From ksplice-support_ww at oracle.com Thu Feb 28 00:37:35 2019
From: ksplice-support_ww at oracle.com (Oracle Ksplice)
Date: Thu, 28 Feb 2019 08:37:35 GMT
Subject: [Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (4.9.144-3)
Message-ID: <201902280837.x1S8bZH6018277@aserv0021.oracle.com>

Synopsis: 4.9.144-3 can now be patched using Ksplice
CVEs: CVE-2017-18249 CVE-2017-5715 CVE-2018-1129 CVE-2018-12896 CVE-2018-13053 CVE-2018-13096 CVE-2018-13097 CVE-2018-13100 CVE-2018-14610 CVE-2018-14611 CVE-2018-14612 CVE-2018-14614 CVE-2018-14633 CVE-2018-16862 CVE-2018-17972 CVE-2018-18281 CVE-2018-18690 CVE-2018-18710 CVE-2018-19407 CVE-2018-3639 CVE-2018-5848

Systems running Debian 9.0 Stretch can now use Ksplice to patch against the latest Debian kernel update, 4.9.144-3.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0 Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these updates will be installed automatically and you do not need to take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Invalid memory access when getting user queue pairs in VMware VMCI driver.

A logic error when getting user queue pairs in the VMware VMCI driver could lead to an invalid memory access. A local attacker could use this flaw to cause a denial-of-service.

* Denial-of-service when handling packets over IPv6 over Low power Wireless Personal Area Network.

A logic error when handling packets over IPv6 over Low power Wireless Personal Area Network could lead to a kernel assert. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2018-13053: Integer overflow in alarm_timer_nsleep.

The alarm_timer_nsleep function in the kernel timekeeping code does not check for overflow when adding two time values together, potentially causing undefined behavior in the kernel.
* Use-after-free when registering error detection and correction driver for Intel i7 processors. Wrong error handling when registering error detection and correction driver for Intel i7 processors could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service. * Use-after-free when claiming USB interface. A logic error in error path when claiming USB interface could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service. * NULL pointer dereference when configuring USB host. A missing check when configuring USB host could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. * Denial-of-service in Intel Omin-Path HFI SDMA request. A failure to properly validate user input in the Intel hfi code could result in a NULL pointer dereference. This could be exploited to cause a denial-of-service. * CVE-2018-14633: Permission bypass in SCSI authentication request process. A logic error in SCSI authentication request process could lead to a buffer overflow. A local attacker could use this flaw to expose SCSI content without permission. * NULL pointer dereference when setting ring parameters of e1000 network interface. A logic error when setting ring parameters of e1000 network interface could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. * Memory leak when setting ring parameters of e1000 network interface. A missing free of resources when setting ring parameters of e1000 network interface could lead to a memory leak. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service. * NULL pointer dereference when passing Fast Transition Information Element to the WLAN driver. A missing check when passing Fast Transition Information Element to the WLAN driver could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. 
* Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization. Incorrect locking when initializing an OCFS2 DLM lock resource could result in memory corruption and a kernel crash. * Kernel crash during device mapper cache resize operation. A failure to reload dm-cache information during a resize operation can result in a kernel crash. * Deadlock in CPU hotplug cgroup migration. A logic error can result in a terminating process causing a deadlock if it is migrated between cpuset cgroups whilst it is being terminated. * Use-after-free in ath10k command tracing. A race condition in the ath10k driver can result in a tracepoint handler accessing memory which has already been freed. * Denial-of-service during Flash-Friendly filesystem mount. A logic error in the f2fs mount code could lead to an invalid memory access and possible kernel panic. This could be exploited to cause a denial-of-service. * Use-after-free during RMDA Userspace Connection Manager close. A race condition between closing a userspace RDMA connection and an IP resolution call can result in a use-after-free. A local user with access to RDMA could use this flaw to cause a kernel crash or potentially escalate privileges. * NULL pointer dereference during UBIFS mount. A missing NULL pointer check when reading the device name in a UBIFS filesystem can result in a NULL pointer dereference, leading to a kernel crash. * Kernel crash during ath10k scan operation. A logic error when calculating the size of a scan message in the ath10k driver can result in an out-of-bounds write, leading to memory corruption and a kernel crash. * Kernel crash in ebtables target validation. A failure to validate information from userspace can result in an out-of-bounds memory access leading to a kernel crash. * Kernel crash during HD audio device initialisation. 
A race condition during initialisation of an HD audio device can result in an interrupt being delivered before the driver is ready to receive it, leading to a kernel crash. * Kernel crash in ACPI i2c transaction execution. A failure to correctly set the length of an i2c transaction can result in the kernel reading an invalid value, leading to a kernel crash. * Denial-of-service in IPv4 and IPv6 tunnel packet transmission. An incorrect assumption in the IPv4 and IPv6 tunnel implementations can result in attempting to access uninitialized memory, leading to undefined behavior. A local user with access to an IP tunnel could use this flaw to cause a denial of service. * Use-after-free in IP ancillary message reception. Reading a stale IP header value in the ancillary message path can result in a use-after-free. * Use-after-free in IPv6 raw socket header sending. A failure in the ipv6 error handling code could lead to a use-after-free and possible kernel panic. This could be exploited to cause a denial-of-service. * Denial-of-service in netlink IPv4 netlabel management. An incorrect assumption about the format of a netlink netlabel request can result in a NULL pointer dereference, leading to a kernel crash. A local user with the ability to configure netlabels could use this flaw to cause a kernel crash. * Kernel crash during SMSC75xx unbinding. A failure to cancel delayed work in the SMSC75xx USB network driver can result in a NULL pointer dereference after the driver has been unbound. * Deadlock during enslave of network interface to team device. Attaching the same network interface to a team device can result in a double lock, leading to a deadlock. A local user with the ability to configure network interfaces could use this flaw to cause a denial-of-service. * Out-of-bounds write in AF9035 DVB tuner i2c implementation. 
A logic error when transferring a small number of bytes via an i2c interface to an AF9035 DVB tuner can result in an integer underflow, leading to an out-of-bounds memory write. A local user with access to an AF9035 DVB tuner could use this flaw to cause a denial-of-service. * Invalid memory access in Advanced B.A.T.M.A.N sysfs access. Logic errors in the batman-advanced code could result in an invalid memory access and possible memory corruption or kernel panic. This could be exploited to generate a denial-of-service. * Invalid memory access in IBM vSCSI target string handling. Logic errors in the ibm vscsi code could result in invalid memory accesses, which could be exploited for a denial-of-service attack. * Kernel crash during USB serial gadget TTY close. A race condition when closing a TTY session for a USB serial device gadget can result in a NULL pointer dereference, leading to a kernel crash. * Invalid memory access in Intel Omin-Path HFI Service Level handling. A failure to validate user input in the service level handling code for the Intel hfi could cause an out-of-bounds array access, leading to possible memory corruption or kernel crash. This could be used to cause a denial-of-service. * CVE-2018-17972: Information leak in kernel stack dumps in /proc. A missing permissions check in the proc code could allow an unprivileged user to access the kernel stack memory space. * CVE-2018-18281: Information leak in mremap syscall. A logic error in the mremap code could allow one process to access memory of a different process. * Invalid memory access when reopening a TTY device. A race condition when reopening a TTY device could lead to an invalid memory access. A local attacker could use this flaw to cause a denial-of-service. * Undefined behavior in XFRM selector. A failure to properly validate user input in the xfrm selector can lead to undefined and invalid behavior. * Denial-of-service in XFRM user templates with IP_XFRM_POLICY. 
A failure to validate user input in the xfrm code could lead to a invalid memory read and possible kernel panic. This could be exploited to cause a denial-of-service. * Improved fix for Spectre v1: Bounds check bypass on nl80211 with TXRATE_HT. A missing use of the indirect call protection macro in the nl80211 code with NL80211_TXRATE_HT set could lead to speculative execution. A local attacker could use this flaw to leak information about the running system. * Denial-of-service in Bluetooth device unpair. A race condition in the Bluetooth code could cause an invalid memory access and subsequent kernel crashing if unpair_device gets called at the same time that a device pairing is in progress. * Invalid memory access in CHELSIO T3 ioctl. A failure to completely verify user-supplied memory in the cxgb3 code could allow a malicious user to modify memory used in the driver, leading to undefined behavior. * Use-after-free when sending command over MLX5 driver. Redundant free when sending command over Mellanox Technologies ConnectX-4 and Connect-IB (MLX5) driver could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service. * Divide by zero error when using Mellanox Technologies ConnectX-4 Ethernet driver. A missing check when using Mellanox Technologies ConnectX-4 driver could lead to a divide by zero error. A local attacker could use this flaw to cause a denial-of-service. * Deadlock when using Mellanox Technologies ConnectX-4 and Connect-IB core driver. A locking error in health code of Mellanox Technologies ConnectX-4 and Connect-IB core driver could lead to a deadlock. A local attacker could use this flaw to cause a denial-of-service. * Reference leak in RDS endpoint setup. Missing reference count releases when setting up an Infiniband RDS endpoint could result in later RDS socket failures. * Denial-of-service while copying large file on OCFS2 filesystem. 
A locking error while copying large file on OCFS2 filesystem while changing file attributes could lead to a dead lock. A local attacker could use this flaw to cause a denial-of-service. * NULL pointer dereference when accepting or peeling off a SCTP socket. A logic error when accepting or peeling off a SCTP socket could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. * Memory leak when using IEEE 802.1AE MAC-level encryption. A missing free when encrypting or decrypting MAC addresses with IEEE 802.1AE MAC-level encryption could lead to a memory leak. A local attacker could use this flaw to cause a denial-of-service. * Denial-of-service when removing USB3 device. A double-free bug when removing USB3 devices leads to a NULL pointer dereference. This can be triggered in the device's "safely remove" feature path and lead to a denial-of-service. * NULL pointer dereference during Elastic Network Adapter bringup. A race condition during the initialization of the ENA network driver can result in a kernel crash. * Denial-of-service in IPv6 netfilter with IPv6 defragmentation. A logic error in the netfilter code could result in a kernel crash with ipv6 packets. This could be used for a denial-of-service. * Use-after-free in IPv6 multicast check. A race condition in the ipv6 code could lead to a use-after-free condition while checking the packet. This could be used for a denial-of-service attack. * Invalid memory access in ethtool ioctl. A failure to properly check user-supplied memory in the ethtool code could allow a malicious user to modify memory that is used by the kernel, leading to undefined behavior. * Use-after-free in SCTP ID association lookup. A race condition in the sctp code could result in a use-after-free condition. This could be exploited to cause a denial-of-service. * Improved fix for Spectre v1: Bounds check bypass in Vhost ioctl. 
A missing use of the indirect call protection macro in the vhost ioctl code could lead to speculative execution. A local attacker could use this flaw to leak information about the running system. * Privilege escalation in ethtool ethcmd. A failure to properly check user input in the ethtool code could allow a malicious user to change memory in use by the ethtool code in order to execute commands they lack the privilege for. * Uninitialized memory access in Rtnetlink forwarding database configuration. A failure to properly check the device type in rtnetlink could cause the rtnetlink code to attempt to configure an invalid device, making it use uninitialized memory. This could be exploited by a malicious user. * Denial-of-service when resetting a AHCI SATA controller. A missing check of return code when resetting a AHCI SATA controller could lead to an invalid memory access. A local attacker could use this flaw to cause a denial-of-service. * Improved fix for Spectre v1: bounds-check bypass in PTP clock driver. A missing use of the indirect call protection macro in the PTP clock driver could lead to speculative execution. A local attacker could use this flaw to leak information about the running system. * Improved fix for Spectre v1: bounds-check bypass in Infiniband driver. A missing use of the indirect call protection macro in the Infiniband driver could lead to speculative execution. A local attacker could use this flaw to leak information about the running system. * Use-after-free when mounting a JFFS2 filesystem with an invalid mount option. A missing free of resources when mounting a JFFS2 filesystem with an invalid mount option could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service. * Denial-of-service when using an ioctl of LSI Logic MegaRAID SAS RAID Module. A missing check when using FIRMWARE32 ioctl of LSI Logic MegaRAID SAS RAID Module could lead to an invalid memory access. 
A local attacker could use this flaw to cause a denial-of-service. * Stack corruption in Infiniband ICMP send control buffer management. A failure to clear a control buffer when sending an ICMP packet over Infiniband can result in stack corruption. * Use-after-free in VMWare Virtual Machine Communication Interface wildcards. A validation failure when adding VMCI resources can result in a duplicate entry leading to refcount errors which can result in a use-after-free. A local user with the ability to configure VMCI could use this flaw to cause a kernel crash or potentially escalate privileges. * Out-of-bounds access in iwlwifi rate management. A failure to handle an error case can result in an out-of-bounds memory access, leading to undefined behavior or a kernel crash. * Use-after-free in the journaling layer for block devices. A locking error in the journaling layer for block devices could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service. * NULL pointer dereference when mounting a GFS2 filesystem. A missing check on user input when mounting a GFS2 filesystem could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. * Improved fix for Spectre v1: bounds-check bypass in Human Input Device driver. Information controlled by userspace can be used to disclose kernel memory via speculation in the Human Input Device driver. A local user could use this flaw to facilitate a further attack on the system. * Out-of-bounds access in LRW crypto driver. A logic error in LRW crypto driver could lead to an overflow and an out-of-bounds access. A local attacker could use this flaw to cause a denial-of-service. * Reserved page accounting imbalance with hugetlbfs mappings. Incorrect handling of dirty hugetlbfs pages could result in a reserved page count underflow when dropping filesystem caches under specific conditions. * Denial-of-service when closing NFSD transport layer. 
A logic error when closing NFSD transport layer could lead to a kernel panic. A local attacker could use this flaw to cause a denial-of-service. * Out-of-bounds access in a print in lockd driver. A logic error in a print in lockd driver could lead to an out-of-bounds access. A local attacker could use this flaw to cause a denial-of-service. * Denial-of-service when using ioctl of Multiple devices driver. A logic error when using ioctl of Multiple devices driver could lead to an invalid memory access. A local attacker could use this flaw to cause a denial-of-service. * Denial-of-service in V4L2 Test Pattern Generator. A type error when displaying test patterns in V4L2 can result in an out-of-bounds memory access, leading to a kernel crash. A local user could use this flaw to cause a denial-of-service. * Out-of-bounds access in TVP5150 V4L2 driver menu query. A logic error when creating menu items in the TVP5150 V4L2 driver can result in an out-of-bounds memory access, leading to a kernel crash or other undefined behavior. * Out-of-bounds access when using a crafted CRAMFS filesystem. A logic error when reading block offsets in a CRAMFS filesystem could lead to an out-of-bounds access. A local attacker could use a crafted CRAMFS filesystem to cause a denial-of-service. * Denial-of-service when walking up BTRFS tree. A logic error when walking up BTRFS tree could lead to a kernel assert. A local attacker could use this flaw and a crafted BTRFS filesystem to cause a denial-of-service. * Denial-of-service when allocating BTRFS tree. A missing check when allocating BTRFS tree could cause a deadlock. A local attacker could use this flaw with a crafted BTRFS filesystem to cause a denial-of-service. * Kernel crash during IO error handling in BTRFS shutdown. A logic error when encountering an IO error during unmount of a BTRFS filesystem can result in a NULL pointer dereference, leading to a kernel crash. * Denial-of-service when using caching on BTRFS filesystem. 
A logic error when using caching on BTRFS filesystem could lead to a kernel assert. A local attacker could use this flaw to cause a denial-of-service. * NULL pointer dereference on compressing in BTRFS filesystem. A logic error when compressing in BTRFS filesystem could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. * NULL pointer dereference in TTY driver lookup. Incorrect string validation could result in a NULL pointer dereference and kernel crash when looking for a polling console driver. * Use-after-free in Plan9 network protocol statistics cleanup. Failure to reinitialize pointers on Plan9 statistics cleanup could result in a use-after-free and kernel crash. * CVE-2018-18710: Information leak when checking the CD-ROM slot status. An incorrect bounds check in the CD-ROM driver could allow an out-of-bounds access and kernel information leak to an unprivileged user. * Use-after-free in FUSE filesystem device reads and writes. A race condition when performing reads and writes to a FUSE filesystem device could result in a use-after-free and kernel crash. * Task hang in FUSE filesystem request completion. Incorrect synchronization could result in failure to wake up a task on FUSE filesystem request completion leading to application hangs. * Denial-of-service when querying ethernet statistics. Failure to validate stat type when performing a query on e1000 network adapter leads to a NULL pointer dereference. A local user could exploit this to cause a denial-of-service. * Information leak when getting information about QLogic BR-series Converged Network adapter. A logic error when getting information about QLogic BR-series Converged Network adapter could lead to an information leak. A local attacker could use this flaw to leak information about running kernel and facilitate an attack. * Use-after-free in Ceph dentry splicing. 
Incorrect reference counting could result in a use-after-free and kernel crash when splicing a Ceph dentry to an inode. * Use-after-free in OCFS2 metadata corruption cleanup. Incorrect reference counting could result in a use-after-free of a block buffer head. * Kernel crash in TTY baud rate setting. Missing bounds checking in the TTY baud rate setting code could result in an out-of-bounds access and kernel crash or information leak. * Kernel crash in BTRFS copy-on-write failure. Incorrect cleanup during copy-on-write failure for a BTRFS filesystem could result in triggering a kernel assertion and crash. * BTRFS file corruption during block cloning. Failure to clone the final block of a file could result in data corruption of the cloned file under specific conditions. * Denial-of-service in EXT4 buffer management. Multiple buffer leaks in the EXT4 filesystem could result in resource leaks and a denial of service. * Information disclosure via bind mount manipulation. A logic error when checking mount permissions can result in a namespaced process being able to view filesystem content outside of its namespace. A local user could use this flaw to view restricted information. * Information leak via bind mount manipulation. A logic error when checking mount permissions can result in a namespaced process being able to view filesystem content outside of its namespace. A local user could use this flaw to view restricted information. * Use-after-free in FUSE asynchronous direct IO. A use-after-free when performing FUSE asynchronous direct IO operations could result in a kernel crash. A local, unprivileged user could use this flaw to crash the system. * Resource leak in FUSE filesystem notification response. Missing error handling could result in a resource leak and unkillable tasks under specific conditions during connection reset. * Kernel crash in HugeTLB copying during unsharing. 
A race condition when changing the protections of a HugeTLB page and forking the process could result in triggering a kernel assertion and crash. * Potential denial-of-service in Broadcom TG3 ethernet driver. In extremely high-traffic scenarios, the Broadcom TG3 ethernet driver might cause a lockup in the associated device's layer-1 chip, potentially resulting in a denial of network service. * NULL dereference while cloning files on CIFS. There is a potential NULL dereference while cloning a range of bytes for copy-on-write on a CIFS filesystem. This could potentially be exploited by a local attacker to cause a denial-of-service. * Memory leak in GFS2 filesystem bitmap buffers. Missing resource frees for a GFS2 filesystem could result in a memory leak. A local user with privileges to mount a filesystem could use this flaw to exhaust system memory. * BTRFS filesystem corruption in transaction aborts. Missing locking when destroying a pinned extent could result in filesystem corruption during transaction aborts. * NULL dereference while loading userspace I/O driver. The userspace I/O driver can potentially attempt to access an uninitialized pointer while the module is loading. This leads to a NULL dereference and subsequent kernel panic. This flaw could potentially be exploited to cause a denial-of-service. * Improved fix for Spectre v1: Information leak in SGI GRU driver. An unsanitized user-controlled value is used as an index to a buffer in SGI's Global Reference Unit driver. This could be exploited to leak information about the running system. * Information leak in uhid character device driver. Under certain circumstances, the uhid character device driver will allow kernel memory to be copied from a user specified location. This flaw could be exploited to leak information about the running system. * Memory corruption when failing readdir on 9Pfs. 
When failing a readdir on the Plan 9 Filesystem Protocol, the stat structure might be improperly freed twice, resulting in memory corruption or a potential denial-of-service. * Use-after-free when disconnecting sctp connection with outstanding data. If an sctp connection is shut down with data still remaining to be sent, in rare cases the structures holding this data can be accessed after they are freed, resulting in potential memory corruption or a denial-of-service. * Use-after-free in link-layer with non-TCP/DCCP traffic. When receiving data from a non-TCP or DCCP protocol, a race condition might occur between processing data received on the link and freeing it. This results in a use-after-free, and potential memory corruption or denial-of-service. * Denial-of-service when accessing arvif list in Atheros 802.11ac wireless cards driver. A locking error when accessing arvif list in Atheros 802.11ac wireless cards driver could lead to a kernel panic. A local attacker could use this flaw to cause a denial-of-service. * NULL pointer dereference when dequeuing skb in Marvell WiFi-Ex driver. A logic error when dequeuing skb in Marvell WiFi-Ex driver could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. * Out-of-bounds accesses in Universal Flash Storage Controller driver. Multiple errors in Universal Flash Storage Controller driver could lead to out-of-bounds accesses or NULL pointer dereferences. A local attacker could use this flaw to cause a denial-of-service. * Potential information leak via lingering terminal buffer. In several cases, data in terminal buffers is not cleared after use. This data would be a valuable target for malicious users. * Denial-of-service in tmpfs page release path. When a hugepage backed tmpfs filesystem is under heavy load, a kernel assertion can fail while attempting to free backing pages, due to a race with a hugepage split operation. 
A malicious local attacker could exploit this flaw to cause a denial-of-service. * Unsafe locking in hugepage split path. The hugepage split path attempts to take a lock that is not IRQ-safe, without disabling interrupts. This can lead to unexpected behavior, including a potential deadlock. * Use-after-free when disconnecting a Empia EM28xx USB device. A logic error when disconnecting a Empia EM28xx USB device could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. * Packet loss due to incorrect flagging in networking core. A failure to clear a flag on forwarded packets in the networking core can lead to the packets being blocked unexpectedly. This could cause unexpected behavior. * Use-after-free in RapidIO Ethernet over messaging driver. A logic error in RapidIO Ethernet over messaging driver could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service. * Shadow page table corruption during emulated writes. A race condition while writing to KVM's shadow page tables can lead to guest PTEs and shadow PTEs being out of sync. This can cause unexpected behavior, including improper memory accesses. * Improved fix for CVE-2017-5715: Information leak due to missing IBPB calls in SVM. A potential Spectre v2 attack vector exists in the KVM code that supports SVM-enabled processors, due to a failure to call indirect_branch_prediction_barrier when freeing vcpus. This can be exploited by a local attacker to leak information about the running system. * CVE-2018-19407: Denial-of-service in KVM IOAPIC scan. A missing safety check in KVM's IOAPIC scan path can cause the kernel to attempt access certain objects that have not been initialized. This can cause unexpected behavior, including a potential system crash. * Buffer overflow in btrfs_control_ioctl. A failure to check that a user-supplied string is NULL-terminated can lead to a buffer overflow in the btrfs ioctl handler. 
This could lead to unexpected behavior, including a potential denial-of-service. * Shift overflow during AC97-SPSA control write. A logic error in the AC97 driver's snd_ac97_put_spsa routine can cause a bitwise shift exponent to be calculated incorrectly, resulting in a shift operation that overflows beyond the 32 bits allocated to store the result. This could result in unexpected behavior on some systems. * Use-after-free in sound driver control interface. A race condition that exists in the sound driver core, when processes attempt to concurrently add and remove user control elements. This race condition can result in a use-after-free scenario, which can cause unexpected behavior, including a potential system crash. * Use-after-free when setting extended attributes for EXT2 filesystems. A refcount error when setting extended attributes for EXT2 filesystems could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service. * NULL dereference in DRM open path. Improper handling of an error condition while attempting to open the /dev/drm device file can lead to a NULL dereference and subsequent kernel panic. This could potentially be used by a local attacker to cause a denial-of-service. * Information leak when getting attributes in Chelsio Communications FCoE driver. Mutliple logic errors when getting attributes in Chelsio Communications FCoE driver could lead to an information leak. A local attacker could use this flaw to exhaust kernel memory and cause a denial-of-service. * Race condition when creating vcpu on SVM causes guest failure. Missing synchronization when creating the vcpu for an SVM guest could result in a race condition, preventing the proper creation of a memory region and causing a disruption in guest machine creation. * Use-after-free when dumping free space in BTRFS filesystem. A locking issue when dumping free space in BTRFS filesystem could lead to a use-after-free. 
A local attacker could use this flaw to cause a denial-of-service. * CVE-2018-16862: Potential memory corruption in inode truncation path. A logic error in the memory manager's inode truncation path can lead to an inode not being properly cleaned up. If another file is created with the same inode, it is possible to read old leftover data, instead of the expected data, when attempting to read the new file. This could cause a system to exhibit unexpected behavior. * Improved fix to CVE-2018-3639: Speculative Store Bypass information leak for eBPF. Malicious eBPF programs can be vulnerable to a speculative store bypass attack without hardening or having the SSBD mitigation enabled whilst running an eBPF program. * CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver. Improper length validation could lead to integer overflow and undefined behaviour. A local user could use this flaw to cause a memory corruption and potentially escalate privileges. * CVE-2018-14611: Use-after-free when reading invalid BTRFS chunk. A failure to validate the type of a BTRFS chunk can result in a use-after-free. A local user with the ability to mount a crafted BTRFS filesystem could use this flaw to potentially escalate privileges. * CVE-2018-14610: Denial-of-service due to invalid BTRFS chunk block mappings. A failure to validate chunk and block mappings during mount of a BTRFS filesystem can result in a kernel crash. A local user with the ability to mount a BTRFS filesystem could use this flaw to cause a denial-of-service. * CVE-2018-18690: XFS filesystem failure during extended attribute replacement. Incorrect handling of extended attribute replacement on an XFS filesystem could result in a filesystem shutdown. A local, unprivileged user could use this flaw to trigger a denial of service. * CVE-2018-12896: Denial-of-service via POSIX timer overflow. 
The POSIX timer overrun value can overflow a 32-bit integer if the timer has a sufficiently long interval and expiry time. A malicious local user could create such a timer to cause a denial-of-service.

* CVE-2018-1129: Signature check bypass of cephx message.

An incorrect computation of the message signature in the cephx authentication protocol could let an attacker bypass the signature check and alter the message payload. Note that existing Ceph clients are not protected against this CVE until they are restarted.

* CVE-2018-14612: NULL pointer dereference when using btrfs image with missing group items.

A missing check when using a crafted btrfs image with an unbalanced number of chunks and groups could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2017-18249: Denial-of-service when handling node ids in F2FS filesystem.

A race condition in the way node ids are handled in the F2FS filesystem could lead to a denial-of-service. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2018-13097: Out-of-bounds access in superblock of F2FS filesystem.

A missing check in the code handling the F2FS superblock could lead to an out-of-bounds access or a divide-by-zero error. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2018-14614: Out-of-bounds access when removing dirty segment in F2FS filesystem.

A logic error when removing a dirty segment in the F2FS filesystem could lead to an out-of-bounds access. A local attacker could use this flaw to cause a denial-of-service.

* NULL pointer dereference when uninitializing framebuffer for bochs driver.

A logic error when uninitializing the framebuffer for the bochs driver could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service.

* Invalid memory access when doing an incremental send in BTRFS driver.
A logic error when doing an incremental send in the BTRFS driver could lead to an invalid memory access. A local attacker could use this flaw to cause a denial-of-service.

* Use-after-free in perf subsystem when iterating children siblings.

A race condition in the perf subsystem when iterating children siblings could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service.

* Use-after-free when unloading USB/IP virtual USB device controller driver.

A logic error when unloading the USB/IP virtual USB device controller driver could lead to a use-after-free. A local attacker could use this flaw to cause a denial-of-service.

* Multiple memory leaks in QLogic QED driver.

Several logic errors in the QLogic QED driver can lead to memory leaks. These flaws could potentially be exploited to waste system resources and degrade performance.

* Denial-of-service when using platform CAN driver.

A missing check when using the platform CAN driver could lead to a kernel assert. A local attacker could use this flaw to cause a denial-of-service.

* Denial-of-service when building SIT entries in F2FS filesystem.

A missing check when building SIT entries in the F2FS filesystem could lead to an invalid memory access. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2018-13096: Out-of-bounds access when mounting F2FS image.

A logic error when mounting a specially crafted F2FS image with an abnormal bitmap size could lead to an out-of-bounds access. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2018-13100: Denial-of-service when mounting a crafted F2FS image with an invalid secs_per_zone.

A missing check when mounting a crafted F2FS image with an invalid secs_per_zone could lead to a divide-by-zero error. A local attacker could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
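The POSIX timer overrun overflow described above (CVE-2018-12896) comes down to one pattern: a 64-bit count of missed expiries was folded into a 32-bit int and then handed to user space. The following user-space model is an added example, not code from the Ksplice advisory or from the Linux kernel; the struct ktimer layout, the overrun_count() division and the function names are simplified stand-ins. It shows the size of the count a long-overdue timer with a tiny period produces, the check that tells you the old int accounting cannot hold it, and the post-fix approach of accumulating in 64 bits and clamping what timer_getoverrun(2) reports to INT_MAX (DELAYTIMER_MAX on Linux).

```c
/*
 * Added example: user-space model of POSIX timer overrun accounting
 * (CVE-2018-12896). Not code from the advisory or from kernel/time/;
 * struct and function names are simplified stand-ins for illustration.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000LL

/* Simplified stand-in for the kernel's per-timer overrun bookkeeping. */
struct ktimer {
    int64_t interval_ns;   /* period; 0 means one-shot */
    int64_t expiry_ns;     /* next scheduled expiry */
    int64_t it_overrun;    /* overruns accumulated since last delivery (64-bit) */
};

/*
 * How many whole periods have elapsed between the scheduled expiry and
 * 'now'. This is the division a periodic re-arm performs; a timer that is
 * seconds overdue with a nanosecond period yields a value far larger than
 * a 32-bit int can hold.
 */
static uint64_t overrun_count(const struct ktimer *t, int64_t now_ns)
{
    if (t->interval_ns <= 0 || now_ns <= t->expiry_ns)
        return 0;
    return (uint64_t)(now_ns - t->expiry_ns) / (uint64_t)t->interval_ns;
}

/*
 * Pre-fix pattern: the overrun field was an int and the count was simply
 * added to it. Rather than executing that signed overflow (undefined
 * behaviour in C), report whether 'cur + orun' still fits in an int.
 */
static int overrun_add_fits_int(int cur, uint64_t orun)
{
    /* (int64_t)INT_MAX - cur is never negative and always fits in 64 bits. */
    return orun <= (uint64_t)((int64_t)INT_MAX - (int64_t)cur);
}

/* Post-fix pattern: accumulate in 64 bits while advancing the expiry. */
static void timer_forward(struct ktimer *t, int64_t now_ns)
{
    uint64_t orun = overrun_count(t, now_ns);

    t->it_overrun += (int64_t)orun;
    t->expiry_ns += (int64_t)orun * t->interval_ns;
}

/*
 * What timer_getoverrun(2) hands to user space: the 64-bit total clamped
 * to INT_MAX (DELAYTIMER_MAX on Linux) instead of a wrapped value.
 */
static int timer_overrun_to_int(const struct ktimer *t)
{
    int64_t sum = t->it_overrun;

    return sum > (int64_t)INT_MAX ? INT_MAX : (int)sum;
}

int main(void)
{
    /* Constructed case: 1 ns period, armed 10 s ago and never serviced. */
    struct ktimer t = { .interval_ns = 1, .expiry_ns = 0, .it_overrun = 0 };
    int64_t now = 10 * NSEC_PER_SEC;
    uint64_t orun = overrun_count(&t, now);

    printf("missed periods: %llu, fits in int: %s\n",
           (unsigned long long)orun,
           overrun_add_fits_int(0, orun) ? "yes" : "no");

    timer_forward(&t, now);
    printf("reported overrun: %d (INT_MAX = %d)\n",
           timer_overrun_to_int(&t), INT_MAX);
    return 0;
}
```

The clamp is the user-visible half of the fix; the other half is that the accumulator itself is wide enough that the addition in timer_forward() cannot wrap for any interval and expiry a caller can set.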
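The three F2FS mount issues above (CVE-2018-13097, CVE-2018-13100 and CVE-2018-13096) share a root cause: geometry read from an attacker-supplied image was used as a divisor and as a buffer length before it was checked. The following user-space model is an added example, not code from the Ksplice advisory or from fs/f2fs; the raw_super and raw_checkpoint structs are cut-down stand-ins with only the fields the checks need, and the fixed 512-block segment size and the bitmap-size formula are assumptions made for the model. It validates a constructed good image and rejects crafted ones before any arithmetic that would divide by zero or walk past the checkpoint buffer.

```c
/*
 * Added example: user-space model of mount-time geometry checks for an
 * F2FS-style image (CVE-2018-13097, CVE-2018-13100, CVE-2018-13096).
 * Not code from the advisory or from fs/f2fs; structs, names and the
 * constants below are simplified stand-ins for illustration.
 */
#include <stdint.h>
#include <stdio.h>

enum geom_status {
    GEOM_OK = 0,
    GEOM_BAD_SEGMENT = -1,   /* segment/section layout unusable */
    GEOM_BAD_ZONE = -2,      /* secs_per_zone would divide by zero or overrun */
    GEOM_BAD_BITMAP = -3     /* checkpoint bitmap length does not match layout */
};

/* Geometry fields read straight from the (attacker-controlled) superblock. */
struct raw_super {
    uint32_t log_blocks_per_seg;  /* assumed fixed at 9: 512 blocks per segment */
    uint32_t segment_count_sit;
    uint32_t segment_count_nat;
    uint32_t section_count;
    uint32_t segs_per_sec;
    uint32_t secs_per_zone;
};

/* Lengths read from the (also attacker-controlled) checkpoint. */
struct raw_checkpoint {
    uint32_t sit_ver_bitmap_bytesize;
    uint32_t nat_ver_bitmap_bytesize;
};

/*
 * Bytes a version bitmap should occupy for the model: one bit per block in
 * half of the SIT/NAT segments (the other half is the shadow copy).
 * Assumption of this example, used to pin the bitmap length to the layout.
 */
static uint32_t expected_bitmap_bytes(uint32_t segs, uint32_t log_blocks_per_seg)
{
    return ((segs / 2) << log_blocks_per_seg) / 8;
}

static int sanity_check_geometry(const struct raw_super *sb,
                                 const struct raw_checkpoint *cp)
{
    /* Bound the shift first so the derived sizes below cannot overflow. */
    if (sb->log_blocks_per_seg != 9 || sb->segs_per_sec == 0 ||
        sb->section_count == 0)
        return GEOM_BAD_SEGMENT;

    /*
     * secs_per_zone is the divisor of the section-to-zone mapping: zero
     * divides by zero, and a value above the section count indexes past
     * the zone tables that are sized from it.
     */
    if (sb->secs_per_zone == 0 || sb->secs_per_zone > sb->section_count)
        return GEOM_BAD_ZONE;

    /*
     * Bitmap lengths drive copies and bit walks over the in-memory
     * checkpoint: an oversized value reads past the end of that buffer.
     */
    if (cp->sit_ver_bitmap_bytesize !=
            expected_bitmap_bytes(sb->segment_count_sit, sb->log_blocks_per_seg) ||
        cp->nat_ver_bitmap_bytesize !=
            expected_bitmap_bytes(sb->segment_count_nat, sb->log_blocks_per_seg))
        return GEOM_BAD_BITMAP;

    return GEOM_OK;
}

/* Section -> zone lookup; only safe once sanity_check_geometry() passed. */
static uint32_t zone_from_section(const struct raw_super *sb, uint32_t secno)
{
    return secno / sb->secs_per_zone;
}

int main(void)
{
    /* Constructed images: one consistent, one with secs_per_zone zeroed. */
    struct raw_super good = { 9, 2, 2, 16, 1, 2 };
    struct raw_checkpoint cp = { 64, 64 };
    struct raw_super crafted = good;

    crafted.secs_per_zone = 0;
    printf("good image: %d, zone of section 7: %u\n",
           sanity_check_geometry(&good, &cp), zone_from_section(&good, 7));
    printf("crafted image: %d\n", sanity_check_geometry(&crafted, &cp));
    return 0;
}
```

The ordering matters: every field that later serves as a divisor, shift count or length is checked before the first use, so a crafted image is rejected at mount time instead of at the first lookup.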
