offload timeouts.

Missing request timeout handling could result in a use-after-free and
kernel crash under specific conditions with a QLogic FCoE SCSI device.


* Incorrect clock programming in SYM53C8XX Version 2 SCSI support.

Integer underflow could result in an out-of-bounds access and using an
incorrect clock divider.  This could cause malfunction of the device.


* Kernel crash in Fusion MPT target info.

A missing bounds check could result in an out-of-bounds memory access
and kernel crash when getting the target info of a Fusion MPT device.


* Information leak in QLogic QEDI 25/40/100Gb iSCSI boot info.

Incorrect handling of string NULL termination could result in an
information leak of kernel memory when showing the QLogic boot device
information.


* NULL pointer dereference in AACRAID selftest failure.

Incorrect resource cleanup in the AACRAID device probing could result in
a NULL pointer dereference and kernel crash on selftest failure.


* Kernel crash in QLogic ISP4XXX SCSI host adapter register disconnect.

A race condition during rapid PCI/Register disconnect could result in a
kernel crash under specific conditions.


* NULL pointer dereference in QLogic QEDI 25/40/100Gb iSCSI port toggle.

A missing NULL pointer check could result in a kernel crash when
processing command cleanup during port toggle.


* Use-after-free in ASoC HDMI codec module unload.

A double free of the HDMI codec could result in dereferencing invalid
memory and a kernel crash on unload of the snd-soc-hdmi-codec module.


* Information leak in Conexant cx25821 probing.

Registration of too many Conexant cx25821 devices can result in an
out-of-bounds memory access and information leak or kernel crash.


* NULL pointer dereference in ST M41T80 RTC driver probing.

A race condition between device setup and interrupt registration could
result in processing an interrupt before the device driver was fully
setup.


* Use-after-free in Ricoh RP5C01 RTC registration.

A race condition when registering a Ricoh RP5C01 device could result in
a use-after-free and kernel crash.


* Memory corruption in QLogic QED network driver module unload.

Missing locking when unloading the QLogic QED device driver could result
in memory corruption and a kernel crash.


* Memory corruption in QLogic QED connection termination.

Race conditions when terminating a QLogic QED connection could result in
multiple frees to a single resource and memory corruption.


* CVE-2018-12904: Privilege escalation in nested VMX instructions.

Missing permissions checks when emulating VMX instructions for a nested
KVM guest could allow an unprivileged user in a nested guest to escalate
privileges or crash the L1 host.


* Deadlock in USB XHCI software interrupts.

Missing locking could result in deadlock during USB XHCI processing
under specific conditions.


* CVE-2018-1118: Information leak when creating a new message in vhost driver.

A missing initialization of a variable passed to user space when
creating a new message in vhost driver could lead to an information
leak. A local attacker could use this flaw to get information about
running kernel and facilitate an attack.


* Improved fix for CVE-2018-3639: Correctly enable SSB on Xen PV guests.

The speculative store bypass fixes for Spectre variant 4 are not
correctly enabled on Xen Paravirtualization guest machines.


* Race condition between lookup and remove in Amiga Fast File System.

Missing locking on the directory inode in the Amiga Fast File System
could leave the pointer to the directory entry pointing into freed
memory, potentially allowing an attacker to cause a denial-of-service or
other unspecified impact.


* Race condition in generic filesystem asynchrony provider.

Incorrect synchronization when queueing asynchronous work in the generic
filesystem backend could in rare cases leave dangling references to
freed memory, potentially causing a denial-of-service or memory
corruption.


* DMA memory exhaustion in Xen software IO TLB.

A logic error when releasing memory from the Xen software IO TLB could
result in failing to return all DMA capable memory to the allocator.
This could block Xen from creating new domains under specific
conditions.


* NULL-pointer dereference in Intel Omni-Path Architecture driver PSM module.

In rare circumstances, the PSM module of the Intel Omni-Path
Architecture can attempt to send a bad packet, triggering an improperly
synchronized error path and resulting in a NULL-pointer dereference.


* NULL-pointer dereference in Infiniband userspace RDMA system.

A race condition in the Infiniband user-mapped RDMA subsystem might
result in a NULL-pointer dereference, allowing a malicious user to cause
a denial-of-service.


* Updated fix for CVE-2017-5753: Spectre attack on getrlimit syscall.

The 'resource' parameter of the getrlimit syscall is vulnerable to a
Spectre variant 1 speculative execution attack.
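The "sanitization of an array index after its bounds check" that the Spectre variant 1 entries above (ATM LAN emulation, scheduler interface, perf, and this getrlimit entry) refer to, as an added example that is not Ksplice or Linux kernel code. The mask formula is the kernel's generic array_index_mask_nospec(); the rlim_table contents, the RLIM_NLIMITS value and the two lookup functions are constructed stand-ins for getrlimit()'s per-process rlim[] array. A test can only confirm the architectural behaviour (the clamp), not the absence of the speculative leak; what it shows is that after the mask an out-of-range index can never reach the load, even transiently.

```c
#include <stdio.h>
#include <limits.h>

/*
 * Added example (not Ksplice/kernel code): the branch-free index clamp the
 * kernel applies after a bounds check to close Spectre v1 windows.
 */

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define RLIM_NLIMITS  16UL   /* assumed table size for this example */

/* All ones when index < size, all zeros otherwise, computed without a
 * conditional branch so the CPU has nothing to mispredict. Relies on the
 * arithmetic right shift of a negative long, as the kernel does, and on
 * size < 2^(BITS_PER_LONG-1). */
unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp: in-range indexes pass through, out-of-range ones become 0. */
#define array_index_nospec(index, size) \
    ((index) & array_index_mask_nospec((unsigned long)(index), (unsigned long)(size)))

/* Constructed per-resource limits standing in for the real rlim[] array. */
static long rlim_table[RLIM_NLIMITS] = {
    4096, 8192, 1024, 65536, 0, 0, 0, 1024, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Vulnerable pattern: the branch protects architectural execution only.
 * With a mistrained predictor the load rlim_table[resource] can execute
 * speculatively with an attacker-chosen out-of-range index, and the cache
 * footprint of that load is observable afterwards. */
long getrlimit_unsafe(unsigned long resource)
{
    if (resource >= RLIM_NLIMITS)
        return -1;
    return rlim_table[resource];
}

/* Hardened pattern: after the check, clamp the index with the mask so the
 * speculative load can only touch rlim_table[0 .. RLIM_NLIMITS-1]. */
long getrlimit_safe(unsigned long resource)
{
    if (resource >= RLIM_NLIMITS)
        return -1;
    resource = array_index_nospec(resource, RLIM_NLIMITS);
    return rlim_table[resource];
}

int main(void)
{
    unsigned long probes[] = { 0, 3, 15, 16, 1000, ULONG_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %lu -> mask %#lx, clamped %lu\n", probes[i],
               array_index_mask_nospec(probes[i], RLIM_NLIMITS),
               (unsigned long)array_index_nospec(probes[i], RLIM_NLIMITS));
    return 0;
}
```

Both lookups return -1 for an out-of-range resource architecturally; the difference is only visible to a speculating CPU, which is why the mask has to be data-dependent arithmetic rather than another branch.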


* Denial-of-service when using buffered I/O on top of bcache device.

A logic error when using buffered I/O on top of bcache device could lead
to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* Kernel crash when creating RDS-over-IPv6 sockets.

Due to incorrect module reference counting, it was possible to unload
the IPv6 module while there were still RDS-over-IPv6 sockets in use.


* CVE-2018-1068: Privilege escalation when configuring bridge filtering.

Lack of input validation when configuring bridge filtering from a 32-bit
compat syscall could lead to an out-of-bounds write. Unprivileged users
with the ability to create namespaces could use this flaw to escalate
privileges.


* Denial-of-service when sending vlan packets without headers.

A logic error when sending vlan packets without headers could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in network BPF cleanup.

Incorrect error handling when validating a BPF program could result in a
NULL pointer dereference and kernel crash.  A local, privileged user
could use this flaw to crash the system.


* NULL-pointer dereference when removing SCSI device during access.

When removing a SCSI device from the system during load, the SCSI driver
might hold unprotected references to the device structure, potentially
allowing it to be freed and a NULL-pointer dereference to occur.


* NULL-pointer dereference in BTRFS when traversing recovery log tree.

When traversing the BTRFS recovery log tree, an unexpected error could
result in a NULL-pointer dereference and denial-of-service.


* Deadlock in BTRFS when allocating subvolume for writing.

In rare cases, allocating a BTRFS subvolume for write could cause a lock
order reversal, resulting in a system deadlock if an interrupt occurred.


* Incorrect struct offset in Intel Software Trace Hub causes denial-of-service.

When probing an Intel Software Trace Hub, the hub structure is improperly cast
from a pointer to another Intel Trace Hub device, causing memory
corruption or a denial-of-service.


* NULL-pointer dereference in Qualcomm Atheros driver when changing bitrate.

Changing the state of the Qualcomm Atheros driver (for example by updating
the supported bitrates) can in rare cases race with an internal worker
thread, causing a NULL-pointer dereference and denial-of-service.


* Denial-of-service when fallocating large f2fs file with zero_range.

When calling fallocate() on a large (16K) file on a Flash-Friendly File
System with zero_range and keep_size set, the file's flags are
improperly set, resulting in a later kernel crash and denial-of-service.


* NULL-pointer dereference when f2fs mounted with noextent_cache.

If a Flash-Friendly File System is mounted with the noextent_cache
option, various file operations might try to access the nonexistent
extent cache pointer, resulting in a NULL-pointer dereference and
denial-of-service.


* Privilege escalation in radix tree deletion.

Missing NULL pointer checks in the radix tree deletion code could result
in dereferencing an uninitialized pointer.  A local, unprivileged user
could use this flaw to crash the system or potentially, escalate
privileges.


* Integer overflow in kernel pointer ring buffer.

An integer overflow in the kernel pointer ring buffer code could result
in an undersized allocation and invalid memory dereference leading to a
crash.


* Denial-of-service in kernel TLS sockets initialization vector.

An incorrect memcpy could cause the kernel to copy the incorrect IV to
user-space and result in incorrect encryption or decryption operations.


* Kernel crash with duplicate Infiniband uverbs ioctl attributes.

Incorrect handling of uverbs attributes could result in an invalid
pointer dereference.  A local, privileged user could use this flaw to
crash the system or, potentially, escalate privileges.


* Deadlock in Infiniband uverbs RDMA destruction.

Missing unlocking in the Infiniband uverbs RDMA destruction could result
in unbalanced locks and deadlock, preventing I/O.


* Use-after-free in network transformation policy resolution.

Incorrect locking in the network transformation policy subsystem could
result in a use-after-free and kernel crash under specific conditions.


* Use-after-free in Broadcom Netxtreme HCA module unload.

Failure to flush a workqueue on module unload could result in running
work after the module was no longer present and crashing the system.


* Use-after-free in NFSv4 migration failure.

Incorrect handling of migration failure on an NFSv4 mount could result
in a use-after-free and kernel crash under specific conditions.


* Use-after-free in MACVLAN network adapter creation.

Incorrect link creation could result in incorrect destruction of a
MACVLAN device and a subsequent use-after-free and kernel crash under
specific conditions.


* Missing KVM events in nested Intel hypervisors.

Specific KVM events would not be correctly injected into an L2
hypervisor, resulting in missing events and guest corruption.


* Livelock in filesystem dentry allocation and addition.

A livelock in the filesystem code could result in a hang on a
multiprocessor system under specific loads, causing the system to
become unresponsive.


* NULL pointer dereference in RAID 1 during replacement.

Incorrect handling of device removal during RAID 1 disk replacement
could result in a NULL pointer dereference and kernel crash.


* Use-after-free in IPv4 netfilter CLUSTERIP error.

Incorrect reference counting in the IPv4 netfilter CLUSTERIP code could
result in a use-after-free and kernel crash during error handling.


* Denial-of-service in ceph filesystem options parsing.

Missing resource frees when processing duplicate option strings could
result in a memory leak.  A local user with permission to mount
filesystems could use this flaw to exhaust system memory.


* NULL pointer dereference in Xen pvcalls backend.

Incorrect NULL pointer handling could result in a NULL pointer
dereference and kernel crash when failing to connect a pvcalls backend
on a Xen paravirtualized guest.


* Use-after-free in Broadcom Netxtreme HCA registration failure.

Failure to release all resources after failing to register a Broadcom
Netxtreme HCA device could result in a use-after-free and kernel crash.


* BTRFS filesystem replay failure on power loss during fsync.

Incorrect handling of the replay log could result in failure to repair
and mount a BTRFS filesystem after power loss during fsync.


* Private information disclosure in iwlwifi multicast frames.

Incorrect handling of multicast frames could result in transmitting the
frames without encryption, leaking potentially sensitive data in
specific conditions.


* Use-after-free in QLogic RoCE queue polling.

Missing locking could result in dereferencing a stale pointer and a
use-after-free when polling a command queue.  Under specific conditions
this could trigger a kernel panic.


* Connection loss in QLogic RoCE IPv4 GIDs.

Incorrect initialization of GIDs on a QLogic RoCE device could result in
GID corruption and loss of an IPv4 connection.


* Use-after-free in SMSC Ethernet adapter module unload.

Failure to unregister network devices before unregistering the physical
layer could result in a use-after-free and kernel crash when removing the
smsc911x module.


* NULL pointer dereference in Infiniband core initialization.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when initializing an Infiniband device.


* Use-after-free in network transformation error handler.

Incorrect locking in the transformation error handling function could
result in a use-after-free and kernel crash.  A local user with network
admin privileges could use this flaw to crash the system.


* Kernel crash in iwlwifi link aggregation setup.

Incorrect error handling during link aggregation setup could result in
an out-of-bounds array access and kernel crash.


* Traffic control modification failure in network scheduler.

Multiple problems in the traffic control subsystem error handling could
result in failure to modify traffic control rules.


* NULL pointer dereference in QLogic QED Ethernet doorbell writes.

Missing barriers could result in a QLogic QED Ethernet device seeing
stale memory contents and triggering a NULL pointer dereference under
specific conditions.


* Kernel hang in memory page owner setting.

Incorrect recursion checking when setting the memory page owner could
result in an infinite loop under low memory conditions and a kernel
hang.


* Information leak in IEEE802154 Cascoda CA8210 writes.

Missing initialization of a stack buffer could allow an unprivileged
user to leak the contents of the kernel stack when writing to a
Cascoda CA8210 device.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
