[El-errata] New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELSA-2024-12271)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Apr 24 07:52:29 UTC 2024


Synopsis: ELSA-2024-12271 can now be patched using Ksplice
CVEs: CVE-2021-46931 CVE-2023-52435 CVE-2023-52464 CVE-2023-52469 CVE-2023-52486 CVE-2023-52583 CVE-2023-52587 CVE-2023-52594 CVE-2023-52595 CVE-2023-52597 CVE-2023-52598 CVE-2023-52599 CVE-2023-52600 CVE-2023-52601 CVE-2023-52602 CVE-2023-52603 CVE-2023-52604 CVE-2023-52605 CVE-2023-52606 CVE-2023-52607 CVE-2023-52615 CVE-2023-52617 CVE-2023-52619 CVE-2023-52622 CVE-2023-52623 CVE-2023-52637 CVE-2024-0340 CVE-2024-0607 CVE-2024-26593 CVE-2024-26598 CVE-2024-26600 CVE-2024-26602 CVE-2024-26606 CVE-2024-26613 CVE-2024-26615 CVE-2024-26625 CVE-2024-26635 CVE-2024-26636 CVE-2024-26645 CVE-2024-26663 CVE-2024-26664 CVE-2024-26671 CVE-2024-26673 CVE-2024-26675 CVE-2024-26679 CVE-2024-26684 CVE-2024-26685 CVE-2024-26696 CVE-2024-26697 CVE-2024-26702 CVE-2024-26704 CVE-2024-26720 CVE-2024-26722 CVE-2024-26820 CVE-2024-26825 CVE-2024-26848 CVE-2024-26917 CVE-2024-26920

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2024-12271.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2024-12271.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Note: Oracle has determined that CVE-2024-26615 is not applicable.

Dumping of SMC diagnostic connections when the connection itself is
being established can lead to a null-pointer dereference. A local
attacker can exploit this flaw to cause a denial of service.

The kernel is not affected by CVE-2024-26615 since the code under
consideration is not compiled (SMC support itself is not enabled).


* Note: Oracle has determined that CVE-2024-26625 is not applicable.

Improper cleanup of Logical Link Layer type 2 sockets can lead to a
use-after-free error later. An attacker, possibly remote, can exploit
this flaw to cause denial-of-service or aid in other types of attacks.

The kernel is not affected by CVE-2024-26625 since the code under
consideration is not compiled (LLC2 support is not enabled).


* Note: Oracle has determined that CVE-2024-26635 is not applicable.

Improper removal of token ring support in 2012 from the net subsystem
can lead to dereferencing of uninitialised pointers when receiving
token ring packets in the Logical Link Layer type 2 subsystem. A
remote attacker can exploit this flaw to cause denial-of-service,
privilege escalation, or aid in other types of attacks.

The kernel is not affected by CVE-2024-26635 since the code under
consideration is not compiled (LLC2 support is not enabled).


* Note: Oracle has determined that CVE-2024-26636 is not applicable.

Transmission in the Logical Link Layer type 2 subsystem involving a
zero-length headroom socket can lead to an out-of-bounds write. A
local attacker can exploit this flaw to cause denial-of-service
or privilege escalation.

The kernel is not affected by CVE-2024-26636 since the code under
consideration is not compiled (LLC2 support is not enabled).


* Note: Oracle has determined that CVE-2024-26600 is not applicable.

An unsupported function requested by an attached external device can
lead to a null-pointer dereference in the OMAP USB2 PHY driver for TI
SoCs. A physical attacker can exploit this flaw to cause
denial-of-service.

The kernel is not affected by CVE-2024-26600 since the code under
consideration is not compiled (driver not present).


* Note: Oracle has determined that CVE-2024-26606 is not applicable.

Incorrect signaling of queued work for consumption in the (e)poll mode
in the binder driver (present in the Android IPC subsystem) can lead to
an indefinite wait for an event. A local attacker can exploit this flaw
to cause denial-of-service.

The kernel is not affected by CVE-2024-26606 since the code under
consideration is not compiled (driver not present).


* Note: Oracle has determined that CVE-2023-52597 is not applicable.

A race between an IRQ and the handling of the floating point control
register for a KVM guest can corrupt that register on System/390
machines. A local attacker can exploit this flaw to cause
denial-of-service, data corruption, or aid in other types of attacks.

