[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (4.15.0-34.37)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Sep 25 03:53:45 PDT 2018


Synopsis: 4.15.0-34.37 can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2018-1068 CVE-2018-1118

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.15.0-34.37.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2018-1118: Information leak when creating a new message in vhost driver.

A missing initialization of a variable passed to user space when
creating a new message in the vhost driver could lead to an information
leak. A local attacker could use this flaw to get information about the
running kernel and facilitate an attack.


* Race condition between lookup and remove in Amiga Fast File System.

Missing locking on the directory inode in the Amiga Fast File System
could leave the pointer to the directory entry pointing into freed
memory, potentially allowing an attacker to cause a denial-of-service or
other unspecified impact.


* Race condition in generic filesystem asynchronous work provider.

Incorrect synchronization when queueing asynchronous work in the generic
filesystem backend could in rare cases leave dangling references to
freed memory, potentially causing a denial-of-service or memory
corruption.


* DMA memory exhaustion in Xen software IO TLB.

A logic error when releasing memory from the Xen software IO TLB could
result in failing to return all DMA-capable memory to the allocator.
This could block Xen from creating new domains under specific
conditions.


* NULL-pointer dereference in Intel Omni-Path Architecture driver PSM module.

In rare circumstances, the PSM module of the Intel Omni-Path
Architecture can attempt to send a bad packet, triggering an improperly
synchronized error path and resulting in a NULL-pointer dereference.


* Updated fix for CVE-2017-5753: Spectre attack on getrlimit syscall.

The 'resource' parameter of the getrlimit syscall is vulnerable to a
Spectre variant 1 speculative execution attack.


* Denial-of-service when using buffered I/O on top of bcache device.

A logic error when using buffered I/O on top of a bcache device could lead
to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* Kernel crash when creating RDS-over-IPv6 sockets.

Due to incorrect module reference counting, it was possible to unload
the IPv6 module while there were still RDS-over-IPv6 sockets in use.


* CVE-2018-1068: Privilege escalation when configuring bridge filtering.

Lack of input validation when configuring bridge filtering from a 32-bit
compat syscall could lead to an out-of-bounds write.  Unprivileged users
with the ability to create namespaces could use this flaw to escalate
privileges.


* Denial-of-service when sending vlan packets without headers.

A logic error when sending vlan packets without headers could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in network BPF cleanup.

Incorrect error handling when validating a BPF program could result in a
NULL pointer dereference and kernel crash.  A local, privileged user
could use this flaw to crash the system.


* NULL-pointer dereference when removing SCSI device during access.

When removing a SCSI device from the system during load, the SCSI driver
might hold unprotected references to the device structure, potentially
allowing it to be freed and a NULL-pointer dereference to occur.


* NULL-pointer dereference in BTRFS when traversing recovery log tree.

When traversing the BTRFS recovery log tree, an unexpected error could
result in a NULL-pointer dereference and denial-of-service.


* Deadlock in BTRFS when allocating subvolume for writing.

In rare cases, allocating a BTRFS subvolume for write could cause a lock
order reversal, resulting in a system deadlock if an interrupt occurred.


* Incorrect struct offset in Intel Software Trace Hub causes denial-of-service.

When probing an Intel Software Trace Hub, the hub structure is improperly cast
from a pointer to another Intel Trace Hub device, causing memory
corruption or a denial-of-service.


* NULL-pointer dereference in Qualcomm Atheros driver when changing bitrate.

Changing the state of the Qualcomm Atheros driver (for example by updating
the supported bitrates) can in rare cases trigger a race with an
internal worker thread that causes a NULL-pointer dereference and
denial-of-service.


* Denial-of-service when fallocating large f2fs file with zero_range.

When calling fallocate() on a large (16K) file on a Flash-Friendly File
System with zero_range and keep_size set, the file's flags are
improperly set, resulting in a later kernel crash and denial-of-service.


* NULL-pointer dereference when f2fs mounted with noextent_cache.

If a Flash-Friendly File System is mounted with the noextent_cache
option, various file operations might try to access the nonexistent
extent cache pointer, resulting in a NULL-pointer dereference and
denial-of-service.


* Privilege escalation during radix tree deletion.

Missing NULL pointer checks in the radix tree deletion code could result
in dereferencing an uninitialized pointer.  A local, unprivileged user
could use this flaw to crash the system or potentially escalate
privileges.


* Integer overflow in kernel pointer ring buffer.

An integer overflow in the kernel pointer ring buffer code could result
in an undersized allocation and invalid memory dereference leading to a
crash.


* Denial-of-service in kernel TLS sockets initialization vector.

