[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2020-5569)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Mar 17 13:44:03 PDT 2020 

Synopsis: ELSA-2020-5569 can now be patched using Ksplice
CVEs: CVE-2019-14615 CVE-2019-14895 CVE-2019-14901 CVE-2019-15291 CVE-2019-15538 CVE-2019-19338 CVE-2020-7053

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5569.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-5569.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Deadlock in Reliable Datagram socket connection.

Incorrect locking when establinging a Reliable Datagram Socket
connection could result in a task hang under specific conditions leading
to an I/O stall.


* CVE-2019-14901: Denial-of-service when parsing TDLS action frame in Marvell WiFi-Ex driver.

Missing checks when parsing TDLS action frame in Marvell WiFi-Ex driver
could lead to a buffer overflow. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 30819438


* CVE-2019-15291: Denial-of-service in B2C2 FlexCop driver probing.

Incorrect device validation when probing a B2C2 FlexCop driver could
result in a NULL pointer dereference and kernel crash.  A local user
with the ability to insert USB devices could use this flaw to crash the
system.


* Denial-of-service in Reliable Datagram Socket send cancellation.

A number of logic bugs when cancelling an RDS send operation could
result in out-of-bounds accesses and a kernel crash.  A local user could
use this flaw to crash the system, or potentially, escalate privileges.

Orabug: 30852643, 30865079


* IO hang in Reliable Datagram Socket remote DMA socket closing.

A logic error when dropping an RDMA socket could result in hung tasks
and application timeouts.

Orabug: 30681066


* Denial-of-service in CIFS POSIX file locks on close.

Incorrect error handling of POSIX file locks when closing a CIFS file
could result in an invalid pointer dereference and kernel crash.

Orabug: 30809456


* CVE-2019-15538: Denial-of-service in XFS filesystem with Quota support enabled.

A locking error when XFS filesystem raise its quota limit could let
a local or remote attacker cause a denial-of-service using chgrp on such
filesystem.

Orabug: 30788113


* CVE-2020-7053: Use-after-free when destroying i915 GEM context.

A locking error when destroying GEM context in the i915 graphic driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* NULL dereference while loading userspace I/O driver.

The userspace I/O driver can potentially attempt to access an
uninitialized pointer while the module is loading.  This leads
to a NULL dereference and subsequent kernel panic.  This flaw
could potentially be exploited to cause a denial-of-service.


* CVE-2019-14895: Denial-of-service when receiving Country WLAN element in Marvell WiFi-Ex driver.

A logic error when receiving Country WLAN element in Marvell WiFi-Ex
driver could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Kernel panic in Infiniband RDMA QP send queues.

Incorrect accounting could result in a request overflow and kernel panic
in the Infiniband/RDMA stack under specific conditions.

Orabug: 30888677


* Denial-of-service in IPMI device registration.

Multiple logic errors when registering an IPMI device could result in
failure to register the device or a NULL pointer dereference and kernel
crash.

Orabug: 30916684


* CVE-2019-14895: Denial-of-service when receiving Country WLAN element in Marvell WiFi-Ex driver.

A logic error when receiving Country WLAN element in Marvell WiFi-Ex
driver could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service in Pressure Stall Information cgroup destruction.

Missing memory frees when destroying a control group could result in a
memory leak and eventual exhaustion of system resources.

Orabug: 30903264


* Denial-of-service in Infiniband pool destruction.

A race condition when shutting down an Infiniband FMR pool could result
in a use-after-free and kernel crash under specific conditions.

Orabug: 30967501


* CVE-2019-19338: Missing Intel TAA mitigation in KVM guests.

The original vendor fix for CVE-2019-11135 did not correctly pass
through migitation status to KVM guests which could result in guests not
fully mitigating against TAA.  This update forcibly disables TSX on
affected hosts so that guests do not need runtime changes.  A new
control, /sys/kernel/debug/x86/tsx_force_abort is added to disable TSX,
defaulting to 1 on vulnerable systems, writing 0 to this file will
re-enable TSX but potentially leave guests vulnerable.


* CVE-2019-14615: Information leak in Intel i915 generation 9 devices.

Missing pipeline flushing when switching i915 contexts could lead to
information leaks between unrelated GPU contexts. A malicious user
could potentially use this to obtain sensitive information.

Orabug: 30773852

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list