The kernel is not affected by CVE-2023-52597 since the code under
consideration is not compiled (kernel is not built for System/390).


* Note: Oracle has determined that CVE-2023-52598 is not applicable.

A race between an IRQ and the handling of the floating point control
register on a System/390 machine can corrupt the register. A local
attacker can exploit this flaw to cause denial-of-service, data
corruption, or aid in other types of attacks.

The kernel is not affected by CVE-2023-52598 since the code under
consideration is not compiled (kernel is not built for System/390).


* Note: Oracle has determined that CVE-2023-52599 is not applicable.

An invalid value of allocation group number in JFS filesystem can lead
to an out-of-bounds access (both read and write). A local attacker can
exploit this flaw to extract sensitive information from kernel memory,
cause privilege escalation, denial-of-service, or aid in other types
of attacks.

The kernel is not affected by CVE-2023-52599 since the code under
consideration is not compiled (entire filesystem is not compiled).


* Note: Oracle has determined that CVE-2023-52600 is not applicable.

After an unsuccessful mount in the JFS filesystem, memory can be freed
asynchronously, which can lead to a use-after-free error. A local
attacker can exploit this flaw to cause denial-of-service or aid in
other types of attacks.

The kernel is not affected by CVE-2023-52600 since the code under
consideration is not compiled (entire filesystem is not compiled).


* Note: Oracle has determined that CVE-2023-52604 is not applicable.

Updating an internal data structure in JFS filesystem can lead to
out-of-bounds access (both read and write). A local attacker can
exploit this flaw to extract sensitive information from kernel memory,
cause privilege escalation, denial-of-service, or aid in other types of
attacks.

The kernel is not affected by CVE-2023-52604 since the code under
consideration is not compiled (entire filesystem is not compiled).


* Note: Oracle has determined that CVE-2023-52601 is not applicable.

Missing bound check for accessing an internal data structure in JFS
filesystem can lead to out-of-bounds access (both read and write). A
local attacker can exploit this flaw to extract sensitive information
from kernel memory, cause privilege escalation, denial-of-service, or
aid in other types of attacks.

The kernel is not affected by CVE-2023-52601 since the code under
consideration is not compiled (entire filesystem is not compiled).


* Note: Oracle has determined that CVE-2023-52602 is not applicable.

An invalid value in the internal entry table of JFS filesystem can lead
to out-of-bounds access (both read and write). A local attacker can
exploit this flaw to extract sensitive information from kernel memory,
cause privilege escalation, denial-of-service, or aid in other types of
attacks.

The kernel is not affected by CVE-2023-52602 since the code under
consideration is not compiled (entire filesystem is not compiled).


* Note: Oracle has determined that CVE-2023-52603 is not applicable.

An inadequate check while splitting an internal data structure in JFS
filesystem can lead to an out-of-bounds access (both read and write).
A local attacker can exploit this flaw to extract sensitive information
from kernel memory, cause privilege escalation, denial-of-service, or
aid in other types of attacks.

The kernel is not affected by CVE-2023-52603 since the code under
consideration is not compiled (entire filesystem is not compiled).


* Note: Oracle has determined that CVE-2023-52606 is not applicable.

Invalid maximum size assumption for emulation of vector instructions by
the PowerPC architecture core can lead to kernel stack corruption. A
local attacker can exploit this flaw to cause privilege escalation or
denial-of-service.

The kernel is not affected by CVE-2023-52606 since the code under
consideration is not compiled (kernel is not built for PowerPC).


* Note: Oracle has determined that CVE-2023-52607 is not applicable.

Failure to check memory allocation success can lead to a null-pointer
dereference in the PowerPC architecture's memory management code.

The kernel is not affected by CVE-2023-52607 since the code under
consideration is not compiled (kernel is not built for PowerPC).


* Note: Oracle has determined that CVE-2023-52617 is not applicable.

Removing a PCI device can cause a race in the MicroSemi Switchtec PCIe
switch management driver, leading to a use-after-free. A physical
attacker can exploit this flaw to cause privilege escalation or
denial-of-service.

The kernel is not affected by CVE-2023-52617 since the code under
consideration is not compiled (driver not present).


* CVE-2023-52587: Deadlock in ipoib multicast mode.

