[Ksplice-Fedora-27-updates] New Ksplice updates for Fedora 27 (FEDORA-2018-8484550fff)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Jul 23 17:03:13 PDT 2018
Synopsis: FEDORA-2018-8484550fff can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2018-12896 CVE-2018-13053 CVE-2018-13093 CVE-2018-13094 CVE-2018-13095 CVE-2018-13405 CVE-2018-13406 CVE-2018-3639
Systems running Fedora 27 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-8484550fff.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Fedora 27
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Improved fix for CVE-2017-5753: Speculative execution in array accesses.
The current fix for CVE-2017-5753 fails to correctly disable compiler
optimization, which results in some array accesses not being correctly
protected against speculative execution attacks.
* Memory corruption in ALSA Dynamic Power Management driver.
When unloading an ALSA audio device that uses the Dynamic Power
Management feature, the device is not removed from the global list
before being freed. This can result in memory corruption or a
denial-of-service.
* Possible denial-of-service when multiple console writes race.
If multiple threads call the kernel console message utility
printk_safe_log_store() simultaneously, the re-use of local variables
might result in a kernel oops and denial-of-service.
* Use-after-free in FUSE when failing to create superblock.
If an error occurs while creating a Filesystem in Userspace superblock
after the connection to the FUSE service is made, the connection is not
torn down, resulting in a use-after-free and potential denial-of-service
when the superblock is freed.
* NULL-pointer dereference in FUSE when failing to create inode.
If inode creation fails for a Filesystem in Userspace file, the
connection teardown to the FUSE service might improperly try to clean up
the non-existent inode, resulting in a NULL-pointer dereference and
denial-of-service.
* Out-of-bounds write in Device Tree overlay when resolving new devices.
When resolving a new Device Tree overlay, the device's property offsets
are not properly validated, potentially resulting in an out-of-bounds
write.
* Use-after-free in Trusted Platform Module context load.
In certain error cases, attempting to load the context structure for an
Intel Trusted Platform Module 2.0 device will result in use-after-free,
potentially causing a denial-of-service.
* Race condition in Trusted Platform Module common write function.
Missing locking in the Trusted Platform Module common write code could
allow two simultaneous TPM device accesses to overwrite each other's
data, potentially resulting in a denial-of-service or other unspecified
behavior.
* Invalid assertion in RDMA-over-Infiniband causes denial-of-service.
An invalid assertion could in rare cases cause a kernel panic and
denial-of-service when an unknown work request was received through a
management datagram.
* NULL-pointer dereference in RDMA-over-Infiniband completion queue.
When failing to create an RDMA-over-Infiniband completion queue, the
driver fails to provide a name for the calling function, resulting in a
NULL-pointer dereference when the error history is later inspected via
RDMA restrack.
* Stack corruption in NFSv4 idmapper verification with large uid.
When attempting to verify a uid or gid above 2147483647 in the NFSv4
idmapper code, a single NULL-byte will be written out-of-bounds on the
stack, resulting in a kernel panic and denial-of-service.
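The failure mode above is a formatting off-by-one: a 32-bit id above 2147483647 rendered through a signed conversion gains a leading minus sign, so it needs one byte more than a buffer sized for ten digits plus NUL can hold. The following is an added user-space illustration of that boundary and of the checked alternative (bounded snprintf whose return value is inspected, and the unsigned conversion the value actually calls for); it is not the kernel's idmapper code, and ID_BUF_LEN and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* The longest unsigned 32-bit decimal is "4294967295": 10 digits + NUL = 11.
 * A buffer of this size is only sufficient if the id is formatted unsigned.
 * (ID_BUF_LEN is a constructed name for this example.) */
#define ID_BUF_LEN 11

/* Format id with a signed conversion, as code that keeps a 32-bit id in an
 * int would. snprintf() never writes past len bytes; its return value says
 * whether the full rendering fit. Returns the rendered length, or -1 when the
 * value plus NUL would not fit. The (int) cast of an id above INT_MAX is
 * implementation-defined and wraps negative on the usual compilers. */
static int format_id_signed(uint32_t id, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%d", (int)id);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Same, with the unsigned conversion the value actually calls for. */
static int format_id_unsigned(uint32_t id, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%u", id);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* 1 if a signed rendering of id fits in ID_BUF_LEN bytes, else 0. */
int signed_id_fits(uint32_t id)
{
    char buf[ID_BUF_LEN];
    return format_id_signed(id, buf, sizeof buf) >= 0;
}

/* 1 if an unsigned rendering of id fits in ID_BUF_LEN bytes, else 0. */
int unsigned_id_fits(uint32_t id)
{
    char buf[ID_BUF_LEN];
    return format_id_unsigned(id, buf, sizeof buf) >= 0;
}

/* Bytes (including NUL) a signed rendering needs; shows where the sign
 * character pushes the string one byte past a 10-digit buffer. */
size_t signed_bytes_needed(uint32_t id)
{
    char tmp[32];
    return (size_t)snprintf(tmp, sizeof tmp, "%d", (int)id) + 1;
}

int main(void)
{
    /* Constructed sample ids around the signed 32-bit boundary. */
    uint32_t ids[] = { 2147483647u, 2147483648u, 4294967295u };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("%u: signed needs %zu bytes (fits=%d), unsigned fits=%d\n",
               ids[i], signed_bytes_needed(ids[i]),
               signed_id_fits(ids[i]), unsigned_id_fits(ids[i]));
    return 0;
}
```

An unbounded sprintf() in place of snprintf() would write the twelfth byte past the buffer; with snprintf() the rendering is truncated inside the bound and the -1 return makes the caller notice.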
* NULL-pointer dereference due to race condition in Ceph backend task.
A race condition when canceling tasks in the Ceph RADOS block backend
might cause a work queue structure to be dereferenced after being
destroyed, resulting in a NULL-pointer dereference and
denial-of-service.
* Denial-of-service in UDF filesystem with incorrect directory size.
If a directory on the UDF filesystem reported a larger-than-accurate
size when being read, the entry could become further corrupted or
result in a denial-of-service.
* Stack overflow in Elan I2C/SMBus touchpad driver.
Incorrectly sized stack structures in the Elan I2C/SMBus touchpad driver
could potentially allow overwriting stack values when initializing or
calibrating the device.
* Denial-of-service when formatting filesystem while using DM-MPIO.
Removing a file on a DM Multipath device while in the process of cloning
the device can result in a race condition and denial-of-service.
* Deadlock when using selinuxfs and userfault.
Reversed lock ordering in the selinuxfs implementation could allow a
deadlock to occur on a file backed by userspace memory, resulting in a
denial-of-service.
* Deadlock with XFS and zoned block device mapper.
Calling fs_reclaim on an XFS filesystem backed by a dm-zoned block
device could result in a lock order reversal, causing a hang and
denial-of-service.
* CVE-2018-13406: Denial-of-service due to overflow in VBE2+ video driver.
Failing to validate the size and number of entries in an array
allocation in the Video BIOS 2.0 driver could result in an overflowed
allocation and denial-of-service.
* Denial-of-service due to overflow in UBIFS journal allocation.
Failing to validate the entry size and length of an array allocation
when allocating a data node for the Unsorted Block Image File System
could result in an overflow in the allocation and denial-of-service.
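Both the VBE2+ and the UBIFS items above describe the same class of defect: an allocation size computed as count times element size without checking that the product fits, so a large count wraps to a small request and later writes run past the buffer. The following is an added user-space example of the check (the idiom the kernel's kmalloc_array()/kcalloc() helpers apply), not code from either driver; the function names are constructed, and __builtin_mul_overflow is assumed to be available (GCC 5+ and Clang).

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* 1 if n * size would wrap around size_t, else 0. */
int array_bytes_overflow(size_t n, size_t size)
{
    size_t bytes;
    return __builtin_mul_overflow(n, size, &bytes) ? 1 : 0;
}

/* The byte count an unchecked "n * size" would actually hand to the
 * allocator: on wrap-around this is tiny, and the caller then writes n
 * elements into a buffer that holds almost none of them. */
size_t unchecked_request(size_t n, size_t size)
{
    return n * size;
}

/* Checked allocation: refuse outright when the element count times the
 * element size would wrap, instead of returning an undersized buffer. */
void *alloc_array_checked(size_t n, size_t size)
{
    size_t bytes;
    if (__builtin_mul_overflow(n, size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* Allocate n elements of size bytes through the checked path, verify the
 * result, and release it. Returns 1 on success, 0 when refused or failed. */
int checked_alloc_roundtrip(size_t n, size_t size)
{
    void *p = alloc_array_checked(n, size);
    if (!p)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;   /* constructed: huge * 2 wraps to 0 */
    printf("unchecked request for %zu x 2 bytes = %zu bytes\n",
           huge, unchecked_request(huge, 2));
    printf("overflow detected: %d\n", array_bytes_overflow(huge, 2));
    printf("checked alloc of 1024 x 16 ok: %d\n", checked_alloc_roundtrip(1024, 16));
    printf("checked alloc of huge x 2 ok: %d\n", checked_alloc_roundtrip(huge, 2));
    return 0;
}
```

The defensive rule is that any count that originates from device or on-disk data (VBE mode tables, UBIFS node headers) must pass through the overflow-checked multiply before it reaches the allocator.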
* Improved fix for CVE-2018-3639: Correctly enable SSB on Xen PV guests.
The speculative store bypass fixes for Spectre variant 4 are not
correctly enabled on Xen Paravirtualization guest machines.
* Denial-of-service with DesignWare USB2 controller driver port bitmap.
Incorrectly applying the port bitmap for a DesignWare High-Speed USB2
Controller device could cause an out-of-bounds write and kernel panic. A
malicious device could exploit this flaw to cause a denial-of-service.
* Information leak in virtual terminal screen buffer allocation.
When creating a virtual terminal device, the memory for the screen
buffer is not properly sanitized, potentially exposing kernel memory to
userspace.
* Denial-of-service due to invalid assertion in netfilter chain.
An invalid assertion when processing an exceptionally long netfilter
chain could cause a denial-of-service.
* CVE-2018-13093: NULL-pointer dereference when reusing inodes in xfs.
If an XFS filesystem becomes corrupted, the local inode cache might
attempt to re-allocate in-use inodes. This can result in a deadlock or
NULL-pointer dereference and denial-of-service.
* CVE-2018-13094: NULL-pointer dereference when shrinking xfs inode.
When attempting to shrink an xfs inode for a file with corrupted
extended attributes, the non-existent attribute buffer might be
dereferenced, resulting in a denial-of-service.
* Denial-of-service when xfs inode has invalid extent size hints.
A corrupted xfs inode with an invalid extent size hint could trigger a
kernel assertion, resulting in a denial-of-service.
* CVE-2018-13095: Denial-of-service on xfs inode with outsize extent count.
The xfs filesystem fails to properly handle an inode with more extents
than fit in the inode fork. Encountering such a file could cause the xfs
verification code to corrupt memory or cause a denial-of-service.
* CVE-2018-13405: Permissions bypass when creating file in SGID directory.
Creating an executable file in an SGID directory can result in the file
having the group ownership of the directory. This can be exploited to
elevate privileges if the file is created in a directory owned by a
privileged group.
* CVE-2018-13053: Integer overflow in alarm_timer_nsleep.
The alarm_timer_nsleep function in the kernel timekeeping code does not
check for overflow when adding two time values together, potentially
causing undefined behavior in the kernel.
* CVE-2018-12896: Denial-of-service via POSIX timer overflow.
The POSIX timer overrun value can potentially overflow an integer value
if the timer has a sufficiently long interval and expiry time. A
malicious user could create such a timer to cause a denial-of-service.
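The two timer items above (CVE-2018-13053 and CVE-2018-12896) are both unchecked additions on time-derived values: a relative sleep deadline computed as now plus delay, and an overrun counter that keeps growing for a long-lived timer with a short interval. The following added user-space example shows the saturating arithmetic that closes both, beside the wrapping versions; it is modelled on the kernel's ktime_add_safe() idiom but is not kernel code, and the type and function names are constructed. __builtin_add_overflow is assumed to be available (GCC 5+ and Clang).

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

typedef int64_t ktime_ns;            /* nanoseconds in a signed 64-bit value */
#define KTIME_NS_MAX INT64_MAX

/* Unchecked addition: wraps for large operands. Done through unsigned so the
 * wrap is well defined in this demo; in signed arithmetic it is undefined. */
ktime_ns ktime_add_unchecked(ktime_ns a, ktime_ns b)
{
    return (ktime_ns)((uint64_t)a + (uint64_t)b);
}

/* Saturating addition: a sum that would leave the representable range is
 * clamped, so an absurdly long relative delay becomes "effectively never"
 * rather than a deadline that wraps into the past. */
ktime_ns ktime_add_sat(ktime_ns a, ktime_ns b)
{
    ktime_ns r;
    if (__builtin_add_overflow(a, b, &r))
        return (b < 0) ? INT64_MIN : KTIME_NS_MAX;
    return r;
}

/* Absolute deadline for a relative sleep request: now + delay, saturated. */
ktime_ns relative_sleep_deadline(ktime_ns now, ktime_ns delay)
{
    return ktime_add_sat(now, delay);
}

/* Overrun accounting: the value reported to userspace is an int. Newly
 * missed intervals are added with a clamp at INT_MAX so the counter can
 * never wrap negative no matter how long the timer lives. */
int overrun_add_sat(int overrun, int64_t missed)
{
    int64_t total;
    if (missed <= 0)
        return overrun;
    if (__builtin_add_overflow((int64_t)overrun, missed, &total) || total > INT_MAX)
        return INT_MAX;
    return (int)total;
}

/* Same accounting without the clamp: the narrowing to int silently wraps. */
int overrun_add_unchecked(int overrun, int64_t missed)
{
    return (int)(uint32_t)((int64_t)overrun + missed);
}

int main(void)
{
    /* Constructed values near the limits. */
    printf("unchecked: MAX + 1 = %lld\n", (long long)ktime_add_unchecked(KTIME_NS_MAX, 1));
    printf("saturated: MAX + 1 = %lld\n", (long long)ktime_add_sat(KTIME_NS_MAX, 1));
    printf("deadline(MAX-10, 100) = %lld\n", (long long)relative_sleep_deadline(KTIME_NS_MAX - 10, 100));
    printf("overrun unchecked: INT_MAX + 1 = %d\n", overrun_add_unchecked(INT_MAX, 1));
    printf("overrun saturated: INT_MAX + 1 = %d\n", overrun_add_sat(INT_MAX, 1));
    return 0;
}
```

The same clamp-at-maximum rule applies wherever userspace can choose the operands: an attacker-chosen interval or expiry should be able to produce at most a pegged counter or a far-future deadline, never a wrapped one.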
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.