[Ksplice-Fedora-27-updates] New Ksplice updates for Fedora 27 (FEDORA-2018-a0a96d42a8)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jun 8 10:10:29 PDT 2018


Synopsis: FEDORA-2018-a0a96d42a8 can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2018-1000200 CVE-2018-10323 CVE-2018-11508

Systems running Fedora 27 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-a0a96d42a8.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 27
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service when accessing audio frames from 32-bit userspace.

A logic error in the compat ioctl handler when reading or writing audio
frames from 32-bit userspace could lead to a kernel log flood. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when streaming audio over FireWire.

A logic error in the computation of the number of packets to send while
streaming audio over FireWire could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.


* Use-after-free while using the ALSA Generic loopback driver.

A locking error when using the ALSA Generic loopback driver could lead to
a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using the TCM/IBLOCK Subsystem Plugin for Linux/BLOCK.

A logic error when using the TCM/IBLOCK Subsystem Plugin for Linux/BLOCK
could lead to a kernel assert. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds access when registering a new input device LED.

A logic error when registering a new input device LED could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when accessing a dead Mellanox Connect-IB HCA MR.

A logic error when accessing a dead Mellanox Connect-IB HCA MR could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Out-of-bounds access when setting Queue Pair size in the Mellanox Connect-IB HCA driver.

A missing check when setting the Queue Pair size in the Mellanox
Connect-IB HCA driver could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* Use-after-free when handling BTRFS extent trees.

A locking error when handling BTRFS extent trees could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when releasing resources in the DRM driver for VMware Virtual GPU.

A logic error when releasing resources in the DRM driver for VMware
Virtual GPU could lead to a memory leak. A local attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.


* Use-after-free when releasing a device in the USB XHCI driver.

A logic error when releasing a device in the USB XHCI driver could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using the USB Handspring Visor driver.

A logic error when parsing a descriptor in the USB Handspring Visor
driver could lead to a memory leak and an invalid memory access. A local
attacker could use this flaw with a crafted USB device to cause a
denial-of-service.


* Denial-of-service in routing table locking implementation.

Multiple race conditions in the routing table locking can result in a
deadlock or hung tasks. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service in Reliable Datagram Socket connection management.

Incorrect locking can result in the Kernel attempting to sleep when in
interrupt context, leading to a Kernel crash. A local user could use
this flaw to cause a denial-of-service.


* Denial-of-service during binding of cryptographic userspace interface.

A validation failure in the cryptographic userspace interface
implementation can result in the reading of uninitialised memory,
leading to undefined behaviour. A local user could use this flaw to
cause a denial-of-service.


* Denial-of-service in netlink sendmsg implementation.

A validation failure in the netlink sendmsg implementation can result in
the reading of uninitialised memory, leading to undefined behaviour. A
local user could use this flaw to cause a denial-of-service.


* Denial-of-service in netlink routing configuration interface.

A validation failure in the netlink interface for routing information
can result in the reading of uninitialised memory, leading to undefined
behaviour. A local user could use this flaw to cause a
denial-of-service.


* Undefined behaviour in socket buffer cloning.

A failure to initialise a variable when cloning a socket buffer can
result in undefined behaviour.


* Undefined behaviour in IPv6 Duplicate Address Detection.

A logic error when processing hardware addresses during IPv6 Duplicate
Address Detection can result in reading of uninitialised memory, leading
to undefined behaviour.


* Denial-of-service in memory cgroup resource freeing.

Incorrect error handling of a memory allocation failure in the memory
cgroup can result in a NULL pointer dereference, leading to a Kernel
crash. A local user could use this flaw to cause a denial-of-service.


* Denial-of-service in i2c-dev read/write ioctl.

A logic error when allocating a zero length buffer in the i2c-dev driver
can result in the dereference of an invalid pointer, leading to a Kernel
crash. A local user with access to an i2c-dev device could use this flaw
to cause a denial-of-service.


* Denial-of-service in block backing device release.

A logic error can result in a failure to correctly shut down writeback
queues when a device is released. A local user could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when shutting down writeback workqueue.

A race condition when shutting down a block backing device writeback
workqueue can result in a NULL pointer dereference, leading to a Kernel
crash.


* CVE-2018-11508: Information disclosure in 32-bit timex syscall.

A failure to correctly initialize memory can result in a leak of
sensitive Kernel memory to userspace. A local user could use this flaw
to facilitate a further attack.
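The entry above, and the several "reading of uninitialised memory" entries earlier in this list, share one mechanism: a structure is filled field by field and then copied out to userspace, so any padding bytes still carry whatever the memory held before. The following added example (not Ksplice's or the kernel's code) models that in userspace: a constructed `struct reply`, a buffer pre-filled with a marker standing in for stale kernel data, and a leaky filler next to the fixed one that zeroes the whole object first, which is the same shape as the usual in-kernel fix of a memset before the copy to userspace. The layout is inspected at runtime with `offsetof`, so the padding count is measured rather than assumed.

```c
/* Added example, not from the advisory or the kernel: how field-by-field
 * initialisation leaks stale memory through structure padding, and how
 * zeroing the whole object first closes the leak. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply structure. On common ABIs there are 7 padding bytes
 * after 'flag' and 6 after 'count'; none of them is written by field
 * assignments. */
struct reply {
    uint8_t  flag;
    uint64_t value;
    uint16_t count;
};

#define STALE 0xA5 /* constructed marker for previously used memory */

/* Vulnerable pattern: set the fields in a buffer that still holds old
 * data; the padding keeps whatever was there before. */
void fill_reply_leaky(struct reply *r)
{
    r->flag  = 1;
    r->value = 0x1122334455667788ULL;
    r->count = 3;
}

/* Fixed pattern: zero the whole object before setting fields. */
void fill_reply_fixed(struct reply *r)
{
    memset(r, 0, sizeof(*r));
    r->flag  = 1;
    r->value = 0x1122334455667788ULL;
    r->count = 3;
}

/* 1 if byte offset 'off' lies inside a named field, 0 if it is padding. */
static int in_field(size_t off)
{
    return (off >= offsetof(struct reply, flag)  && off < offsetof(struct reply, flag)  + sizeof(uint8_t))
        || (off >= offsetof(struct reply, value) && off < offsetof(struct reply, value) + sizeof(uint64_t))
        || (off >= offsetof(struct reply, count) && off < offsetof(struct reply, count) + sizeof(uint16_t));
}

/* Number of padding bytes in the layout, measured rather than assumed. */
int padding_bytes(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(struct reply); i++)
        if (!in_field(i))
            n++;
    return n;
}

/* Simulate the copy-out: place the struct in memory pre-filled with STALE,
 * run the filler, then count padding bytes that still carry STALE. That is
 * the number of bytes a userspace caller would receive from the previous
 * occupant of that memory. The union keeps the struct correctly aligned. */
int count_leaked_padding(void (*fill)(struct reply *))
{
    union { struct reply r; unsigned char b[sizeof(struct reply)]; } u;
    memset(u.b, STALE, sizeof u.b);   /* stale data from an earlier use */
    fill(&u.r);
    int leaked = 0;
    for (size_t i = 0; i < sizeof u.b; i++)
        if (!in_field(i) && u.b[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("padding bytes in struct reply: %d\n", padding_bytes());
    printf("leaky filler leaves %d stale bytes\n", count_leaked_padding(fill_reply_leaky));
    printf("fixed filler leaves %d stale bytes\n", count_leaked_padding(fill_reply_fixed));
    return 0;
}
```

The leaky filler leaves every padding byte untouched, the fixed one leaves none; compile with `-O2` as well, since no optimisation level is allowed to write the padding for you.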


* NULL pointer dereference during failed GPIO line event creation.

A failure to handle a GPIO request failure can result in a NULL pointer
dereference, leading to a Kernel crash.


* Undefined behaviour in integrity block device memory allocation.

An incorrect free in the integrity block device could result in
undefined behaviour, leading to a Kernel crash.


* CVE-2018-1000200: Denial-of-service during OOM killer memory unmapping.

A race condition in the OOM killer can result in a double free of mmap
memory, leading to a Kernel crash. A local user with the ability to
trigger the OOM killer could use this flaw to cause a denial-of-service.


* Invalid memory access when using ALSA virmidi sequencer.

A locking error when using ALSA virmidi sequencer could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in Ceph direct read/write implementation.

A failure to validate buffer sizes from userspace can result in an
assertion failure, leading to a Kernel crash. A local user with access
to a Ceph filesystem could use this flaw to cause a denial-of-service.


* Improved fix for CVE-2017-5753: Bounds-check bypass in ATM LAN emulation.

A missing use of the indirect call protection macro in the ATM LAN
emulation driver could allow speculative execution past a bounds check. A
local attacker could use this flaw to leak information about the running
system.


* Improved fix for CVE-2017-5753: Bounds-check bypass in scheduler userspace interface.

A missing use of the indirect call protection macro in the scheduler
userspace interface could allow speculative execution past a bounds
check. A local attacker could use this flaw to leak information about the
running system.


* Improved fix for CVE-2017-5753: Bounds-check bypass in perf subsystem.

Multiple missing uses of the indirect call protection macro in the perf
subsystem could allow speculative execution past a bounds check. A local
attacker could use this flaw to leak information about the running
system.
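The three CVE-2017-5753 entries above all patch in the same mitigation, so one example serves all of them. The following is an added example, not Ksplice's or the kernel's code: a userspace reimplementation of the branch-free mask that mainline Linux uses in `array_index_nospec()` to clamp an array index, shown beside an unclamped lookup. The mask arithmetic is the kernel's generic (non-assembly) form; the lookup table and the two `lookup_*` functions are constructed for illustration. The `OPTIMIZER_HIDE` asm statement is needed for the same reason the kernel has it: after the bounds check the compiler knows the index is in range and would otherwise delete the mask.

```c
/* Added example, not from the advisory or the kernel: the index clamp
 * behind the "bounds-check bypass" fixes above, reimplemented in userspace. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * 8)

/* Stop the optimiser from proving the mask redundant after the branch
 * (the kernel's OPTIMIZER_HIDE_VAR does the same; GCC/Clang syntax). */
#define OPTIMIZER_HIDE(var) __asm__ __volatile__("" : "+r"(var))

/* Branch-free mask: all ones when index < size, all zeros otherwise.
 * If index >= size, (size - 1 - index) wraps and sets the top bit, so the
 * complement's top bit is clear and the arithmetic shift yields 0. Relies
 * on arithmetic right shift of a negative long, as the kernel does. */
unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp: index unchanged when in range, 0 when out of range. The CPU can
 * speculate past a conditional branch but not past this data dependency. */
unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask = index_mask_nospec(index, size);
    OPTIMIZER_HIDE(mask);
    return index & mask;
}

/* Constructed table standing in for the kernel array being indexed. */
static const uint32_t table[8] = { 10, 11, 12, 13, 14, 15, 16, 17 };
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

/* Before: architecturally correct, but while the branch is unresolved the
 * load at table[idx] may execute speculatively with an out-of-range idx. */
uint32_t lookup_unprotected(unsigned long idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    return table[idx];
}

/* After: the clamp guarantees even a speculative load stays inside
 * table[0..TABLE_LEN-1]. Results are identical to the unprotected version
 * on every architecturally executed path, which is what a test can check. */
uint32_t lookup_protected(unsigned long idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    idx = clamp_index_nospec(idx, TABLE_LEN);
    return table[idx];
}

int main(void)
{
    printf("mask(3, 8)   = %lx\n", index_mask_nospec(3, TABLE_LEN));
    printf("mask(8, 8)   = %lx\n", index_mask_nospec(8, TABLE_LEN));
    printf("clamp(100,8) = %lu\n", clamp_index_nospec(100, TABLE_LEN));
    printf("lookup(5)    = %u\n", lookup_protected(5));
    return 0;
}
```

A test can only confirm that the clamp is value-preserving in range and forces 0 out of range; the speculative benefit itself is not observable from C, which is why reviewing each bounds-checked lookup for the clamp (the "missing use" the entries above describe) remains a code-audit task rather than a runtime one.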


* CVE-2018-10323: NULL pointer dereference when converting extents format to a B+tree in the XFS filesystem.

A logic error when converting extents format to a B+tree in the XFS
filesystem could lead to a NULL pointer dereference. A local attacker
could use this flaw with a crafted XFS image to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