Incorrect locking when iterating the multicast list for an IP-over-IB
connection could result in an infinite loop. A malicious user able to
create IP-over-IB connections might be able to exploit this to cause a
denial-of-service on the system.


* CVE-2023-52435: Denial-of-service in net subsystem.

The core net subsystem is responsible for segmenting socket buffers for
various protocols. A missing bound check while doing that can lead to a
null-pointer dereference. A local attacker can exploit this flaw to
cause a denial-of-service.


* CVE-2023-52486: Denial-of-service in Direct Rendering Manager subsystem.

When replacing the scanned-out framebuffer with a new one, a deadlock
is possible leading to a use-after-free. A local attacker can exploit
this flaw to cause denial-of-service or aid in other types of attacks.


* CVE-2023-52583: Denial-of-service in Ceph distributed filesystem.

Incorrect locking order between parent and child directory entries
during an operation in Ceph filesystem can lead to a deadlock. A
local attacker can exploit this flaw to cause a denial-of-service.


* CVE-2023-52594: Information leak in Atheros HTC-based WiFi driver.

A missing bound-check in the transmit status operation after a config
request by an Atheros HTC-based WiFi card can lead to an out-of-bounds
read. A local attacker can exploit this flaw to extract sensitive
information from the kernel memory or cause denial-of-service.


* CVE-2023-52595: Denial-of-service in Ralink WiFi driver.

Hardware reset stops beacon transmission in hardware, but the Ralink
WiFi driver doesn't stop it in the mac80211 software stack, leading to
a deadlock resulting in non-transmission. A local attacker can exploit
this flaw to cause a denial-of-service.


* CVE-2023-52605: Denial-of-service in Extended MCA Error Log driver.

A misplaced null check in the module exit function of ACPI Extended MCA
Error Log driver can lead to a null-pointer dereference. A privileged
attacker can exploit this flaw to cause denial-of-service.


* CVE-2023-52615: Denial-of-service in Hardware Random Number Generator.

A read from /dev/hwrng into a memory region mapped by another read can
lead to a deadlock. A local attacker can exploit this flaw to
cause a denial-of-service.


* CVE-2023-52619: Denial-of-service in generic Persistent Storage filesystem layer.

RAM Oops/Panic Logger of the Persistent Storage layer can set the
number of CPU cores to an odd number, leading to a crash. A local
attacker can exploit this flaw to cause denial-of-service.


* CVE-2024-0340: Information leak when using Vhost.

A missing zeroing of kernel memory when using Vhost could lead to an
information leak. A local attacker could use this flaw to leak
information about the running kernel and facilitate an attack.


* CVE-2024-0607: Denial-of-service in the netfilter subsystem.

A logical error in the netfilter subsystem could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2024-26593: Data corruption in Intel 82801 (ICH/PCH) I2C driver.

The i2c-i801 driver has a flawed implementation of the block-write
block-read process call transactions, leading to reading wrong data
and leaving residual data in the device FIFO buffer. An attacker can
exploit this flaw to cause data corruption, denial-of-service, or aid
in other types of attacks.


* CVE-2024-26598: Use-after-free in ARM Virtual Generic Interrupt Controller.

During peripheral interrupt translation, incorrect refcounting by the
KVM Virtual Generic Interrupt Controller (VGIC) for ARM machines can
lead to a use-after-free. A local attacker can exploit this flaw to
cause denial-of-service or privilege escalation.


* CVE-2024-26602: Denial-of-service using membarrier system call.

The membarrier system call can slow down some systems to the point of
saturation. A local attacker can exploit this flaw to cause a
denial-of-service.


* CVE-2024-26613: Information leak in RDS networking stack.

An incorrect bound-check when receiving path latency can lead to an
out-of-bounds read. A local attacker can exploit this flaw to extract
sensitive information from kernel memory or cause denial-of-service.


* Denial-of-service in AMD x86 systems when launching KVM guests with Secure Boot.

Due to lack of support for some events in the Advanced Virtual
Interrupt Controller (AVIC) used by AMD machines, servicing those
events requires disabling AVIC on demand. Incorrect locking when
attempting that can lead to a deadlock. A local attacker can exploit
this flaw to cause denial-of-service.

Orabug: 36329600


* Enable support for non-anonymous transparent hugepages.

