[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (USN-3931-1)

Jamie Iles jamie.iles at oracle.com
Wed Apr 10 07:15:27 PDT 2019


Synopsis: USN-3931-1 can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2018-14678 CVE-2018-19824 CVE-2019-3459 CVE-2019-3460 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-7308 CVE-2019-8912 CVE-2019-8980 CVE-2019-9213

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3931-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
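A small check that a practitioner might script around this procedure, added here as an example and not taken from the announcement or from the Ksplice tools themselves: it reads the autoinstall key from uptrack.conf and reports whether the host will patch itself or needs the manual command above. It assumes the key sits in /etc/uptrack/uptrack.conf in the "autoinstall = yes" form shown, and that uptrack-show (a standard Uptrack tool not mentioned in this notice) is available to confirm what has been applied.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement: work out whether a host
# will pick these updates up on its own (autoinstall = yes) or needs the manual
# "uptrack-upgrade -y" from the announcement, then list what is applied.
# Assumptions: the key lives in /etc/uptrack/uptrack.conf as "autoinstall = yes",
# INI section headers are ignored, and the last occurrence of the key wins.

# uptrack_autoinstall_enabled FILE: exit 0 when autoinstall is "yes", else 1.
# Comment lines (# or ;) and trailing comments are dropped first, so a
# commented-out "# autoinstall = yes" does not count as enabled.
uptrack_autoinstall_enabled() {
    value=$(sed -n \
        -e 's/[[:space:]]*[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' \
        "$1" 2>/dev/null | tail -n 1 | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//')
    [ "$value" = "yes" ]
}

# ksplice_update_action FILE: print "automatic" when nothing needs doing,
# otherwise the command from the announcement that applies the updates.
ksplice_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Demo on a constructed config (not a real host's file): the enabling line is
# commented out and the live value is "no", so this host needs the manual run.
demo_ksplice() {
    tmp=$(mktemp)
    printf '%s\n' '[Settings]' '# autoinstall = yes' 'autoinstall = no  ; set by ops' > "$tmp"
    ksplice_update_action "$tmp"
    rm -f "$tmp"
    # Where Uptrack is installed, uptrack-show lists the applied updates so the
    # CVEs in this notice can be confirmed as patched (stock Ksplice tool).
    command -v uptrack-show >/dev/null 2>&1 && uptrack-show
    return 0
}
```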


DESCRIPTION

* CVE-2019-8912: Use-after-free when releasing a socket.

A logic error when releasing a socket could lead to a use-after-free. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2019-6974: Use-after-free in KVM device creation.

A reference count manipulation error when creating a KVM device can result in
an early free, leading to a use-after-free. A local user with access to KVM
could use this flaw to cause a kernel crash or potentially escalate privileges.


* CVE-2019-7221: Use-after-free in nested KVM preemption timer.

A failure to cancel a nested KVM timer before freeing it can result in a
use-after-free. A guest VM could use this flaw to crash the host.


* CVE-2019-7222: Information disclosure in KVM VMX emulation.

Incorrectly handling a page fault exception while emulating VMX instructions
can result in leaking host stack information to a guest. A guest VM could use
this flaw to facilitate a further attack on the host.


* Information leak in IPv6 raw sockets with IP(V6)_ORIGDSTADDR.

A specially crafted IPv6 packet could force the IPv6 code to read beyond
the end of a buffer, causing a potential information leak of kernel
memory.


* Denial-of-service in IP skbuff error handling.

A logic error in the handling of errors in the skbuff code could lead
to a NULL pointer dereference, and subsequent kernel panic.  This could
be used to cause a denial-of-service.


* Denial-of-service in Linux Screen Reader speakup read.

A logic error in the read function on the speakup driver could result
in unbounded kernel memory writes, causing memory corruption and a kernel
crash.  A malicious user could use this to cause a denial-of-service.


* Information leak when forking a process.

A failure to zero the stack used for a newly forked process could lead to an
information leak from the heap. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* Denial-of-service in event trigger tracing.

A flaw in the trace_events code could lead to a double free
of memory, leading to memory corruption and possible kernel
panic.  A malicious user could exploit this to cause a
denial-of-service.


* Information leak in trace code when creating kthreads.

A race condition in the kthread code could allow an unterminated string
to be printed into the task structure, potentially leaking memory into
other threads.  This could lead to an information leak or memory corruption
and possible kernel panic.


* Use-after-free in NFSv4 device info decode.

A specifically crafted request with a malformed xdr array from an NFSv4
client could result in a use-after-free condition and possible kernel
crash.  A malicious client could exploit this to cause a denial-of-service.


* Information leak in /proc pagemap swap entries.

A missing security check in the mm code could allow unprivileged
users to view pagemap swap entries, allowing an unprivileged user
access to information about the memory of another process.


* Denial-of-service in Intel Wireless driver receive buffer allocation.

A race condition in the Intel PCIe wireless driver when the receive buffer
allocator is run at the same time as the receive init function could result
in memory corruption and a kernel panic.  This could be used to cause a
denial-of-service.


* Denial-of-service in sysfs PCI device disable.

A failure to verify if a device still has a driver attached or not
when sysfs disables a device could lead to an inconsistent system
state for the device driver, leading to possible memory corruption or
kernel panic.  This could be exploited by a malicious user to cause
a denial-of-service.


* Use-after-free in NVMe RDMA admin queue start.

A failure to properly handle error conditions in the nvme rdma code
during the creation of the nvme rdma admin queue could lead to a
use-after-free condition, causing memory corruption and possible kernel
panic.


* Denial-of-service in Marvell mwifiex histogram data.

A logic error when entering the histogram data for the mwifiex
driver could result in a buffer underflow, leading to memory
corruption or a kernel panic.  This could be used to cause a
denial-of-service.


* Denial-of-service in pty character insert with multiple threads.

A race condition in the pty code could allow multiple threads to insert
input characters at the same time, leading to an out-of-bounds memory
write, causing memory corruption and kernel panic.  A malicious user could
use this to cause a denial-of-service.


* Denial-of-service in SCSI 3ware chrdev ioctl.

A missing privilege check in the scsi 3ware driver code could
allow a user without sufficient privileges to pass user memory
into the ioctl and then manipulate the memory, potentially causing
memory corruption and a kernel panic.  This could be used for a
denial-of-service attack.


* Denial-of-service in SCSI QLogic QEDF Virtual Port removal.

A failure to signal that a vport is being removed in the qedf driver code
could allow requests made during the time a vport is being removed to get
stuck and never return.  This could be used to cause a denial-of-service.


* Information leak in crypto IPsec authenc key setting.

A failure to initialize memory when setting up authenc keys in the
crypto code could leak pointers to the authenc keys.


* Denial-of-service with corrupt squashfs image.

A failure to properly deal with metadata corruption in squashfs could
result in a kernel oops.  This could be exploited for a denial-of-service.


* Denial-of-service in PMEM namespace removal.

A missing check in the memory remapping code could lead to a
General Protection Fault when removing a pmem namespace that
is smaller than the section size.  This could be used to cause a
denial-of-service.


* Denial-of-service in fork with large number of Virtual Memory Areas.

If a process with a large number of Virtual Memory Areas (VMAs) is being
forked when selected by the OOM killer it may block the OOM killer from
properly being able to kill it and reclaim the memory.  This could be used
to cause a denial-of-service.


* Use-after-free in ceph statfs.

A race condition in the ceph code could allow a use-after-free when
calling ceph-statfs.  This could be exploited to cause a denial-of-service.


* Denial-of-service in LightNVM pblk error handling.

Logic errors in the lightnvm pblk code could lead to memory
corruption and system crash.  A malicious user could use this to
cause a denial-of-service.


* Denial-of-service while reading TPC stats in the ath10k driver.

A logic error in the ath10k driver could result in writing past the
end of an array while reading TPC stats, leading to memory corruption
and kernel panic.  This could be exploited to cause a denial-of-service.


* CVE-2019-3459: Information leak when processing L2CAP options controlled by an attacker.

Missing checks on option lengths when processing L2CAP options could lead
to an information leak. A local attacker could use this flaw to leak
information about the running kernel and facilitate an attack.


* CVE-2018-19824: Use-after-free when registering a malicious USB audio device.

Incorrect error handling when registering a malicious USB audio device
exposing zero interfaces could lead to a use-after-free. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2018-14678: Privilege escalation in Xen PV guests.

Incorrect register accounting during paravirtualized failsafe callbacks
could result in the use of uninitialized memory and a kernel crash or
potentially escalation of privileges in a paravirtualized guest.


* CVE-2019-8980: Denial-of-service in kernel read file implementation.

A failure to free memory after a read error can result in a memory leak. A
local user could use this flaw to exhaust system memory, leading to a kernel
crash.


* CVE-2019-3460: Information leak when parsing L2CAP options received from userspace.

Missing checks when parsing L2CAP options received from userspace could
lead to an information leak. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* CVE-2019-9213: Bypass of mmap_min_addr restriction.

An incorrect capability check in the mmap memory expansion implementation can
result in applications being able to bypass the minimum mmap address
restriction. A local user on a system without SMAP enabled could use this flaw
to exploit kernel NULL pointer dereferences.


* Use-after-free of socket buffer in crypto API core.

The crypto module's alg_do_release function fails to zero out a pointer
to a socket structure after that structure is freed.  This can lead to a
use-after-free scenario, which can result in unexpected behavior,
including a potential kernel panic.


* Improved fix to CVE-2017-5753: Speculative execution in eBPF programs.

Missing checks in the eBPF verifier could result in speculative memory
accesses allowing a user with the ability to load eBPF programs to leak
the contents of sensitive memory.


* CVE-2019-7308: Out-of-bounds speculation in BPF verifier.

The BPF verifier can attempt to perform out-of-bounds speculation on
pointer arithmetic, creating a potential vector for side-channel
attacks.


* Information leak when doing pointer subtraction in eBPF.

A missing check when doing pointer subtraction in eBPF as an unprivileged
user could leak a kernel memory address. A local attacker could use this
flaw to leak information about the running kernel and facilitate an attack.


* Out-of-bounds access when creating a new netfilter set element.

A missing check when creating a new netfilter set element could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when creating new ipsets.

A logic error when creating new ipsets could exhaust kernel memory. A
local attacker in an unprivileged container could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
