[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2019-4612)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Apr 18 10:58:03 PDT 2019

Synopsis: ELSA-2019-4612 can now be patched using Ksplice
CVEs: CVE-2019-3701 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-8980 CVE-2019-9213

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4612.
More information about this errata can be found at


We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


* Add support for runtime configuration of target LIO inquiry strings.

This adds support for configuring the vendor, model and revision LIO
inquiry strings for target devices on the system through configfs.

Orabug: 29344881

* Denial-of-service in the Infiniband core driver when allocating protection domains.

A missing initialization of the shared protection domain when allocating
protection domains leads to use of uninitialized memory.

Orabug: 29384900

* CVE-2019-6974: Use-after-free in KVM device creation.

A reference count manipulation error when creating a KVM device can result in
an early free, leading to a use-after-free. A local user with access to KVM
could use this flaw to cause a kernel crash or potentially escalate privileges.

Orabug: 29408541

* CVE-2019-7222: Information disclosure in KVM VMX emulation.

Incorrectly handling a page fault exception while emulating VMX instructions
can result in leaking host stack information to a guest. A guest VM could use
this flaw to facilitate a further attack on the host.

Orabug: 29408618

* CVE-2019-7221: Use-after-free in nested KVM preemption timer.

A failure to cancel a nested KVM timer before freeing it can result in a
use-after-free. A guest VM could use this flaw to crash the host.

Orabug: 29408638

* Denial-of-service when umounting a filesystem with many dentries in the dentry cache.

A logic error when unmounting a filesystem with many dentries in the
dentry cache could lead to a soft lockup. A local attacker could use
this flaw to cause a denial-of-service.

Orabug: 29450975

* Undefined behaviour in Mellanox MLX4 MTT setting.

Use of an undefined shift operation when calculating the MTT for a
Mellanox MLX4 device could result in undefined behaviour.

Orabug: 29019427

* NULL pointer dereference on Xen virtual block device removal.

A missing check on Xen virtual block device removal could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a

Orabug: 29489795

* CVE-2019-9213: Bypass of mmap_min_addr restriction.

An incorrect capability check in the mmap memory expansion implementation can
result in applications being able to bypass the minimum mmap address
restriction. A local user on a system without SMAP enabled could use this flaw
to exploit kernel NULL pointer dereferences.

Orabug: 29501977

* Use-after-free of socket buffer in crypto API core.

The crypto module's alg_do_release function fails to zero out a pointer
to a socket structure after that structure is freed.  This can lead to a
use-after-free scenario, which can result in unexpected behavior,
including a potential kernel panic.

Orabug: 29454874

* CVE-2019-8980: Denial-of-service in kernel read file implementation.

A failure to free memory after a read error can result in a memory leak. A
local user could use this flaw to exhaust system memory, leading to a kernel

Orabug: 29454858

* Data corruption on ext4 filesystems while performing direct AIO.

Under certain conditions, it is possible for unaligned direct AIO
operations on an ext4 filesystem to corrupt previously written
filesystem blocks.  A malicious user could potentially exploit this flaw
to corrupt filesystem data.

Orabug: 29598590

* CVE-2019-3701: Denial-of-service in CAN controller.

Missing sanity checking in the Controller Area Network driver can allow
a malicious user to write arbitrary bits into the CAN device's I/O
memory, resulting in a system crash and denial-of-service.

Orabug: 29215297

* Use-after-free in Mellanox MLX5 self-healing flow.

Failure to correctly stop work during the self-healing flow could result
in a use-after-free and kernel crash under specific conditions.

Orabug: 29447325

* Kernel crash in Mellanox MLX5 interface attach failure.

Missing error handling during interface attach failure could result in
dereferencing invalid pointers and a kernel crash.

Orabug: 29447325

* Memory leak in Mellanox MLX5 E-Switch FDB table creation.

Missing resource freeing during FDB table creation could result in
exhaustion of kernel memory.

Orabug: 29447325

* Kernel crash in Mellanox MLX5 vport queries.

An incorrect resource freeing function could result in a kernel crash
under specific conditions.

Orabug: 29019430

* Kernel deadlock in Mellanox MLX5e IPSEC resource freeing.

Incorrect locking could result in a deadlock when freeing IPSEC
resources under specific conditions.

Orabug: 29019427

* NULL pointer dereference in ISCSI transmission.

A race condition between ISCSI transmission and completion could result
in a NULL pointer dereference and kernel crash.

Orabug: 29024514

* Mellanox MLX5 debugfs creation failure on device hotplug.

Failure to correctly remove debugfs entries on MLX5 device removal could
result in failure to recreate the entries on hotplug and cause the
device probe to fail.

Orabug: 29447325

* Correctly report SET_DRIVER_VERSION commands for Mellanox MLX5.

The Mellanox MLX5 driver did not correctly decode SET_DRIVER_VERSION
commands to a string resulting in ambiguous debug messages.

Orabug: 29447325

* Mellanox MLX5 device IRQ allocation failure after kexec.

Failure to correctly free resources on device shutdown could result in
failing to reallocate them after a kexec and cause MLX5 devices to be

Orabug: 29019427

* Use-after-free in AMD GPU HSA module unload.

A use-after-free in the amdkfd module exit function could result in a
kernel crash when unloading the module.

Orabug: 29534199

* Spectre v2 bypass with EIBRS support.

Multiple logic errors could cause EIBRS to be disabled on new CPUs with
EIBRS support and the kernel booted with spec_store_bypass_disable=on or
prctl() for SSBD control.

Orabug: 29423796, 29526400

* Spectre v4 SSBD setting failure for KVM guests.

If SSBD was disabled on the host, guest toggling of the SSBD state would
be transparently dropped resulting in Spectre v4 vulnerability for the

Orabug: 29423796


Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list