[El-errata] ELSA-2020-5866 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Oct 6 20:32:42 PDT 2020

Oracle Linux Security Advisory ELSA-2020-5866


The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) (Jann Horn)  [Orabug: 29434845]  {CVE-2019-6974}
- KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) (Peter Shier)  [Orabug: 29434898]  {CVE-2019-7221}
- KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) (Paolo Bonzini)  [Orabug: 29434924]  {CVE-2019-7222}
- net: arc_emac: fix koops caused by sk_buff free (Alexander Kochetkov)  [Orabug: 30254239]  {CVE-2016-10906}
- GFS2: don't set rgrp gl_object until it's inserted into rgrp tree (Bob Peterson)  [Orabug: 30254251]  {CVE-2016-10905}
- GFS2: Fix rgrp end rounding problem for bsize < page size (Bob Peterson)  [Orabug: 30254251]  {CVE-2016-10905}
- x86/apic/msi: update address_hi on set msi affinity (Joe Jin)  [Orabug: 31477035]
- x86/apic/msi: check and sync apic IRR on msi_set_affinity (Joe Jin)  [Orabug: 31477035]
- net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup (Sabrina Dubroca)  [Orabug: 31872821]  {CVE-2020-1749}
- nfs: Fix getxattr kernel panic and memory overflow (Jeffrey Mitchell)  [Orabug: 31872910]  {CVE-2020-25212}
- rbd: require global CAP_SYS_ADMIN for mapping and unmapping (Ilya Dryomov)  [Orabug: 31884169]  {CVE-2020-25284}
- mm/hugetlb: fix a race between hugetlb sysctl handlers (Muchun Song)  [Orabug: 31884239]  {CVE-2020-25285}
- ext4: fix potential negative array index in do_split() (Eric Sandeen)  [Orabug: 31895331]  {CVE-2020-14314}

- ARM: amba: Fix race condition with driver_override (Geert Uytterhoeven)  [Orabug: 29671212]  {CVE-2018-9415}
- block: blk_init_allocated_queue() set q->fq as NULL in the fail case (xiao jin)  [Orabug: 30120513]  {CVE-2018-20856}
- USB: serial: omninet: fix reference leaks at open (Johan Hovold)  [Orabug: 30484761]  {CVE-2017-8925}
- nl80211: validate beacon head (Johannes Berg)  [Orabug: 30556264]  {CVE-2019-16746}
- cfg80211: Use const more consistently in for_each_element macros (Jouni Malinen)  [Orabug: 30556264]  {CVE-2019-16746}
- cfg80211: add and use strongly typed element iteration macros (Johannes Berg)  [Orabug: 30556264]  {CVE-2019-16746}
- cfg80211: add helper to find an IE that matches a byte-array (Luca Coelho)  [Orabug: 30556264]  {CVE-2019-16746}
- cfg80211: allow finding vendor with OUI without specifying the OUI type (Emmanuel Grumbach)  [Orabug: 30556264]  {CVE-2019-16746}
- dccp: Fix memleak in __feat_register_sp (YueHaibing)  [Orabug: 30732821]  {CVE-2019-20096}
- fs/proc/proc_sysctl.c: Fix a NULL pointer dereference (YueHaibing)  [Orabug: 30732938]  {CVE-2019-20054}
- fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links (YueHaibing)  [Orabug: 30732938]  {CVE-2019-20054}
- scsi: libsas: stop discovering if oob mode is disconnected (Jason Yan)  [Orabug: 30770913]  {CVE-2019-19965}
- kernel/sysctl.c: fix out-of-bounds access when setting file-max (Will Deacon)  [Orabug: 31350720]  {CVE-2019-14898}
- sysctl: handle overflow for file-max (Christian Brauner)  [Orabug: 31350720]  {CVE-2019-14898}
- ath9k_htc: release allocated buffer if timed out (Navid Emamdoost)  [Orabug: 31351572]  {CVE-2019-19073}
- can: gs_usb: gs_can_open(): prevent memory leak (Navid Emamdoost)  [Orabug: 31351682]  {CVE-2019-19052}
- ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() (Takashi Iwai)  [Orabug: 31351837]  {CVE-2019-15927}
- media: usb: siano: Fix general protection fault in smsusb (Alan Stern)  [Orabug: 31351875]  {CVE-2019-15218}
- crypto: vmac - separate tfm and request context (Eric Biggers)  [Orabug: 31584410]
- SUNRPC: Fix a race with XPRT_CONNECTING (Trond Myklebust)  [Orabug: 31796770]
- SUNRPC: Fix disconnection races (Trond Myklebust)  [Orabug: 31796770]
- SUNRPC: Add a helper to wake up a sleeping rpc_task and set its status (Trond Myklebust)  [Orabug: 31796770]
- SUNRPC: Reduce latency when send queue is congested (Trond Myklebust)  [Orabug: 31796770]
- SUNRPC: RPC transport queue must be low latency (Trond Myklebust)  [Orabug: 31796770]
- SUNRPC: Fix a potential race in xprt_connect() (Trond Myklebust)  [Orabug: 31796770]
- SUNRPC: ensure correct error is reported by xs_tcp_setup_socket() (NeilBrown)  [Orabug: 31796770]
- SUNRPC: Fix races between socket connection and destroy code (Trond Myklebust)  [Orabug: 31796770]
- SUNRPC: Prevent SYN+SYNACK+RST storms (Trond Myklebust)  [Orabug: 31796770]
- SUNRPC: Report TCP errors to the caller (Trond Myklebust)  [Orabug: 31796770]
- SUNRPC: Ensure we release the TCP socket once it has been closed (Trond Myklebust)  [Orabug: 31796770]
- net-gro: fix use-after-free read in napi_gro_frags() (Eric Dumazet)  [Orabug: 31856195]  {CVE-2020-10720}
- PCI: Probe bridge window attributes once at enumeration-time (Bjorn Helgaas)  [Orabug: 31867577]

