[Ksplice-Fedora-28-updates] New Ksplice updates for Fedora 28 (FEDORA-2018-ca0e10fc6e)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Aug 17 06:05:36 PDT 2018


Synopsis: FEDORA-2018-ca0e10fc6e can now be patched using Ksplice
CVEs: CVE-2018-14734

Systems running Fedora 28 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-ca0e10fc6e.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 28
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in PMEM namespace removal.

A missing check in the memory remapping code could lead to a general
protection fault when removing a pmem namespace that is smaller than the
memory section size.  This could be used to cause a denial-of-service.


* Denial-of-service in event trigger tracing.

A flaw in the trace_events code could lead to a double free, resulting
in memory corruption and a possible kernel panic.  A malicious user could
exploit this to cause a denial-of-service.


* Information leak in trace code when creating kthreads.

A race condition in the kthread code could allow an unterminated string
to be written into the task structure, potentially exposing kernel memory
to other threads.  This could lead to an information leak or memory
corruption and a possible kernel panic.


* Denial-of-service in fork with large number of Virtual Memory Areas.

If a process with a large number of Virtual Memory Areas (VMAs) is being
forked when it is selected by the OOM killer, the fork may prevent the OOM
killer from killing it and reclaiming its memory.  This could be used
to cause a denial-of-service.


* Denial-of-service in NFSv4 delegation error path.

A logic error in the NFSv4 code could lead to memory corruption and a
kernel crash.  This could be used to cause a denial-of-service.


* Use-after-free in NFSv4 device info decode.

A specially crafted request containing a malformed XDR array from an NFSv4
client could result in a use-after-free condition and a possible kernel
crash.  A malicious client could exploit this to cause a denial-of-service.


* Information leak in /proc pagemap swap entries.

A missing security check in the mm code could allow unprivileged
users to view pagemap swap entries, allowing an unprivileged user
access to information about the memory of another process.
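The following is an added example, not code from Ksplice or from the kernel, showing what an unprivileged reader of /proc/<pid>/pagemap could and could not recover. It decodes pagemap entries using the bit layout documented in Documentation/admin-guide/mm/pagemap.rst, and models (in the illustrative model_* functions, which are not the kernel's pte_to_pagemap_entry()) the entry the kernel emits for a swapped-out page before and after the swap type/offset were gated on the same CAP_SYS_ADMIN check that already hid the PFN of resident pages. The constructed entry (swap device 2, offset 0x1234) is sample input; the live-read helper only works on Linux and is skipped where /proc is unavailable.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Added example: decodes /proc/<pid>/pagemap entries and models what the kernel
 * puts in them for privileged and unprivileged readers. Bit positions follow
 * Documentation/admin-guide/mm/pagemap.rst; the model_* functions are
 * illustrative stand-ins, not the kernel's pte_to_pagemap_entry(). */

#define PM_PFRAME_BITS      55
#define PM_PFRAME_MASK      ((1ULL << PM_PFRAME_BITS) - 1)
#define PM_SOFT_DIRTY       (1ULL << 55)
#define PM_MMAP_EXCLUSIVE   (1ULL << 56)
#define PM_FILE             (1ULL << 61)
#define PM_SWAP             (1ULL << 62)
#define PM_PRESENT          (1ULL << 63)
#define MAX_SWAPFILES_SHIFT 5          /* swap type lives in bits 0-4, offset above it */

struct pagemap_info {
    bool present, swapped, file_shared, exclusive, soft_dirty;
    uint64_t pfn;                      /* meaningful only when present */
    unsigned swap_type;                /* meaningful only when swapped */
    uint64_t swap_offset;
};

/* Entry for a swapped-out page. show_pfn mirrors the kernel's CAP_SYS_ADMIN
 * check. With fixed == false the swap type/offset are filled in regardless of
 * show_pfn (the leak the advisory describes); with fixed == true they are
 * filled in only for privileged readers. */
static uint64_t model_swap_entry(unsigned type, uint64_t offset, bool show_pfn, bool fixed)
{
    uint64_t frame = 0;
    if (show_pfn || !fixed)
        frame = (uint64_t)type | (offset << MAX_SWAPFILES_SHIFT);
    return (frame & PM_PFRAME_MASK) | PM_SWAP;
}

/* Entry for a resident page: the PFN was already hidden from unprivileged
 * readers before this update. */
static uint64_t model_present_entry(uint64_t pfn, bool show_pfn)
{
    return ((show_pfn ? pfn : 0) & PM_PFRAME_MASK) | PM_PRESENT;
}

static struct pagemap_info decode_pagemap(uint64_t e)
{
    struct pagemap_info pi = {0};
    uint64_t frame = e & PM_PFRAME_MASK;

    pi.present     = (e & PM_PRESENT) != 0;
    pi.swapped     = (e & PM_SWAP) != 0;
    pi.file_shared = (e & PM_FILE) != 0;
    pi.exclusive   = (e & PM_MMAP_EXCLUSIVE) != 0;
    pi.soft_dirty  = (e & PM_SOFT_DIRTY) != 0;
    if (pi.present) {
        pi.pfn = frame;
    } else if (pi.swapped) {
        pi.swap_type   = (unsigned)(frame & ((1u << MAX_SWAPFILES_SHIFT) - 1));
        pi.swap_offset = frame >> MAX_SWAPFILES_SHIFT;
    }
    return pi;
}

/* Reads the live entry for one virtual address of this process. Returns 0 on
 * success, -1 if /proc is unavailable (for example inside a sandbox). */
static int read_pagemap_entry(const void *addr, uint64_t *out)
{
    long psz = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (psz <= 0 || fd < 0) return -1;
    off_t off = (off_t)((uintptr_t)addr / (uint64_t)psz) * (off_t)sizeof *out;
    ssize_t n = pread(fd, out, sizeof *out, off);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

static void show(const char *label, uint64_t e)
{
    struct pagemap_info pi = decode_pagemap(e);
    printf("%-34s present=%d swapped=%d pfn=0x%llx swap_type=%u swap_offset=0x%llx\n",
           label, pi.present, pi.swapped, (unsigned long long)pi.pfn,
           pi.swap_type, (unsigned long long)pi.swap_offset);
}

int main(void)
{
    /* Constructed sample: a page sitting on swap device 2 at offset 0x1234. */
    show("privileged reader",            model_swap_entry(2, 0x1234, true,  true));
    show("unprivileged, before the fix", model_swap_entry(2, 0x1234, false, false));
    show("unprivileged, after the fix",  model_swap_entry(2, 0x1234, false, true));
    show("resident page, unprivileged",  model_present_entry(0xabcde, false));

    uint64_t live;
    if (read_pagemap_entry(&live, &live) == 0)
        show("live entry for a stack page", live);
    return 0;
}
```

The point of the comparison is that the swapped flag itself remains visible after the fix; what an unprivileged reader loses is the swap device and the offset within it, which together identify where another process's page lives on disk.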


* Use-after-free in ceph statfs.

A race condition in the ceph code could allow a use-after-free during a
ceph statfs call.  This could be exploited to cause a denial-of-service.


* CVE-2018-14734: Use-after-free in Infiniband leave_multicast function.

A race condition in the infiniband code could allow the leave_multicast
function to use a structure that was allocated but subsequently freed in
the process_join function, leading to memory corruption and possible system
crash.
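The following is an added example, not Ksplice's or the kernel's code, modelling the ordering problem behind the CVE-2018-14734 description above: a join record is made reachable by id before the join has finished, so a concurrent leave can look it up and keep a pointer that the join's error path then frees. The names (mc_join, id_table, process_join_*) and the tiny id table standing in for the kernel's idr are illustrative. To keep the result deterministic, the racing leave is modelled as a lookup invoked synchronously at the race window rather than from a second thread; the vulnerable and fixed orderings differ only in when the object is published.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example: models the publish-before-commit race the advisory describes
 * for CVE-2018-14734. All names are illustrative stand-ins, not kernel code. */

#define MAX_IDS 8

struct mc_join {
    int id;
    unsigned group;                 /* multicast group, stand-in value */
};

/* Minimal id -> object table standing in for the kernel idr. A reserved id has
 * taken[id] set but may still have slot[id] == NULL. */
struct id_table {
    struct mc_join *slot[MAX_IDS];
    bool taken[MAX_IDS];
};

static int id_reserve(struct id_table *t)
{
    for (int i = 0; i < MAX_IDS; i++)
        if (!t->taken[i]) { t->taken[i] = true; return i; }
    return -1;
}

static void id_publish(struct id_table *t, int id, struct mc_join *mc) { t->slot[id] = mc; }

static struct mc_join *id_lookup(const struct id_table *t, int id)
{
    return (id >= 0 && id < MAX_IDS) ? t->slot[id] : NULL;
}

static void id_release(struct id_table *t, int id) { t->slot[id] = NULL; t->taken[id] = false; }

/* Stands in for a leave_multicast racing on the same id at the moment the join
 * still has a fallible step left. Records whether the lookup found an object. */
static void concurrent_leave(const struct id_table *t, int id, bool *saw_object)
{
    *saw_object = id_lookup(t, id) != NULL;
}

/* Vulnerable ordering: reserve, publish, then do the fallible step. On failure
 * the object is freed while a racing lookup may already hold the pointer. */
static int process_join_vulnerable(struct id_table *t, unsigned group, bool fail_late, bool *saw_object)
{
    struct mc_join *mc = calloc(1, sizeof *mc);
    if (!mc) return -1;
    mc->group = group;
    mc->id = id_reserve(t);
    if (mc->id < 0) { free(mc); return -1; }
    id_publish(t, mc->id, mc);          /* BUG: reachable before the join is complete */
    concurrent_leave(t, mc->id, saw_object);
    if (fail_late) {
        id_release(t, mc->id);
        free(mc);                       /* a racing leave now holds a dangling pointer */
        return -1;
    }
    return mc->id;
}

/* Fixed ordering: reserve the id, finish every fallible step, publish last.
 * A racing lookup during the window finds nothing. */
static int process_join_fixed(struct id_table *t, unsigned group, bool fail_late, bool *saw_object)
{
    struct mc_join *mc = calloc(1, sizeof *mc);
    if (!mc) return -1;
    mc->group = group;
    mc->id = id_reserve(t);
    if (mc->id < 0) { free(mc); return -1; }
    concurrent_leave(t, mc->id, saw_object);
    if (fail_late) {
        id_release(t, mc->id);          /* slot was never populated, nothing can dangle */
        free(mc);
        return -1;
    }
    id_publish(t, mc->id, mc);
    return mc->id;
}

/* True if a lookup racing a join that later fails could observe the object. */
static bool join_window_exposes_object(bool use_fixed)
{
    struct id_table t = {0};
    bool saw = false;
    if (use_fixed) process_join_fixed(&t, 0xe0000001u, true, &saw);
    else process_join_vulnerable(&t, 0xe0000001u, true, &saw);
    return saw;
}

/* True if a successful fixed join is reachable by id only after it completes. */
static bool fixed_join_publishes_on_success(void)
{
    struct id_table t = {0};
    bool saw = false;
    int id = process_join_fixed(&t, 0xe0000001u, false, &saw);
    bool ok = id >= 0 && !saw && id_lookup(&t, id) != NULL;
    if (id >= 0) free(t.slot[id]);
    return ok;
}

int main(void)
{
    printf("vulnerable ordering, racing lookup sees object: %s\n",
           join_window_exposes_object(false) ? "yes" : "no");
    printf("fixed ordering, racing lookup sees object: %s\n",
           join_window_exposes_object(true) ? "yes" : "no");
    return 0;
}
```

The general rule the fixed ordering follows is that an object must not be discoverable through a shared table until nothing on the creating path can still fail and free it; reserving the identifier first and publishing the pointer last achieves that without adding reference counting.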


* Denial-of-service in LightNVM pblk error handling.

Logic errors in the lightnvm pblk code could lead to memory
corruption and system crash.  A malicious user could use this to
cause a denial-of-service.


* Denial-of-service in BTRFS with a large number of dirty pages.

A failure to properly handle dirty pages in the btrfs code could lead to a
condition in which the size of the dirty metadata far exceeds the actual
size of the writes, causing btrfs to use a significant amount of memory to
deal with the dirty pages.  A malicious user could exploit this to cause a
denial-of-service.


* Denial-of-service in Intel Wireless driver receive buffer allocation.

A race condition in the Intel PCIe wireless driver when the receive buffer
allocator is run at the same time as the receive init function could result
in memory corruption and a kernel panic.  This could be used to cause a
denial-of-service.


* Denial-of-service in sysfs PCI device disable.

A failure to verify whether a device still has a driver attached when the
device is disabled through sysfs could leave the device driver in an
inconsistent state, leading to possible memory corruption or a kernel
panic.  This could be exploited by a malicious user to cause a
denial-of-service.


* Use-after-free in NVMe RDMA admin queue start.

A failure to properly handle error conditions in the nvme rdma code
during the creation of the admin queue could lead to a use-after-free
condition, causing memory corruption and a possible kernel panic.


* Denial-of-service in Marvell mwifiex histogram data.

A logic error when entering the histogram data for the mwifiex
driver could result in a buffer underflow, leading to memory
corruption or a kernel panic.  This could be used to cause a
denial-of-service.


* Denial-of-service in pty character insert with multiple threads.

A race condition in the pty code could allow multiple threads to insert
input characters at the same time, leading to an out-of-bounds memory
write, causing memory corruption and kernel panic.  A malicious user could
use this to cause a denial-of-service.


* Denial-of-service in SCSI 3ware chrdev ioctl.

A missing privilege check in the scsi 3ware driver code could
allow a user without sufficient privileges to pass user memory
into the ioctl and then manipulate the memory, potentially causing
memory corruption and a kernel panic.  This could be used for a
denial-of-service attack.


* Denial-of-service in SCSI QLogic QEDF Virtual Port removal.

A failure to signal that a vport is being removed in the qedf driver code
could allow requests issued while the vport is being removed to become
stuck and never complete.  This could be used to cause a denial-of-service.


* Denial-of-service while reading TPC stats in the ath10k driver.

A logic error in the ath10k driver could result in writing past the
end of an array while reading TPC stats, leading to memory corruption
and kernel panic.  This could be exploited to cause a denial-of-service.


* Denial-of-service in ALSA compressed drivers during component open.

A failure to properly handle errors during component open in the ALSA
soc-compress code could lead to NULL pointer dereferences in other compressed
drivers, causing a kernel panic.  This could be used to cause a
denial-of-service.


* Information leak in crypto IPsec authenc key setting.

A failure to clear memory after setting up authenc keys in the crypto
code could leak pointers to the authenc keys.


* Denial-of-service with corrupt squashfs image.

A failure to properly deal with metadata corruption in squashfs could
result in a kernel oops.  This could be exploited for a denial-of-service.


* Denial-of-service in ext4 bitmap validation with chdir command.

A race condition in the ext4 bitmap validation code could result in corrupt
inodes.  This could be exploited to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
