[Ksplice][Ubuntu-19.10-Updates] New Ksplice updates for Ubuntu 19.10 Eoan (USN-4342-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jun 19 00:51:42 PDT 2020


Synopsis: USN-4342-1 can now be patched using Ksplice
CVEs: CVE-2019-16234 CVE-2019-19768 CVE-2020-10942 CVE-2020-12465 CVE-2020-12653 CVE-2020-12654 CVE-2020-2732 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-8992 CVE-2020-9383

Systems running Ubuntu 19.10 Eoan can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4342-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.10
Eoan install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Invalid memory access in cfg80211 driver.

A missing check on an attribute from a netlink message in the cfg80211
driver could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service in NVMe driver stack.

A flaw in the NVMe driver stack allowed a malicious user to waste kernel
memory, which could result in an out-of-memory situation. A local,
privileged user could use this flaw to make the system unstable or crash
the kernel by repeatedly loading and unloading the NVMe driver.


* CVE-2020-8648: Use-after-free in the virtual terminal driver.

A locking error in the virtual terminal driver could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service or escalate privileges.


* Invalid memory access in network FIB rules.

A missing check on an attribute from a netlink message in the network FIB
rules code could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Invalid memory access in Ethernet team driver.

A missing check on an attribute from a netlink message in the Ethernet
team driver could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.


* Invalid memory access when sending messages over bonding socket.

A logic error when sending messages over a bonding socket could lead to
an invalid memory access. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when using DM Cache.

A logic error when using DM Cache could lead to a use-after-free. A
local attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in fallocate of OCFS2 file system.

A NULL pointer dereference in OCFS2 could result in a kernel crash when
issuing the fallocate system call on an OCFS2 file system. A local,
non-privileged user could use this flaw to crash the system.


* Denial-of-service in KVM when handling an error.

Error handling code in KVM (Kernel-based Virtual Machine) uses a
variable that has not been initialized, leading to unpredictable or
unintended results, including a kernel crash.


* Multiple privilege escalations in ioctl handling of Realtek WiFi drivers.

Missing validation of user-provided lengths in several staging Realtek
WiFi drivers could lead to an out-of-bounds memory write. A local user
with the ability to send ioctls to those drivers could use this flaw to
cause a denial-of-service or potentially escalate privileges.


* Denial-of-service in Btrfs filesystem when reading a filesystem tree.

Failure to reset a pointer to NULL in the Btrfs filesystem when reading
a filesystem tree leaves the pointer holding an encoded error code, and
dereferencing it leads to an invalid memory access. An attacker could
use this flaw to cause a denial-of-service through a specially crafted
filesystem.


* Invalid memory access in network Connection tracking helpers.

A missing check on an attribute from a netlink message in the network
connection tracking helpers could lead to an invalid memory access. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2019-16234: NULL pointer dereference when registering Intel Wireless WiFi driver.

A logic error in the error path taken when registering the Intel
Wireless WiFi driver fails on workqueue allocation could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Deadlock when using too many slaves in IP-VLAN driver.

A logic error when using too many slaves in the IP-VLAN driver could
lead to a deadlock. A local attacker could use this flaw to cause a
denial-of-service.


* Kernel crash in eCryptfs when handling an error.

A flaw in the error handling path of the eCryptfs (Enterprise-Class
Stacked Cryptographic Filesystem) implementation could result in a
kernel crash.


* Invalid memory access in network Flower classifier.

A missing check on an attribute from a netlink message in the network
Flower classifier could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.


* Memory leak in control plane of eCryptfs.

A memory leak in eCryptfs (Enterprise Cryptographic Filesystem) allowed
a malicious user to waste kernel memory, which could result in an
out-of-memory situation. A local, unprivileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Improved fix for CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.

The original fix for CVE-2020-2732 prevented a Windows guest with
Hyper-V enabled from booting.


* Denial-of-service in control plane of VT subsystem.

A NULL pointer dereference in the VT subsystem could result in a kernel
crash when issuing an ioctl. A local user could use this flaw to crash
the system.


* Deadlock when using too many slaves on a MAC-VLAN socket.

A logic error when using too many slaves on a MAC-VLAN socket could lead
to a deadlock. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-12653: Denial-of-service when scanning for APs in mwifiex driver.

Failure to validate a user-defined length parameter could cause an
out-of-bounds memory access while scanning for APs in the mwifiex driver.
An attacker could exploit this bug to cause a denial-of-service.


* NULL pointer dereference when closing FORE Systems 200E-series socket.

A missing check when closing a FORE Systems 200E-series socket while
sending data over it could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when receiving IPv4 packets over a SLIP network device.

Missing checks when receiving IPv4 packets over a SLIP network device
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Invalid memory access in Fair Queue network scheduler.

A missing check on an attribute from a netlink message in the Fair Queue
network scheduler could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.


* Invalid memory access in IEEE 802.1AE MAC-level encryption driver.

A missing check on an attribute from a netlink message in the IEEE
802.1AE MAC-level encryption driver could lead to an invalid memory
access. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access in NFC driver.

A missing check on an attribute from a netlink message in the NFC driver
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Memory leak when using btrfs ref verify tool.

Failure to free resources when the btrfs ref-verify tool fails could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* NULL pointer dereference when using Elastic Network Adapter driver.

A missing check on user input when calling "ethtool -X" without an hkey
argument on an Elastic Network Adapter interface could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-12654: Denial-of-service when querying WMM status in mwifiex driver.

If an AP sends a malicious query to the station for WMM status, a buffer
overflow could occur. If an attacker can compromise the AP, this bug
could be triggered to cause a denial-of-service.


* Out-of-bounds memory write when reading EFI variables from sysfs.

Lack of proper synchronization when reading EFI variables from sysfs could
lead to an out-of-bounds memory write.  A local user with the ability to
read those files could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* NULL pointer dereference when a user modifies queue pairs in the Infiniband driver.

A logic error when a user modifies queue pairs in the Infiniband driver
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service when destroying an iSCSI session.

A logic error when a user destroys an iSCSI session while a connection
is still open could lead to a kernel assertion failure. A local attacker
could use this flaw to cause a denial-of-service.


* Memory corruption due to snprintf misuse in HD-audio driver.

A flaw in the HD-audio driver, caused by using the return value of
snprintf (the length the output would have had, not the number of bytes
actually written) as a buffer offset, could lead to memory corruption
and a kernel crash.
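
snprintf() returns the length the formatted output would have had, so code
that adds that return value to a running offset walks the offset past the
buffer as soon as one field is truncated. The following userspace program is
an added example written for this page to show the pattern and the fix the
kernel uses (scnprintf(), which returns the bytes actually stored); it is not
the HD-audio driver's code, scnprintf() is reimplemented locally, and the chip
and codec names are constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf(): formats into buf[size]
 * and returns the number of characters actually stored (excluding the NUL),
 * never the would-be length. */
static size_t scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n < size ? (size_t)n : size - 1;
}

/* The bug pattern: snprintf() returns the length the output would have had,
 * so once a field is truncated the running offset overshoots the buffer.
 * Returns the offset the code believes it reached. */
static size_t build_name_buggy(char *buf, size_t size,
                               const char *chip, const char *codec)
{
    size_t len = 0;

    len += snprintf(buf + len, size - len, "%s", chip);
    len += snprintf(buf + len, size - len, "-%s", codec);
    /* A third field here would call snprintf(buf + len, size - len, ...)
     * with len > size: a pointer past the end of buf and a size_t that has
     * wrapped to a huge value, i.e. an unbounded out-of-bounds write.
     * It is deliberately not executed in this demo. */
    return len;
}

/* The fix: scnprintf() keeps the offset equal to what is really in the
 * buffer, so size - len can reach 0 but never wraps. Returns the true length. */
static size_t build_name_fixed(char *buf, size_t size,
                               const char *chip, const char *codec, int idx)
{
    size_t len = 0;

    len += scnprintf(buf + len, size - len, "%s", chip);
    len += scnprintf(buf + len, size - len, "-%s", codec);
    len += scnprintf(buf + len, size - len, "-%d", idx);
    return len;
}

int main(void)
{
    /* Constructed sample names; the 16-byte buffer is deliberately small. */
    const char *chip = "HDA Intel PCH", *codec = "Realtek ALC1220";
    char name[16];
    size_t len;

    len = build_name_buggy(name, sizeof name, chip, codec);
    printf("buggy: \"%s\", claimed length %zu of %zu, next size would be %zu\n",
           name, len, sizeof name, (size_t)(sizeof name - len));

    len = build_name_fixed(name, sizeof name, chip, codec, 3);
    printf("fixed: \"%s\", length %zu\n", name, len);
    return 0;
}
```

With the 16-byte buffer the buggy version believes it wrote 29 bytes: a third
field would be formatted at buf + 29 with a size of (size_t)(16 - 29), an
unbounded write 13 bytes past the end, which is the corruption the entry above
describes. The scnprintf() version reports 15, leaves the buffer
NUL-terminated, and simply drops the field that no longer fits.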


* Use-after-free when registering RmNet MAP interface.

A missing check when registering RmNet MAP interface could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* Denial-of-service in reads of write-only NVMe memory.

A NULL pointer dereference in the NVMe framework could result in a kernel
crash when reading from a write-only device.  A local, privileged user
could use this flaw to crash the system.


* CVE-2020-10942: Out-of-bounds memory access in the Virtual host driver.

Missing input validation could lead to type confusion and out-of-bounds
memory accesses. A local unprivileged user could use this to cause a
denial-of-service or potentially escalate privileges.


* Denial-of-service in InfiniBand driver.

A flaw in the InfiniBand driver implementation could result in a kernel
lockup. A local, privileged user could use this flaw to cause the kernel
lockup by repeatedly toggling network interfaces.


* Information leak in the SMC socket monitoring interface.

A missing zeroing of data when using the SMC socket monitoring interface
could leak kernel data. A local attacker could use this flaw to leak
information about running kernel and facilitate an attack.


* Invalid memory access in IEEE Std 802.15.4 Low-Rate Wireless Personal Area Networks driver.

A missing check on an attribute from a netlink message in the IEEE Std
802.15.4 Low-Rate Wireless Personal Area Networks driver could lead to
an invalid memory access. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2020-8992: Deadlock with too big journal size on ext4 filesystem.

Using a too big journal size on ext4 filesystem could lead to a
deadlock. A local attacker could use a specially crafted ext4 filesystem
to cause a denial-of-service.


* CVE-2020-8647, CVE-2020-8649: Use-after-free in the VGA text console driver.

A missing check when resizing the console in the VGA text console driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Memory corruption when writing to pressure interface.

Pressure information for each resource in the system is accessible
through the respective file under /proc/pressure/: cpu, memory and io.
Issuing a write request with the count parameter set to 0 on any file
under /proc/pressure/ could result in memory corruption and eventually
a kernel crash. A local, privileged user could use this flaw to cause a
denial-of-service.


* Denial of service in control plane of netfilter.

Netfilter receives a hash table from userspace but does not validate its
size, which could cause an out-of-memory situation. A local user could
use this flaw to cause a kernel crash.


* CVE-2020-9383: Information leak in floppy disk driver.

A flaw in the floppy driver could lead to an out-of-bounds read, and
thus an information leak, when assigning the floppy disk controller.


* Invalid memory access in network match-all classifier.

A missing check on an attribute from a netlink message in the network
match-all classifier could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2019-19768: Use-after-free when adding a new trace using the tracing block driver.

A locking error when adding a new trace using the tracing block driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service or escalate privileges.


* NULL pointer dereference when converting an IPv6 socket to an IPv4 socket.

A missing check when converting an IPv6 socket to an IPv4 socket could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Invalid memory access in Virtual Local CAN Interface driver.

A missing check on an attribute from a netlink message in the Virtual
Local CAN Interface driver could lead to an invalid memory access. A
local attacker could use this flaw to cause a denial-of-service.


* Invalid memory access in Netfilter nf_tables driver.

A missing check on an attribute from a netlink message in the Netfilter
nf_tables driver could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.


* Invalid memory accesses in Netfilter nft_tunnel driver.

Missing checks on several attributes from netlink messages in the
Netfilter nft_tunnel driver could lead to invalid memory accesses. A
local attacker could use these flaws to cause a denial-of-service.


* Invalid memory access in tipc driver.

A missing check on an attribute in the tipc driver's netlink policy
can lead to an invalid memory access.  A local attacker could use this
flaw to cause a denial-of-service.


* Invalid memory access in devlink driver.

A missing check for a netlink policy attribute in the devlink driver can
lead to an invalid memory access.  A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2020-12465: Buffer overflow in mt76 driver when processing oversized packets.

A missing boundary check in the mt76 driver's packet receive path can
lead to a buffer overflow which can corrupt the memory of pages
adjacent to the skb structure.  A remote attacker could exploit this
flaw to execute arbitrary code or to cause other unexpected behavior,
including a potential denial-of-service.


* Invalid memory access in taprio driver.

A missing attribute type in the taprio netlink policy can lead to an
invalid memory access.  A local attacker could use this flaw to cause
a denial-of-service.
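
Most of the "missing check on an attribute" entries above share one shape: an
attribute the handler reads is absent from, or left untyped in, the family's
nla_policy, so nla_parse() never enforces a minimum payload length and the
handler's nla_get_u32()-style read runs past a short attribute. The following
userspace model of that check is an added example written for this page; it is
not kernel code and not Ksplice's patch. The DEMO_ATTR_* attribute family, the
local reimplementations of nla_policy/nla_parse and the one-byte message are
all constructed for illustration. It parses the same short message once under
a complete policy and once under a policy with the attribute missing, and
reports how far past the declared payload the handler reads in the second
case (the message sits in a larger zeroed buffer so the demo itself stays in
bounds).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a netlink attribute header (struct nlattr): nla_len covers
 * header plus payload, and attributes are 4-byte aligned in the message. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};
#define NLA_ALIGN(len) (((len) + 3) & ~(size_t)3)
#define NLA_HDRLEN ((unsigned)NLA_ALIGN(sizeof(struct nlattr)))

enum { NLA_UNSPEC, NLA_U8, NLA_U32 };
struct nla_policy { uint8_t type; };

/* Hypothetical attribute set for this example (not a real kernel family). */
enum { DEMO_ATTR_UNSPEC, DEMO_ATTR_FLAGS, DEMO_ATTR_RATE, __DEMO_ATTR_MAX };
#define DEMO_ATTR_MAX (__DEMO_ATTR_MAX - 1)

/* Complete policy: every attribute the handler reads declares its type, so
 * the parser enforces the minimum payload length before the handler runs. */
static const struct nla_policy good_policy[DEMO_ATTR_MAX + 1] = {
    [DEMO_ATTR_FLAGS] = { .type = NLA_U8 },
    [DEMO_ATTR_RATE]  = { .type = NLA_U32 },
};
/* Incomplete policy: DEMO_ATTR_RATE is left as NLA_UNSPEC, the shape of the
 * "missing check on an attribute" bugs listed above. */
static const struct nla_policy bad_policy[DEMO_ATTR_MAX + 1] = {
    [DEMO_ATTR_FLAGS] = { .type = NLA_U8 },
};

struct parsed_attr { const uint8_t *payload; size_t len; };

static size_t nla_min_len(uint8_t type)
{
    return type == NLA_U8 ? 1 : type == NLA_U32 ? 4 : 0;
}

/* Walk the attribute stream, validating each attribute against the policy.
 * Returns 0 on success, -1 if the message is malformed or rejected. */
static int nla_parse(struct parsed_attr *tb, const uint8_t *msg, size_t len,
                     const struct nla_policy *policy)
{
    memset(tb, 0, sizeof(*tb) * (DEMO_ATTR_MAX + 1));
    for (size_t off = 0; off + NLA_HDRLEN <= len; ) {
        struct nlattr hdr;
        memcpy(&hdr, msg + off, sizeof hdr);
        if (hdr.nla_len < NLA_HDRLEN || off + hdr.nla_len > len)
            return -1;                                   /* truncated */
        size_t payload = hdr.nla_len - NLA_HDRLEN;
        if (hdr.nla_type > 0 && hdr.nla_type <= DEMO_ATTR_MAX) {
            if (payload < nla_min_len(policy[hdr.nla_type].type))
                return -1;                               /* policy reject */
            tb[hdr.nla_type].payload = msg + off + NLA_HDRLEN;
            tb[hdr.nla_type].len = payload;
        }
        off += NLA_ALIGN(hdr.nla_len);
    }
    return 0;
}

/* The handler trusts the parser and reads a full u32, like nla_get_u32().
 * *overread reports how many bytes it consumed beyond the declared payload. */
static int handle_set_rate(const uint8_t *msg, size_t len,
                           const struct nla_policy *policy,
                           uint32_t *rate, size_t *overread)
{
    struct parsed_attr tb[DEMO_ATTR_MAX + 1];

    if (nla_parse(tb, msg, len, policy) < 0 || !tb[DEMO_ATTR_RATE].payload)
        return -1;
    memcpy(rate, tb[DEMO_ATTR_RATE].payload, sizeof *rate);
    *overread = tb[DEMO_ATTR_RATE].len < 4 ? 4 - tb[DEMO_ATTR_RATE].len : 0;
    return 0;
}

/* Constructed message: DEMO_ATTR_RATE with only ONE byte of payload.
 * Returns the message length; buf must have slack after it for the demo. */
static size_t build_short_rate_msg(uint8_t *buf)
{
    struct nlattr hdr = { .nla_len = NLA_HDRLEN + 1, .nla_type = DEMO_ATTR_RATE };

    memcpy(buf, &hdr, sizeof hdr);
    buf[NLA_HDRLEN] = 0x2a;
    return hdr.nla_len;
}

/* Runs the short message through the handler under the given policy. */
static int run_demo(const struct nla_policy *policy, size_t *overread)
{
    uint8_t buf[32] = { 0 };             /* zeroed slack after the message */
    size_t len = build_short_rate_msg(buf);
    uint32_t rate = 0;

    return handle_set_rate(buf, len, policy, &rate, overread);
}

int main(void)
{
    size_t over = 0;

    printf("complete policy:   %s\n",
           run_demo(good_policy, &over) < 0 ? "rejected (EINVAL)" : "accepted");
    int rc = run_demo(bad_policy, &over);
    printf("incomplete policy: %s, handler read %zu byte(s) past the attribute\n",
           rc < 0 ? "rejected" : "accepted", over);
    return 0;
}
```

Under the complete policy the message is refused before any handler runs; under
the incomplete one it is accepted and the u32 read takes three bytes from
whatever follows the attribute, which in the kernel is memory past the end of
the netlink message. Adding the missing policy entry is the whole fix.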


* Denial-of-service while configuring rmnet device.

When performing certain configuration operations on an rmnet device, the
kernel can attempt to dereference a NULL pointer, which leads to a
system crash. A local attacker with sufficient privileges could exploit
this flaw to cause a denial-of-service.


* Invalid memory access in Infiniband uverbs command processing.

An arithmetic error in the Infiniband driver's uverbs command processing
path can lead to an invalid memory access.  This flaw could be exploited
by a local attacker to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




