[El-errata] ELSA-2020-5755 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Mon Jul 13 06:37:43 PDT 2020

Oracle Linux Security Advisory ELSA-2020-5755


The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- bpf: fix sanitation rewrite in case of non-pointers (Daniel Borkmann)  [Orabug: 31552243]

- acpi: disallow loading configfs acpi tables when locked down (Jason A. Donenfeld)  [Orabug: 31493187]
- selftests/bpf: do not run test_kmod.sh for UEK5 (Alan Maguire)  [Orabug: 31540213]
- bpf: do not allow root to mangle valid pointers (Alexei Starovoitov)  [Orabug: 31540213]
- x86/mitigations: reset default value for srbds_mitigation (Mihai Carabas)  [Orabug: 31515075]
- x86/cpu: clear X86_BUG_SRBDS before late loading (Mihai Carabas)  [Orabug: 31515075]
- x86/mitigations: update MSRs on all CPUs for SRBDS (Mihai Carabas)  [Orabug: 31515075]
- p54usb: Fix race between disconnect and firmware loading (Alan Stern)  [Orabug: 31351863]  {CVE-2019-15220}
- media: rc: prevent memory leak in cx23888_ir_probe (Navid Emamdoost)  [Orabug: 31351671]  {CVE-2019-19054}
- mm: Fix mremap not considering huge pmd devmap (Fan Yang)  [Orabug: 31452398]  {CVE-2020-10757} {CVE-2020-10757}
- tcp: implement coalescing on backlog queue (Eric Dumazet)  [Orabug: 31517079]
- tcp: drop dst in tcp_add_backlog() (Eric Dumazet)  [Orabug: 31517079]
- bpf: Fix up bpf_skb_adjust_room helper's skb csum setting (Daniel Borkmann)  [Orabug: 31517079]

