[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2018-4270)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Nov 21 07:35:58 PST 2018

Synopsis: ELSA-2018-4270 can now be patched using Ksplice
CVEs: CVE-2017-13168 CVE-2017-5715 CVE-2018-14610 CVE-2018-14611 CVE-2018-14734
CVE-2018-15572 CVE-2018-17182 CVE-2018-3639

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4270.


We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


* KPTI enablement for Ksplice.

* RDS RDMA cancellation failure with IPv6 addresses.

A logic error when processing a cancellation request for an RDS socket
could incorrectly handle the address family resulting in failing to
cancel the request.  This could be triggered by the userspace and cause
application logic errors.

Orabug: 28720069

* Out-of-bounds access when initializing Broadcom NetXtreme-C/E driver.

An logic error when retrieving data for firmware images during
initialization of Broadcom NetXtreme-C/E driver could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a

Orabug: 28632641

* CVE-2018-14734: Use-after-free in Infiniband leave_multicast function.

A race condition in the infiniband code could allow the leave_multicast
function to use a structure that was allocated but subsequently freed in
the process_join function, leading to memory corruption and possible system

Orabug: 28774511

* Reserved page accounting imbalance with hugetlbfs mappings.

Incorrect handling of dirty hugetlbfs pages could result in a reserved
page count underflow when dropping filesystem caches under specific

Orabug: 28813999

* CVE-2017-13168: Denial-of-service in sg read/write implementation.

An unsafe implementation of read/write in the sg driver can result in
userspace being able to corrupt Kernel memory. A local user with access
to an sg device could use this flaw to cause undefined behaviour or a
Kernel crash, leading to a denial-of-service.

Orabug: 28824731

* Denial-of-service when an I/O error happens while reading OCFS2 block.

A logic error when an I/O error happens while reading OCFS2 block could
lead to a kernel assert. A local attacker could use this flaw to cause a

Orabug: 28821391

* CVE-2018-14610: Denial-of-service due to invalid BTRFS chunk block mappings.

A failure to validate chunk and block mappings during mount of a BTRFS
filesystem can result in a kernel crash. A local user with the ability
to mount a BTRFS filesystem could use this flaw to cause a

Orabug: 28700872

* CVE-2018-14611: Use-after-free when reading invalid BTRFS chunk.

A failure to validate the type of a BTRFS chunk can result in a
use-after-free. A local user with the ability to mount a crafted BTRFS
filesystem could use this flaw to potentially escalate privileges.

Orabug: 28700851

* Kernel crash in Infiniband uverbs initialization.

A failure to correctly handle an error case can result in accessing an
uninitialized variable, leading to a kernel crash.

Orabug: 28197305

* Denial-of-service in BTRFS hard link log replay.

A logic error when writing hard link information to the BTRFS log can
result in a kernel crash if the log is replayed during the next mount. A
local user with access to a BTRFS filesystem could use this flaw to
cause a denial-of-service.

Orabug: 27941939

* Hang during RDS non-blocking sendto call.

A logic error can result in a non-blocking RDS socket blocking if the
MPRDS connection is not yet up.

Orabug: 28762597

* Deadlock in NFS server during client initialization.

A race condition in the NFS server between trunking detection and client
initialization can result in a deadlock.

Orabug: 28775910

* CVE-2018-17182: Privilege escalation in VMA cache flushing.

A failure to correctly invalidate the VMA cache when an integer overflow
occurs can result in a use-after-free. An unprivileged local user could
use this flaw to escalate privileges.

Orabug: 28700955

* Guest hang in VHOST SCSI error recovery.

Missing handling of control queue operations for VHOST SCSI devices
could result in timeouts and guest hangs under error recovery.

Orabug: 28775556

* Improved fix for CVE-2018-3639: Speculative Store Bypass information leak.

In certain circumstances the mitigation for Speculative Store Bypass can
incorrectly be disabled upon a return to userspace.

Orabug: 28814574

* CVE-2018-15572: Information leak in context switches (SpectreRSB).

Missing RSB fills on some CPU families during context switch could allow
leaking of information between processes with a Spectre v2 attack.

Orabug: 28631576

* Support runtime retpoline control for CVE-2017-5715 (Spectre v2).

On some families of Intel processors IBRS is required for full
mitigation of Spectre v2 but has a significant performance overhead
compared to retpoline.  Add support for switching from IBRS to retpoline
where extra performance is required and risk analysis shows that
retpoline offers sufficient protection for the deployment.


Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list