[Ksplice-Fedora-28-updates] New Ksplice updates for Fedora 28 (FEDORA-2018-59e4747e0f)
Oracle Ksplice
ksplice-support_ww at oracle.com
Tue Oct 23 15:24:03 PDT 2018
Synopsis: FEDORA-2018-59e4747e0f can now be patched using Ksplice
CVEs: CVE-2018-16658 CVE-2018-3620 CVE-2018-3646
Systems running Fedora 28 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-59e4747e0f.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Fedora 28
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Denial-of-service due to improperly initialized pointer in SMB2 signing code.
There is a pointer that is improperly initialized in smb2_calc_signature, which
will trigger a panic when dereferenced, causing denial-of-service.
* Denial-of-service due to failed allocation in CIFS authentication code.
Memory allocation to a pointer was not checked in build_ntlmssp_auth_blob. If
the unchecked allocation were to fail, dereferencing this pointer would result in
denial-of-service.
* Btrfs failure to mount after hard link creation.
Through creation of a specially crafted hard link, a malicious user
could corrupt a btrfs filesystem in such a way that it will no longer
mount.
* Potential denial-of-service in btrfs writeback path.
Unneeded code in the btrfs writeback path can, under certain scenarios,
trigger a deadlock when executed.
* Buffer overrun in ext4 mount path.
When a corrupted or maliciously crafted ext4 filesystem image is mounted, the
length of the extended attributes buffer can be miscalculated, resulting in a
buffer overrun and a denial-of-service.
* Improved fix to CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
The original fix for L1 Terminal Fault/Foreshadow could prevent microcode from
loading when hyperthreading was disabled, or cause mprotect() to fail on
specific memory mappings.
Orabug: 28488808
* Denial-of-service in fuse write path.
A locking issue in the fuse write path could result in a buffer being allocated
without sufficient space to store necessary data. This scenario will lead to
write errors, and could be exploited to cause denial-of-service to a fuse
filesystem.
* Denial-of-service in fuse read path.
A logic error in the fuse read path error handling code can leave memory pages
unintentionally locked. If another task attempts to lock these pages, it will
hang, potentially leading to denial-of-service.
* Denial-of-service in KMS driver for UDL devices.
Accesses to uninitialized memory in the udl-kms driver can lead to a kernel
panic. This could be exploited to cause a denial-of-service.
* Potential information leak in b43 wireless adapter drivers.
There is a logic error in the b43 and b43legacy drivers that could lead to
unprivileged accesses to kernel memory. A local attacker could potentially
use these flaws to leak information about the running system.
* Denial-of-service in SiRF SoC USP PCM bus driver.
A logic error in this driver's probe function can lead to a NULL pointer
dereference, and subsequent kernel panic. This could be used to cause a
denial-of-service.
* Denial-of-service in x86 NMI handler.
A race condition in the x86 NMI handler can potentially lead to a process
copying from the wrong location in memory. This could potentially be exploited
to cause a denial-of-service.
* Improved fix for Spectre v1: Information leak in NCT6775 driver.
A missing sanitization of array index in the NCT6775 driver could lead to an
information leak. A local attacker could use this flaw to leak information
about the running system.
* Potential information leak in kprobes debug utilities.
The permissions on two of the kprobes debugfs files are set to allow
unprivileged users to access sensitive address information. A local attacker
could use this flaw to gain information about the running system.
* Denial-of-service in mpt3sas driver reset path.
A logic error in the mpt3sas driver reset path can lead to a kernel panic. This
could be used to cause a denial-of-service.
* Potential deadlock in mpt3sas driver error handling path.
A locking issue in the mpt3sas driver's error handling code could lead to a
deadlock and potential denial-of-service.
* Denial-of-service in SCSI device removal code path.
A logic error in the SCSI device removal code path can lead to a deadlock. This
could potentially be used to cause a denial-of-service.
* CVE-2018-16658: Information leak in CDROM driver.
A logic error in the CDROM driver could allow unprivileged access to kernel
memory. A local attacker could exploit this flaw to leak information about
the running system.
* Information leak in x86 stack dump path.
A logic error in the x86 stack dump code could allow a local attacker to trick
the kernel into dumping kernel memory to dmesg. This flaw could be exploited to
leak information about the running system.
* Denial-of-service in 6lowpan over IEEE 802.15.4.
A logic error in the code that provides 6lowpan support over IEEE 802.15.4
can cause a kernel panic. A local user could send a specially crafted packet
to trigger this panic and cause a denial-of-service.
* Denial-of-service in mac802154 network stack.
A logic error in the transmit path of the mac802154 network stack can cause
certain structures to be allocated with insufficient space to hold necessary
data. This could be used to cause a denial-of-service.
* Use-after-free in block device core.
A failure to initialize part of a structure in the block device allocation
path can lead to a use-after-free of certain kernel structures, which can
result in a kernel panic. This could be used to cause a denial of service.
* Denial-of-service in block device core.
A logic error in the code path responsible for associating request queues with
cgroup controllers can lead to a NULL pointer dereference, and subsequent kernel
panic, when one of several drivers is loaded. This could be used to cause a
denial-of-service.
* Denial-of-service in dma-buf driver.
A logic error in the dma-buf driver's object reservation code path could result
in a kernel assertion failure, and denial-of-service.
* Information leak in mlx5 Infiniband driver.
A kernel structure was not fully initialized in the mlx5 driver's user-mode
memory reservation code, which could lead to kernel stack memory being leaked to
userspace. This flaw could be exploited by a local attacker to leak information
about the running system.
* Potential deadlock in Infiniband error handling path.
A logic error in the Infiniband error handling code path can lead to a potential
deadlock. This could be used to cause a denial-of-service.
* Integer overflow in mlx5 RDMA path.
An unsafe arithmetic shift in the mlx5 driver's RDMA code path can result in an
integer overflow, which can cause further unpredictable behavior. This could
potentially be used to cause a denial-of-service.
* Use-after-free in Infiniband SRP target driver.
A print statement in the ib_srpt driver attempts to access a member of a
structure after it may have already been freed. This could be used to
cause a denial-of-service.
* Multiple denial-of-service vectors in Plan 9 transport code.
Several logic errors in the Plan 9 transport code could lead to a NULL pointer
dereference, and subsequent kernel panic. This could be used to cause a
denial-of-service.
* Denial-of-service in Plan 9 client initialization code.
A logic error in the Plan 9 client initialization code path can cause the
kernel to attempt to free a pointer that was never initialized, which can result
in a kernel panic. This could be used to cause a denial-of-service.
* Denial-of-service in device-mapper writeback code.
A logic error in the device-mapper write path could cause the kernel to read
past the end of a buffer, potentially leading to a panic. This could be used
to cause a denial-of-service.
* Denial-of-service in UART shutdown path.
A race condition in the UART shutdown path can lead to a kernel panic. This
could potentially be used by a local attacker to cause a denial-of-service.
* Improved fix to CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
A logic error in KVM x86 CPU cache flushing code can result in a guest VM
causing a panic on the host machine. This could be used to cause a
denial-of-service.
* Denial-of-service in NFS exported Overlayfs filesystem code.
A locking issue in the code that handles Overlayfs filesystems exported via NFS
can cause kernel warning messages to appear, and can eventually lead to a kernel
panic. This could be used to cause a denial-of-service.
* Potential deadlock in NFS writeback path.
An incorrect lock was being taken in the NFS writeback path. This could lead to
a deadlock, which could be used to cause a denial-of-service.
* Potential deadlock in NFS RPC processing path.
A locking error in the code path responsible for processing certain NFS RPC
requests can lead to a deadlock. This could be used to cause a
denial-of-service.
* Denial-of-service in UTS namespace code.
A locking issue in some of the code used to provide UTS namespace functionality
could lead to a namespace admin stalling all processes that need to take a
particular lock. A local attacker could exploit this to cause a
denial-of-service.
* Denial-of-service in user namespace code.
A logic error in the user namespace code path can cause a lock to be held
indefinitely. A local attacker could use this to cause a denial-of-service.
* Memory leak in ubifs self-checks.
Under certain conditions, one of the ubifs self-checks can leak small amounts
of memory. This could be used to waste system resources, and potentially
cause a denial-of-service.
* Information leak in filesystem core.
A logic error in filesystem core code can allow small amounts of kernel memory
to be leaked to userspace. This flaw could be used by a local attacker to leak
information about the running system.
* Improved fix for Spectre v1: Information leak in filesystem quota control code.
A missing sanitization of an array index in filesystem quota control code can
lead to kernel memory being leaked to userspace. A local attacker could exploit
this flaw to leak information about the running system.
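The two "Improved fix for Spectre v1" entries above (NCT6775 and quota control) both describe the same class of bug: an array index taken from userspace is bounds-checked, but the CPU may speculatively execute the out-of-bounds access before the check resolves. The following is an added illustration, not the kernel's driver or quota code and not the actual patches shipped here: it shows the branchless masking idiom the kernel uses (array_index_mask_nospec) next to the plain check-then-access pattern, on a small constructed lookup table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example data (not from any kernel driver): a small table that
 * an unprivileged caller can index with an attacker-controlled value. */
#define TABLE_SIZE 8
static const uint32_t table[TABLE_SIZE] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* Branchless bounds mask, in the style of the kernel's generic
 * array_index_mask_nospec(): returns all ones when index < size, and zero
 * otherwise. No branch is involved, so there is nothing for the CPU to
 * mispredict and speculate past. Relies on arithmetic right shift of a
 * negative long, as GCC and Clang implement it (same assumption the kernel
 * makes). */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    /* size - 1 - index goes "negative" (top bit set) only when index >= size;
     * index itself has the top bit set only when absurdly large. Either way
     * the OR has its top bit set, ~ clears it, and the shift yields 0. */
    return ~(long)(index | (size - 1UL - index)) >>
           (sizeof(unsigned long) * 8 - 1);
}

/* Check-then-access: architecturally correct, but if the branch is
 * mispredicted the load of table[index] can still execute speculatively for an
 * out-of-range index, leaving a cache footprint an attacker can measure. */
uint32_t lookup_unsafe(size_t index)
{
    if (index < TABLE_SIZE)
        return table[index];
    return 0;
}

/* Hardened form: inside the guarded branch the index is ANDed with the mask,
 * so during misspeculation an out-of-range index becomes 0 and the load only
 * ever touches table[0], never arbitrary memory. Architectural results are
 * identical to lookup_unsafe(). */
uint32_t lookup_nospec(size_t index)
{
    if (index < TABLE_SIZE) {
        index &= array_index_mask_nospec(index, TABLE_SIZE);
        return table[index];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = { 0, 5, 7, 8, 1000, (size_t)-1 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("index %zu: mask=0x%lx unsafe=%u nospec=%u\n", probes[i],
               array_index_mask_nospec(probes[i], TABLE_SIZE),
               lookup_unsafe(probes[i]), lookup_nospec(probes[i]));
    }
    return 0;
}
```

The mask is only meaningful inside the guarded branch: applied outside it, an out-of-range index would silently read element 0 instead of being rejected, which is a correctness change rather than a hardening. Keep the explicit bounds check and add the mask, as the kernel's array_index_nospec() macro does.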
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.