[Ksplice][Ubuntu-20.04-Updates] New Ksplice updates for Ubuntu 20.04 Focal (USN-4483-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Oct 22 12:37:02 PDT 2020


Synopsis: USN-4483-1 can now be patched using Ksplice
CVEs: CVE-2019-20810 CVE-2020-10757 CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 CVE-2020-10781 CVE-2020-12655 CVE-2020-12656 CVE-2020-12771 CVE-2020-13974 CVE-2020-15393 CVE-2020-24394

Systems running Ubuntu 20.04 Focal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4483-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.04
Focal install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
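As an added example (not part of the Ksplice notice), a small POSIX shell check that tells an administrator whether a host will pick these updates up on its own or needs the manual command above. It assumes uptrack.conf is a plain "key = value" file; only the "autoinstall = yes" setting quoted above is relied on, and UPTRACK_CONF is a hypothetical override variable.

```shell
# Added example, not Oracle's code. Assumes an INI-style "key = value"
# uptrack.conf; the config path can be overridden for testing.
UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# Return 0 when the file enables autoinstall, 1 otherwise (missing or
# unreadable file, commented-out line, or any value other than yes).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Strip '#'/';' comments, keep only uncommented "autoinstall = ..."
    # lines (case-insensitive, whitespace tolerant); the last one wins.
    last=$(sed -e 's/[#;].*$//' "$conf" \
        | grep -i -E '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -E 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*//; s/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    [ "$last" = "yes" ]
}

# Print the action to take on this host for the USN-4483-1 Ksplice updates.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates install automatically"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

uptrack_plan "$UPTRACK_CONF"
```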


DESCRIPTION

* Use-after-free when tearing down SCTP queue.

A reference counting bug in the SCTP protocol leads to a use-after-free
while tearing down the outgoing queue. An attacker could exploit this bug
to cause a denial-of-service.


* CVE-2020-15393: Memory leak in USB test driver.

A missing free of resources when a USB test device is disconnected could
lead to a memory leak. A physically proximate attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2020-10766: Information leak using Spectre V4 variant.

A logic error when context switching between multiple processes could
let an attacker disable the SSBD mitigation and leak information about a
victim process.


* Out-of-bounds access in QLogic QEDI 25/40/100Gb iSCSI Initiator driver.

A missing check on user input in QLogic QEDI 25/40/100Gb iSCSI Initiator
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service or escalate privileges.


* Denial-of-service in Prism2.5/3 USB driver.

A missing check on the endpoint type of a plugged USB device could lead to
an invalid memory access. A local attacker could use this flaw and a
malicious USB device to cause a denial-of-service.


* NULL pointer dereference when renaming a folder while deleting it on ext4.

A logic error when renaming a folder while deleting it on ext4 could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* NULL pointer dereference when receiving a packet over a tunnel device.

A logic error when receiving a packet over a tunnel device could lead to a
NULL pointer dereference. A remote attacker could use this flaw to cause
a denial-of-service.


* Out-of-bounds access when receiving a malformed GSO packet.

A logic error when receiving a malformed GSO packet could lead to an
out-of-bounds access. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-20810: Denial-of-service with GO7007 sound card initialization.

A failure to properly deal with errors during initialization could lead
to a memory leak. This could be exploited for a denial-of-service attack.


* Denial-of-service in the ALSA info subsystem.

An overly verbose debug print could be triggered from user space in the ALSA
info subsystem. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-10757: Flaw in DAX page mapping allows privilege escalation.

A flaw in the kernel handling for remapping huge pages mishandles pages
mapped for the DAX (direct userspace access) subsystem. A user with
access to DAX-mapped storage could exploit this to escalate their
privileges.


* NULL pointer dereference when setting ext4 extended attributes.

A missing check when setting ext4 extended attributes could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when using Virtual terminal ioctl.

A logic error when using a Virtual terminal ioctl could lead to a general
protection fault. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when setting the TCP_CONGESTION TCP socket option.

A logic error when setting the TCP_CONGESTION TCP socket option and later
freeing it could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.


* Integer underflow in ioctl of frame buffer devices.

A logic error while processing user input in the FBIOPUT_VSCREENINFO ioctl
of frame buffer devices could lead to an integer underflow. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2020-10781: Denial-of-service using Zram hot_add file sysfs entry.

A wrong permission setting on the /sys/class/zram-control/hot_add file could
let an attacker create zram device nodes and exhaust kernel memory. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2020-12655: Denial-of-service when syncing data on XFS filesystem.

A logic error when syncing data on a specially crafted XFS filesystem
could let an attacker cause a denial-of-service.


* Use-after-free when creating an ANSI/IEEE 802.2 LLC type 2 socket.

A logic error when creating an ANSI/IEEE 802.2 LLC type 2 socket could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2020-13974: Integer overflow in virtual terminal keyboard interface.

Improper handling of ASCII key events in the kernel's virtual terminal
driver could lead to an integer overflow on repeated keypresses. This
could potentially result in an unspecified security impact.


* Race condition when sending IB subnet MAD causes denial-of-service.

When allocating an Infiniband management datagram (MAD) packet for the
Infiniband subnet manager, the request data might be freed before the
datagram is fully transmitted, resulting in a use-after-free and a
denial-of-service.


* Kernel crash in guest VM with machine check exception.

An error in handling a machine check on a Linux host could lead to a crash in
the guest VM.


* Denial-of-service in AppArmor security module.

A reference count error when setting up a cryptographic socket and later
closing it could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* Use-after-free in Serial ATA and Parallel ATA driver.

A logic error in the Serial ATA and Parallel ATA driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-24394: Information leak when exporting a filesystem over NFS.

A logic error when exporting a filesystem without ACL support over NFS
could lead to wrong permissions being used for newly created files. An
attacker could use this flaw to leak information stored in this
filesystem.


* CVE-2020-12771: Deadlock during BCache node coalesce failure.

A logic error when taking locks during a coalesce of nodes in the BCache
driver can result in a deadlock.


* Note: Oracle will not provide an update for CVE-2020-12656.

The memory leak happens only when loading/unloading the affected module
and loading a kernel module is a privileged operation.


* Out-of-bounds access in USB Infinity USB Unlimited Phoenix driver.

A missing check on user input when using USB Infinity USB Unlimited
Phoenix driver could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.


* Information leak in the AdLib FM cards driver.

A missing zeroing of on-stack data in the AdLib FM cards driver could
lead to an information leak. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* Information leak in cryptographic subsystems.

A missing zeroing of sensitive data when freeing it in cryptographic
subsystems could lead to an information leak. A local attacker could use
this flaw to leak information about the running kernel and facilitate an
attack, or to leak sensitive information.


* Out of bounds write in ioctl of Turtle Beach Maui and Tropez soundcards driver.

An out-of-bounds write in the ioctl of the Turtle Beach Maui and Tropez
soundcards driver could happen when issuing Wavefront synth commands from
userspace. A local, unprivileged user could use this flaw to cause
a denial-of-service or potentially escalate privileges.


* Out-of-bounds access when using Amateur Radio AX.25 Level 2 protocol socket.

Logic errors when connecting or sending messages over an Amateur Radio
AX.25 Level 2 protocol socket could lead to out-of-bounds accesses. A
local attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference on unmounting fs while balance is canceled (btrfs).

Unmounting a btrfs filesystem while cancelling the balance could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-10768: Information leak using Spectre V2 gadgets due to incorrect prctl configuration.

A logic error could let a local user enable indirect branch prediction
even if it has been force disabled to mitigate Spectre V2 attacks. A
local attacker could use this flaw to leak information about a victim
process.


* CVE-2020-10767: Information leak using Spectre V2 attack when IBPB is disabled.

A logic error when STIBP is not supported by the hardware makes IBPB
disabled unconditionally by default. A local attacker could use this
flaw to leak information about other processes.


* NULL pointer dereference in khugepaged on collapsing a page.

A VMA containing anonymous pages could be replaced with a file VMA. If the
private page is NULL in the file VMA, this leads to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference on a race condition in nfsd/clients.

Without proper locking, a file may go away while a file reference is being
taken, leading to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* Use-after-free in Atheros 802.11n wireless driver.

When a timeout occurs at completion of setup or on connecting to a
service, a firmware bug causes a local buffer to be freed that is later
used by another code path, leading to a crash and thus a denial-of-service.


* Kernel oops while reading amdgpu's PCI configuration file in sysfs.

Reading pp_num_states under /sys causes the amdgpu driver to access an
illegal address derived from uninitialized data, leading to a segmentation
fault and a system reboot. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when IP set receives a packet and frees the buffer.

A logic error when the IP set module receives a packet makes it call the
wrong function to free the buffer, crashing the system. A remote attacker
could use this flaw to cause a denial-of-service.


* Untrusted PCI device can masquerade as a faulty gfx device.

A malicious untrusted PCI device can masquerade as the VID:PID of a faulty
device to effectively disable the IOMMU restrictions. A local, unprivileged
user could use this flaw to cause a denial-of-service or potentially
escalate privileges.


* Loss of I/O in TCMU scsi driver.

A userspace program could send a wrong SCSI command completion, leading to
premature completion of a valid command without servicing it. This leads
to dropped I/O.


* Memory corruption in IEEE 802.11n WiFi driver.

Insufficient space reserved in the wireless scan path could cause memory
corruption and a kernel crash.


* Memory leak on unlinking sockets in sock_hash_free.

The list elements in the socket hash are not freed when the socket itself
is freed, leading to a memory leak.


* Memory leak when closing sockets.

A missing free of resources when closing a socket in the network core code
path could lead to a memory leak. A remote attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* Denial-of-service on VM fault.

A logic error lets a root PD clean operation overwrite a PDE update done by
the CPU, leading to a VM fault. This causes a denial-of-service.


* Denial-of-service on accessing invalid memory in blk-mq.

When encountering an error while reallocating a buffer after the number of
hardware queues is increased, blk-mq continues to use stale/invalid memory,
leading to a kernel panic. This will cause a denial-of-service. Without
increasing the hardware queues, system performance is severely degraded
under heavy I/O load.


* Information leak in STMicroelectronics HTS221 sensor driver.

When filling a buffer, the kernel passes an uninitialized buffer to the
device. This could leak privileged kernel memory to the device and allow a
malicious device to escalate privilege. It can also leak information to
userspace.


* Information leak in Asahi Kasei AK8974 3-Axis Magnetometer.

When filling a buffer, the kernel passes an uninitialized buffer to the
device. This could leak privileged kernel memory to the device and allow a
malicious device to escalate privilege. It can also leak information to
userspace.


* Use-after-free when releasing page table entries adjacent to a stack.

A race condition when releasing page table entries on a memory range adjacent
to a stack could lead to a use-after-free. A local, unprivileged user could use
this flaw to cause a denial-of-service or potentially escalate privileges.


* Denial-of-service when the number of hardware queues for a block device is increased.

Increasing the number of hardware queues for a block device does not
allocate the corresponding internal data buffers. When the newly added
queue is accessed, it touches the invalid data buffers and causes a kernel
panic. Performance is severely degraded without increasing the hardware
queues.


* Denial-of-service in ADDI-DATA APCI_1500 COMEDI driver.

A missing check on user input when using ADDI-DATA APCI_1500 COMEDI
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.