[Ksplice-Fedora-27-updates] New Ksplice updates for Fedora 27 (FEDORA-2018-a13691074b)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu May 17 12:12:55 PDT 2018


Synopsis: FEDORA-2018-a13691074b can now be patched using Ksplice
CVEs: CVE-2018-1093 CVE-2018-1108

Systems running Fedora 27 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-a13691074b.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 27
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* NULL-pointer dereference in ext4 filesystem with aborted journal.

If the ext4 journaling process is run on an aborted journal, the
associated journal handle is set to NULL but later dereferenced in the
error path. This can be exploited by a malicious user to cause a
denial-of-service.


* CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.

A failure to correctly validate bitmap information from an ext4
filesystem can result in an out-of-bounds read, leading to a kernel
crash. A local user with the ability to mount an ext4 filesystem could
use this flaw to cause a denial-of-service.


* Improved fix for CVE-2018-1108: Information leak in kernel random number generator.

The fix for CVE-2018-1108 might produce insufficiently random data if the
backing random number generator is not properly initialized.


* Information leak in usbip event debug message.

A debug message in the USB-over-IP device sharing event system printed
an unsanitized kernel address, potentially allowing an attacker to
map the randomized memory layout of the kernel.


* Denial-of-service due to erroneous error condition in tty device driver.

An inappropriately strict error condition in the terminal device driver
could cause a kernel panic even though the driver was functioning
correctly. A malicious user could potentially use this to cause a
denial-of-service.


* Speculative execution attacks in various ALSA sound drivers.

Various arrays in the ALSA sound driver code are potentially vulnerable
to a Spectre variant 1 speculative execution attack.


* Denial-of-service when loading filesystem over Quad-SPI.

An out-of-bounds read in the Cadence QSPI driver could read past a
page boundary when loading a root filesystem. An attacker could
exploit this to cause a denial-of-service.


* Double free of random bits generator leads to memory corruption.

The random bits generator for the generic crypto subsystem can in rare
cases be reused, resulting in a double free if an error is encountered
during setup.


* NULL-pointer dereference in Ceph write on non-active connection.

A race condition when reading data across the Ceph messaging protocol
could cause an attempted write on a NULL socket pointer, causing a
denial-of-service.


* File system corruption on ext4 with fallocate.

The fallocate operation does not properly sanitize the "insert range"
parameter, potentially causing an overflow and corrupting filesystem
data.


* Buffer overrun in USB-over-IP driver causes memory corruption.

The USB-over-IP hub control driver can, in some cases, access memory out
of bounds if it receives a port number less than 0.
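The defect described above is the classic signed-index check that only
tests the upper bound. The following is an added example written for
this advisory, not Ksplice's or the kernel's code: a constructed hub
port table, the one-sided check beside the corrected two-sided check,
and an accessor that uses the corrected one. Names such as
port_check_upper_only, hub_get_port_status and NUM_PORTS are
assumptions for illustration.

```c
/* Added example (not Ksplice's or the kernel's code): a signed port
 * index validated only against the upper bound, beside the corrected
 * check. The hub port table below is constructed sample data. */
#include <stdbool.h>
#include <stdio.h>

#define NUM_PORTS 8          /* constructed: hub with 8 ports */

struct port_status {
    unsigned int status;     /* constructed: bit flags for the port */
    unsigned int change;
};

/* Constructed sample hub state: exactly NUM_PORTS entries. */
static struct port_status hub_ports[NUM_PORTS];

/* Mirrors the flawed pattern: only the upper bound is checked, so a
 * negative port number passes and would index memory before the array.
 * This helper only reports whether the check would allow the access;
 * it never performs the access itself. */
static bool port_check_upper_only(int port)
{
    return port < NUM_PORTS;
}

/* Hardened: reject negative indices as well as too-large ones. */
static bool port_check_both_bounds(int port)
{
    return port >= 0 && port < NUM_PORTS;
}

/* Safe accessor: 0 on success, -1 for an invalid port number.
 * The table is touched only after the two-sided check passes. */
static int hub_get_port_status(int port, struct port_status *out)
{
    if (!port_check_both_bounds(port))
        return -1;
    *out = hub_ports[port];
    return 0;
}

int main(void)
{
    struct port_status st;
    int probes[] = { -1, 0, NUM_PORTS - 1, NUM_PORTS };
    size_t i;

    hub_ports[0].status = 0x101;   /* constructed: connected + enabled */

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int p = probes[i];
        printf("port %2d: upper-only check %s, two-sided check %s\n", p,
               port_check_upper_only(p) ? "ALLOWS" : "rejects",
               port_check_both_bounds(p) ? "allows" : "rejects");
    }
    if (hub_get_port_status(0, &st) == 0)
        printf("port 0 status 0x%x\n", st.status);
    return 0;
}
```

Running it shows the one-sided check letting port -1 through while the
two-sided check rejects both -1 and 8; an unsigned index type would
remove the negative case entirely, but then the upper-bound check is the
only thing standing between the driver and the end of the table.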


* NULL-pointer dereference in tty driver when restoring line discipline.

When encountering an error while restoring a line discipline, the return
pointer from tty_ldisc_get() is not properly checked for error,
resulting in a potential denial-of-service.
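The point a reviewer would want to see here is that an error-encoded
pointer is not NULL, so a plain NULL test does not catch it. The
following added example, written for this advisory and not taken from
Ksplice or the kernel, models the kernel's ERR_PTR()/IS_ERR()/PTR_ERR()
convention in userland with a constructed ldisc_get() that fails for
unsupported line discipline numbers, and shows a NULL-only check beside
the IS_ERR() check. ldisc_get, restore_ldisc, N_SUPPORTED and
null_check_lets_error_through are assumed names for illustration.

```c
/* Added example (not Ksplice's or the kernel's code): why a NULL test
 * is not enough when a function returns error-encoded pointers. The
 * ERR_PTR/IS_ERR/PTR_ERR helpers are modelled on the kernel's
 * convention of encoding -errno in the top MAX_ERRNO pointer values. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095

static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline bool IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

struct ldisc { int num; };

#define N_SUPPORTED 2        /* constructed: discipline numbers 0 and 1 exist */

/* Constructed stand-in for a lookup that returns an error pointer,
 * never NULL, on failure. */
static struct ldisc *ldisc_get(int num)
{
    struct ldisc *ld;

    if (num < 0 || num >= N_SUPPORTED)
        return ERR_PTR(-EINVAL);
    ld = malloc(sizeof *ld);
    if (!ld)
        return ERR_PTR(-ENOMEM);
    ld->num = num;
    return ld;
}

static void ldisc_put(struct ldisc *ld) { free(ld); }

/* Flawed pattern: "if (!ld)" does not catch an error pointer, so the
 * caller would go on to dereference it. This helper only reports
 * whether the NULL test lets an error value through; it never
 * dereferences the pointer. */
static bool null_check_lets_error_through(int num)
{
    struct ldisc *ld = ldisc_get(num);
    bool passes_null_test = (ld != NULL);

    if (!IS_ERR(ld))
        ldisc_put(ld);
    return passes_null_test && IS_ERR(ld);
}

/* Hardened: test with IS_ERR() before touching the object.
 * Returns 0 on success or the negative errno carried by the pointer. */
static int restore_ldisc(int num, int *restored_num)
{
    struct ldisc *ld = ldisc_get(num);

    if (IS_ERR(ld))
        return (int)PTR_ERR(ld);
    *restored_num = ld->num;
    ldisc_put(ld);
    return 0;
}

int main(void)
{
    int n = -1;
    int rc = restore_ldisc(99, &n);   /* constructed: unsupported number */

    printf("NULL-only check passes an error pointer for 99: %s\n",
           null_check_lets_error_through(99) ? "yes" : "no");
    printf("restore_ldisc(99) -> %d (%s)\n", rc, rc == -EINVAL ? "-EINVAL" : "other");
    rc = restore_ldisc(1, &n);
    printf("restore_ldisc(1) -> %d, restored discipline %d\n", rc, n);
    return 0;
}
```

The same pattern is what the kernel's IS_ERR_OR_NULL() exists for when a
callee can return either NULL or an error pointer; which test is correct
depends on the documented contract of the function being called.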


* NULL-pointer dereference when initializing SCSI block device state.

When initializing a SCSI block device, the initial state is not set
correctly, potentially allowing a race condition where the device
teardown is called early, resulting in a NULL-pointer dereference and
denial-of-service.


* Memory corruption due to reused pointers in block device scheduler.

The block device I/O scheduler reuses its I/O context pointers for each
request. These are not re-initialized, and so might cause memory
corruption when reused in later requests that pass through the
scheduler.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