Non-anonymous THP is explicitly disabled in the memory management
code, which can cause some features that depend on it to fail.
Lack of such features may allow, for example, a physical attacker
to surreptitiously corrupt memory.

Orabug: 36223690


* CVE-2024-26645: Denial-of-service due to warnings about duplicates when tracing.

Due to ARM64 CPUs reordering the writes issued by the core kernel
tracing code, a duplicate key can be added in the tracing map. A
local attacker can exploit this flaw to cause denial-of-service or
facilitate an attack.


* CVE-2023-52623: Denial-of-service in SUNRPC networking stack.

A locking error when using SUNRPC subsystem could lead to a race
condition. A local attacker could use this flaw to cause a
denial-of-service or facilitate an attack.


* CVE-2024-26671: Denial-of-service in block subsystem.

Lack of a CPU barrier in the block multiqueue core code can lead to
reordering of some calls, which causes an I/O hang due to a race.
A local attacker can exploit this flaw to cause denial-of-service.


* CVE-2023-52622: Denial-of-service in ext4 filesystem.

Missing checks for block group size provided by a user to resize an
ext4 filesystem online can lead to an attempt to allocate an oversized
array, which would fail and thus the resize fails. A local attacker can
exploit this flaw to cause denial-of-service.


* CVE-2024-26673: Missing validation in netfilter subsystem.

Custom expectations handling in the netfilter subsystem did not verify
or sanitize the given protocol. A local attacker can exploit this flaw
to facilitate an attack.


* Note: Oracle will not provide a zero-downtime update for CVE-2024-26684.

Unhandled data-path parity errors during direct memory access in
devices handled by the STMicroelectronics Multi-Gigabit Ethernet driver
can lead to an interrupt storm. A physical attacker may exploit this
flaw to cause denial-of-service.

Data with parity error straight from faulty hardware may have bigger
implications. Changing the running kernel unnecessarily for a physical
hardware fault should be avoided.


* CVE-2024-26664: Out-of-bounds write in Intel CPU temperature sensor driver.

An out-of-bounds write can happen before an out-of-bounds check in the
Intel CPU temperature sensor driver. A local attacker can exploit this
flaw to cause privilege escalation or denial-of-service.


* CVE-2024-26679: Denial-of-service in IP networking stack.

Reception of an error can race with a socket changing from IPv6 to
IPv4, so the error is never received. A local attacker can exploit
this flaw to cause denial-of-service.


* CVE-2024-26663: Denial-of-service in TIPC networking stack.

Missing bearer type check while adding IP addresses in TIPC bearer can
lead to a null-pointer dereference. A local attacker can exploit this
flaw to cause denial-of-service.


* CVE-2024-26675: Denial-of-service in PPP async serial channel driver.

Lack of a maximum size check when setting the Maximum Receive Unit
using the ppp_async ioctl can lead to an attempt to allocate an
oversized socket buffer, which would fail and thus the ioctl operation
fails. A local attacker can exploit this flaw to cause
denial-of-service.


* CVE-2024-26720: Denial-of-service in kernel memory manager.

Incorrect cast of a divisor while setting dirty page writeback limits
can lead to a divide-by-zero error. A local privileged attacker can
exploit this flaw to cause denial-of-service.


* CVE-2024-26704: Denial-of-service in ext4 filesystem.

When moving extents in the ext4 filesystem, a failure to handle an
unsuccessful loop exit when calculating the moved length can lead
to a double-free and a divide-by-zero error. A local attacker can
exploit this flaw to cause denial-of-service or aid in other types
of attacks.


* Note: Oracle has determined that CVE-2024-26722 is not applicable.

Missing mutex unlock in RT5645 ALSA SoC audio codec driver can lead to
a deadlock. A local attacker can exploit this flaw to cause
denial-of-service.

The kernel is not affected by CVE-2024-26722 since the code under
consideration is not compiled (driver not present).


* Note: Oracle has determined that CVE-2024-26702 is not applicable.

Missing bound check in PNI RM3100 3-Axis Magnetometer driver can lead
to an out-of-bounds read due to underlying hardware failures. A local
or physical attacker can exploit this flaw to cause denial-of-service.

The kernel is not affected by CVE-2024-26702 since the code under
consideration is not compiled (driver not present).


* Note: Oracle has determined that CVE-2024-26697 is not applicable.

