[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2020-5649)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Apr 17 07:48:11 PDT 2020


Synopsis: ELSA-2020-5649 can now be patched using Ksplice
CVEs: CVE-2018-5953 CVE-2019-18806 CVE-2019-18809 CVE-2020-10942

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5649.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-5649.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
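The two checks a practitioner usually wants after reading the above are whether the host will pick these updates up on its own and whether the CVEs named in this advisory are actually in the applied-update list. The script below is an added example, not part of the advisory or of the Ksplice tooling; on a real host it would be fed /etc/uptrack/uptrack.conf and the output of `uptrack-show`, but the inputs here are constructed (with placeholder update IDs) so that it runs offline:

```sh
#!/bin/sh
# Added example, not from the advisory or from Ksplice: check that a host
# will receive these updates automatically and that every CVE listed in
# ELSA-2020-5649 appears in the applied-update list. Feed it the real
# /etc/uptrack/uptrack.conf and `uptrack-show` output on a live host; the
# sample inputs at the bottom are constructed for offline use.

ADVISORY_CVES="CVE-2018-5953 CVE-2019-18806 CVE-2019-18809 CVE-2020-10942"

# autoinstall_enabled < uptrack.conf
# Exit 0 when an active (uncommented) "autoinstall = yes" line is present,
# 1 otherwise. Surrounding whitespace and letter case are tolerated here.
autoinstall_enabled() {
    grep -iqE '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# missing_cves < uptrack-show-output
# Print each advisory CVE that does not occur as a whole identifier in the
# captured output (so CVE-2019-1880 would not satisfy CVE-2019-18806).
# Prints nothing when all four are present.
missing_cves() {
    applied=$(cat)
    for cve in $ADVISORY_CVES; do
        printf '%s\n' "$applied" | grep -qE "(^|[^0-9])$cve([^0-9]|$)" \
            || printf '%s\n' "$cve"
    done
}

# all_applied < uptrack-show-output : exit 0 if nothing is missing.
all_applied() {
    [ -z "$(missing_cves)" ]
}

# --- constructed sample inputs (not data from a real host) ---
SAMPLE_CONF='# constructed stand-in for /etc/uptrack/uptrack.conf
#autoinstall = no
autoinstall = yes
'

# The bracketed IDs are placeholders; real uptrack-show output carries the
# actual Ksplice update IDs. This sample deliberately lacks CVE-2018-5953.
SAMPLE_SHOW_PARTIAL='Installed updates:
[xxxxxxx1] CVE-2019-18809: Memory leak when identifying state in Afatech AF9005 DVB-T USB1.1 driver.
[xxxxxxx2] CVE-2019-18806: Memory leak when allocating large buffers in QLogic QLA3XXX Network driver.
[xxxxxxx3] CVE-2020-10942: Out-of-bounds memory access in the Virtual host driver.
'

if printf '%s' "$SAMPLE_CONF" | autoinstall_enabled; then
    echo "autoinstall: yes (updates will be applied automatically)"
else
    echo "autoinstall: no (run /usr/sbin/uptrack-upgrade -y)"
fi

echo "Advisory CVEs not yet applied:"
printf '%s' "$SAMPLE_SHOW_PARTIAL" | missing_cves
```

Matching on whole CVE identifiers rather than on Ksplice update IDs keeps the check independent of the per-kernel IDs, which differ between kernel builds; the CVE strings in the `uptrack-show` descriptions are the stable handle.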


DESCRIPTION

* Denial-of-service in the batman-adv subsystem.

An out-of-bounds access to kernel memory is possible when transmitting
packets through a raw socket in the batman-adv routing protocol. A local
user holding the CAP_NET_RAW capability could exploit this flaw to cause
a denial-of-service.

Orabug: 29784399


* Spurious signals during TTY reopen.

A locking error when a TTY is reopened can result in spurious signals
being sent to userspace processes.

Orabug: 30591419


* CVE-2019-18809: Memory leak when identifying state in Afatech AF9005 DVB-T USB1.1 driver.

A failure to release resources when state identification in the Afatech
AF9005 DVB-T USB1.1 driver fails could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.

Orabug: 31029908


* CVE-2019-18806: Memory leak when allocating large buffers in QLogic QLA3XXX Network driver.

A missing free of resources when allocating large buffers in the QLogic
QLA3XXX network driver could lead to a memory leak. A local attacker
could use this flaw to exhaust kernel memory and cause a
denial-of-service.

Orabug: 31055325


* Use-after-free when using NFS with page cache.

A logic error when using NFS with page cache could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.

Orabug: 31015775


* NULL pointer dereference during UBIFS mount.

A missing NULL pointer check when reading the device name in a UBIFS
filesystem can result in a NULL pointer dereference, leading to a kernel
crash.

Orabug: 29410897


* CVE-2020-10942: Out-of-bounds memory access in the Virtual host driver.

Insufficient input validation could lead to type confusion and
out-of-bounds memory accesses. A local unprivileged user could use this
to cause a denial-of-service or potentially escalate privileges.

Orabug: 31085991


* Use-after-free when constructing ERSPAN packet header.

When constructing a v1 or v2 ERSPAN packet header, data is written
through a stale ethernet header pointer, which may refer to already freed
memory. This could result in memory corruption or a kernel crash.

Orabug: 29784424


* Deadlock when deleting NVMe namespace fails.

When removing an NVMe namespace, an unexpected error could result in the
deleting thread waiting on a lock held by the parent command, causing a
deadlock and system hang.

Orabug: 31002557


* Out-of-bounds read when transmitting packet using XFRM.

The kernel XFRM implementation reads data out-of-bounds when decoding
the offloaded IPsec structure. In combination with another exploit, this
might leak sensitive kernel information.

Orabug: 30885434


* PPPIOCDETACH ioctl for the Point-to-Point Protocol causes use-after-free.

The PPPIOCDETACH ioctl for the Point-to-Point Protocol is fundamentally
race-prone, and can result in memory corruption or a denial-of-service.

Orabug: 31061772


* Flawed logic in read/write semaphore implementation causes crash.

The implementation of read/write semaphores since kernel version 4.9
contains a flaw: when multiple threads are waiting on the same lock, more
than one writer can be granted access at once. This manifests as data
corruption and kernel crashes.

Orabug: 31087349


* System fails to generate vmcore dump after panic.

When encountering a kernel BUG or other catastrophic system error, the
vmcore diagnostic file is not properly created. This is not a security
issue in itself, but it makes diagnosing failures difficult.

Orabug: 31098796


* CVE-2018-5953: Information leak in software IO TLB driver.

Overly verbose messages printed by the software IO TLB driver leak
information about the running kernel into the kernel log. A local
attacker could use this flaw to facilitate another attack.

Orabug: 31085014

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
