[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3676-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Jul 5 14:47:50 PDT 2018
Synopsis: USN-3676-1 can now be patched using Ksplice
CVEs: CVE-2018-1092 CVE-2018-1093 CVE-2018-10940 CVE-2018-3639 CVE-2018-8087
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3676-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* KPTI enablement for Ksplice.
* Prepare Ksplice options for entry/common.c.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
* Provide an interface to freeze tasks.
* Denial-of-service when changing virtual interface in Marvell WiFi-Ex driver.
A missing check when changing virtual interface in Marvell WiFi-Ex
driver while a scan request is in progress could lead to a kernel crash.
A local attacker could use this flaw to cause a denial-of-service.
* CVE-2018-8087: Memory leak when using Simulated radio testing tool for mac80211.
A missing release of resources when creating a new radio in Simulated
radio testing tool for mac80211 could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.
* Denial-of-service when initializing ReiserFS journal.
A format string error in one of the warning prints during ReiserFS
journal initialization could lead to a kernel panic. A local attacker
could use this flaw to cause a denial-of-service.
* NULL pointer dereference when remapping a shm file.
A logic error when remapping a shm file could lead to a NULL-pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Out-of-bounds access when using HID devices.
A variable type error when using HID devices could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2018-1092: NULL pointer dereference when using unallocated root directory on ext4 filesystem.
A missing check when using unallocated root directory on ext4 filesystem
could lead to a NULL pointer dereference. A local attacker could mount a
crafted ext4 filesystem and cause a denial-of-service.
* NULL pointer dereference when setting RDMA option on an invalid device.
A missing check when a user tries to set an RDMA option on a non-existing
device could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* Use-after-free when releasing Audio PCM.
A logic error when releasing Audio PCM could lead to a use-after-free. A
local attacker could use this flaw to cause a denial-of-service.
* Denial-of-service when mounting a corrupted ext4 filesystem.
A missing check when mounting a corrupted ext4 filesystem whose metadata
blocks overlap the superblock could lead to memory corruption. A local
attacker could use this flaw to cause a denial-of-service.
* Data loss in ext4 with concurrent direct IO operations.
The ext4 filesystem driver does not correctly handle multiple direct IO
operations on the same file which can lead to data loss.
* Deadlock when expanding EXT4 inline data.
Incorrect locking between expanding EXT4 inline data and writing to inline data
can trigger a deadlock and kernel panic.
* NULL pointer dereference when using compat ioctls of ALSA rawmidi driver.
A missing check on user input when using compat ioctls of the ALSA rawmidi
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* NULL pointer dereference when removing HID raw devices.
A missing check when removing HID raw devices while calling get_report
ioctl could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* Kernel BUG when releasing unused pages in the ext4 filesystem.
Failure to clear the dirty bit when releasing unused pages in the ext4
filesystem could lead to a kernel BUG assertion to trigger. A local user
could use this flaw to cause a denial-of-service.
* NULL pointer dereference when creating unix domain sockets on CIFS.
Attempting to create a unix domain socket on a mounted CIFS share can
cause a NULL pointer dereference and denial-of-service.
* Denial-of-service when setting a long option name to dns_resolver key.
A missing check on user input when setting a long option name to
dns_resolver key could lead to a flood of kernel log. A local attacker
could use this flaw to cause a denial-of-service.
* Invalid memory access when connecting PPP over L2TP socket.
A missing check when connecting PPP over L2TP socket could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.
* Out-of-bounds access when dumping network neighbour table.
A missing check when dumping the network neighbour table could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Invalid memory access when releasing ANSI/IEEE 802.2 LLC type 2 socket.
A missing stop of deferred work when releasing ANSI/IEEE 802.2 LLC type
2 socket could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.
* Out-of-bounds access when parsing TCP MD5 Signature.
A missing check when parsing TCP MD5 Signature could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Kernel assert when setting options in Ethernet team driver.
A logic error when setting the same option twice in the Ethernet team
driver could lead to a kernel assert if kernel list debugging is enabled.
A local attacker could use this flaw to cause a denial-of-service.
* Invalid memory access when connecting PPP over Ethernet socket.
A missing check on user input when connecting PPP over Ethernet socket
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.
* Invalid memory access when setting TCP MD5 signature socket option.
A missing check when setting TCP MD5 signature socket option could lead
to an invalid memory access. A local attacker could use this flaw to
cause a denial-of-service.
* Uninitialized memory access when setting packet ring in raw packet socket.
A locking error when setting packet ring in raw packet socket could lead
to an uninitialized memory access. A local attacker could use this flaw to
cause a denial-of-service.
* Invalid memory access when adding IPv6 route.
A logic error when adding IPv6 route could lead to an invalid memory
access. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2018-10940: Information leak when checking if CD-ROM media changed.
A missing check when a user checks whether CD-ROM media changed using an
IOCTL could lead to an information leak. A local attacker could use this
flaw to leak information about the running kernel and facilitate an attack.
* File system corruption on ext4 with fallocate.
The fallocate operation does not properly sanitize the "insert range"
parameter, potentially causing an overflow and corrupting filesystem
data.
* NULL-pointer dereference in ext4 filesystem with aborted journal.
If the ext4 journaling process is run on an aborted journal, the
associated journal handle is set to NULL but later dereferenced in the
error path. This can be exploited by a malicious user to cause a
denial-of-service.
* CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.
A failure to correctly validate bitmap information from an ext4
filesystem can result in an out-of-bounds read, leading to a kernel
crash. A local user with the ability to mount an ext4 filesystem could
use this flaw to cause a denial-of-service.
* Denial-of-service due to erroneous error condition in tty device driver.
An inappropriately strict error condition in the terminal device driver
could cause a kernel panic despite functioning correctly. A malicious
user could potentially use this to cause a denial-of-service.
* NULL-pointer dereference in Ceph write on non-active connection.
A race condition when reading data across the Ceph messaging protocol
could cause an attempted write on a NULL socket pointer, causing a
denial-of-service.
* Kernel crash in AMD KVM CPU execution.
Incorrect handling of speculation restriction when running a KVM guest
on an AMD system could result in an invalid memory dereference and
reboot.
* Denial-of-service when configuring V4L2 output overlay.
A kernel crash when performing V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY ioctl
operation to overlay an image on a V4L2 video stream leads to a
denial-of-service.
* Denial-of-service when removing flash device that enables UBI fastmap.
A double-free bug in the UBI wear-leveling subsystem leads to a kernel
crash when unmounting a UBI flash device that enables fastmap in the
image. This could lead to a denial-of-service.
* Denial-of-service when closing LLC socket.
Incorrect reference counting when closing an LLC socket leads to a
use-after-free vulnerability. A malicious unprivileged user can exploit
this to cause a denial-of-service.
* NULL pointer dereference when using pagecache.
A logic error when handling a page in the pagecache could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Out-of-bounds access when using VLAN tagged packets.
A missing check when using VLAN tagged packets could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Kernel memory exhaustion when creating a file or directory.
Under certain circumstances, memory allocated for creating a file or
directory may not be freed after the operation completes. This could
lead to kernel memory exhaustion and possibly a denial-of-service.
* Improved AMD fix to CVE-2018-3639: Speculative Store Bypass information leak.
The original vendor fix for CVE-2018-3639 did not expose the mitigation
to KVM guests on AMD or correctly handle symmetric multithreading (SMT)
systems.
This update enables the speculative store bypass mitigation full time to
protect guests and SMT systems by default on AMD systems; it can be
manually enabled/disabled by writing 1/0 to
/proc/sys/vm/ksplice_ssbd_control. The /proc/sys/vm/ksplice_ssbd_status
file reports the current mitigation status.
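The two operator touch points in this notice, the autoinstall setting in /etc/uptrack/uptrack.conf (INSTALLING THE UPDATES) and the ksplice_ssbd_control/ksplice_ssbd_status files described above, as a small set of POSIX shell helpers. This is an added example, not part of the Ksplice announcement or of Uptrack itself; file paths are parameters so the functions can be exercised against constructed files rather than the live config and /proc entries, and the status file is assumed to hold a single token.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement or Uptrack): helpers
# for the autoinstall check and the SSBD control interface. Paths are
# parameters so the functions can be tested on constructed files.

# Return 0 if the given uptrack.conf enables automatic installation,
# i.e. it has an uncommented "autoinstall = yes" line (whitespace and
# case tolerated). Return 2 if the file cannot be read.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 2
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# Print what an operator must do for this update set on a host whose
# config is at $1, mirroring the two cases in the notice.
required_action() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates apply automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Echo the SSBD mitigation status token from the status file at $1
# (assumed single token; whitespace stripped). Return 2 if unreadable.
ssbd_status() {
    [ -r "$1" ] || return 2
    tr -d '[:space:]' < "$1"
}

# Write 1 (enable) or 0 (disable) to the control file at $1. Anything
# else is rejected so a typo cannot write an unexpected value to /proc.
ssbd_set() {
    ctl="$1"; val="$2"
    case "$val" in
        0|1) ;;
        *) echo "ssbd_set: value must be 0 or 1, got '$val'" >&2; return 1 ;;
    esac
    printf '%s\n' "$val" > "$ctl"
}
```

On a live host, call `required_action /etc/uptrack/uptrack.conf` and `ssbd_status /proc/sys/vm/ksplice_ssbd_status`; `ssbd_set /proc/sys/vm/ksplice_ssbd_control 1` needs root.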
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.