[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELBA-2019-4666)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jun 6 06:44:38 PDT 2019


Synopsis: ELBA-2019-4666 can now be patched using Ksplice
CVEs: CVE-2017-7308 CVE-2018-14625 CVE-2018-14634 CVE-2018-3620 CVE-2018-3646 CVE-2018-5333 CVE-2018-6554 CVE-2018-6555 CVE-2019-3459 CVE-2019-3460 CVE-2019-3819 CVE-2019-3882

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Bug Fix Advisory, ELBA-2019-4666.
More information about this errata can be found at
https://linux.oracle.com/errata/ELBA-2019-4666.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
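A small shell check, added here and not part of the announcement or of the Ksplice tooling, that reads the same "autoinstall" key from uptrack.conf before deciding whether a host will pick up this update on its own or needs a manual uptrack-upgrade run. The sample config files, the [Settings] section name and the config-path argument are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory or from Ksplice): decide whether a host
# running Ksplice Uptrack applies updates automatically or needs
# "/usr/sbin/uptrack-upgrade -y" run by hand. The config path is a parameter so
# the check can be exercised against constructed files instead of /etc/uptrack.

# Return 0 if "autoinstall = yes" is set (ignoring comment lines, whitespace
# and case), 1 otherwise. The last occurrence of the key wins.
ksplice_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(grep -v '^[[:space:]]*[#;]' "$conf" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# Print the action an operator should take for the host described by $1.
ksplice_update_plan() {
    if ksplice_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates apply automatically"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs for a stand-alone run (not real host files;
# the [Settings] section name is assumed for the example).
AUTO_CONF=$(mktemp)
MANUAL_CONF=$(mktemp)
trap 'rm -f "$AUTO_CONF" "$MANUAL_CONF"' EXIT
cat > "$AUTO_CONF" <<'EOF'
[Settings]
# autoinstall = no   (commented out: must be ignored by the check)
Autoinstall = Yes
EOF
cat > "$MANUAL_CONF" <<'EOF'
[Settings]
autoinstall = no
EOF

ksplice_update_plan "$AUTO_CONF"
ksplice_update_plan "$MANUAL_CONF"
```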


DESCRIPTION

* Remote attack vector in TCP internal control sockets.

An incorrect configuration of a certain set of control sockets used within
the IPv4 TCP core creates a potential vector for remote attack.  A remote
attacker could exploit this flaw to gather information about a target
system, and potentially cause a denial-of-service.


* Information leak in u32 Packet Classifier.

A missing length check on a user-controlled buffer in the Universal 32-bit key
Packet Classifier module can allow a local attacker to leak information about
the running system.


* Denial-of-service in packet editor error handling code.

Improper error handling in the act_pedit packet editor module can lead to a NULL
pointer dereference and subsequent kernel panic.  This could be used by a local
attacker to cause a denial-of-service.


* Use-after-free in SCTP protocol handling code.

A logic error in the code providing SCTP protocol support can lead to a
use-after-free scenario.  This can lead to unexpected behavior, and could
be used by a local attacker to cause a denial-of-service.


* Memory leak in Mellanox Spectrum switch driver.

A logic error in the Mellanox Spectrum switch driver's device shutdown code can
lead to certain structures not being freed when a device is destroyed.  This
could be used to waste system resources, and potentially cause a
denial-of-service.


* Potential deadlock in Hyper-V virtual network driver init path.

A lock ordering issue in the Hyper-V virtual network driver's init path can
lead to deadlock.  This could be used to cause a denial-of-service.


* Denial-of-service in sunrpc client authentication code.

An incorrect memory allocation in the sunrpc client authentication path can
lead to a kernel panic.  This could be used to cause a denial-of-service.


* Read of uninitialized memory in filesystem core.

An incorrect length check during a copy operation in the filesystem core can
lead to a read of uninitialized memory.  This could cause unexpected behavior,
including potential denial-of-service.


* Race condition in IPVS core.

A logic error in the IPVS core code path that handles new connections creates
a race condition, which can lead to an infinite loop.  This could be used to
cause a denial-of-service.


* Memory leaks in Netfilter Netlink code.

Multiple logic errors in the Netfilter code supporting Netlink sockets can lead
to memory being leaked.  This could be used to waste system resources and
degrade performance.


* Race condition in 9P filesystem core.

A lock ordering issue in the 9P filesystem creates a race condition, which can
cause a particular list item to be deleted twice.  This could lead to unexpected
behavior, including a potential denial-of-service.


* Soft lockup in device-mapper core.

A failure to properly reschedule a process in the device-mapper core can result
in soft lockups.  These could result in degraded system performance, or
denial-of-service.


* Improved fix to CVE-2018-3620, CVE-2018-3646 for Xen PV guests.

Improperly sized writes to page tables by Xen PV guests can create page table
entries that are temporarily vulnerable to L1TF.


* CVE-2018-6554: Denial-of-service in IRDA socket binding.

Repeated calls to bind() on an IRDA socket could cause a memory leak
resulting in a denial of service by a local, unprivileged user.


* CVE-2018-6555: Privilege escalation in IRDA setsockopt().

Missing liveness checks could result in a use-after-free when performing
setsockopt() on an IRDA socket.  A local, unprivileged user could use
this flaw to corrupt kernel memory and potentially escalate privileges.


* Improved fix to CVE-2018-3620, CVE-2018-3646 for KVM shadow page tables.

KVM shadow PTEs for MMIO mappings are vulnerable to L1TF attacks from KVM
guests.

Orabug: 28671425


* Denial-of-service when using NBD_SET_BLKSIZE ioctl.

The NBD_SET_BLKSIZE ioctl does not properly sanitize its parameters.
Malicious input could result in a divide-by-zero and denial-of-service.


* Memory leak in DVBWorld DVB-S 2102 USB tuner driver.

The driver for the DVBWorld DVB-S 2102 allocates memory on probe that it
fails to ever deallocate. A malicious device could exploit this failure
to starve the system of resources and cause a denial-of-service.


* Denial-of-service when updating blk-mq sysfs entry.

The 'nr_requests' sysfs entry for the Multiqueue Block I/O Scheduler is
not properly sanitized. A malicious value might cause the driver to
overrun memory, resulting in memory corruption or a denial-of-service.


* Memory double-free when failing to register Userspace I/O device.

If an unexpected error occurs while attempting to register a Userspace
I/O driver, the device structure pointer might be accidentally freed
twice, resulting in memory corruption or a denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in CD/DVD driver.

Missing sanitization of the index into the array of device minor numbers when
looking up a pktcdvd CD/DVD device could lead to an information leak. An
attacker could manipulate this value to gain information about the
running system.


* Improved fix for Spectre v1: Bounds-check bypass in Honeywell HMC6352 compass driver.

A missing use of the indirect call protection macro in the Honeywell HMC6352
compass driver could lead to speculative execution. A local attacker
could use this flaw to leak information about the running system.


* Use-after-free when setting a USB interface with the xHCI USB host driver.

A logic error when setting a USB interface with the xHCI USB host driver could
lead to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access in completion handler of USB Inside Out Edgeport Serial driver.

A missing check in the completion handler of the USB Inside Out Edgeport Serial
driver could lead to an out-of-bounds access. A local user could use a
malicious USB device to cause a denial-of-service.


* Out-of-bounds access in interrupt handler of USB TI 3410/5052 Serial driver.

A missing check in the interrupt handler of the USB TI 3410/5052 Serial driver
could lead to an out-of-bounds access. A local user could use a
malicious USB device to cause a denial-of-service.


* Integer overflow when finding CIFS entries.

A missing check when finding CIFS entries could lead to an integer
overflow. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in system-call auditing driver.

A locking error when adding a watcher in the system-call auditing driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when using KFD ioctls in the HSA kernel driver for AMD GPU devices.

An incorrect return code when using KFD ioctls in the HSA kernel driver for AMD
GPU devices could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* NULL pointer dereference when accessing TI BQ4802 RTC registers.

Incorrect error handling in the TI BQ4802 RTC driver could lead to a NULL
pointer dereference when accessing RTC registers. A local attacker could
use this flaw to cause a denial-of-service.


* NULL pointer dereference when using the Intel Management Engine Interface.

A logic error when using the Intel Management Engine Interface could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when an I/O error happens while reading an OCFS2 block.

A logic error when an I/O error happens while reading an OCFS2 block could
lead to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 28821388


* Information leak when using a Performance Monitoring Counter in a Xen guest.

A missing initialization of on-stack data when using a Performance
Monitoring Counter in a Xen guest could lead to an information leak. A
local attacker could use this flaw to leak information about the running
kernel and facilitate an attack.


* Undefined behaviour in nested Intel KVM guest APIC emulation.

Missing validity checks for the virtualized APIC in a nested KVM guest
could result in undefined behaviour of the guest.

Orabug: 28671425


* Denial-of-service in sysfs VMBus channel read.

A failure to properly handle unsupported device types in the VMBus
code could lead to uninitialized sysfs files.  Reading these files
could return garbage data or cause a kernel panic.  This could be
used for a denial of service.

Orabug: 28671425


* CVE-2018-5333: NULL pointer dereference when freeing resources in the Reliable Datagram Sockets driver.

A missing check when freeing resources in the Reliable Datagram Sockets
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Kernel crash in OCFS2 direct IO failure.

Failure to correctly free resources on direct IO failure could result in
triggering a kernel assertion and a kernel crash.

Orabug: 28951112


* Kernel crash in pmem disk bad block initialization.

A logic error when initializing bad block information for a pmem device can
result in the use of uninitialized memory, leading to a kernel crash or
undefined behavior.

Orabug: 29199920


* Denial-of-service when using an ioctl of the LSI Logic MegaRAID SAS RAID module.

A missing check when using the FIRMWARE32 ioctl of the LSI Logic MegaRAID SAS
RAID module could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.


* NULL pointer dereference in hwpoison memory failure.

A race condition in the hwpoison code could lead to a NULL pointer
dereference and possible kernel panic.  This could be used to cause
a denial-of-service.


* CVE-2018-14625: Kernel information leak when releasing a vsock.

A use-after-free bug when releasing an AF_VSOCK socket may allow an
attacker to read kernel memory from inside a VM guest. This could be
exploited to leak privileged information and possibly impersonate
AF_VSOCK messages destined for other clients.

Orabug: 29212490


* Out-of-bounds memory access in i40e event handling.

A failure to allocate enough memory for a struct can result in an out-of-bounds
memory access, leading to a kernel crash or other undefined behavior.

Orabug: 29261177


* Race condition when creating vcpu on SVM causes guest failure.

Missing synchronization when creating the vcpu for an SVM guest could
result in a race condition, preventing the proper creation of a memory
region and causing a disruption in guest machine creation.

Orabug: 29527647


* Use-after-free during NVMe sibling removal.

A race condition between removing an NVMe namespace sibling and performing IO
operations on that sibling can result in a use-after-free. A local user with
the ability to configure an NVMe device could use this flaw to cause a kernel
crash or potentially escalate privileges.


* Deadlock during NVMe device flush.

A premature flush of an NVMe device can result in a deadlock, leading to a
kernel hang.

Orabug: 29006717


* Denial-of-service when sending NVMe packets over RDMA.

A use-after-free bug in the error path taken when sending an NVMe packet over
RDMA fails could lead to an uninitialized memory access and cause a
denial-of-service.

Orabug: 29006717


* CVE-2019-3882: Denial-of-service when repeatedly DMA mapping device MMIO.

By repeatedly mapping device MMIO memory via mmap, a malicious user
could potentially consume unbounded system memory, resulting in resource
starvation and a denial-of-service.

Orabug: 29681377


* CVE-2019-3819: Deadlock in HID debug events read.

A logic error when reading HID debug events can result in the kernel entering
an infinite loop, leading to a system lock up. A privileged user could use this
flaw to cause a denial-of-service.

Orabug: 29629479


* CVE-2019-3459, CVE-2019-3460: Remote information leak via Bluetooth configuration request.

When parsing Bluetooth L2CAP options, some buffer length fields are not
properly validated, potentially allowing a malicious device to expose
kernel heap memory remotely.

Orabug: 29526424


* Denial-of-service in btrfs mount with overlapping chunks.

Missing checks for overlapping chunks could result in mounting a
corrupted filesystem and a kernel crash.


* Denial-of-guest-service when failing to emulate instructions in KVM.

In rare cases, KVM emulation could become stuck in an infinite loop
while repeatedly failing to execute memory-mapped IO, resulting in a
denial-of-service for L2 and potentially L1 guests.

Orabug: 28671425

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