An incorrect memcpy could cause the kernel to copy the incorrect IV to
user-space and result in incorrect encryption or decryption operations.


* Kernel crash with duplicate Infiniband uverbs ioctl attributes.

Incorrect handling of uverbs attributes could result in an invalid
pointer dereference.  A local, privileged user could use this flaw to
crash the system or potentially escalate privileges.


* Deadlock in Infiniband uverbs RDMA destruction.

Missing unlocking in the Infiniband uverbs RDMA destruction could result
in unbalanced locks and deadlock, preventing I/O.


* Use-after-free in network transformation policy resolution.

Incorrect locking in the network transformation policy subsystem could
result in a use-after-free and kernel crash under specific conditions.


* Use-after-free in Broadcom Netxtreme HCA module unload.

Failure to flush a workqueue on module unload could result in running
work after the module was no longer present and crashing the system.


* Use-after-free in NFSv4 migration failure.

Incorrect handling of migration failure on an NFSv4 mount could result
in a use-after-free and kernel crash under specific conditions.


* Use-after-free in MACVLAN network adapter creation.

Incorrect link creation could result in incorrect destruction of a
MACVLAN device and a subsequent use-after-free and kernel crash under
specific conditions.


* Missing KVM events in nested Intel hypervisors.

Specific KVM events would not correctly be injected to an L2 hypervisor
resulting in missing events and guest corruption.


* Livelock in filesystem dentry allocation and addition.

A livelock in the filesystem code could result in a hang on a
multiprocessor system under specific loads, causing the system to
become unresponsive.


* NULL pointer dereference in RAID 1 during replacement.

Incorrect handling of device removal during RAID 1 disk replacement
could result in a NULL pointer dereference and kernel crash.


* Use-after-free in IPv4 netfilter CLUSTERIP error.

Incorrect reference counting in the IPv4 netfilter CLUSTERIP code could
result in a use-after-free and kernel crash during error handling.


* Denial-of-service in ceph filesystem options parsing.

Missing resource frees when processing duplicate option strings could
result in a memory leak.  A local user with permission to mount
filesystems could use this flaw to exhaust system memory.


* NULL pointer dereference in Xen pvcall backend.

Incorrect NULL pointer handling could result in a NULL pointer
dereference and kernel crash when failing to connect a pvcalls backend
on a Xen paravirtualized guest.


* Use-after-free in Broadcom Netxtreme HCA registration failure.

Failure to release all resources after failing to register a Broadcom
Netxtreme HCA device could result in a use-after-free and kernel crash.


* BTRFS filesystem replay failure on power loss during fsync.

Incorrect handling of the replay log could result in failure to repair
and mount a BTRFS filesystem after power loss during fsync.


* Private information disclosure in iwlwifi multicast frames.

Incorrect handling of multicast frames could result in transmitting the
frames without encryption, leaking potentially sensitive data in
specific conditions.


* Use-after-free in QLogic RoCE queue polling.

Missing locking could result in dereferencing a stale pointer and a
use-after-free when polling a command queue.  Under specific conditions
this could trigger a kernel panic.


* Connection loss in QLogic RoCE IPv4 GIDs.

Incorrect initialization of GIDs on a QLogic RoCE device could result in
GID corruption and loss of an IPv4 connection.


* Use-after-free in SMSC Ethernet adapter module unload.

Failure to unregister network devices before unregistering the physical
layer could result in a use-after-free and kernel crash when removing the
smsc911x module.


* NULL pointer dereference in Infiniband core initialization.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when initializing an Infiniband device.


* Use-after-free in network transformation error handler.

Incorrect locking in the transformation error handling function could
result in a use-after-free and kernel crash.  A local user with network
admin privileges could use this flaw to crash the system.


* Kernel crash in iwlwifi link aggregation setup.

Incorrect error handling during link aggregation setup could result in
an out-of-bounds array access and kernel crash.


* Traffic control modification failure in network scheduler.

Multiple problems in the traffic control subsystem error handling could
result in failure to modify traffic control rules.


* NULL pointer dereference in QLogic QED Ethernet doorbell writes.

Missing barriers could result in a QLogic QED Ethernet device seeing
stale memory contents and triggering a NULL pointer dereference under
specific conditions.


* Kernel hang in memory page owner setting.

Incorrect recursion checking when setting the memory page owner could
result in an infinite loop under low memory conditions and a kernel
hang.


* Information leak in IEEE802154 Cascoda CA8210 writes.

Missing initialization of a stack buffer could result in leaking the
contents of the kernel stack by an unprivileged user when writing to a
Cascoda CA8210 device.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