- rds: Fix potential use after free in rds_ib_inc_free (Hans Westgaard Ry)  [Orabug: 31504054]
- cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM (Josh Poimboeuf)  [Orabug: 31421904]
- RDMA/cm: Spurious WARNING triggered in cm_destroy_id() (Ka-Cheong Poon)  [Orabug: 31483289]
- RDMA/cm: Make sure the cm_id is in the IB_CM_IDLE state in destroy (Jason Gunthorpe)  [Orabug: 31483289]
- RDMA/cm: Allow ib_send_cm_sidr_rep() to be done under lock (Jason Gunthorpe)  [Orabug: 31483289]
- RDMA/cm: Allow ib_send_cm_rej() to be done under lock (Jason Gunthorpe)  [Orabug: 31483289]
- RDMA/cm: Allow ib_send_cm_drep() to be done under lock (Jason Gunthorpe)  [Orabug: 31483289]
- RDMA/cm: Allow ib_send_cm_dreq() to be done under lock (Jason Gunthorpe)  [Orabug: 31483289]
- RDMA/cm: Add some lockdep assertions for cm_id_priv->lock (Jason Gunthorpe)  [Orabug: 31483289]
- RDMA/cm: Add missing locking around id.state in cm_dup_req_handler (Jason Gunthorpe)  [Orabug: 31483289]
- RDMA/cm: Make the destroy_id flow more robust (Jason Gunthorpe)  [Orabug: 31483289]
- RDMA/cm: Remove a race freeing timewait_info (Jason Gunthorpe)  [Orabug: 31483289]
- RDMA/cm: Use refcount_t type for refcount variable (Danit Goldberg)  [Orabug: 31483289]
- net/rds: NULL pointer de-reference in rds_ib_add_one() (Ka-Cheong Poon)  [Orabug: 31501438]
- scsi: mpt3sas: Introduce module parameter to override queue depth (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Fix memset() in non-RDPQ mode (Suganath Prabu S)  [Orabug: 31486216]
- scsi: mpt3sas: Fix reply queue count in non RDPQ mode (Suganath Prabu S)  [Orabug: 31486216]
(Samuel Zou)  [Orabug: 31486216]
- scsi: mpt3sas: Fix double free warnings (Suganath Prabu S)  [Orabug: 31486216]
- scsi: mpt3sas: Disable DIF when prot_mask set to zero (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Capture IOC data for debugging purposes (Suganath Prabu)  [Orabug: 31486216]
- scsi: mpt3sas: Use true, false for ioc->use_32bit_dma (Jason Yan)  [Orabug: 31486216]
- scsi: mpt3sas: Remove NULL check before freeing function (Jason Yan)  [Orabug: 31486216]
- scsi: mpt3sas: Update mpt3sas version to (Suganath Prabu)  [Orabug: 31486216]
- scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region (Suganath Prabu)  [Orabug: 31486216]
- scsi: mpt3sas: Separate out RDPQ allocation to new function (Suganath Prabu)  [Orabug: 31486216]
- scsi: mpt3sas: Rename function name is_MSB_are_same (Suganath Prabu)  [Orabug: 31486216]
- scsi: mpt3sas: Don't change the DMA coherent mask after allocations (Christoph Hellwig)  [Orabug: 31486216]
- scsi: mpt3sas: use true,false for bool variables (Jason Yan)  [Orabug: 31486216]
- scsi: mpt3sas: Update drive version to (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Remove usage of device_busy counter (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Print function name in which cmd timed out (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Optimize mpt3sas driver logging (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: print in which path firmware fault occurred (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Handle CoreDump state from watchdog thread (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Add support IOCs new state named COREDUMP (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: renamed _base_after_reset_handler function (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Add support for NVMe shutdown (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Update MPI Headers to v02.00.57 (Sreekanth Reddy)  [Orabug: 31486216]
- scsi: mpt3sas: Fix double free in attach error handling (Dan Carpenter)  [Orabug: 31486216]
- scsi: mpt3sas: change allocation option (Tomas Henzl)  [Orabug: 31486216]
- KVM: VMX: check descriptor table exits on instruction emulation (Oliver Upton)  [Orabug: 31397358]

