[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2018-4195)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Sep 11 01:58:25 PDT 2018 

Synopsis: ELSA-2018-4195 can now be patched using Ksplice
CVEs: CVE-2018-1093 CVE-2018-12232 CVE-2018-12233 CVE-2018-3620 CVE-2018-3646
CVE-2018-5391

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4195.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service when removing USB3 device.

A double-free bug when removing USB3 devices leads to a NULL pointer
dereference. This can be triggered in the device's "safely remove"
feature path and lead to a denial-of-service.


* Incorrect sequence numbers in RDS/TCP.

Incorrect sequence numbers in an RDS/TCP connection could result in
warnings in an RDS stress test or potentially dropped packets.

Orabug: 28085194


* Improved fix to CVE-2018-1093: Denial-of-service in ext4 bitmap block validity
check.

Incorrect bitmap range checks could result in bitmap corruption and lost
space on an ext4 filesystem.

Orabug: 28078155


* Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.

Incorrect locking when initializing an OCFS2 DLM lock resource could
result in memory corruption and a kernel crash.


* Denial-of-service in RDS user copying error.

A bug in the RDS error handling when performing a copy from user could lead
to an invalid memory allocation, leading to potential memory corruption and
possible kernel panic.  This could be used to cause a denial-of-service.


* Denial of service in RDS TCP socket shutdown.

A race condition that occurs when shutting down an RDS TCP socket could
lead to a NULL pointer dereference, causing possible memory corruption
or a kernel panic.  This could be exploited to cause a denial-of-service
attack.

Orabug: 28350092


* CVE-2018-12233: Out-of-bounds access using extended attributes with JFS
filesystem.

An incorrect size for buffer allocation could lead to an out-of-bounds
access when changing attributes on a JFS file from user space. An
unprivileged user could use this flaw to cause a denial-of-service.


* Race between RDS/IB setup and teardown causes NULL-pointer dereference.

A race condition between setup and teardown of a Reliable Datagram
Socket over Infiniband connection could result in a queue pair being
destroyed while still in use. The associated pointer could then be
dereferenced while NULL, resulting in a denial-of-service.

Orabug: 28341723


* Kernel crash in Intel X722 iWARP under high I/O pressure.

Multiple race conditions, memory leaks and invalid references in the
Intel X722 iWARP driver could result in a kernel invalid pointer
dereference and crash under I/O pressure.

Orabug: 28002611


* Incorrect failover group parsing in RDS/IP.

A logic error in parsing the "rdmaip_active_bonding_failover_groups"
module parameter could result in incorrectly distributing failover
groups.


* CVE-2018-12232: Denial-of-service in socket close()/fchownat() race.

A race condition between close() and fchownat() on a socket could result
in a NULL pointer dereference and kernel crash.  A local, unprivileged
user could use this flaw to crash the system.

Orabug: 28312496


* KVM hang in virtual machine live migration.

Incorrect handling of non-blocking faults with userfaultfd could result
in a hang when migrating a live KVM virtual machine.

Orabug: 28322517


* Connection loss in Infiniband RDMA during migration.

A race condition between migration and a port losing the link state
could result in failure to complete migration.

Orabug: 28362675


* CVE-2018-5391: Remote denial-of-service in IP fragment handling.

A malicious remote user can use a flaw in IP fragment handling to starve
IP processing on the system causing loss of connectivity.

Orabug: 28481663


* Prepare megasas driver for l1tf mitigation.

A logic error in MSI-X interrupt assignment in the megasas SCSI driver
can result in a kernel hang when CPUs are removed from the system via
hotplug.

Orabug: 28342108


* CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.

A flaw in terminal fault handling on Intel CPUs could result in
information leaks across privilege boundaries including between
processes on a system or between virtual machines.

Mitigations for these CVEs include disabling SMT (HyperThreading) on
affected Intel CPUs, extra L1 data cache flushing when running virtual
machines when EPT is supported.  Both of these mitigations have workload
dependent performance implications can can be tuned by the
administrator.  This update will immediately enable L1 data cache
flushes on Intel CPUs if KVM is in use.  Where untrusted guests are in
use it is recommended to disable SMT.

SMT disable:

/sys/devices/system/cpu/smt/control: write "on" to enable SMT, "off" to
disable SMT.  Default: on.

L1D flushing:

/sys/module/kvm_intel/parameters/vmentry_l1d_flush, write:
  - "never": disable L1D flushing, leaving CVE-2018-3620 unmitigated but
  no noticeable performance impact
  - "cond": flush only in high risk transfers, mitigates CVE-2018-3620
  with the minimum number of flushes
  - "always": flush on every VM entry, fully mitigates CVE-2018-3620
  with the most overhead.
Default: "always"

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list