[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (USN-3871-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Feb 6 11:32:10 PST 2019


Synopsis: USN-3871-1 can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2018-10876 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880 CVE-2018-10882 CVE-2018-10883 CVE-2018-14625 CVE-2018-16882 CVE-2018-17972 CVE-2018-18281 CVE-2018-19407 CVE-2018-9516

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3871-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Improved fix for CVE-2017-5753: Speculative execution in array accesses.

The current fix for CVE-2017-5753 fails to correctly disable compiler
optimization, which results in some array accesses not being correctly
protected against speculative execution attacks.


* Memory corruption in ALSA Dynamic Power Management driver.

When unloading an ALSA audio device that uses the Dynamic Power
Management feature, the device is not removed from the global list
before being freed. This can result in memory corruption or a
denial-of-service.


* Possible denial-of-service when multiple console writes race.

If multiple threads call the kernel console message utility
printk_safe_log_store() simultaneously, the re-use of local variables
might result in a kernel oops and denial-of-service.


* Use-after-free in FUSE when failing to create superblock.

If an error occurs while creating a Filesystem in Userspace superblock
after the connection to the FUSE service is made, the connection is not
torn down, resulting in a use-after-free and potential denial-of-service
when the superblock is freed.


* NULL-pointer dereference in FUSE when failing to create inode.

If inode creation fails for a Filesystem in Userspace file, the
connection teardown to the FUSE service might improperly try to clean up
the non-existent inode, resulting in a NULL-pointer dereference and
denial-of-service.


* Out-of-bounds write in Device Tree overlay when resolving new devices.

When resolving a new Device Tree overlay, the device's property offsets
are not properly validated, potentially resulting in an out-of-bounds
write.


* Use-after-free in Trusted Platform Module context load.

In certain error cases, attempting to load the context structure for an
Intel Trusted Platform Module 2.0 device will result in use-after-free,
potentially causing a denial-of-service.


* Race condition in Trusted Platform Module common write function.

Missing locking in the Trusted Platform Module common write code could
allow two simultaneous TPM device accesses to overwrite each other's
data, potentially resulting in a denial-of-service or other unspecified
behavior.


* Invalid assertion in RDMA over InfiniBand causes denial-of-service.

An invalid assertion could in rare cases cause a kernel panic and
denial-of-service when an unknown work request was received through a
management datagram (MAD).


* Stack corruption in NFSv4 idmapper verification with large uid.

When attempting to verify a uid or gid above 2147483647 in the NFSv4
idmapper code, a single NULL-byte will be written out-of-bounds on the
stack, resulting in a kernel panic and denial-of-service.

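The following added example (not Oracle's or the kernel's code) shows the buffer-sizing mistake that produces exactly one stray NUL byte at the INT_MAX boundary described above. It assumes, as the 2147483647 threshold suggests, an 11-byte buffer sized for an unsigned 32-bit id ("%u") that is instead written with a signed conversion ("%d"): "-2147483648" is already 11 characters, so the terminator lands one byte past the buffer. The measurement uses snprintf with a zero-length buffer so nothing is actually overflowed, and id_to_str() is the bounded, return-value-checked form a practitioner would want in its place. The sample ids are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed buffer size: 10 decimal digits for a 32-bit id plus the NUL, the
 * natural size for "%u". The advisory only states the threshold
 * (2147483647, i.e. INT_MAX) and that a single NUL byte lands past the end.
 */
#define ID_STR_MAXLEN 11

/* Bytes needed (including the NUL) to format id with the given conversion.
 * snprintf with a zero-length buffer only measures; nothing is written. */
static size_t id_bytes_needed(uint32_t id, bool as_signed)
{
    int n = as_signed ? snprintf(NULL, 0, "%d", (int32_t)id)
                      : snprintf(NULL, 0, "%u", id);
    return (size_t)n + 1;
}

/* How many bytes a signed conversion of id would write past a buffer of
 * ID_STR_MAXLEN bytes: 0 for ids up to INT_MAX, 1 (the NUL) just above it,
 * because "-2147483648" is already 11 characters long. */
static size_t signed_overflow_bytes(uint32_t id)
{
    size_t need = id_bytes_needed(id, true);
    return need > ID_STR_MAXLEN ? need - ID_STR_MAXLEN : 0;
}

/* Hardened conversion: unsigned format, bounded write, and the snprintf
 * return value checked so truncation is an error instead of silent. */
static bool id_to_str(uint32_t id, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%u", id);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen)
            buf[0] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample ids around the INT_MAX boundary. */
    uint32_t ids[] = { 1000, 2147483647u, 2147483648u, 4294967295u };
    char buf[ID_STR_MAXLEN];

    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        bool ok = id_to_str(ids[i], buf, sizeof buf);
        printf("id %u: signed needs %zu bytes (overflow %zu), unsigned needs "
               "%zu, id_to_str -> %s\n", ids[i], id_bytes_needed(ids[i], true),
               signed_overflow_bytes(ids[i]), id_bytes_needed(ids[i], false),
               ok ? buf : "truncated");
    }
    return 0;
}
```

Note that the overflow is exactly one byte only while the negative rendering has ten digits; ids far above 2147483648 render as short negative numbers again, which is why the bug is easy to miss with casual testing.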

* NULL-pointer dereference due to race condition in Ceph backend task.

A race condition when canceling tasks in the Ceph RADOS block backend
might cause a work queue structure to be dereferenced after being
destroyed, resulting in a NULL-pointer dereference and
denial-of-service.


* Denial-of-service in UDF filesystem with incorrect directory size.

If a directory on a UDF filesystem reports a size larger than its actual
size when being read, the entry could become further corrupted or the
read could result in a denial-of-service.


* Improved fix for stack overflow in Elan I2C/SMBus touchpad driver.

Incorrectly sized stack structures in the Elan I2C/SMBus touchpad driver
could potentially allow overwriting stack values when initializing or
calibrating the device.


* Denial-of-service when formatting filesystem while using DM-MPIO.

Removing a file on a DM Multipath device while in the process of cloning
the device can result in a race condition and denial-of-service.


* Deadlock with XFS and zoned block device mapper.

Calling fs_reclaim on an XFS filesystem backed by a dm-zoned block
device could result in a lock order reversal, causing a hang and
denial-of-service.


* Denial-of-service with DesignWare USB2 controller driver port bitmap.

Incorrectly applying the port bitmap for a DesignWare High-Speed USB2
Controller device could cause an out-of-bounds write and kernel panic. A
malicious device could exploit this flaw to cause a denial-of-service.


* Information leak in virtual terminal screen buffer allocation.

When creating a virtual terminal device, the memory for the screen
buffer is not properly sanitized, potentially exposing kernel memory to
userspace.


* Denial-of-service in netfilter tables -EBUSY error handling.

A logic error in the netfilter nf_tables code could lead to a memory leak,
which could be exploited to cause a denial-of-service.


* NULL pointer dereference in Netfilter tables counter reset.

A logic error in the netfilter code could result in a NULL pointer
dereference and possible kernel panic when resetting its counters.  This
could be exploited for a denial-of-service.


* Denial-of-service due to invalid assertion in netfilter chain.

An invalid assertion when processing an exceptionally long netfilter
chain could cause a denial-of-service.


* Denial-of-service when decoding IPsec session.

When decoding an IPv6 IPsec session, an integer overflow triggers a kernel
BUG. A local user with the privilege to create an IPsec tunnel could
exploit this to cause a denial-of-service.


* Out-of-bounds write when filtering ethernet packets.

Failure to validate userspace data when matching ethernet packets against
filtering rules in the ebtables subsystem leads to an out-of-bounds write
in the kernel. An attacker could exploit this to corrupt kernel memory and
possibly escalate privileges.


* Denial-of-service when setting a CIFS extended attribute.

A failure to free memory when setting an extended attribute in a CIFS
filesystem can lead to a memory leak. A local user with access to a CIFS
filesystem could use this flaw to exhaust system memory, leading to a
denial-of-service.


* Denial-of-service in CIFS filesystem mount.

A failure to correctly handle signals during a CIFS mount operation can
result in an infinite loop. A local user with the ability to mount a
CIFS filesystem could use this flaw to cause a denial-of-service.


* CVE-2018-10883: Out-of-bounds access in ext4 block journal handling.

A logic error in ext4 block journal handling could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 filesystem to cause a denial-of-service.


* CVE-2018-10879: Use-after-free when setting extended attribute entry on ext4 filesystem.

A logic error when setting extended attribute entry on ext4 filesystem
could lead to a use-after-free. A local attacker could use this flaw
with a crafted ext4 filesystem to cause a denial-of-service.


* CVE-2018-10878: Out-of-bounds access when initializing ext4 block bitmap.

A logic error when initializing ext4 block bitmap could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 image to cause a denial-of-service.


* CVE-2018-10876: Use-after-free when removing space in ext4 filesystem.

A logic error when removing space in ext4 filesystem could lead to a
use-after-free. A local attacker could use this flaw with a crafted ext4
image to cause a denial-of-service.


* CVE-2018-10877: Out-of-bounds access when using corrupted ext4 filesystem with abnormal extent tree.

A missing check when using corrupted ext4 filesystem with abnormal
extent tree could lead to an out-of-bounds access. A local attacker
could use this flaw with a crafted ext4 image to cause a
denial-of-service.


* CVE-2018-10880: Out-of-bounds access when making inode space in ext4 filesystem.

A logic error when making inode space in ext4 filesystem could lead to
an out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 image to cause a denial-of-service.


* CVE-2018-10882: Out-of-bounds access when unmounting a crafted ext4 filesystem.

A logic error when unmounting a crafted ext4 filesystem could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Improved fix for CVE-2017-5753: Speculative execution in Human Interface Device driver.

Information controlled by userspace can be used to disclose kernel
memory via speculative execution in the Human Interface Device (HID)
driver. A local user could use this flaw to facilitate a further attack
on the system.

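Both CVE-2017-5753 entries in this notice (the array-access fix near the top and the HID driver fix just above) rely on the same technique, which the following added example illustrates in user-space C. It is not Ksplice or kernel code, though it follows the shape of the kernel's array_index_nospec() masking. The "disable compiler optimization" point in the first entry is the opaque asm barrier, named HIDE_VAR here as a stand-in for the kernel's OPTIMIZER_HIDE_VAR: without it the compiler may notice that the mask is implied by the bounds check and fold it back into a branch, which restores the speculative out-of-bounds load the fix is meant to prevent. The table and probe indices are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/*
 * Opaque barrier: the compiler must assume the (empty) asm may have changed
 * v, so it cannot prove the mask below redundant with the preceding bounds
 * check and turn it back into a branch. Stand-in for the kernel's
 * OPTIMIZER_HIDE_VAR(); this is the "disable compiler optimization" part.
 */
#define HIDE_VAR(v) __asm__ __volatile__("" : "+r"(v))

/* Returns ~0UL when index < size and 0 otherwise, computed without a branch. */
static unsigned long array_index_mask_nospec(unsigned long index,
                                             unsigned long size)
{
    HIDE_VAR(index);
    /* For index < size both terms have the top bit clear; for index >= size
     * (size - 1 - index) wraps and sets it. The arithmetic shift spreads the
     * inverted top bit across the whole word. */
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index into [0, size): valid indices pass through, anything else
 * becomes 0, so a mispredicted bounds check cannot load past the array. */
static size_t array_index_nospec(size_t index, size_t size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed sample table standing in for a kernel lookup table. */
static const uint8_t table[8] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* Vulnerable pattern: the bounds check is only a branch, so while the CPU
 * speculates past a mispredicted branch the load uses the raw index. */
static int lookup_vulnerable(size_t index)
{
    if (index < sizeof table)
        return table[index];
    return -1;
}

/* Hardened pattern: same architectural result, but the index fed to the
 * load is masked, so even the speculative load stays inside the table. */
static int lookup_nospec(size_t index)
{
    if (index < sizeof table) {
        index = array_index_nospec(index, sizeof table);
        return table[index];
    }
    return -1;
}

int main(void)
{
    /* Constructed probe indices: in range, at the boundary, far out. */
    size_t probes[] = { 0, 3, 7, 8, 1000 };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %zu: mask=%#lx nospec=%zu vulnerable=%d hardened=%d\n",
               probes[i],
               array_index_mask_nospec(probes[i], sizeof table),
               array_index_nospec(probes[i], sizeof table),
               lookup_vulnerable(probes[i]), lookup_nospec(probes[i]));
    return 0;
}
```

Architecturally the two lookups return identical values; the difference is only visible to the speculative pipeline, which is why a plain functional test cannot tell whether a fix has been optimized away and why the barrier has to be checked in the generated code.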

* CVE-2018-9516: Denial-of-service in Bluetooth HIDP debug events.

Missing bounds checks in the Bluetooth HIDP debugfs functions could
result in an out-of-bounds access and kernel crash, triggerable by a
privileged user.


* Denial-of-service in netfilter log target.

Incorrect locking in the netfilter log target can result in deadlock
when accessing memory backed by a userfaultfd region. A local user with
access to netfilter and userfaultfd could use this flaw to cause a
denial-of-service.


* Denial-of-service in IBM ASM Service Processor read handler.

A logic error in the ibmasm driver could allow the code to write outside
the bounds of a given buffer, leading to kernel or userspace memory
corruption and possible kernel panic.  This could be used to cause a
denial-of-service.


* Information leak in USB serial error handling.

A failure to properly check boundaries could lead to leaking kernel
memory to user space.


* Denial-of-service with NVMe controller memory buffer during reset.

A failure to properly reset the submission queue during a reset could
result in an invalid memory access of the controller memory buffer. This
could be exploited to cause a denial-of-service.


* Denial-of-service with multiple loop devices.

Improper device validation in the loop code could lead to an infinite
loop when accessing all of the loop file descriptors.  This could be
exploited to cause a denial-of-service.


* Denial-of-service in F2FS error handling.

Missing checks and logic errors in f2fs could lead to kernel BUGs or
corrupted filesystem.  This could be used to cause a denial-of-service.


* Denial-of-service in TTY reopen.

Logic errors in the TTY code during a reopen call could lead to invalid
memory access and possible kernel panic or memory leaks.  This could be
exploited to cause a denial-of-service.


* CVE-2018-18281: Information leak in mremap syscall.

A logic error in the mremap code could allow one process to access
memory of a different process.


* CVE-2018-19407: Denial-of-service in KVM IOAPIC scan.

A missing safety check in KVM's IOAPIC scan path can cause the kernel
to attempt to access certain objects that have not been initialized.
This can cause unexpected behavior, including a potential system crash.


* CVE-2018-17972: Information leak in /proc kernel stack dumps.

A failure to restrict access to /proc/self/task/*/stack to root only
could allow an unprivileged user to obtain information about another
process's kernel stack and its contents.


* Deadlock in single NIC Hyper-V VMs.

A race condition in the probe function on Hyper-V VMs could
result in a deadlock.  This could be used for a denial-of-service.


* Denial-of-service in sysfs VMBus channel read.

A failure to properly handle unsupported device types in the VMBus
code could lead to uninitialized sysfs files.  Reading these files
could return garbage data or cause a kernel panic.  This could be
used for a denial-of-service.


* CVE-2018-14625: Kernel information leak when releasing a vsock.

A use-after-free bug when releasing an AF_VSOCK socket may allow an
attacker to read kernel memory from inside a VM guest. This could be
exploited to leak privileged information and possibly impersonate
AF_VSOCK messages destined for other clients.


* CVE-2018-16882: NULL dereference in nested VM interrupt processing path.

A failure to properly handle an error condition in
nested_get_vmcs12_pages() can lead to a NULL-pointer dereference when
processing posted interrupts for nested VMs.  This could be exploited by
a local attacker to cause a denial-of-service on the host system.


* Denial-of-service on device unregister in OF Platform driver.

A logic error in the Open Firmware (OF) platform code when performing a
device unregister could lead to a use-after-free, potentially causing
memory corruption or a kernel panic.  This could be used by a privileged
user to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