- rebuild bumping release

- bpf: fix sanitation of alu op with pointer / scalar type from different paths (Daniel Borkmann)  [Orabug: 31350800]  {CVE-2019-7308}
- bpf: prevent out of bounds speculation on pointer arithmetic (Daniel Borkmann)  [Orabug: 31350800]  {CVE-2019-7308}
- bpf: restrict unknown scalars of mixed signed bounds for unprivileged (Daniel Borkmann)  [Orabug: 31350800]  {CVE-2019-7308}
- bpf: move {prev_,}insn_idx into verifier env (Daniel Borkmann)  [Orabug: 31350800]  {CVE-2019-7308}
- bpf: reduce verifier memory consumption (Alexei Starovoitov)  [Orabug: 31350800]  {CVE-2019-7308}
- bpf: Prevent memory disambiguation attack (Alexei Starovoitov)  [Orabug: 31350800]  {CVE-2019-7308}
- Revert "rds: Do not cancel RDMAs that have been posted to the HCA" (Gerd Rausch)  [Orabug: 31476562]
- Revert "rds: Introduce rds_conn_to_path helper" (Gerd Rausch)  [Orabug: 31476562]
- Revert "rds: Three cancel fixes" (Gerd Rausch)  [Orabug: 31476551]
- scsi: megaraid_sas: Update driver version to 07.714.04.00-rc1 (Chandrakanth Patil)  [Orabug: 31481643]
- scsi: megaraid_sas: TM command refire leads to controller firmware crash (Sumit Saxena)  [Orabug: 31481643]
- scsi: megaraid_sas: Replace undefined MFI_BIG_ENDIAN macro with __BIG_ENDIAN_BITFIELD macro (Shivasharan S)  [Orabug: 31481643]
- scsi: megaraid_sas: Remove IO buffer hole detection logic (Sumit Saxena)  [Orabug: 31481643]
- scsi: megaraid_sas: Limit device queue depth to controller queue depth (Kashyap Desai)  [Orabug: 31481643]
- scsi: megaraid: make two symbols static in megaraid_sas_base.c (Jason Yan)  [Orabug: 31481643]
- scsi: megaraid: make some symbols static in megaraid_sas_fusion.c (Jason Yan)  [Orabug: 31481643]
- scsi: megaraid_sas: Use scnprintf() for avoiding potential buffer overflow (Takashi Iwai)  [Orabug: 31481643]
- scsi: megaraid_sas: silence a warning (Tomas Henzl)  [Orabug: 31481643]
- scsi: megaraid_sas: fix indentation issue (Colin Ian King)  [Orabug: 31481643]
- scsi: megaraid_sas: fixup MSIx interrupt setup during resume (Hannes Reinecke)  [Orabug: 31481643]
- scsi: megaraid_sas: Update driver version to 07.713.01.00-rc1 (Anand Lodnoor)  [Orabug: 31481643]
- scsi: megaraid_sas: Limit the number of retries for the IOCTLs causing firmware fault (Anand Lodnoor)  [Orabug: 31481643]
- scsi: megaraid_sas: Re-Define enum DCMD_RETURN_STATUS (Anand Lodnoor)  [Orabug: 31481643]
- scsi: megaraid_sas: Do not set HBA Operational if FW is not in operational state (Anand Lodnoor)  [Orabug: 31481643]
- scsi: megaraid_sas: Do not kill HBA if JBOD Seqence map or RAID map is disabled (Anand Lodnoor)  [Orabug: 31481643]
- scsi: megaraid_sas: Do not kill host bus adapter, if adapter is already dead (Anand Lodnoor)  [Orabug: 31481643]
- scsi: megaraid_sas: Update optimal queue depth for SAS and NVMe devices (Anand Lodnoor)  [Orabug: 31481643]
- scsi: megaraid_sas: Set no_write_same only for Virtual Disk (Anand Lodnoor)  [Orabug: 31481643]
- scsi: megaraid_sas: Reset adapter if FW is not in READY state after device resume (Anand Lodnoor)  [Orabug: 31481643]
- scsi: megaraid_sas: Make poll_aen_lock static (YueHaibing)  [Orabug: 31481643]
- scsi: megaraid_sas: remove unused variables 'debugBlk','fusion' (zhengbin)  [Orabug: 31481643]
- scsi: megaraid_sas: Unique names for MSI-X vectors (Chandrakanth Patil)  [Orabug: 31481643]
- scsi: megaraid_sas: Make some functions static (YueHaibing)  [Orabug: 31481643]
- scsi: megaraid_sas: fix spelling mistake "megarid_sas" -> "megaraid_sas" (Colin Ian King)  [Orabug: 31481643]
- media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (Tomas Bortoli)  [Orabug: 31351117]  {CVE-2019-19533}
- ALSA: core: Fix card races between register and disconnect (Takashi Iwai)  [Orabug: 31351890]  {CVE-2019-15214}
- ALSA: info: Fix racy addition/deletion of nodes (Takashi Iwai)  [Orabug: 31351890]  {CVE-2019-15214}
- rds: Deregister all FRWR mr with free_mr (Hans Westgaard Ry)  [Orabug: 31441472]
- uek-rpm: disable CONFIG_IP_PNP (Anjali Kulkarni)  [Orabug: 31454846]
- x86/speculation: Add SRBDS vulnerability and mitigation documentation (Mark Gross)  [Orabug: 31352781]  {CVE-2020-0543}
- x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Mark Gross)  [Orabug: 31352781]  {CVE-2020-0543}
- x86/cpu: Add 'table' argument to cpu_matches() (Mark Gross)  [Orabug: 31352781]  {CVE-2020-0543}
- x86/cpu: Add a steppings field to struct x86_cpu_id (Mark Gross)  [Orabug: 31352781]  {CVE-2020-0543}
- netdev, octeon3-ethernet: move timecounter init to network driver probe() (Dave Aldridge)  [Orabug: 31439190]
- rds: Three cancel fixes (Håkon Bugge)  [Orabug: 31463014]
- can: peak_usb: fix slab info leak (Johan Hovold)  [Orabug: 31351139]  {CVE-2019-19534}
- uek-rpm: use expand macro with kernel_reqprovconf (Dave Kleikamp)  [Orabug: 31454052]
- can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices (Tomas Bortoli)  [Orabug: 31351248]  {CVE-2019-19536}
- net/mlx5: Decrease default mr cache size (Artemy Kovalyov)  [Orabug: 31410596]
- xfs: fix freeze hung (Junxiao Bi)  [Orabug: 31245660]
- netlabel: cope with NULL catmap (Paolo Abeni)  [Orabug: 31350492]  {CVE-2020-10711}
- mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() (Qing Xu)  [Orabug: 31350516]  {CVE-2020-12654}
- scsi: sg: add sg_remove_request in sg_write (Wu Bo)  [Orabug: 31350698]  {CVE-2020-12770}
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (Zhiqiang Liu)  [Orabug: 31350912]  {CVE-2020-12657}
- mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() (Qing Xu)  [Orabug: 31350931]  {CVE-2020-12653}
- USB: core: Fix free-while-in-use bug in the USB S-Glibrary (Alan Stern)  [Orabug: 31350965]  {CVE-2020-12464}

