[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4076-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Aug 20 08:57:09 PDT 2019


Synopsis: USN-4076-1 can now be patched using Ksplice
CVEs: CVE-2015-2150 CVE-2017-5967 CVE-2018-20836 CVE-2018-3620 CVE-2018-3646 CVE-2019-11833 CVE-2019-11884 CVE-2019-5489

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4076-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
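The check below is an added example and is not part of the Ksplice announcement: it reads an uptrack.conf (the path is a parameter, defaulting to /etc/uptrack/uptrack.conf), reports whether "autoinstall = yes" is set, and only runs the manual upgrade command from the notice when it is not. The sample config at the end is constructed for the demonstration, and DRY_RUN is an assumed variable of this script, not an uptrack option.

```shell
# Added example, not part of the Ksplice announcement: check whether
# uptrack.conf has "autoinstall = yes" (so the updates arrive on their
# own) and otherwise run the manual command from the notice.
# Exit status: 0 = enabled, 1 = disabled or absent, 2 = no readable config.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 2
    # Drop comments, accept "autoinstall=yes" or "autoinstall = Yes",
    # and let the last occurrence win, as an INI-style parser would.
    val=$(sed -e 's/[#;].*//' "$conf" | awk -F= '
        $1 ~ /^[ \t]*autoinstall[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { print tolower(v) }')
    [ "$val" = "yes" ]
}

# Prints "auto", "manual" or "missing" for the given config path.
uptrack_update_mode() {
    rc=0
    uptrack_autoinstall_enabled "$1" || rc=$?
    case $rc in
        0) echo auto ;;
        1) echo manual ;;
        *) echo missing ;;
    esac
}

# Runs /usr/sbin/uptrack-upgrade -y only when autoinstall is not on.
# DRY_RUN (assumed variable of this script) prints the command instead.
uptrack_apply_updates() {
    if [ "$(uptrack_update_mode "$1")" = manual ]; then
        if [ -n "$DRY_RUN" ]; then
            echo "would run: /usr/sbin/uptrack-upgrade -y"
        else
            /usr/sbin/uptrack-upgrade -y
        fi
    fi
}

# Constructed sample config (not a real host's file) to exercise the check.
sample=$(mktemp)
printf '[uptrack]\nautoinstall = no  # switched off by hand\n' > "$sample"
DRY_RUN=1
uptrack_apply_updates "$sample"
rm -f "$sample"
```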


DESCRIPTION

* Denial-of-service to filesystem in CIFS rename code path.

If a path-based rename fails with EBUSY in cifs_do_rename on an SMB2+
mount, the kernel will attempt to fall back to using the SMB protocol,
which will force a session close.  This could be exploited by a
malicious attacker to disrupt service to the filesystem.


* Use of uninitialized data during TIPC error handling.

Improper handling of an error case in tipc_nl_compat_dumpit can lead to
uninitialized data being accessed.  This could cause a bad paging
request, leading to a kernel panic and denial-of-service.


* Denial-of-service when using the Intel(R) Trace Hub controller.

A logic error when using the Intel(R) Trace Hub controller could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds memory access in IPv4 link failure path.

Missing sanity checks in ipv4_link_failure can lead to out-of-bounds
memory accesses.  This could cause a system to exhibit unexpected
behavior, and could potentially be exploited to cause a
denial-of-service.


* NULL pointer dereference when binding a socket in the QLogic ISP4XXX and ISP82XX host adapter family driver.

A missing check when binding a socket in the QLogic ISP4XXX and ISP82XX
host adapter family driver could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.


* Invalid memory access when using the SATA Zero Power Optical Disc Drive driver.

Use of an on-stack buffer for DMA transfers in the SATA Zero Power
Optical Disc Drive driver could lead to invalid memory accesses. A local
attacker could use this flaw to cause a denial-of-service.


* Permission bypass when using the ipv6 flowlabel manager.

A logic error in the ipv6 flowlabel manager could let a process with a
recycled PID configure a flowlabel owned by a previous process that had
the same PID.


* Use-after-free when removing a USB Yurex device.

A logic error when removing a USB Yurex device could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when connecting a DS2490 USB to W1 transport layer device for 1-wire.

A logic error in the DS2490 USB to W1 transport layer for 1-wire,
triggered when the device is connected, could lead to an out-of-bounds
access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when getting a USB string descriptor.

A logic error when getting a USB string descriptor could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free during symlink traversal on Journalling Flash File System v2.

A logic error during symlink traversal on Journalling Flash File System
v2 could lead to a use-after-free. A local attacker could use this flaw
to cause a denial-of-service.


* Memory leak when creating a node on a hugetlb filesystem.

A logic error when creating a node on a hugetlb filesystem could lead to
a memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* CVE-2018-20836: Use-after-free in SCSI SAS timeout.

A logic error when performing task completion for a SCSI SAS SMP timeout
could result in a use-after-free and kernel crash.


* Use-after-free when changing the interrupt affinity notifier.

A logic error when changing the interrupt affinity notifier could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when setting region-size in the QLogic QLA2XXX Fibre Channel driver.

A logic error when setting region-size in the QLogic QLA2XXX Fibre
Channel driver could lead to an out-of-bounds access. A local attacker
could use this sysfs entry to cause a denial-of-service.


* CVE-2019-11884: Information leak in Bluetooth HIDP HIDPCONNADD ioctl().

Missing string termination in the Bluetooth HIDP HIDPCONNADD ioctl()
could result in leaking the contents of the kernel stack to a local
user.


* NULL pointer dereference on DMA setup failure in the Audio Intel SST Firmware Loader.

A missing check on DMA setup failure in the Audio Intel SST Firmware
Loader could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Integer overflow when building the bitmap of idle pages.

An integer overflow when aligning the last page frame number of a file
mapped in memory when building the bitmap of idle pages could lead to
undefined behaviour.  A local attacker could use this flaw to cause a
kernel crash or potentially access memory otherwise protected.


* CVE-2019-11833: Information leak in ext4 extent tree block.

A missing zeroing of uninitialized memory in an ext4 extent tree block
could lead to an information leak. A local attacker could use this flaw
to leak information about the running kernel and facilitate an attack.


* CVE-2019-5489: Information leak in the mincore() syscall implementation.

Missing checks in the mincore() syscall could let a local attacker
observe the page cache access patterns of other processes on the
system, leading to an information leak.


* Kernel crash in OCFS2 reading of deleted inodes.

A race condition when reading an inode that has been deleted could
result in a kernel crash under specific conditions.


* Denial-of-service in ANSI/IEEE 802.2 LLC type 2 packet transmission.

Incorrect error handling when transmitting packets on an LLC connection
could result in a memory leak and subsequent denial of service.


* Use-after-free in generic receive offload fragmentation.

A use-after-free in the generic receive offload code could result in a
kernel crash when receiving a fragmented packet under specific
conditions.


* Use-after-free in USB networking disconnection.

Incorrect termination of timers on USB networking device disconnection
could result in a use-after-free and kernel crash.


* Information leak in Transparent Inter Process Communication TLV setting.

Incorrect bounds checks could result in copying beyond the end of an
array, leaking the contents of kernel stack memory to user-space.


* CVE-2015-2150: Denial-of-service in Xen host from the guest.

A flaw in the Xen hypervisor allows guests to disable PCI_COMMAND on PCI
device reset, later causing a host crash when the guest tries to access the
device.  A local guest user could use this flaw to cause a
denial-of-service in the host.


* Denial-of-service in USB XHCI BOS descriptor handling.

Incorrect handling of the BOS descriptor for USB XHCI devices could
result in a NULL pointer dereference when disconnecting the device.  A
physically present attacker could use this flaw to crash the system with
a malicious device.


* Kernel crash in USB BOS descriptor access.

Missing range checks could result in out-of-bounds memory writes leading
to memory corruption or a kernel crash when a malicious device was added
to the system.


* Denial-of-service in Siano Mobile Digital TV USB tuner probing.

Missing error checking when setting up endpoints for a Siano Mobile
Digital TV tuner could result in an invalid pointer dereference and
kernel crash.  A physically present user with a malicious device could
use this flaw to crash the system.


* Kernel crash in BTRFS during concurrent fsync().

A race condition when performing fsync() on a BTRFS filesystem could
result in triggering a kernel assertion and crashing the system.


* NULL pointer dereference in CIFS file read during low memory conditions.

Incorrect error handling on low memory conditions during CIFS reads
could result in a NULL pointer dereference and kernel crash when
cleaning up other allocations.


* Integer overflow in GenWQE PCIe Accelerator driver.

A missing check on user input in one of the GenWQE PCIe Accelerator
driver ioctls could lead to an integer overflow. A local attacker could
use this flaw to cause a denial-of-service or escalate privileges.


* Deadlock in NFS4 RPC task callback handling.

A reference counting error in certain callbacks associated with RPC task
structures for NFS4 filesystems can lead to a deadlock.  This could
potentially be exploited by a local or remote attacker to cause a
denial-of-service.


* Multiple denial-of-service vectors in TIPC command handler.

Improper length checks while handling certain TIPC commands can cause
uninitialized data to be accessed.  A remote attacker could potentially
exploit these flaws to cause a denial-of-service.


* CVE-2017-5967: Information leak when reading /proc/timer_stats.

Overly verbose output when reading /proc/timer_stats could leak
information about the current PID. An attacker inside a PID namespace
could use this flaw to learn its real PID.


* Invalid memory accesses when using the Line 6 POD USB driver.

Use of an on-stack buffer for DMA transfers in the Line 6 POD USB driver
could lead to invalid memory accesses. A local attacker could use this
flaw to cause a denial-of-service.


* Use-after-free when using HID bus debugfs while removing a device.

A race condition when using HID bus debugfs while removing a device
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Improved fix for CVE-2018-3620, CVE-2018-3646: Information leak when updating page table entries.

Compiler optimizations can lead to multiple writes when setting PTEs, resulting
in a race condition with a potentially misconfigured PTE in the process page
tables. A local user could use this flaw to cause a kernel crash or leak
information from the kernel.


* Denial-of-service when sending datagram packet.

Failure to sanitize userspace input while sending a packet through a
datagram socket leads to an out-of-bounds memory access in the kernel.
This could allow a remote attacker to cause a denial-of-service and
potentially read kernel memory.


* Deadlock in getsockopt() with multicast sockets.

Incorrect locking for multicast sockets when performing a getsockopt()
call could result in deadlock.  A local user could use this flaw to hang
the system.


* Privilege escalation when configuring VLAN hardware timestamp.

The VLAN ioctl path for hardware timestamp configuration is missing a
privilege check. An otherwise unprivileged user who can issue the
SIOCSHWTSTAMP ioctl could exploit this vulnerability to escalate
privilege to root.


* Denial-of-service in IPv6 when sending ICMP packet.

A logic error when sending a fragmented ICMP packet over IPv6 triggers
a kernel fail-safe. An unprivileged attacker could exploit this flaw
to cause a denial-of-service.


* Denial-of-service when configuring keyboard.

A use-after-free bug in the keyboard configuration path for the virtual
terminal causes a kernel crash. A malicious local user could exploit
this to cause a denial-of-service.


* Data-loss when resizing an ext4 partition.

A logic error during ext4 partition resize causes the inode table to get
into an indeterminate state. This could cause data corruption.


* Denial-of-service when configuring a bcache device.

When configuring a device as cache using the bcache filesystem,
registration and unregistration could race each other and cause a
kernel crash. A malicious local user could exploit this bug to cause a
denial-of-service.


* Data-loss in bcache filesystem journal operation.

A bug in the bcache filesystem causes a failure to write journal data to
disk under certain fault conditions, e.g. the system crashing or losing
power abruptly. This could lead to inadvertent data-loss.


* Denial-of-service when re-adding a disk to RAID array.

A null-pointer dereference when re-adding a disk to a RAID array after
failure could cause a kernel crash. This leads to a denial-of-service.


* Denial-of-service when configuring CIFS oplock level.

A data-race in the CIFS oplock level configuration path leads to a
buffer overflow. A malicious user could exploit this to cause a
denial-of-service.


* Denial-of-service in NFSv4 client when mounting.

A client bug in the NFSv4 subsystem leads to state corruption when
mounting an NFS filesystem in the presence of server trunking. This
could lead to a denial-of-service.


* Data-loss when writing to a FUSE mount on 32-bit systems.

An integer overflow bug when writing to a memory-mapped file on a
FUSE-mounted filesystem causes data to be silently discarded. This
could lead to data loss and corruption on 32-bit systems.


* Denial-of-service when validating packet against xfrm policy.

A use-after-free bug in the received packet validation path of the xfrm
subsystem could lead the kernel to execute arbitrary memory. This could
cause a denial-of-service and could possibly be exploited by an attacker
to hijack control flow.


* Denial-of-service when writing in btrfs filesystem.

A race-condition when performing a sync operation in the btrfs
filesystem leads to a kernel crash. An unprivileged attacker could
exploit this bug to cause a denial-of-service and possible data
corruption.


* Denial-of-service when configuring framebuffer.

Failure to validate an ioctl parameter in the framebuffer subsystem
leads to a division-by-zero error. A local attacker with permission to
read from or write to the framebuffer could exploit this to cause a
denial-of-service.


* Denial-of-service when performing ioctl on vivid device.

When performing an ioctl operation to crop video capture from a vivid
device, an incorrect attempt to release memory leads to a kernel crash.
A local user with permission to capture video through the V4L2
interface could use this flaw to cause a denial-of-service.


* Denial-of-service during fallocate syscall on hugetlbfs file.

When punching a hole in a file mapped through hugetlbfs using the
fallocate syscall, a concurrent page fault leads to a data race. A local
attacker could exploit this to cause a denial-of-service.


* Denial-of-service when handling a vendor command in the cfg80211 subsystem.

A NULL-pointer dereference when handling a vendor command leads to a
kernel crash. This could allow an untrusted or faulty device to cause a
denial-of-service.


* Denial-of-service when receiving a packet in the mwifiex driver.

Failure to sanitize userspace data leads to an array overflow in the
mwifiex driver. This could cause kernel memory corruption and a
denial-of-service.


* Denial-of-service when configuring video input in pvrusb2 driver.

An undefined operation when validating a configuration parameter from
userspace leads to a buffer overflow in the pvrusb2 driver. An attacker
with permission to read from the video device could exploit this to
cause a denial-of-service.


* Denial-of-service when allocation fails in the Infiniband subsystem.

A missing check when memory allocation fails in the cxgb4 driver could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service when opening video device in au0828 driver.

A race-condition when opening a video device before it is properly
initialized leads to a NULL pointer dereference in the au0828 driver. A
local user with privilege to capture video through the V4L2 interface
could use this flaw to cause a denial-of-service.


* Denial-of-service when disconnecting a Broadcom USB wifi device.

A race condition when disconnecting a Broadcom USB wifi device
immediately after connecting it could lead to a deadlock. An attacker
with physical access to the computer could exploit this to cause a
denial-of-service.


* Privilege escalation when handling signals in 32-bit emulation mode.

A bug in the 32-bit signal handling path allows userspace to bypass
Supervisor Mode Access Protection (SMAP). A malicious local process
could exploit this to escalate privilege.


* Denial-of-service in the WL128x FM radio driver.

A buffer overflow when sending a command to a WL128x radio device could
lead to kernel memory corruption and possibly crash the kernel. This
could cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




