[Ksplice][Ubuntu-19.10-Updates] New Ksplice updates for Ubuntu 19.10 Eoan (USN-4300-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Mar 25 07:12:14 PDT 2020


Synopsis: USN-4300-1 can now be patched using Ksplice
CVEs: CVE-2019-18809 CVE-2019-19043 CVE-2019-19053 CVE-2019-19056 CVE-2019-19058 CVE-2019-19059 CVE-2019-19066 CVE-2019-19068 CVE-2019-3016 CVE-2020-2732

Systems running Ubuntu 19.10 Eoan can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4300-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.10
Eoan install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
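The following script is an added example, not Oracle's tooling: it checks whether `autoinstall = yes` is set in /etc/uptrack/uptrack.conf, runs `uptrack-upgrade -y` otherwise, and then confirms that every CVE named in this notice appears in the output of `uptrack-show`. The assumption that `uptrack-show` prints one `[id] description` line per installed update, with the CVE identifier in the description, is mine; adjust `missing_cves` if your installed version formats its output differently.

```shell
#!/bin/sh
# Added example (not part of the Ksplice notice): apply and verify USN-4300-1.

# CVE list copied from the advisory header.
USN4300_CVES="CVE-2019-18809 CVE-2019-19043 CVE-2019-19053 CVE-2019-19056 \
CVE-2019-19058 CVE-2019-19059 CVE-2019-19066 CVE-2019-19068 CVE-2019-3016 CVE-2020-2732"

# autoinstall_enabled CONF
# Succeeds when CONF contains an uncommented "autoinstall = yes" line.
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# missing_cves SHOW_OUTPUT
# Prints, one per line, each advisory CVE not mentioned in SHOW_OUTPUT
# (a file holding uptrack-show output). Assumed format: "[id] CVE-...: text".
missing_cves() {
    for cve in $USN4300_CVES; do
        grep -qw -- "$cve" "$1" || printf '%s\n' "$cve"
    done
}

# apply_usn4300 CONF
# Applies the updates only if autoinstall is off and uptrack-upgrade is present.
apply_usn4300() {
    if [ -r "$1" ] && autoinstall_enabled "$1"; then
        echo "autoinstall is on; Ksplice Uptrack will apply USN-4300-1 itself"
    elif command -v uptrack-upgrade >/dev/null 2>&1; then
        /usr/sbin/uptrack-upgrade -y
    else
        echo "uptrack-upgrade not found; is Ksplice Uptrack installed?" >&2
        return 1
    fi
}

# verify_usn4300
# Exits non-zero and lists the CVEs that are not yet covered.
verify_usn4300() {
    command -v uptrack-show >/dev/null 2>&1 || { echo "uptrack-show not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    uptrack-show > "$tmp"
    missing=$(missing_cves "$tmp")
    rm -f "$tmp"
    if [ -n "$missing" ]; then
        echo "USN-4300-1 CVEs not reported by uptrack-show:" >&2
        printf '%s\n' "$missing" >&2
        return 1
    fi
    echo "all USN-4300-1 CVEs reported as patched"
}

# Only act when run on a host that actually has Ksplice Uptrack.
if command -v uptrack-upgrade >/dev/null 2>&1; then
    apply_usn4300 /etc/uptrack/uptrack.conf && verify_usn4300
fi
```

Most entries in this notice carry no CVE number, so the check above only proves coverage for the ten CVEs in the header; for the rest, compare the installed update descriptions from `uptrack-show` against the DESCRIPTION section by eye.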


DESCRIPTION

* Use-after-free when writing to a SLIP serial line.

A locking error when writing to a SLIP serial line while the line is being
closed could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2019-18809: Memory leak when identifying state in Afatech AF9005 DVB-T USB 1.1 driver.

A logic error in the error path of the Afatech AF9005 DVB-T USB 1.1 driver,
taken when identifying the device state fails, could lead to a memory leak.
A local attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Deadlock in iSCSI if socket is never read.

If an iSCSI socket connection is created but the receive side is never
read, the system might deadlock while attempting to send the reply.


* NULL-pointer dereference when binding InfiniBand QP for RDMA in auto mode.

When performing RDMA over InfiniBand, the kernel erroneously attempts to
handle accounting for certain queue pairs which are only tracked in
userspace, resulting in a NULL-pointer dereference and
denial-of-service.


* Race condition in tcp_recvmsg causes memory corruption.

Invalid synchronization in the kernel tcp_recvmsg implementation could
result in corruption of the socket memory resulting in socket
misbehavior or a denial-of-service.


* Infinite loop when writing to preallocated extent on btrfs.

Two simultaneous writes to the same preallocated btrfs extent could race
with each other, causing an infinite livelock and flooding of the system
log.


* Livelock in BPF verification with unknown scalars.

When verifying a BPF program with unknown scalar values, incorrect
verification logic could cause the verifier to fall into an infinite
loop, starving the system of resources. Loading a maliciously crafted
BPF program could trigger this behavior.


* Race condition in SunRPC auth cache causes NULL-pointer dereference.

A race condition exists in the SunRPC generic auth cache implementation
that could result in an uninitialized cache entry being loaded. This
invalid entry might then be dereferenced, resulting in a kernel crash
and denial-of-service.


* Out-of-bounds read in BPF filter when sending packet.

When running Berkeley Packet Filter programs on outgoing packets, the
possibility exists for the BPF wrapper to access memory out of bounds.
A malicious BPF program might be able to exploit this behavior to cause
a kernel crash and denial-of-service.


* Race condition when accessing voltage regulator causes denial-of-service.

Incorrect synchronization when accessing voltage regulator devices could
result in a use-after-free, possibly corrupting memory. Accessing
regulator devices in this way could therefore cause a denial-of-service.


* Denial-of-service due to missing synchronization in netfilter teardown.

When exiting a netfilter network namespace, missing synchronization
could cause teardown to occur in an unexpected order, resulting in a
kernel crash and denial-of-service.


* NULL dereference when connecting wireless device with RF switching support.

When connecting a wireless device that supports RF switching, the
generic RF switch subsystem does not properly validate that the driver
has correctly constructed its device structure. Accessing a device with
a flawed driver might therefore cause a NULL dereference and
denial-of-service.


* Memory leak when setting ioctl options on ethernet devices.

Failure to properly initialize a structure when setting ioctl options on
ethernet devices (Marvell octeontx2, possibly others) could result in
the buffer structure being leaked. A malicious user able to change
network settings might be able to exploit this to cause a
denial-of-service.


* Memory leak when failing to write to generic block device.

Failing to write data to a block device might result in the leak of the
associated iovec structure. A malicious user with write access to a
block device could exploit this to starve the system of resources.


* Use-after-free when broadcasting ethernet header on vlan.

The generic handling of ethernet headers when broadcasting makes
assumptions about the lifetime of some vlan objects that may not hold
for certain ethernet devices. When using these devices, a local user
might be able to trigger a denial-of-service by repeated broadcast.


* Memory leak when transmitting data on LAN78XX USB ethernet device.

When transmitting data over a Microchip LAN78XX USB ethernet adapter,
unexpected errors could result in the underlying packet buffer being
leaked, eventually resulting in performance degradation or a
denial-of-service.


* Divide-by-zero in CAKE scheduling algorithm during load.

The Common Applications Kept Enhanced (CAKE) kernel queueing discipline
incorrectly uses 32-bit division on a 64-bit interval when running. If
the scheduling interval were sufficiently long, the truncated 32-bit
value could become zero, resulting in a divide-by-zero.


* Memory leak when replying to SCTP command encounters error.

When generating a reply to a Stream Control Transmission Protocol
command packet, an unexpected error might result in the leak of the
command's associated memory chunk structure. A malicious client might be
able to exploit this by starving the system of memory, causing
performance degradation or a denial-of-service.


* Memory leak when creating netlink socket on VLAN ethernet fails.

A mishandled error condition when creating a netlink socket for a
VLAN ethernet device could result in the leak of the VLAN device
structure.


* Denial-of-service when connecting USB device with duplicate endpoints.

Connecting a USB device with an invalid configuration containing
duplicate endpoint addresses could cause those addresses to be written
to mistakenly. A malicious device might exploit this to cause memory
corruption or a denial-of-service.


* Use-after-free when failing to initialize voltage regulator device.

When initializing a voltage regulator device, several error paths are
not correctly unwound, potentially resulting in a race condition that
might corrupt the device structure, resulting in a denial-of-service.


* NULL-pointer dereference when accessing generic reset controller.

When accessing devices that use the generic RESET_CONTROLLER interface
(SoCs, GPIO), some error conditions might return a NULL pointer rather
than an error value. This NULL value could then be dereferenced,
resulting in a denial-of-service.


* Kernel crash when ASoC PCM and DAI devices share name.

If an ALSA System-on-Chip PCM and DAI device have identical names, an
error condition could be triggered that might cause an invalid pointer
to be added to the device list. Accessing this list would then result
in a kernel crash and denial-of-service.


* Double-free when switching network namespaces with WiFi device.

Switching network namespaces while using a WiFi (IEEE 802.11) device
could cause a field in the device structure to remain pointing into
freed memory, which could then be freed a second time. A malicious user
able to alter network namespaces might use this to cause a
denial-of-service.


* Information leak in perf events sysfs reporting.

Improper bounds checking when reporting perf events via sysfs might
result in the accidental exposure of kernel addresses if the requested
device attribute were out of range.


* Divide-by-zero in scheduler when creating cgroups on systems with high uptime.

On systems with extremely high uptime, creating a cgroup might result
in the system scheduler seeing a value of zero for the cgroup's
lifetime. Attempting to compute the average load for this cgroup would
then result in a divide-by-zero crash, and denial-of-service.


* Race condition when configuring ethernet drivers may cause corruption.

When configuring i40e and ixgbe ethernet devices, improper
synchronization could result in memory corruption and a potential
denial-of-service.


* Use-after-free when probing Atmel MACB ethernet controller.

Unexpected errors when connecting an Atmel MACB ethernet device could
result in the device's driver freeing system clock structures it did not
allocate. This could result in memory corruption or a kernel crash and
denial-of-service.


* Use-after-free when failing to open file on character device.

A mishandled error case when opening a file on a generic character
device might result in a write to an invalid pointer, potentially
resulting in memory corruption or a denial-of-service.


* Out-of-bounds read in USB HID report descriptor size.

The size field of a USB Human Interface Device (HID) report descriptor is
not correctly checked against the maximum possible total buffer size,
allowing the report field to extend past the total length of the
buffer. A malicious device might be able to exploit this to leak kernel
information or cause a denial-of-service.


* USB keyboard device with invalid keycodes causes out-of-bounds write.

The USB HID input driver looks up keys in an array-indexed table. A
malicious device with invalid keycodes could therefore trigger an
out-of-bounds write, potentially causing memory corruption or a
denial-of-service.


* Information leak when transmitting CAN packet.

When generating a Controller Area Network packet for transmission
through a virtual CAN bus, uninitialized data might be inadvertently
included in an unused area of the CAN packet's buffer and transmitted
over the virtual network.


* CVE-2019-19056: Denial-of-service in the Marvell mwifiex PCIe driver.

Failure to handle an error during initialization of the Marvell mwifiex
PCIe driver leads to a memory leak. An attacker could exploit this to
exhaust kernel memory and eventually cause a denial-of-service.


* CVE-2019-19066: Denial-of-service in SCSI bfa driver.

While querying port statistics in the SCSI bfa driver, incorrect error
handling causes a memory leak. An attacker could possibly exploit this
to cause a denial-of-service.


* CVE-2019-19068: Denial-of-service in realtek wifi driver.

Incorrect error handling in some Realtek wifi drivers could cause a
memory leak. A malicious device could trigger this to cause a
denial-of-service.


* Uninitialized structures in netfilter ARP tables cause NULL-pointer dereference.

An uninitialized network namespace pointer in the netfilter arptables
code could result in a NULL-pointer dereference if a user sets a rule via
setsockopt() for the ARP or UNSPEC protocol families. A user with the
CAP_NET_ADMIN capability could exploit this to cause a
denial-of-service.


* NULL-pointer dereference when using netfilter with DCCP and SCTP protocols.

When using the netfilter conntrack interface, the netfilter implementation
for the DCCP and SCTP protocols does not properly validate input. In
particular, a NULL timeout pointer will still be dereferenced, resulting
in a kernel crash and denial-of-service.


* NULL-pointer dereference when handling netfilter ipset with ATTR_LINENO.

If a netfilter ipset has the attribute IPSET_ATTR_LINENO, calling the
IPSET_CMD_TEST command on it from userspace will result in a
NULL-pointer dereference. A malicious user with the CAP_NET_ADMIN
capability could exploit this to cause a denial-of-service.


* NULL-pointer dereference when hotplugging CPU with Intel RAPL support.

When hotplugging a CPU that supports Intel Running Average Power Limit
(RAPL) functionality, unexpected hardware values provided by the chip
might result in a NULL-pointer dereference and denial-of-service.


* CVE-2019-19053: Denial-of-service in the iovec interface in rpmsg bus.

Failure to handle errors while copying data from userspace over the iovec
interface could lead to a memory leak in the Remote Processor Messaging
(rpmsg) subsystem. An attacker could exploit this to cause kernel memory
exhaustion and an eventual denial-of-service.


* CVE-2019-19058: Denial-of-service in iwlwifi firmware interface.

A memory leak while querying iwlwifi firmware debug interface could
cause kernel memory exhaustion. An attacker with permission to read the
firmware debug file could exploit this to cause a denial-of-service.


* CVE-2019-19059: Denial-of-service in Intel iwlwifi PCIe driver.

Incorrect error handling in the Intel iwlwifi driver during device
initialization leads to a memory leak. An attacker could exploit this to
exhaust kernel memory and cause a denial-of-service.


* NULL pointer dereference on Broadcom NetXtreme RDMA memory deregistration.

The Broadcom driver code was incorrectly freeing MR resources in the case
of a memory deregistration failure, causing a NULL pointer dereference when
the deregistration is retried.


* Denial-of-service in Broadcom NetXtreme RDMA retransmission.

A logic error in the Broadcom NetXtreme code could lead to memory
corruption during retransmission. This could be exploited to cause a
denial-of-service.


* NULL pointer dereference when destroying a Chelsio T3/T4 iSCSI device.

A missing check when destroying a Chelsio T3/T4 iSCSI device could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when allocating a ring in the Intel I/OAT DMA driver.

A logic error in the error path taken when allocating a ring in the Intel
I/OAT DMA driver fails could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Double free with SCSI LSI MPT Fusion SAS attach error.

A failure to properly deal with errors during device attachment could cause
a double free and possible memory corruption.


* NULL pointer dereference with stream parser socket state write.

A bad assumption in the stream parser code could lead to a NULL pointer
dereference.


* Denial-of-service with clk unregister.

An error in the clk framework causes memory allocated when registering a
clk not to be freed on unregister, leading to a memory leak. This could
be used for a denial-of-service.


* NULL pointer dereference in NFSD during copy offload.

A failure to properly handle an error case could lead to a NULL pointer
dereference in NFSD, leading to possible kernel panic or memory corruption.


* Denial-of-service in Edgeport USB serial driver callbacks.

Synchronization and sanitization bugs in the Edgeport USB serial
driver's interrupt and completion callback path lead to multiple NULL
pointer dereferences and deadlocks. An attacker could exploit these to
cause a denial-of-service.


* Denial-of-service when configuring keyspan USB serial device.

Missing error handling during control request completion in the keyspan
USB serial driver could cause a NULL pointer dereference. An attacker
could exploit this flaw to cause a denial-of-service.


* Denial-of-service when querying quatech2 USB serial device.

Missing error handling in the quatech2 USB serial driver could cause a
NULL pointer dereference when querying line or modem status. An attacker
could exploit this to cause a denial-of-service.


* Denial-of-service when reading from ALSA sequencer procfs.

A race condition when reading ALSA sequencer timer through the procfs
interface could cause a use-after-free error. An attacker could exploit
this bug to cause a denial-of-service.


* Memory leak in btrfs qgroup accounting.

A logic error in the btrfs qgroup accounting error path could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Denial-of-service when writing back dirty pages to reclaim memory.

A division-by-zero error in the memory management subsystem when
determining whether to write back dirty pages to disk could cause a
kernel panic. This could inadvertently lead to a denial-of-service.


* Denial-of-service in per-TID statistics handling for cfg80211 subsystem.

A logic error in the handling of per-TID statistics for the configuration
API for the 802.11 subsystem could lead to memory being leaked. This could
potentially be used for a denial-of-service.


* Denial-of-service when releasing ipset.

A use-after-free bug when releasing an ipset in the netfilter subsystem
could cause a kernel crash and denial-of-service, or possibly allow an
attacker to escalate privileges.


* NULL pointer dereference in ARP tables driver.

A missing structure initialization in ARP tables driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* NULL pointer dereference during Netfilter nf_tables initialization.

A logic error in the nft_tunnel code could lead to a NULL pointer dereference
and possible kernel panic or memory corruption.


* Memory corruption during Netfilter flowtable list deletion.

A missing check in the netfilter tables code could lead to memory corruption
and subsequent kernel crash.


* Denial-of-service in Hyper-V net service when removing RNDIS device.

A logic error in the Hyper-V code could lead to a memory leak when
removing an RNDIS device. This could be exploited to cause a
denial-of-service.


* Use-after-free when releasing clocks in PTP clock driver.

A logic error when releasing clocks in the PTP clock driver could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when initializing realtek rtl8152 driver.

An out-of-bounds memory access when loading the rtl8152 driver leads to
a NULL pointer dereference. An attacker could exploit this flaw to cause
a denial-of-service.


* Denial-of-service when configuring some mac80211-based wifi devices.

Trying to set device parameters on certain wireless devices that do not
allow such configuration causes a NULL pointer dereference. An attacker
could exploit this to cause a denial-of-service.


* Out-of-bounds memory access in BPF socket access.

An invalid bounds check in the BPF code could lead to a buffer overrun,
causing potential memory corruption or a kernel panic.


* NULL pointer dereference in BPF encrypted socket message send.

A logic error in the BPF code could cause a NULL pointer dereference
when encrypting a message, leading to a kernel panic.


* Denial-of-service in BPF time wait and request socket release.

A logic error in the BPF code could lead to leaked sockets, which could be
used to cause a denial-of-service attack.


* NULL pointer dereference in Net Inter-FE initialization.

A logic error in the inter-fe code could lead to a NULL pointer dereference
during initialization.


* CVE-2019-19043: Denial-of-service when configuring MAC-VLAN.

A memory leak during channel setup while configuring MAC-VLAN in i40e
ethernet driver causes kernel memory exhaustion. An attacker could
exploit this to cause a denial-of-service.


* Denial-of-service when removing a SAS non-host remote PHY.

A logic error in the SAS transport code when removing a non-host remote
PHY could result in a memory leak. This could be targeted for a
denial-of-service.


* CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.

Incorrect handling of emulated instructions and IO bitmaps could allow
an unprivileged user in a nested KVM guest instance to crash the system
or potentially, escalate privileges.


* Memory corruption in ALSA Firewire Tascam during soft IRQ.

A logic error with locking in the Tascam code could lead to memory
corruption during a soft IRQ.


* CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.

A race condition when performing a paravirtualized TLB flush could
result in stale mappings in a KVM guest, potentially allowing processes
access to pages from other processes. A local unprivileged user could
use this flaw to crash the system or potentially escalate privileges.


* Denial-of-service during ShiftFS file unlink.

A failure to correctly reference a dentry when unlinking a file on a
shiftfs filesystem can result in kernel crash. A local user with the
ability to use a shiftfs filesystem could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.