[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3696-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jul 13 12:10:21 PDT 2018


Synopsis: USN-3696-1 can now be patched using Ksplice
CVEs: CVE-2017-18255 CVE-2017-18257 CVE-2018-1000204 CVE-2018-10021 CVE-2018-10087 CVE-2018-10124 CVE-2018-1068 CVE-2018-3665 CVE-2018-5814 CVE-2018-7755

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3696-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Improved fix for Spectre v1: Align with upstream implementation.

The upstream kernel implementation has been thoroughly tested across
architectures, so it is now preferred for preventing Spectre v1
exploitation.


* Improved fix for Spectre v1: Bounds-check bypass when adding MPLS route.

An array access when adding a route in the MultiProtocol Label Switching
(MPLS) subsystem allows userspace-controlled, arbitrary out-of-bounds
speculation. This could serve as a side channel leaking privileged
memory into userspace.


* Improved fix for Spectre v1: Bounds-check bypass in ATM LAN emulation.

A missing use of the indirect call protection macro in the ATM LAN
emulation driver could lead to speculative execution. A local attacker
could use this flaw to leak information about the running system.


* Improved fix for Spectre v1: Bounds-check bypass in perf subsystem.

Multiple missing uses of the indirect call protection macro in the perf
subsystem could lead to speculative execution. A local attacker could
use this flaw to leak information about the running system.


* Improved fix for Spectre v1: Bounds-check bypass in getrlimit syscall.

The 'resource' parameter of the getrlimit syscall is vulnerable to a
Spectre variant 1 speculative execution attack.


* Improved fix for Spectre v1: Bounds-check bypass in various ALSA sound drivers.

Various arrays in the ALSA sound driver code are potentially vulnerable
to a Spectre variant 1 speculative execution attack.


* Improved fix for Spectre v1: Bounds-check bypass in userspace interaction.

A missing sanitization of the array index after the bounds check in
get_user() could lead to an information leak. A local attacker could
use this flaw to leak information about the running system.


* Improved fix for Spectre v1: Bounds-check bypass in nl80211 Wireless driver.

A missing sanitization of the array index after the bounds check in the
nl80211 wireless driver could lead to an information leak. A local
attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: Bounds-check bypass in ZeitNet ZN1221/ZN1225 driver.

A missing sanitization of the array index after the bounds check in the
ZeitNet ZN1221/ZN1225 driver could lead to an information leak. A local
attacker could use this flaw to leak information about the running
system.


* CVE-2018-7755: Information leak through floppy disk driver ioctl.

A logic error in a floppy disk driver ioctl could lead to a kernel
address leak. A local attacker could use this flaw to obtain the address
of the running kernel and facilitate a further attack.


* Denial-of-service while reading files using filesystem caching.

A race condition when reading files using filesystem caching could lead
to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-18255: Integer overflow when setting allocated CPU time for perf events.

A missing check on user input when setting allocated CPU time for perf
events could lead to an integer overflow. A local attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service when accessing audio frames from 32-bit userspace.

A logic error in the compat ioctl path when reading or writing audio
frames from 32-bit userspace could flood the kernel log. A local
attacker could use this flaw to cause a denial-of-service.


* Invalid memory access when using ALSA virmidi sequencer.

A locking error when using the ALSA virmidi sequencer could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free while using ALSA Generic loopback driver.

A locking error when using the ALSA generic loopback driver could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when registering a new input device LED.

A logic error when registering a new input device LED could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when setting Queue Pair size in Mellanox Connect-IB HCA driver.

A missing check when setting Queue Pair size in Mellanox Connect-IB HCA
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.


* Memory leak when releasing resources in DRM driver for VMware Virtual GPU.

A logic error when releasing resources in the DRM driver for VMware
Virtual GPU could lead to a memory leak. A local attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.


* Denial-of-service when using USB Handspring Visor driver.

A logic error when parsing a descriptor in the USB Handspring Visor
driver could lead to a memory leak and invalid memory access. A local
attacker could use this flaw with a crafted USB device to cause a
denial-of-service.


* Denial-of-service in routing table locking implementation.

Multiple race conditions in the routing table locking can result in a
deadlock or hung tasks. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service during binding of cryptographic userspace interface.

A validation failure in the cryptographic userspace interface
implementation can result in the reading of uninitialised memory,
leading to undefined behaviour. A local user could use this flaw to
cause a denial-of-service.


* Denial-of-service in netlink sendmsg implementation.

A validation failure in the netlink sendmsg implementation can result in
the reading of uninitialised memory, leading to undefined behaviour. A
local user could use this flaw to cause a denial-of-service.


* Denial-of-service in netlink routing configuration interface.

A validation failure in the netlink interface for routing information
can result in the reading of uninitialised memory, leading to undefined
behaviour. A local user could use this flaw to cause a
denial-of-service.


* Undefined behaviour in socket buffer cloning.

A failure to initialise a variable when cloning a socket buffer can
result in undefined behaviour.


* Undefined behaviour in IPv6 Duplicate Address Detection.

A logic error when processing hardware addresses during IPv6 Duplicate
Address Detection can result in reading of uninitialised memory, leading
to undefined behaviour.


* NULL pointer dereference when shutting down writeback workqueue.

A race condition when shutting down a block backing device writeback
workqueue can result in a NULL pointer dereference, leading to a Kernel
crash.


* CVE-2017-18257: Deadlock when using FIEMAP ioctl of F2FS filesystem.

A missing variable conversion when using FIEMAP ioctl of F2FS filesystem
could lead to a deadlock. A local attacker could use this flaw to cause
a denial-of-service.


* Memory leaks when using IPv4 UDP and ping sockets.

