[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2020-5715)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Jun 17 12:54:16 PDT 2020


Synopsis: ELSA-2020-5715 can now be patched using Ksplice
CVEs:
CVE-2019-11599 CVE-2019-12819 CVE-2019-14896 CVE-2019-14897 CVE-2019-15505
CVE-2019-19045 CVE-2019-19056 CVE-2019-19057 CVE-2019-19058 CVE-2019-19524
CVE-2019-19537 CVE-2019-19767 CVE-2019-20636 CVE-2019-9500 CVE-2019-9503
CVE-2020-0543 CVE-2020-11608 CVE-2020-11609 CVE-2020-11668 CVE-2020-12768

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5715.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-5715.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Information leak in KVM_HC_CLOCK_PAIRING hypercall.

A failure to zero out all fields of a structure used during the
KVM_HC_CLOCK_PAIRING hypercall can lead to privileged kernel information
being leaked to userspace.

Orabug: 31333678


* CVE-2019-9500: Potential heap overflow in Broadcom FullMAC WLAN driver.

A missing length check in the brcmfmac driver can lead to a buffer
overflow on the heap.  This could cause a system to exhibit unexpected
behavior, and could potentially lead to a denial-of-service.

Orabug: 30872843


* CVE-2019-15505: Out-of-bounds access in Technisat DVB-S/S2 USB2.0 driver.

A logic error when receiving data over the Technisat DVB-S/S2 USB2.0
driver could lead to an out-of-bounds access. A remote attacker could use
this flaw to cause a denial-of-service.

Orabug: 31224553


* CVE-2019-19767: Use-after-free with malformed ext4 filesystems.

Missing error handling in the ext4 inode size handling code could result
in a use-after-free and kernel crash.  A malformed ext4 filesystem could
crash the system at mount time.

Orabug: 31218807


* CVE-2019-19056, CVE-2019-19057: Denial-of-service in the Marvell mwifiex PCIe driver.

A failure to handle an error during initialization of the Marvell mwifiex
PCIe driver leads to a memory leak. An attacker could exploit this to
exhaust kernel memory, which may eventually cause a denial-of-service.

Orabug: 31263146, 31246301


* CVE-2019-20636: Out-of-bounds write via crafted keycode table.

A validation error when parsing a keycode table supplied by userspace to
an input device can result in an out-of-bounds write. A local user with
the ability to configure an input device could use this flaw to cause a
denial-of-service or potentially escalate privileges.

Orabug: 31200557


* Denial-of-service when mounting an ocfs2 filesystem.

A NULL pointer dereference when mounting an ocfs2 filesystem causes a
kernel panic. A malicious device can trigger this bug to cause a
denial-of-service.

Orabug: 31117439


* CVE-2019-9503: Denial-of-service when receiving firmware event frames over a Broadcom WLAN USB dongle.

A failure to validate firmware event frames received over a Broadcom
WLAN USB dongle could let a remote attacker cause a denial-of-service.

Orabug: 31234675


* Denial-of-service when initializing a serial CAN device.

Incorrect error handling in the serial line CAN interface driver leads
to a memory leak. An attacker could exploit this to cause a
denial-of-service.

Orabug: 31314977


* CVE-2020-11608: NULL pointer dereference when initializing USB GSPCA based webcams.

A missing check on exposed endpoint numbers from USB GSPCA based webcams
could lead to a NULL pointer dereference. A local attacker could use a
malicious USB device to cause a denial-of-service.

Orabug: 31213757


* CVE-2019-19537: Denial-of-service in USB character device registration.

Incorrect locking when registering and deregistering a USB character
device could result in a use-after-free and kernel crash.  A local user
with the ability to insert USB devices could use this flaw to crash the
system.

Orabug: 31317666


* CVE-2019-19524: Use-after-free when unregistering memoryless force-feedback driver.

A missing free of a timer when unregistering a memoryless force-feedback
driver could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.

Orabug: 31213690


* CVE-2020-11609: NULL pointer dereference when initializing STV06XX USB Camera device.

A missing check on USB endpoints when initializing an STV06XX USB Camera
device could lead to a NULL pointer dereference. A local attacker could
use this flaw and a malicious USB device to cause a denial-of-service.

Orabug: 31200578


* Denial-of-service via invalid TSC values in KVM.

By setting Timestamp Counter-Scaling settings to invalid values, a
malicious user might be able to cause a denial-of-service by flooding
the system logs with kernel warnings of the form:

"user requested TSC rate below hardware speed"

and

"Invalid TSC scaling ratio".

Orabug: 31333678


* CVE-2019-12819: Use-after-free during initialization of MDIO bus driver.

A failure to correctly handle device registration failure of the MDIO bus
driver can result in a use-after-free. A local user with the ability to
hot-plug a network device could use this flaw to cause a denial-of-service or
escalate privileges.

Orabug: 31222291


* CVE-2019-11599: Information leak in the coredump implementation.

A locking error in the coredump implementation could let an attacker
leak sensitive information or cause a denial-of-service.

Orabug: 31222107


* CVE-2019-19058: Denial-of-service in iwlwifi firmware interface.

A memory leak while querying the iwlwifi firmware debug interface could
cause kernel memory exhaustion. An attacker with permission to read the
firmware debug file could exploit this to cause a denial-of-service.

Orabug: 31233656


* Use-after-free when writing to SLIP serial line.

A locking error when writing to a SLIP serial line while the line is
being closed could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.

Orabug: 31314977


* CVE-2019-14896, CVE-2019-14897: Denial-of-service when parsing BSS in Marvell 8xxx Libertas WLAN driver.

A missing check when parsing BSS in the Marvell 8xxx Libertas WLAN driver
could lead to buffer overflows. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 31351306


* CVE-2020-11668: NULL pointer dereference when initializing Xirlink C-It USB camera device.

A missing check on USB endpoints when initializing a Xirlink C-It USB
camera device could lead to a NULL pointer dereference. A local attacker
could use this flaw and a malicious USB device to cause a
denial-of-service.

Orabug: 31213766


* Information leak in KVM's VMX operation path.

A failure to properly zero out a structure after allocation can lead to
kernel information being leaked to userspace during certain VMX
operations.  This flaw could be exploited by a local attacker to leak
information about the running system.

Orabug: 31333678


* CVE-2019-19045: Memory leak when creating CQ in Mellanox Technologies Innova driver.

A missing free of resources when creating a CQ in the Mellanox
Technologies Innova driver fails could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.

Orabug: 31301340


* NFSv4 client fails to correctly renew lease when using fsinfo.

When calling fsinfo over an NFSv4 mount, the client will erroneously
believe it has renewed its clientid lease, when in reality it is still
in the expiry period, resulting in potential lock loss and I/O errors on
the mount.

Orabug: 30594625


* CVE-2020-12768: Memory leak in SVM CPU init error path.

When certain memory allocations fail during SVM CPU initialization, the
kernel does not free all previously allocated memory.  This leads to a
memory leak which could be used by a local attacker with permission to
create VMs in order to waste system resources, degrading performance and
potentially causing a denial-of-service.

Orabug: 31350457


* CVE-2020-0543: Side-channel information leak using SRBDS.

A side-channel information leak on some generations of Intel processors
could allow the leaking of internal microarchitectural buffers used by
instructions like RDRAND, RDSEED and SGX EGETKEY.

Updated microcode is required for this vulnerability to be mitigated.

The status of the mitigation can be found using the following command:
$ cat /sys/devices/system/cpu/vulnerabilities/srbds

Orabug: 31352781
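
An added example, not part of the Oracle advisory: a shell function that
reads the srbds file named above and reports whether updated microcode is
still needed. The status strings are those documented by the upstream
kernel for this file; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): interpret the SRBDS status string.
# The strings matched are those documented upstream for the srbds sysfs file.
# Function names srbds_classify / srbds_check are hypothetical.

# Map a status string to "<verdict>: <explanation>".
srbds_classify() {
    case "$1" in
        "Not affected")
            echo "ok: CPU is not affected by SRBDS" ;;
        "Mitigation: Microcode")
            echo "ok: updated microcode is loaded and the mitigation is active" ;;
        "Mitigation: TSX disabled")
            echo "ok: CPU is only affected with TSX enabled, and TSX is off" ;;
        "Vulnerable: No microcode")
            echo "action: install updated microcode" ;;
        "Vulnerable")
            echo "action: mitigation has been disabled" ;;
        "Unknown: Dependent on hypervisor status")
            echo "unknown: guest cannot see whether the host is mitigated" ;;
        *)
            echo "unknown: unrecognised status '$1'" ;;
    esac
}

# Read the status file (default: the path from the advisory) and classify it.
# Exit status: 0 = ok, 1 = action needed, 2 = cannot tell.
srbds_check() {
    file=${1:-/sys/devices/system/cpu/vulnerabilities/srbds}
    if [ ! -r "$file" ]; then
        echo "unknown: $file not readable (kernel does not report SRBDS)"
        return 2
    fi
    result=$(srbds_classify "$(cat "$file")")
    echo "$result"
    case "$result" in
        ok:*)     return 0 ;;
        action:*) return 1 ;;
        *)        return 2 ;;
    esac
}

# Constructed sample values, so the script shows output on any machine.
for sample in "Mitigation: Microcode" "Vulnerable: No microcode" "Not affected"; do
    printf '%-28s -> %s\n' "$sample" "$(srbds_classify "$sample")"
done
```

Calling srbds_check with no argument reads the live sysfs file; its exit
status can drive a fleet-wide compliance check.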

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