- xfs: add agf freeblocks verify in xfs_agf_verify (Zheng Bin)  [Orabug: 31350922]  {CVE-2020-12655}
- rds: Do not cancel RDMAs that have been posted to the HCA (Håkon Bugge)  [Orabug: 31396425]
- rds: Introduce rds_conn_to_path helper (Håkon Bugge)  [Orabug: 31396425]
- mwifiex: Abort at too short BSS descriptor element (Takashi Iwai)  [Orabug: 31351915]  {CVE-2019-3846}
- mwifiex: Fix possible buffer overflows at parsing bss descriptor (Takashi Iwai)  [Orabug: 31351915]  {CVE-2019-3846} {CVE-2019-3846}
- bnxt_en: Fix accumulation of bp->net_stats_prev. (Vijayendra Suman)  [Orabug: 31390689]
- nfs: initiate returning delegation when reclaiming one that's been recalled (Jeff Layton)  [Orabug: 31378792]
- NFS: More excessive attribute revalidation in nfs_execute_ok() (Trond Myklebust)  [Orabug: 31378792]
- uek-rpm: Add support for building a kdump kernel on MIPS64 (Dave Kleikamp)  [Orabug: 31373682]
- uek-rpm: Add config-mips64-embedded-kdump (Henry Willard)  [Orabug: 31373682]
- uek-rpm: Don't build kernel-uek-tools or perf packages for mips64 (Dave Kleikamp)  [Orabug: 31373682]
- scsi: mptfusion: Fix double fetch bug in ioctl (Dan Carpenter)  [Orabug: 31350940]  {CVE-2020-12652}
- ptp: fix the race between the release of ptp_clock and cdev (Vladis Dronov)  [Orabug: 31350706]  {CVE-2020-10690}
- net/rds: suppress memory allocation failure reports (Manjunath Patil)  [Orabug: 31359419]

- mips64/octeon: Initialize netdevice in octeon_pow struct (Vijay Kumar)  [Orabug: 31388199]
- uek-rpm/ol7/config-mips64: Disable IRQSOFF_TRACER (Henry Willard)  [Orabug: 31386710]
- xen/manage: enable C_A_D to force reboot (Dongli Zhang)  [Orabug: 31249146]

More information about the El-errata mailing list