A missing release of resources in the error path when sending messages
over IPv4 UDP and ping sockets could lead to memory leaks. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Out-of-bounds access when setting attributes in Open vSwitch driver.

A logic error when setting attributes in the Open vSwitch driver could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds access when comparing IPv4 addresses on an SCTP IPv6 socket.

A missing check when comparing IPv4 addresses on an SCTP IPv6 socket
could lead to an out-of-bounds access. A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service when releasing DMA resources in Broadcom Tigon3 driver.

A logic error when releasing DMA resources in the Broadcom Tigon3 driver
could lead to a kernel assert. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2018-10087: Denial-of-service when using the wait() syscall with a too-large pid.

A missing check on user input when using the wait() syscall with a pid
number higher than the integer limit could lead to an overflow. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when destroying broadcast socket.

A use-after-free bug when destroying a broadcast socket could be
exploited by a malicious local user with CAP_NET_BROADCAST to cause a
denial-of-service.


* Denial-of-service when establishing TCP connection.

A bug when retransmitting an unacknowledged TCP packet in the TCP Fast
Open path triggers a kernel crash. A malicious local user can exploit
this to cause a denial-of-service.


* CVE-2018-10021: Denial-of-service in SAS device abort and failover.

Incorrect error handling when aborting or failing over a SAS device
could result in resource starvation and IO hangs. A physically present
malicious user could use this flaw to cause a denial-of-service.


* CVE-2018-1000204: Kernel information leak when performing SG_IO ioctl.

A vulnerability in the SCSI subsystem allows copying uninitialized
kernel memory to userspace. This could provide an attacker with
sensitive kernel information.


* Denial-of-service when registering a new binary type.

A logic error when registering a new binary type with too large an
offset could lead to an overflow. A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2018-10124: Denial-of-service when using the kill() syscall with a too-large pid.

A missing check on user input when using the kill() syscall with a pid
number higher than the integer limit could lead to an overflow. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when using the bind system call on an RDS over InfiniBand socket.

A logic error when using the bind system call on an RDS over InfiniBand
socket could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Use-after-free when scheduling a tasklet in DCCP driver.

A logic error when scheduling a tasklet in the DCCP driver could lead to
a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when setting a small MTU on an ANSI/IEEE 802.2 LLC type 2 socket.

A missing check when setting a small MTU on an ANSI/IEEE 802.2 LLC type
2 socket could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service when using balancing on BTRFS.

A logic error when remounting a BTRFS file system with balancing mode
enabled could lead to a kernel assert. A local attacker could use this
flaw to cause a denial-of-service.


* Race condition between lookup and remove in Amiga Fast File System.

Missing locking on the directory inode in the Amiga Fast File System
could leave the pointer to the directory entry pointing into freed
memory, potentially allowing an attacker to cause a denial-of-service or
other unspecified impact.


* Race condition in generic filesystem asynchronous provider.

Incorrect synchronization when queueing asynchronous work in the generic
filesystem backend could in rare cases leave dangling references to
freed memory, potentially causing a denial-of-service or memory
corruption.


* Denial-of-service when using the OHCI-1394 FireWire driver with an IOMMU.

A logic error when reading a device descriptor through DMA in the
OHCI-1394 FireWire driver while the system uses an IOMMU could lead to a
page fault. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when looking for a key in a BTRFS tree.

A missing check when looking for a key in a BTRFS tree could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access while receiving event from Roccat HID device.

A missing check on Roccat HID device input could lead to an
out-of-bounds access. A local attacker could use a crafted input device
to cause a denial-of-service.


* NULL-pointer dereference when removing SCSI device during access.

When removing a SCSI device from the system while it is under load, the
SCSI driver might hold unprotected references to the device structure,
potentially allowing it to be freed and a NULL-pointer dereference to
occur.


* NULL-pointer dereference in BTRFS when traversing recovery log tree.

When traversing the BTRFS recovery log tree, an unexpected error could
result in a NULL-pointer dereference and denial-of-service.


* Deadlock in BTRFS when allocating subvolume for writing.

In rare cases, allocating a BTRFS subvolume for write could cause a lock
order reversal, resulting in a system deadlock if an interrupt occurred.


* NULL-pointer dereference in Qualcomm Atheros driver when changing bitrate.

Changing the state of the Qualcomm Atheros driver (for example by
updating the supported bitrates) can in rare cases trigger a race with
an internal worker thread that causes a NULL-pointer dereference and
denial-of-service.


* NULL-pointer dereference in IPMI SMBus system interface warning.

If an IPMI SSIF microcontroller returns an error with no associated
data, the driver can crash attempting to access the invalid data
pointer when printing a warning to the console, resulting in a
denial-of-service.


* Denial-of-service when using buffered I/O on top of a bcache device.

A logic error when using buffered I/O on top of a bcache device could
lead to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when sending data over the OHCI USB driver.

A logic error when sending data over the OHCI USB driver in buffered DMA
mode could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service when sending VLAN packets without headers.

A logic error when sending VLAN packets without headers could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-5814: Denial-of-service when registering USB devices using USB/IP.

Locking errors when registering USB devices using USB/IP could lead to a
NULL pointer dereference and a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-1068: Privilege escalation when configuring bridge filtering.

Lack of input validation when configuring bridge filtering from a 32-bit
compat syscall could lead to an out-of-bounds write. Unprivileged users
with the ability to create namespaces could use this flaw to escalate
privileges.


* CVE-2018-3665: Information leak in floating point registers.

An information leak from floating point registers when lazy FPU context
switching was performed could allow a malicious local user to gain
access to sensitive information across process boundaries.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