- ALSA: seq: Cancel pending autoload work at unbinding device (Takashi Iwai)  [Orabug: 31352045]  {CVE-2017-16528}
- USB: serial: io_ti: fix information leak in completion handler (Johan Hovold)  [Orabug: 31352084]  {CVE-2017-8924}
- sample-trace-array: Fix sleeping function called from invalid context (Kefeng Wang)  [Orabug: 31543032]
- sample-trace-array: Remove trace_array 'sample-instance' (Kefeng Wang)  [Orabug: 31543032]
- tracing: Sample module to demonstrate kernel access to Ftrace instances. (Divya Indi)  [Orabug: 31543032]
- tracing: Adding new functions for kernel access to Ftrace instances (Aruna Ramakrishna)  [Orabug: 31543032]
- tracing: Adding NULL checks for trace_array descriptor pointer (Divya Indi)  [Orabug: 31543032]
- tracing: Verify if trace array exists before destroying it. (Divya Indi)  [Orabug: 31543032]
- tracing: Declare newly exported APIs in include/linux/trace.h (Divya Indi)  [Orabug: 31543032]
- tracing: Kernel access to Ftrace instances (Divya Indi)  [Orabug: 31543032]

- blktrace: Protect q->blk_trace with RCU (Jan Kara)  [Orabug: 31123576]  {CVE-2019-19768}
- media: technisat-usb2: break out of loop at end of buffer (Sean Young)  [Orabug: 31224554]  {CVE-2019-15505}
- btrfs: merge btrfs_find_device and find_device (Anand Jain)  [Orabug: 31351746]  {CVE-2019-18885}
- RDMA/cxgb4: Do not dma memory off of the stack (Greg KH)  [Orabug: 31351783]  {CVE-2019-17075}
- mwifiex: Abort at too short BSS descriptor element (Takashi Iwai)  [Orabug: 31351916]  {CVE-2019-3846}
- mwifiex: Fix possible buffer overflows at parsing bss descriptor (Takashi Iwai)  [Orabug: 31351916]  {CVE-2019-3846}
- repair kABI breakage from "fs: prevent page refcount overflow in pipe_buf_get" (Dan Duval)  [Orabug: 31351941]  {CVE-2019-11487}
- mm: prevent get_user_pages() from overflowing page refcount (Linus Torvalds)  [Orabug: 31351941]  {CVE-2019-11487}
- mm: add 'try_get_page()' helper function (Linus Torvalds)  [Orabug: 31351941]  {CVE-2019-11487}
- fs: prevent page refcount overflow in pipe_buf_get (Matthew Wilcox)  [Orabug: 31351941]  {CVE-2019-11487}
- mm: make page ref count overflow check tighter and more explicit (Linus Torvalds)  [Orabug: 31351941]  {CVE-2019-11487}
- sctp: implement memory accounting on tx path (Xin Long)  [Orabug: 31351960]  {CVE-2019-3874}
- sunrpc: use SVC_NET() in svcauth_gss_* functions (Vasily Averin)  [Orabug: 31351995]  {CVE-2018-16884}
- sunrpc: use-after-free in svc_process_common() (Vasily Averin)  [Orabug: 31351995]  {CVE-2018-16884}
- af_packet: set defaule value for tmo (Mao Wenan)  [Orabug: 31439107]  {CVE-2019-20812}
- selinux: properly handle multiple messages in selinux_netlink_send() (Paul Moore)  [Orabug: 31439369]  {CVE-2020-10751}
- selinux: Print 'sclass' as string when unrecognized netlink message occurs (Marek Milkovic)  [Orabug: 31439369]  {CVE-2020-10751}
