[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (4.4.0-142.168)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Feb 7 00:12:36 PST 2019


Synopsis: 4.4.0-142.168 can now be patched using Ksplice
CVEs: CVE-2015-7833 CVE-2018-10883 CVE-2018-14678 CVE-2018-16862 CVE-2018-18281 CVE-2018-19407 CVE-2018-19824

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.4.0-142.168.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
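
The following script is an added example for checking a Xenial host after the
update, not part of this Ksplice announcement or of the Uptrack client. It
assumes the Uptrack client's uptrack-uname(1) is on PATH (it reports the
kernel version the running kernel has been patched up to, which plain
uname -r cannot show) and falls back to uname -r when it is not; the expected
ABI 4.4.0-142 comes from the 4.4.0-142.168 level named above, while the
function names and the sample configuration used to exercise them are the
example's own.

```shell
#!/bin/sh
# Added example (not part of the Ksplice advisory or the Uptrack client):
# confirm that an Ubuntu 16.04 host's effective kernel is at least the
# ABI level this announcement covers. Assumes uptrack-uname(1) from the
# Ksplice Uptrack client; falls back to uname(1) when it is absent.

EXPECTED_ABI="4.4.0-142"        # from 4.4.0-142.168 in the advisory

# Reduce an Ubuntu kernel version string ("4.4.0-142-generic" from
# uname -r, or "4.4.0-142.168" from the package) to its ABI part.
abi_of() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p'
}

# Numeric field-by-field comparison of two ABI strings: exit 0 if $1 >= $2.
# Plain string comparison would rank 4.4.0-99 above 4.4.0-142.
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; next }
        {
            for (i = 1; i <= NF; i++) {
                if (a[i] + 0 > $i + 0) exit 0
                if (a[i] + 0 < $i + 0) exit 1
            }
            exit 0
        }'
}

# Read the "autoinstall" setting from an uptrack.conf-style file ($1);
# prints the value, or "unset" when the key is absent.
autoinstall_setting() {
    v=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Effective kernel version: uptrack-uname reports the level the running
# kernel has been patched up to by Ksplice; uname -r only shows what booted.
effective_kernel() {
    if command -v uptrack-uname >/dev/null 2>&1; then
        uptrack-uname -r
    else
        uname -r
    fi
}

# Exit 0 when the host is at or above EXPECTED_ABI, 1 otherwise.
check_host() {
    eff=$(effective_kernel)
    abi=$(abi_of "$eff")
    if [ -n "$abi" ] && version_ge "$abi" "$EXPECTED_ABI"; then
        echo "OK: effective kernel $eff (ABI $abi) >= $EXPECTED_ABI"
        return 0
    fi
    echo "NOT PATCHED: effective kernel $eff; autoinstall is $(autoinstall_setting /etc/uptrack/uptrack.conf 2>/dev/null)"
    echo "run: /usr/sbin/uptrack-upgrade -y"
    return 1
}

# Only run the check when executed as "sh ksplice-check.sh check", so the
# functions above can also be sourced from another script.
if [ "${1:-}" = "check" ]; then
    check_host
fi
```

Run it as "sh ksplice-check.sh check" on each host; a non-zero exit flags a
machine that still needs "uptrack-upgrade -y" or has autoinstall turned off.
The ABI comparison is deliberately numeric rather than lexical so that a
later 4.4.0-1xx release is not mistaken for an older one.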


DESCRIPTION

* Undefined behavior in XFRM selector.

A failure to properly validate user input in the xfrm selector can
lead to undefined and invalid behavior.


* Denial-of-service in XFRM user templates with IP_XFRM_POLICY.

A failure to validate user input in the xfrm code could lead to
an invalid memory read and a possible kernel panic.  This could be
exploited to cause a denial-of-service.


* Denial-of-service in Bluetooth device unpair.

A race condition in the Bluetooth code could cause an invalid memory
access and a subsequent kernel crash if unpair_device is called
while a pairing with the same device is still in progress.


* Invalid memory access in CHELSIO T3 ioctl.

A failure to completely verify user-supplied memory in the cxgb3 code
could allow a malicious user to modify memory used in the driver, leading
to undefined behavior.


* Denial-of-service in radix tree iteration.

Incomplete initialization of the radix tree iterator could result in an
invalid memory dereference and kernel crash.


* Resource leak in BTRFS orphan cleanup.

Incorrect error handling during BTRFS orphan cleanup could result in a
resource leak.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Improved fix to CVE-2015-7833: Denial-of-service when probing USBvision device.

The original fix for CVE-2015-7833 could result in leaking references to
USB devices or a use-after-free and a kernel crash.


* Memory leak when receiving L2TP control frames.

Incorrect reference counting when handling control frames from an L2TP socket
can trigger a kernel memory leak and subsequent kernel panic.


* Denial-of-service when bonding multiple IPOIB devices.

An incorrect header length initialization when bonding multiple
IP-over-InfiniBand (IPOIB) devices could lead to a kernel bug assertion.
A local attacker could create a bond device using IPOIB slaves to cause
a denial-of-service.


* Use-after-free in IPv6 multicast check.

A race condition in the ipv6 code could lead to a use-after-free
condition while checking the packet.  This could be used for a
denial-of-service attack.


* Invalid memory access in ethtool ioctl.

A failure to properly check user-supplied memory in the ethtool code
could allow a malicious user to modify memory that is used by the kernel,
leading to undefined behavior.


* Use-after-free in SCTP ID association lookup.

A race condition in the sctp code could result in a use-after-free
condition.  This could be exploited to cause a denial-of-service.


* Improved fix for Spectre v1: Bounds check bypass in Vhost ioctl.

A user-controlled index in the vhost ioctl code was not clamped with the
array_index_nospec() speculation barrier, so its bounds check could be
bypassed speculatively. A local attacker could use this flaw to leak
information about the running system.


* Uninitialized memory access in Rtnetlink forwarding database configuration.

A failure to properly check the device type in rtnetlink could cause the
rtnetlink code to attempt to configure an invalid device, making it
use uninitialized memory.  A local user could exploit this to trigger
undefined behaviour.


* Memory leak when handling L2TP control frames.

Incorrect reference counting when handling control frames from an L2TP socket
can trigger a kernel memory leak and subsequent kernel panic.


* Improved fix for Spectre v1: bounds-check bypass in Human Interface Device driver.

An index controlled by userspace can be used to disclose kernel memory
via speculative execution in the Human Interface Device (HID) driver. A
local user could use this flaw to facilitate a further attack on the
system.


* Reserved page accounting imbalance with hugetlbfs mappings.

Incorrect handling of dirty hugetlbfs pages could result in a reserved
page count underflow when dropping filesystem caches under specific
conditions.


* NULL pointer dereference in TTY driver lookup.

Incorrect string validation could result in a NULL pointer dereference
and kernel crash when looking for a polling console driver.


* Use-after-free in Plan9 network protocol statistics cleanup.

Failure to reinitialize pointers on Plan9 statistics cleanup could
result in a use-after-free and kernel crash.


* Use-after-free in FUSE filesystem device reads and writes.

A race condition when performing reads and writes to a FUSE filesystem
device could result in a use-after-free and kernel crash.


* Task hang in FUSE filesystem request completion.

Incorrect synchronization could result in failure to wake up a task on
FUSE filesystem request completion leading to application hangs.


* Denial-of-service when querying ethernet statistics.

Failure to validate the stat type when querying statistics on an e1000
network adapter leads to a NULL pointer dereference. A local user could
exploit this to cause a denial-of-service.


* Use-after-free in OCFS2 metadata corruption cleanup.

Incorrect reference counting could result in a use-after-free of a block
buffer head.


* Kernel crash in TTY baud rate setting.

Missing bounds checking in the TTY baud rate setting code could result
in an out-of-bounds access and kernel crash or information leak.


* BTRFS file corruption during block cloning.

Failure to clone the final block of a file could result in data
corruption of the cloned file under specific conditions.


* Resource leak in FUSE filesystem notification response.

Missing error handling could result in a resource leak and unkillable
tasks under specific conditions during connection reset.


* Kernel crash in HugeTLB copying during unsharing.

A race condition when changing the protections of a HugeTLB page and
forking the process could result in triggering a kernel assertion and
crash.


* Potential denial-of-service in Broadcom TG3 ethernet driver.

In extremely high-traffic scenarios, the Broadcom TG3 ethernet driver
might cause a lockup in the associated device's physical-layer (PHY)
chip, potentially resulting in a denial of network service.


* Memory leak in GFS2 filesystem bitmap buffers.

Missing resource frees for a GFS2 filesystem could result in a memory
leak.  A local user with privileges to mount a filesystem could use this
flaw to exhaust system memory.


* BTRFS filesystem corruption in transaction aborts.

Missing locking when destroying a pinned extent could result in
filesystem corruption during transaction aborts.


* NULL dereference while loading userspace I/O driver.

The userspace I/O driver can potentially attempt to access an
uninitialized pointer while the module is loading.  This leads
to a NULL dereference and subsequent kernel panic.  This flaw
could potentially be exploited to cause a denial-of-service.


* Improved fix for Spectre v1: Information leak in SGI GRU driver.

An unsanitized user-controlled value is used as an index to a buffer
in SGI's Global Reference Unit driver.  This could be exploited to leak
information about the running system.


* Denial-of-service when removing USB3 device.

A double-free bug when removing USB3 devices leads to a NULL pointer
dereference. This can be triggered in the device's "safely remove"
feature path and lead to a denial-of-service.


* Memory corruption when failing readdir on 9Pfs.

When failing a readdir on the Plan 9 Filesystem Protocol, the stat
structure might be improperly freed twice, resulting in memory
corruption or a potential denial-of-service.


* Use-after-free when disconnecting sctp connection with outstanding data.

If an sctp connection is shut down with data still remaining to be sent,
in rare cases the structures holding this data can be accessed after
they are freed, resulting in potential memory corruption or a
denial-of-service.


* Use-after-free in link-layer with non-TCP/DCCP traffic.

When receiving data from a non-TCP or DCCP protocol, a race condition
might occur between processing data received on the link and freeing it.
This results in a use-after-free, and potential memory corruption or
denial-of-service.


* Potential information leak via lingering terminal buffer.

In several cases, data in terminal buffers is not cleared after use.
Stale data left in these buffers could be disclosed to a local user.


* CVE-2018-19407: Denial-of-service in KVM IOAPIC scan.

A missing safety check in KVM's IOAPIC scan path can cause the kernel
to attempt to access objects that have not been initialized.  This
can cause unexpected behavior, including a potential system crash.


* Shadow page table corruption during emulated writes.

A race condition while writing to KVM's shadow page tables can lead
to guest PTEs and shadow PTEs being out of sync.  This can cause
unexpected behavior, including improper memory accesses.


* Buffer overflow in btrfs_control_ioctl.

A failure to check that a user-supplied string is NUL-terminated can
lead to a buffer overflow in the btrfs ioctl handler.  This could lead
to unexpected behavior, including a potential denial-of-service.


* Shift overflow during AC97-SPSA control write.

A logic error in the AC97 driver's snd_ac97_put_spsa routine can cause
a bitwise shift exponent to be calculated incorrectly, resulting in a
shift operation that overflows beyond the 32 bits allocated to store
the result.  This could result in unexpected behavior on some systems.


* Use-after-free in sound driver control interface.

A race condition exists in the sound driver core when processes
attempt to concurrently add and remove user control elements.  This
race can result in a use-after-free, which can cause unexpected
behavior, including a potential system crash.


* CVE-2018-16862: Potential memory corruption in inode truncation path.

A logic error in the memory manager's inode truncation path can lead to
an inode not being properly cleaned up.  If another file is created with
the same inode, it is possible to read old leftover data, instead of
the expected data, when attempting to read the new file.  This could
cause a system to exhibit unexpected behavior.


* Denial-of-service when handling page requests in Intel VT-d subsystem.

Incorrect error handling in the Intel VT-d subsystem when handling page
requests leads to a NULL pointer dereference. This could be exploited to
cause a denial-of-service.


* Denial-of-service in the BATMAN advanced meshing protocol.

When receiving a unicast packet in the BATMAN meshing protocol, a
fragment merge operation triggers a kernel BUG. This could lead to a
denial-of-service.


* CVE-2018-19824: Use-after-free when registering a malicious USB audio device.

Incorrect error handling when registering a malicious USB audio device
that exposes zero interfaces could lead to a use-after-free. A local
attacker able to attach a crafted USB device could use this flaw to
cause a denial-of-service.


* Information leak via bind mount manipulation.

A logic error when checking mount permissions can result in a namespaced
process being able to view filesystem content outside of its namespace.
A local user could use this flaw to view restricted information.


* Denial-of-service in EXT4 buffer management.

Multiple buffer leaks in the EXT4 filesystem could exhaust kernel
resources and result in a denial-of-service.


* Division by zero error in ALSA timer CONTINUE ioctl.

A division by zero and kernel panic can be triggered when the ALSA
subsystem handles the SNDRV_TIMER_IOCTL_CONTINUE ioctl.


* Denial-of-service in Broadcom IEEE802.11n embedded FullMAC WLAN driver.

A logic error in the Broadcom IEEE802.11n embedded FullMAC WLAN driver
could lead to memory leaks. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2018-18281: Information leak in mremap syscall.

A logic error in the mremap code could allow one process to access
memory of a different process.


* CVE-2018-10883: Out-of-bounds access in EXT4 block journal handling.

A logic error in ext4 block journal handling could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 filesystem to cause a denial-of-service.


* FUSE filesystem data corruption in device reads.

Incorrect locking when reading from a FUSE filesystem could result in
processing an incomplete request leading to data corruption.


* Memory leak when setting up a keyring.

A missing free of resources in error path when setting up a keyring
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* Denial-of-service when a guest accesses a CIFS share.

A wrong return code when a guest accesses a CIFS Windows share that
requires authentication could lead to an infinite loop. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when resetting an AHCI SATA controller.

A missing check of the return code when resetting an AHCI SATA controller
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Use-after-free when mounting a JFFS2 filesystem with an invalid mount option.

A missing free of resources when mounting a JFFS2 filesystem with an
invalid mount option could lead to a use-after-free. A local attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service when using an ioctl of LSI Logic MegaRAID SAS RAID Module.

A missing check when using the FIRMWARE32 ioctl of the LSI Logic MegaRAID
SAS RAID module could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.


* Use-after-free in the journaling layer for block devices.

A locking error in the journaling layer for block devices could lead to
a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when mounting a GFS2 filesystem.

A missing check on user input when mounting a GFS2 filesystem could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds access in LRW crypto driver.

A logic error in LRW crypto driver could lead to an overflow and an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access in the Integrity Measurement Architecture securityfs interface.

An array size issue in the securityfs interface of the Integrity
Measurement Architecture (IMA) could lead to an out-of-bounds access. A
local attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when closing NFSD transport layer.

A logic error when closing NFSD transport layer could lead to a kernel
panic. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access in a debug print in the lockd driver.

A logic error in a debug print in the lockd driver could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using an ioctl of the md (multiple devices) driver.

A logic error when using an ioctl of the md (multiple devices) driver
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Out-of-bounds access when using a crafted CRAMFS filesystem.

A logic error when reading block offsets in a CRAMFS filesystem could
lead to an out-of-bounds access. A local attacker could use a crafted
CRAMFS filesystem to cause a denial-of-service.


* Denial-of-service when walking up a BTRFS tree.

A logic error when walking up a BTRFS tree could lead to a kernel assert.
A local attacker could use this flaw and a crafted BTRFS filesystem to
cause a denial-of-service.


* Denial-of-service when allocating a BTRFS tree.

A missing check when allocating a BTRFS tree could cause a deadlock. A
local attacker could use this flaw with a crafted BTRFS filesystem to
cause a denial-of-service.


* Denial-of-service when using caching on a BTRFS filesystem.

A logic error when using caching on a BTRFS filesystem could lead to a
kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference on compressing in BTRFS filesystem.

A logic error when compressing in BTRFS filesystem could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Information leak when getting information about QLogic BR-series Converged Network adapter.

A logic error when getting information about a QLogic BR-series Converged
Network adapter could lead to an information leak. A local attacker
could use this flaw to leak information about the running kernel and
facilitate a further attack.


* Denial-of-service when accessing arvif list in Atheros 802.11ac wireless cards driver.

A locking error when accessing arvif list in Atheros 802.11ac wireless
cards driver could lead to a kernel panic. A local attacker could use
this flaw to cause a denial-of-service.


* Memory leak when allocating memory in CW1200 WLAN driver.

A logic error when allocating memory in CW1200 WLAN driver could lead to
a memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* NULL pointer dereference when dequeuing skb in Marvell WiFi-Ex driver.

A logic error when dequeuing skb in Marvell WiFi-Ex driver could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Invalid memory access when inserting element in netfilter tables.

A logic error when inserting element in netfilter tables could lead to
an invalid memory access. A local attacker could use this flaw to cause
a denial-of-service.


* Out-of-bounds accesses in Universal Flash Storage Controller driver.

Multiple errors in Universal Flash Storage Controller driver could lead
to out-of-bounds accesses or NULL pointer dereferences. A local attacker
could use this flaw to cause a denial-of-service.


* Memory leak when unregistering Universal Flash Storage Controller driver.

Logic errors when unregistering Universal Flash Storage Controller
driver fails could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* Invalid memory access when unloading QLogic QLA2XXX Fibre Channel driver.

A missing check when queuing commands while unloading QLogic QLA2XXX
Fibre Channel driver could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference during TTY device initialization.

A race condition when initializing a TTY device while flushing buffer on
this same device could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Invalid memory access when reopening a TTY device.

A race condition when reopening a TTY device could lead to an invalid
memory access. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when disconnecting a Empia EM28xx USB device.

A logic error when disconnecting a Empia EM28xx USB device could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free in RapidIO Ethernet over messaging driver.

A logic error in RapidIO Ethernet over messaging driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when setting extended attributes for EXT2 filesystems.

A refcount error when setting extended attributes for EXT2 filesystems
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Information leak when getting attributes in Chelsio Communications FCoE driver.

Multiple logic errors when getting attributes in the Chelsio
Communications FCoE driver could lead to an information leak. A local
attacker could use this flaw to leak kernel information and facilitate a
further attack.


* NULL pointer dereference when unregistering LED class device.

A logic error when unregistering LED class device could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when dumping free space in BTRFS filesystem.

A locking issue when dumping free space in BTRFS filesystem could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak in error path of perf_event_open() syscall.

A logic error in error path of perf_event_open() syscall could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Improved fix for Spectre v1: bounds-check bypass in PTP clock driver.

A user-controlled index in the PTP clock driver was not clamped with the
array_index_nospec() speculation barrier, so its bounds check could be
bypassed speculatively. A local attacker could use this flaw to leak
information about the running system.


* Improved fix for Spectre v1: bounds-check bypass in Infiniband driver.

A user-controlled index in the Infiniband driver was not clamped with
the array_index_nospec() speculation barrier, so its bounds check could
be bypassed speculatively. A local attacker could use this flaw to leak
information about the running system.


* CVE-2018-14678: Privilege escalation in Xen PV guests.

Incorrect register accounting during paravirtualized failsafe callbacks
could result in the use of uninitialized memory and a kernel crash or
potentially escalation of privileges in a paravirtualized guest.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.