Incorrect offset calculation during block recovery in NILFS2 filesystem
can allow a local attacker to cause data corruption or leak sensitive
information from the kernel memory.

The kernel is not affected by CVE-2024-26697 since the code under
consideration is not compiled (entire filesystem is not compiled).


* Note: Oracle has determined that CVE-2024-26696 is not applicable.

Conditional waiting for writeback to complete in NILFS2 filesystem can
lead to a deadlock. A local attacker can exploit this flaw to cause
denial-of-service.

The kernel is not affected by CVE-2024-26696 since the code under
consideration is not compiled (entire filesystem is not compiled).


* Note: Oracle has determined that CVE-2024-26685 is not applicable.

Faulty manipulation of flags during async write in NILFS2 filesystem
can lead to a kernel BUG. A local attacker can exploit this flaw to
cause denial-of-service.

The kernel is not affected by CVE-2024-26685 since the code under
consideration is not compiled (entire filesystem is not compiled).


* Note: Oracle has determined that CVE-2023-52637 is not applicable.

Modification of filters using setsockopt while receiving packets in the
SAE J1939 CAN networking stack can lead to a use-after-free. A local
attacker can exploit this flaw to cause denial-of-service or privilege
escalation.

The kernel is not affected by CVE-2023-52637 since the code under
consideration is not compiled (SAE J1939 support is not enabled).


* Note: Oracle has determined that CVE-2024-26825 is not applicable.

A device may get deallocated while receiving packets in NFC subsystem,
leading to socket buffers being leaked. A local attacker can exploit
this flaw to exhaust kernel memory and cause a denial-of-service.

The kernel is not affected by CVE-2024-26825 since the code under
consideration is not compiled (NFC support is not enabled).


* CVE-2024-26917: Denial-of-service in Fibre Channel over Ethernet module.

An incorrect type of locking when handling controllers in the FCoE
module results in interrupts from the FCoE devices being missed. A
local attacker can exploit this flaw to cause a denial-of-service.


* Note: Oracle will not provide a zero-downtime update for CVE-2024-26820.

When the Microsoft Hyper-V virtual network driver is reloaded, virtual
function (VF) registration can fail. A privileged attacker can exploit
this flaw to cause a denial-of-service.

If the attacker has root access necessary to exploit this flaw (as
modules cannot be loaded or unloaded without root privileges), the
attacker is already in the system, so it is unnecessary to modify
the running kernel.


* Note: Oracle has determined that CVE-2024-26920 is not applicable.

This CVE is assigned to a commit which was incorrectly backported to
the stable trees and which breaks things instead of fixing them.

The kernel is not affected by CVE-2024-26920 since the code under
consideration is not compiled (problematic commit not present in
UEK6 trees for version 329.3.2 and earlier).


* Note: Oracle has determined that CVE-2024-26848 is not applicable.

After a change which hides silly-renames in AFS filesystem, an infinite
loop is possible. A local attacker can exploit this flaw to cause a
denial-of-service.

The kernel is not affected by CVE-2024-26848 since the code under
consideration is not compiled (entire filesystem is not present and
also the problematic change does not exist).


* CVE-2023-52464: Out-of-bounds write in Cavium ThunderX EDAC driver.

Use of a wrong string-manipulation function in the Cavium ThunderX
memory controller (EDAC) driver leads to an out-of-bounds write.
A local attacker can exploit this flaw to cause denial-of-service
or privilege escalation.

(Only for UEK6 ARM kernel version 5.4.17-2136.328.3 and before.)


* CVE-2023-52469: Denial-of-service in AMDGPU driver.

A race in the power management code of the AMDGPU driver for CIK ASICs
can lead to a use-after-free error. A local attacker can exploit this
flaw to cause denial-of-service or aid in other types of attacks.

(Only for UEK6 ARM kernel version 5.4.17-2136.328.3 and before.)


* CVE-2021-46931: Stack overflow in Mellanox 5th generation network adapters core driver.

An incorrect cast of an argument during transmission timeout in the
Mellanox ConnectX adapter driver can lead to a stack overflow. A local
attacker can exploit this flaw to cause arbitrary code execution or aid
in other types of attacks.

Orabug: 34382720, 36381742

(Only for UEK6 kernel versions 5.4.17-2136.318.7.2 to 5.4.17-2136.305.5.3.)

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