- mac80211: Do not send Layer 2 Update frame before authorization (Jouni Malinen)  [Orabug: 31473652]  {CVE-2019-5108}
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (Dedy Lansky)  [Orabug: 31473652]  {CVE-2019-5108}
- crypto: authenc - fix parsing key with misaligned rta_len (Eric Biggers)  [Orabug: 31535529]  {CVE-2020-10769}
- vgacon: Fix for missing check in scrollback handling (Yunhai Zhang)  [Orabug: 31705121]  {CVE-2020-14331}
- rename kABI whitelists to lockedlists (Dan Duval)  [Orabug: 31783151]

- rds/ib: Make i_{recv,send}_hdrs non-contigious (Hans Westgaard Ry)  [Orabug: 30634865]
- md: get sysfs entry after redundancy attr group create (Junxiao Bi)  [Orabug: 31683116]
- md: fix deadlock causing by sysfs_notify (Junxiao Bi)  [Orabug: 31683116]

- can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices (Tomas Bortoli)  [Orabug: 31351221]  {CVE-2019-19535}
- media: hdpvr: Fix an error handling path in hdpvr_probe() (Arvind Yadav)  [Orabug: 31352053]  {CVE-2017-16644}
- fs/binfmt_misc.c: do not allow offset overflow (Thadeu Lima de Souza Cascardo)  [Orabug: 31588258]
- clear inode and truncate pages before enqueuing for async inactivation (Gautham Ananthakrishna)  [Orabug: 31744270]

- mm: create alloc_last_chance debugfs entries (Mike Kravetz)  [Orabug: 31295499]
- mm: perform 'last chance' reclaim efforts before allocation failure (Mike Kravetz)  [Orabug: 31295499]
- mm: let page allocation slowpath retry 'order' times (Mike Kravetz)  [Orabug: 31295499]
- fix kABI breakage from "netns: provide pure entropy for net_hash_mix()" (Dan Duval)  [Orabug: 31351904]  {CVE-2019-10638} {CVE-2019-10639}
- netns: provide pure entropy for net_hash_mix() (Eric Dumazet)  [Orabug: 31351904]  {CVE-2019-10638} {CVE-2019-10639}
- hrtimer: Annotate lockless access to timer->base (Eric Dumazet)  [Orabug: 31380495]
- rds: ib: Revert "net/rds: Avoid stalled connection due to CM REQ retries" (Håkon Bugge)  [Orabug: 31648141]
- rds: Clear reconnect pending bit (Håkon Bugge)  [Orabug: 31648141]
- RDMA/netlink: Do not always generate an ACK for some netlink operations (Håkon Bugge)  [Orabug: 31666975]
- genirq/proc: Return proper error code when irq_set_affinity() fails (Wen Yaxng)  [Orabug: 31723450]

- fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (Alexander Potapenko)  [Orabug: 31350639]  {CVE-2020-10732}
- crypto: user - fix memory leak in crypto_report (Navid Emamdoost)  [Orabug: 31351640]  {CVE-2019-19062}
- of: unittest: fix memory leak in unittest_data_add (Navid Emamdoost)  [Orabug: 31351702]  {CVE-2019-19049}
- IB/sa: Resolv use-after-free in ib_nl_make_request() (Divya Indi)  [Orabug: 31656992]
- net-sysfs: call dev_hold if kobject_init_and_add success (YueHaibing)  [Orabug: 31687545]  {CVE-2019-20811}