[Ksplice][Ubuntu-19.10-Updates] New Ksplice updates for Ubuntu 19.10 Eoan (USN-4319-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue May 5 10:41:10 PDT 2020


Synopsis: USN-4319-1 can now be patched using Ksplice
CVEs: CVE-2019-14895 CVE-2019-14896 CVE-2019-14897 CVE-2020-8428

Systems running Ubuntu 19.10 Eoan can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4319-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.10
Eoan install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service when getting packets from userspace buffer in TUN driver.

A logic error when getting packets from userspace buffer in TUN driver
could lead to a use-after-free or a deadlock. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when connecting to CCITT X.25 Packet Layer socket.

A logic error when connecting to CCITT X.25 Packet Layer socket could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Out-of-bounds access when classifying network packets with traffic control index.

A logic error when classifying network packets with traffic control
index could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2020-8428: Use-after-free in filesystem directory handling.

A logic error in filesystem directory handling could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* Memory leak in ANSI/IEEE 802.2 LLC type 2 driver.

Missing release of resources when using ANSI/IEEE 802.2 LLC type 2
driver could lead to a memory leak. A local attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service in the NFS readdir syscall.

Multiple memory leak and corruption bugs in the NFS filesystem during the
readdir syscall could exhaust kernel memory and possibly crash the
kernel. An attacker could exploit this bug to cause a denial-of-service.


* Information leak when accessing IOAPIC register in KVM.

Array access for IOAPIC register is missing protection against Spectre
v1-type attack. An attacker could exploit this bug to read privileged
kernel memory.


* Information leak when reading MCE registers in KVM.

Array access when reading Machine Check Exception register is missing
protection against Spectre v1-type attack. An attacker could exploit this
bug to read privileged kernel memory.


* Memory leak when registering USB Broadcom IEEE802.11n embedded FullMAC WLAN driver.

Failing to release resources when registration of the USB Broadcom
IEEE802.11n embedded FullMAC WLAN driver fails could lead to a memory
leak. A local attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.


* Memory leak in RPCSEC_GSS server authentication driver.

A wrong expiry time when using RPCSEC_GSS server authentication driver
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* Information leak when writing to interrupt controller in KVM.

Array access when writing to PIC device in KVM is missing protection
against Spectre v1-type attack. An attacker could exploit this flaw to
leak privileged kernel memory.


* Use-after-free when removing LTC2941/LTC2943 Battery Gauge i2c device.

A logic error when removing LTC2941/LTC2943 Battery Gauge i2c device
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free when releasing Intel Resource Director Technology driver.

A logic error when releasing Intel Resource Director Technology driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free when unregistering cryptographic API 2.

A missing check when unregistering cryptographic API 2 could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* NULL pointer dereference when using USB Pegasus/Pegasus-II based ethernet device.

A missing check when using USB Pegasus/Pegasus-II based ethernet device
could lead to NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.


* Memory leak when setting traffic control index for network scheduler.

A logic error in the failure path when setting the traffic control index
for the network scheduler could lead to a memory leak. A local attacker
could use this flaw to exhaust kernel memory and cause a denial-of-service.


* Use-after-free when releasing a Bluetooth HCI socket.

A locking error when releasing a Bluetooth HCI socket could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* Out-of-bounds access when setting memory policy for a tmpfs mount.

A logic error when setting memory policy for a tmpfs mount could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in TKIP wireless implementation.

A missing check when using TKIP wireless implementation could let a
remote attacker use replay attack to cause a denial-of-service.


* Memory leak when unmounting reiser file system.

A missing free of resources when unmounting reiser file system could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* Information leak when running a VM in emulation mode (Spectre v1).

A spectre v1-type gadget when running a VM in emulation mode in the KVM
subsystem could allow a user to read privileged kernel memory. An
attacker could exploit this bug to escalate privilege.


* NULL pointer dereference when using Benbi IV crypto in device mapper.

A logic error when using Benbi IV crypto in device mapper could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free in TCP Sack code.

A logic error in TCP Sack code could lead to a use-after-free. A remote
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when transmitting packet through ALB bond.

Incorrect header offset calculation when transmitting an IPX packet
through an ALB (Adaptive Load Balancing) bond leads to a use-after-free.
An attacker could exploit this bug to cause a denial-of-service.


* Invalid memory accesses when using raw sockets with GTP.

A missing check when using raw sockets with GTP could lead to usage of
uninitialized memory. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in UBI Fastmap driver.

A logic error in UBI Fastmap driver could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a denial-of-
service.


* Denial-of-service in the crypto subsystem when destroying a socket.

Incorrect locking in the crypto subsystem could lead to a deadlock when
releasing a socket. An attacker could exploit this bug to cause a
denial-of-service.


* Denial-of-service when exiting System V IPC.

A locking error when exiting System V IPC could be triggered by a local
attacker to cause a denial-of-service.


* Memory leak when registering network sysfs attributes.

Logic errors when registering network sysfs attributes could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Memory leak when using network extended matches.

A missing check when using network extended matches could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Denial-of-service when committing transaction in btrfs fails.

Failure to properly clean up after an attempt to commit a transaction
fails in the btrfs filesystem could cause a NULL pointer dereference. An
attacker could exploit this bug to cause a denial-of-service.


* CVE-2019-14896, CVE-2019-14897: Denial-of-service when parsing BSS in Marvell 8xxx Libertas WLAN driver.

A missing check when parsing BSS in Marvell 8xxx Libertas WLAN driver
could lead to buffer overflows. A local attacker could use this flaw to
cause a denial-of-service.


* Information leak when reading performance counter in KVM.

Array access for performance counter is missing protections against
Spectre v1-type attack. An attacker could exploit this to read
privileged kernel memory.


* Information leak when writing to APIC register in KVM.

Array access when writing to local APIC register in KVM is missing
protection against Spectre v1-type attack. An attacker could exploit
this bug to disclose privileged kernel information.


* Information leak when accessing performance counter in KVM.

Array access when reading performance counter register in KVM is missing
protection against Spectre v1-type attack. An attacker with privilege to
read performance counter could exploit this bug to read sensitive kernel
memory.


* Information leak in KVM MSR index computation using Spectre v1.

A missing check in KVM MSR index computation could lead to an
information leak using Spectre v1 type attack. A local attacker could
use this flaw to leak information about running kernel and facilitate an
attack.


* Speculative execution in KVM when reading or writing debug register.

Array access for debug register is missing protection against Spectre
v1-type attack. An attacker with KVM_CAP_DEBUGREGS capability could
exploit this flaw to read kernel memory and possibly escalate privilege.


* CVE-2019-14895: Denial-of-service when receiving Country WLAN element in Marvell WiFi-Ex driver.

A logic error when receiving Country WLAN element in Marvell WiFi-Ex
driver could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service when initializing USB infrared dongle.

Failing to sanity-check USB infrared device endpoint could allow a NULL
pointer dereference. An attacker could craft a malicious device to cause
a denial-of-service by exploiting this bug.


* Information leak when accessing crash data in Hyper-V guest.

Array access for crash MSR is missing protection against Spectre v1
type attack. An attacker could exploit this bug to leak privileged
kernel information.
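
The KVM and Hyper-V entries above (IOAPIC, MCE, PIC, performance counter, APIC, MSR index, debug register and crash MSR) share one shape: an array index arriving from a guest or user is bounds-checked, then used to load from the array. The check is correct architecturally, but the CPU may speculate past it with an out-of-range index and pull kernel memory into the cache, where a timing side channel reveals it. The following is an added example, not code from the advisory or from the Linux kernel, showing that vulnerable shape next to the branchless index mask the kernel uses to close it. The names nospec_mask, nospec_index, read_reg_unsafe, read_reg_safe and the regs array are illustrative, not kernel symbols; the mask relies on an arithmetic right shift of a negative value, as the kernel's generic implementation does.

```c
/*
 * Added example: Spectre v1 bounds-check bypass and the index-mask mitigation.
 * Not from the Ksplice advisory or the Linux kernel; names are illustrative.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NREGS 8u
/* Constructed register file standing in for a KVM device's register array. */
static uint32_t regs[NREGS] = {10, 11, 12, 13, 14, 15, 16, 17};

/*
 * Returns ~0UL when index < size and 0 otherwise, without a branch the CPU
 * can mispredict. Requires size < 2^(bits-1). The top bit of
 * (index | (size - 1 - index)) is set exactly when size - 1 - index wraps
 * below zero, i.e. when index >= size; inverting and arithmetic-shifting
 * that bit across the word yields the all-ones or all-zeros mask.
 */
static inline unsigned long nospec_mask(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* Clamp: any out-of-range index becomes 0, even on a speculative path. */
static inline unsigned long nospec_index(unsigned long index, unsigned long size)
{
    return index & nospec_mask(index, size);
}

/*
 * Vulnerable shape. Architecturally correct, but while the branch is being
 * resolved the CPU may execute regs[index] for an attacker-chosen index,
 * bringing the cache line of arbitrary kernel memory into the cache.
 */
uint32_t read_reg_unsafe(unsigned long index)
{
    if (index < NREGS)
        return regs[index];
    return 0;
}

/*
 * Hardened shape. The load address is derived from the masked index, so a
 * speculatively executed out-of-range access lands on regs[0] rather than
 * on secret memory; the architectural result is unchanged.
 */
uint32_t read_reg_safe(unsigned long index)
{
    if (index < NREGS) {
        index = nospec_index(index, NREGS);
        return regs[index];
    }
    return 0;
}

int main(void)
{
    printf("mask(3,8)=%lx mask(8,8)=%lx\n", nospec_mask(3, NREGS), nospec_mask(8, NREGS));
    printf("read_reg_safe(5)=%u read_reg_safe(100)=%u\n",
           read_reg_safe(5), read_reg_safe(100));
    return 0;
}
```

The masking only helps when it is applied to the index actually used for the load, inside the branch, as in read_reg_safe; masking a copy and then indexing with the original leaves the gadget intact.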


* Information leak in Cisco/Aironet 34X/35X/4500/4800 ioctl handling.

A missing zeroing of allocated memory in Cisco/Aironet 34X/35X/4500/4800
ioctl handling could lead to an information leak. A local attacker could
use this flaw to leak information about running kernel and facilitate an
attack.


* Use-after-free when adding and removing tree element in btrfs.

A locking error when adding and removing tree element in btrfs could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* Privilege escalation in the Aironet driver ioctl interface.

Failing to validate permission before certain privileged ioctl operation
in the Cisco Aironet driver could allow a user without CAP_NET_ADMIN to
read WEP keys. An attacker could use the key to decrypt network traffic
and leak sensitive information.


* Use-after-free when using invalid MTU in TCP/IP protocol suite.

A missing check when using invalid MTU in TCP/IP protocol suite could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* NULL pointer dereference when handling frame in High-availability Seamless Redundancy driver.

A missing check when handling frame in High-availability Seamless
Redundancy driver could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when scaling in the drm driver.

A division-by-zero error in the drm driver leads to a kernel crash.
An attacker could exploit this bug to cause a denial-of-service.


* Denial-of-service during FITRIM ioctl operation in btrfs.

An assertion failure in the btrfs filesystem when performing the FITRIM
ioctl triggers a kernel fail-safe mechanism. An unprivileged attacker
could exploit this bug to cause a denial-of-service.


* Denial-of-service when writing encrypted page in ext4.

Incorrect use of mempool when encrypting data in the ext4 filesystem
could lead to a deadlock. An attacker may exploit this bug to cause a
denial-of-service.


* Denial-of-service when binding to a SCTP socket.

A bug in SCTP protocol could cause a NULL pointer dereference in the
SELinux subsystem when binding to a socket. An attacker could exploit
this to cause a denial-of-service.


* Denial-of-service when allocating memory in rsi driver.

Unsafe allocation in USB URB completion handler in the RSI driver could
lead to a deadlock. An attacker may exploit this to cause a
denial-of-service.


* Denial-of-service when transmitting packet in Mellanox Switch driver.

A race condition in the Mellanox Switch driver may cause invalid memory
access. An attacker could exploit this to cause a denial-of-service.


* Denial-of-service when synchronizing SRCU.

A data race in the SRCU implementation could cause the synchronization
to fail. An attacker could exploit this bug to cause a denial-of-service
or possibly trigger a use-after-free.


* Denial-of-service when arming watchdog timer.

Trying to arm a watchdog timer when one is already pending triggers a
fail-safe mechanism in the kernel. This could inadvertently lead to a
denial-of-service.


* Denial-of-service when releasing IPsec context in mlx5 driver.

Failing to release allocated memory when releasing IPSec context in mlx5
driver could exhaust kernel memory. An attacker could exploit this to
cause a denial-of-service.


* Denial-of-service when setting MSR in Intel KVM subsystem.

A general protection fault is triggered when trying to set certain MSRs
in the Intel KVM subsystem. This could lead to a denial-of-service.


* Denial-of-service when setting LED trigger.

A NULL pointer dereference when setting LED trigger leads to a kernel
crash. An attacker could exploit this bug to cause a denial-of-service.


* Denial-of-service when setting key in crypto subsystem.

A type confusion in the chelsio crypto subsystem causes memory
corruption. An attacker could exploit this bug to cause a
denial-of-service.


* Information leak when handling virtchannel request.

Missing initialization of stack memory that is later copied to user space
leaks privileged kernel data. An attacker may exploit this bug to
escalate privilege.
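
Both this entry and the Cisco/Aironet ioctl entry above come down to the same mistake: a reply structure is filled in field by field and copied out, but the compiler never writes the padding between fields, so those bytes carry whatever the stack or allocation held before. The following is an added example, not the advisory's or the kernel's code. It simulates the copy-to-user path with a buffer pre-filled with a marker byte standing in for stale kernel data, so the size of the leak is deterministic; the struct layout, field names, the STALE marker and the function names are illustrative.

```c
/*
 * Added example: information leak through uninitialized struct padding,
 * and the memset-first fix. Not from the Ksplice advisory or the kernel.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A reply layout with holes: the compiler inserts padding after 'flags'
 * (to align 'count') and after 'tag' (to pad the struct to its alignment).
 * Named fields total 2 + 4 + 8 + 1 = 15 bytes; the rest is padding. */
struct reply {
    uint16_t flags;
    uint32_t count;
    uint64_t value;
    uint8_t  tag;
};

#define NAMED_BYTES 15u
#define STALE 0xAAu  /* constructed marker for leftover privileged data */

/* Vulnerable: every named field is set, but the padding is never touched,
 * so whatever previously occupied the memory is copied out with the reply. */
void build_reply_unsafe(struct reply *r)
{
    r->flags = 1;
    r->count = 2;
    r->value = 3;
    r->tag   = 4;
}

/* Hardened: zero the whole object, padding included, before filling it. */
void build_reply_safe(struct reply *r)
{
    memset(r, 0, sizeof *r);
    r->flags = 1;
    r->count = 2;
    r->value = 3;
    r->tag   = 4;
}

/*
 * Simulated copy-to-user path. The union plays the role of stack memory
 * that previously held kernel data (filled with STALE). Returns how many
 * STALE bytes would reach user space, i.e. the size of the leak. No
 * field value contains an 0xAA byte, so only padding can match.
 */
size_t leaked_bytes(void (*build)(struct reply *))
{
    union {
        struct reply r;
        unsigned char bytes[sizeof(struct reply)];
    } u;
    size_t n = 0;

    memset(u.bytes, STALE, sizeof u.bytes);
    build(&u.r);
    for (size_t i = 0; i < sizeof u.bytes; i++)
        if (u.bytes[i] == STALE)
            n++;
    return n;
}

int main(void)
{
    printf("sizeof(struct reply)=%zu\n", sizeof(struct reply));
    printf("unsafe leaks %zu bytes, safe leaks %zu bytes\n",
           leaked_bytes(build_reply_unsafe), leaked_bytes(build_reply_safe));
    return 0;
}
```

The leak size equals sizeof(struct reply) minus the 15 named bytes, whatever the ABI's padding rules are. A compound-literal or struct assignment does not fix this either, since the standard leaves padding unspecified after such stores; the reliable pattern is the explicit memset (or a zeroing allocator) before the fields are set.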


* Denial-of-service in the HID multitouch subsystem.

Missing check in the HID multitouch driver when reporting data from
lower layer causes a NULL pointer dereference. An attacker could exploit
this bug to cause a denial-of-service.


* Denial-of-service in the kernel RCU implementation.

A race condition in the RCU tree plugin allows unsafe concurrent
accesses to kernel data structure. An attacker may be able to exploit
this bug to corrupt kernel memory and cause a denial-of-service.


* Denial-of-service when creating empty ubifs filesystem.

Incorrect memory allocation when creating an empty ubifs filesystem
could cause out-of-bound memory access. An attacker may exploit this bug
to cause a denial-of-service.


* Denial-of-service when configuring IPv6 link.

Inadequate error handling in IPv6 address configuration subsystem causes
a NULL pointer dereference. An attacker with network administration
privilege could exploit this bug to cause a denial-of-service.


* Denial-of-service when initializing input device.

Large memory allocation in the input device event interface leads to a
kernel panic. A malicious device may exploit this bug to cause a
denial-of-service.


* Denial-of-service when receiving data over rxrpc protocol.

A bug in the rxrpc protocol leads to a use after free when receiving
data. An attacker may exploit this to cause a denial-of-service or
possibly escalate privilege.


* Denial-of-service when decompressing erofs filesystem.

A bug in the erofs decompressor leads to invalid memory access. An
attacker could exploit this bug to cause a denial-of-service.


* Denial-of-service when binding to an XDP socket.

A data race when binding to an XDP socket could lead to kernel memory
corruption. An attacker may exploit this bug to cause a
denial-of-service.


* Denial-of-service in RSI wifi driver on disconnect.

Inadequate error handling after a disconnection or for missing device
endpoint causes memory leak. An attacker could exploit this bug to
exhaust kernel memory and cause a denial-of-service.


* Denial-of-service during sendmsg in tipc driver.

Inadequate error handling when sendmsg on a tipc socket fails leads to
memory leak. An attacker could exploit this to exhaust kernel memory and
cause a denial-of-service.


* Denial-of-service when configuring a XDP socket.

A data race during setsockopt on a XDP socket may cause kernel memory
corruption. A local attacker could exploit this to cause a
denial-of-service.


* Denial-of-service during System V message queue operation.

Uninitialized memory access when performing msgctl syscall could lead to
undefined behavior in the kernel. An attacker may exploit this bug to
cause a denial-of-service.


* Denial-of-service when performing fsync on a btrfs filesystem.

A rename followed by an fsync in the btrfs filesystem may lead to an
infinite loop. An attacker may exploit this bug to cause a
denial-of-service.


* Information leak from FPU during KVM context switch.

Failing to reload FPU state during context switch in the KVM subsystem
causes kernel state to leak into the guest. A local user may exploit
this bug to disclose privileged information.


* Denial-of-service in CIFS when handling command cancellation.

Sleeping in atomic context in the CIFS filesystem may cause a deadlock.
An attacker could exploit this bug to cause a denial-of-service.


* Denial-of-service in the netfilter OS fingerprint subsystem.

Missing check for the existence of a device attribute in the netfilter
passive OS fingerprinting subsystem leads to a NULL pointer dereference
during device initialization. An attacker with network configuration
privilege may exploit this bug to cause a denial-of-service.


* Denial-of-service when receiving packet in btusb driver.

Sleeping in atomic context in the bluetooth subsystem could lead to a
deadlock when receiving certain packets. An attacker may exploit this
bug to cause a denial-of-service.


* Denial-of-service when writing to cloned file in ocfs2 filesystem.

Incorrect locking in the ocfs2 filesystem when writing to a cloned file
leads to a NULL pointer dereference. An attacker could exploit this bug
to cause a denial-of-service.


* Denial-of-service in the em28xx driver.

A bug in the em28xx driver when handling allocation failure causes
memory leak. An attacker may exploit this bug to exhaust kernel memory
and cause a denial-of-service.


* Denial-of-service when accessing file in ext4 filesystem.

A race condition in the ext4 filesystem causes file access in a deleted
directory and leads to a NULL pointer dereference. An unprivileged local
attacker can exploit this bug to cause a denial-of-service.


* Use-after-free during NVMe-over-Fabrics Target queue initialization.

Incorrect error handling when initializing queue in NVMe-over-Fabrics
Target driver causes a use-after-free bug. A malicious user could
exploit this to cause a denial-of-service or possibly escalate
privilege.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.