[Ksplice][Ubuntu-20.04-Updates] New Ksplice updates for Ubuntu 20.04 Focal (USN-4909-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Apr 30 03:35:15 PDT 2021


Synopsis: USN-4909-1 can now be patched using Ksplice
CVEs: CVE-2020-27170 CVE-2020-27171 CVE-2021-20194 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-3348

Systems running Ubuntu 20.04 Focal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4909-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.04
Focal install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
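The two cases above (autoinstall on, or a manual uptrack-upgrade) as an added shell check for a fleet inventory script; this is not part of the Ksplice notice or Oracle's tooling, the config path is a parameter, and the sample config files are constructed here:

```shell
#!/bin/sh
# Added example (not Ksplice's own tooling): report whether a host still
# needs a manual "uptrack-upgrade -y" by reading the autoinstall setting
# from its uptrack.conf. The path is a parameter so the check can be run
# against a constructed sample file as well as /etc/uptrack/uptrack.conf.

# Print "yes" if the config enables autoinstall, "no" otherwise.
# Tolerates whitespace and case around "autoinstall = yes", ignores
# commented-out lines, lets the last occurrence win, and treats an
# unreadable file or a missing key as "no" (the conservative answer).
uptrack_autoinstall() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return; }
    val=$(tr 'A-Z' 'a-z' < "$conf" \
        | sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        | tail -n 1)
    case "$val" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# The action a fleet script would record for this host: nothing to do when
# autoinstall is on, otherwise the manual command from the notice.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = yes ]; then
        echo "autoinstall enabled; Ksplice applies USN-4909-1 automatically"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not real system files) to exercise the check.
tmpd=$(mktemp -d)
printf '# autoinstall = yes\n[Settings]\nautoinstall = no\n' > "$tmpd/manual.conf"
printf '[Settings]\n  AutoInstall=Yes  # fleet default\n' > "$tmpd/auto.conf"
uptrack_action "$tmpd/manual.conf"
uptrack_action "$tmpd/auto.conf"
```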


DESCRIPTION

* CVE-2021-26932, XSA-361: Denial-of-host-service by malicious Xen frontend.

Batched mapping operations can be potentially mishandled by the Linux
Xen backend, resulting in incorrectly reported success or failure of the
operation. Running a malicious or buggy frontend could result in a
denial-of-service on the host.


* CVE-2021-26931, XSA-362: Mishandling of errors causes DoS of Xen backend.

Several error conditions in the scsi, block, and net Xen backend drivers
incorrectly cause kernel assertion failures. A malicious or buggy Xen
frontend might trigger these conditions, causing a denial-of-service in the
host.


* CVE-2021-20194: Privilege escalation in the BPF subsystem.

Missing error checks in the BPF subsystem could cause a buffer overflow.
A local user could use this flaw to escalate their privileges or cause
a denial-of-service.


* CVE-2021-26930, XSA-365: Bad error handling of blkback grant references.

The Xen blkback driver can incorrectly ignore errors when mapping grant
references, potentially reporting a false success, and causing unmapped
memory to be accessed. Hosting a malicious or buggy frontend driver
might result in a denial-of-service on the host.


* CVE-2021-3348: Use-after-free due to bad locking in Network block device.

Missing locking in the Network block device driver could lead to a
use-after-free when setting up a device. A local user could use this
flaw to cause a denial-of-service or to execute code.


* Improved fix to CVE-2020-27170, CVE-2020-27171: Information disclosure in BPF verifier.

Multiple flaws in the BPF verifier implementation could result in
incorrect arithmetic operations. A local user could use these flaws
to cause information disclosure.


* Denial-of-service in the NTFS driver when reading the standard information attribute.

Insufficient validation of the standard information attribute in
an NTFS image allows maliciously crafted filesystem images to cause
a local denial-of-service during mount.


* Out-of-bounds memory accesses when accessing HID devices array fields.

Potential out-of-bounds write in __hidinput_change_resolution_multipliers()
and an out-of-bounds read in hidinput_count_leds() during HID
device registration. A local attacker could try to register a virtual
HID device to exploit this flaw.


* Memory leak in MediaTek's MT76 wifi driver in a receive poll loop.

A possible memory leak in the mt76_add_fragment() function could be
exploited by a remote attacker to waste system resources and degrade
performance, or to aid in another type of attack.


* Out-of-bounds memory access in the NVMe TCP driver when receiving multiple PDUs.

A potential out-of-bounds access in the nvme-tcp driver when receiving
multiple h2cdata PDUs could be exploited by a remote attacker to aid
in another type of attack.


* Memory leak in RxRPC driver during socket release/shutdown.

Under certain conditions, the rxrpc_lookup_local function can leak
memory. This could potentially be exploited by a remote attacker to
waste system resources and degrade performance, or to aid in another
type of attack.


* Denial-of-service in memory compaction subsystem.

A bug in the fast_isolate_freepages() function of the memory compaction
subsystem can corrupt the kernel's internal data structures. A local
user could use this flaw to cause a denial-of-service.


* Denial-of-service in IPSEC subsystem.

Under certain conditions (SMP system, packet reordering,
xfrm replay_window > 32) it is possible to trigger a kernel
oops in the XFRM module. A remote user could use this flaw to
cause a denial-of-service.


* Memory leak in the pNFS driver when receiving a new stateid.

Under certain conditions (a new stateid that does not match the cached
one) there is a memory leak in the pnfs_layout_process() function of
the NFS driver. A malicious NFS client could use this flaw to waste
system resources and degrade performance, or to aid in another type of
attack.


* Use-after-free in RxRPC when releasing a call.

There is a race between rxrpc_release_call() and rxrpc_resend().
A remote attacker could use this flaw to trigger a use-after-free
in the RxRPC module.


* Memory leak in overlayfs during link syscall.

A race condition in overlayfs results in a dentry leak and a kernel
crash. A local user could exploit this to cause a denial-of-service.


* Denial-of-service in the legacy WiFi extensions when committing changes.

Failure to validate dev->wireless_handlers pointer when performing
an ioctl can lead to a NULL pointer dereference. A local user could
exploit this to cause a denial-of-service.


* Out-of-bounds memory access in the IPSEC/PF_KEYv2 socket when probing crypto algorithms.

A race condition between xfrm_probe_algs() and
count_ah_combs()/count_esp_combs()/dump_ah_combs()/dump_esp_combs()
can lead to a kernel panic in skb_put(). A local user could exploit
this to cause a denial-of-service by sending an SADB_REGISTER message
from a user process to the kernel.


* Denial-of-service in MediaTek's MT7601U WiFi driver in the receive path.

Incorrect reference counting in mt7601u_rx_process_entry() can lead
to a kernel crash. A remote user could exploit this to
cause a denial-of-service.


* Memory leak in the Chelsio Crypto Co-processor driver in the receive path.

A potential resource leak in the Chelsio Crypto Co-processor driver
during socket receive handling in chtls_recv_sock() when no
neighbour is found. A remote attacker could use it to cause a
denial-of-service.


* Data corruption in Virtual Socket protocol.

Due to incorrect locking in the Virtual Socket protocol,
an attacker could cause data corruption during the socket
shutdown operation.


* Use-after-free in the Virtual Socket protocol when the connection times out.

A possible use-after-free when using connect() with a timeout
in the Virtual Socket protocol. An attacker could use it to cause
a denial-of-service.


* Use-after-free in Virtual Socket protocol when closing a connection.

A potential use-after-free in the Virtual Socket protocol when an
operation is attempted on a closed or released socket. A malicious
user might exploit this to cause a denial-of-service or privilege
escalation.


* Use-after-free in the address resolution code when flushing the network device.

A race condition in the generic neighbour code of the networking stack
can cause internal data corruption and a possible use-after-free. An
attacker might use this to cause a denial-of-service or to aid
in another type of attack.


* Denial-of-service in the SunRPC driver with GSS auth when handling zero length XDR objects.

A flaw in SUNRPC_GSS could lead to a NULL pointer dereference.
A local attacker could use this to cause a denial-of-service.


* Security bypass in the WiFi WEP security protocol when checking fast receive support.

Due to a logic error in MAC80211's WEP handling,
an attacker could bypass a security check with a
default unicast key.


* Denial-of-service in the Xen backend network driver when checking receive slots availability.

Due to missing locking in xenvif_rx_ring_slots_available()
in the Xen backend network device, an attacker could trigger a
data race and corrupt internal kernel data structures, or use
this flaw to aid in another type of attack.


* Use-after-frees in the HugeTLB driver when releasing a page.

Due to multiple race conditions in HugeTLB when freeing pages,
a local attacker could corrupt internal kernel data structures
and cause a denial-of-service, or use this flaw to aid in another
type of attack.


* Denial-of-service in Transparent Hugepage Support when splitting a page.

Due to incorrect locking in Transparent Hugepage Support,
a local attacker could cause a deadlock and denial-of-service.
Possible conditions include using madvise(MADV_REMOVE) on
madvise(MADV_HUGEPAGE) pages, partial truncation of a mapped
hugetmpfs file, or using fallocate(FALLOC_FL_PUNCH_HOLE) on it.


* Use-after-frees in Squashfs during mount and xattr operations.

A lack of input validation in Squashfs could lead to a
use-after-free and out-of-bounds accesses. An attacker
could prepare a specially crafted squashfs image to
cause a denial-of-service or to aid in another type of attack.


* Data corruptions in the network packet scheduler when changing the queue discipline.

A logic error in the qdisc code could lead to a kernel oops. An attacker
could use this to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
