[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (4.4.0-138.164)
Oracle Ksplice
ksplice-support_ww at oracle.com
Tue Jan 8 11:39:12 PST 2019
Synopsis: 4.4.0-138.164 can now be patched using Ksplice
CVEs: CVE-2017-17053 CVE-2018-10938 CVE-2018-14734 CVE-2018-16658 CVE-2018-3620 CVE-2018-3646 CVE-2018-5391 CVE-2018-9363
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.4.0-138.164.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Information leak in IPv6 raw sockets with IP(V6)_ORIGDSTADDR.
A specially crafted IPv6 packet could force the IPv6 code to read beyond
the end of a buffer, causing a potential information leak of kernel
memory.
* Denial-of-service in event trigger tracing.
A flaw in the trace_events code could lead to a double free
of memory, leading to memory corruption and possible kernel
panic. A malicious user could exploit this to cause a
denial-of-service.
* Use-after-free in NFSv4 device info decode.
A specifically crafted request with a malformed xdr array from an NFSv4
client could result in a use-after-free condition and possible kernel
crash. A malicious client could exploit this to generate a denial-of-service
attack.
* CVE-2018-14734: Use-after-free in Infiniband leave_multicast function.
A race condition in the infiniband code could allow the leave_multicast
function to use a structure that was allocated but subsequently freed in
the process_join function, leading to memory corruption and possible system
crash.
* Denial-of-service in Intel Wireless driver receive buffer allocation.
A race condition in the Intel PCIe wireless driver when the receive buffer
allocator is run at the same time as the receive init function could result
in memory corruption and a kernel panic. This could be used to cause a
denial-of-service.
* Denial-of-service in sysfs PCI device disable.
A failure to verify if a device still has a driver attached or not
when sysfs disables a device could lead to an inconsistent system
state for the device driver, leading to possible memory corruption or
kernel panic. This could be exploited by a malicious user to cause
a denial-of-service.
* Denial-of-service in Marvell mwifiex histogram data.
A logic error when entering the histogram data for the mwifiex
driver could result in a buffer underflow, leading to memory
corruption or a kernel panic. This could be used to cause a
denial-of-service.
* Denial-of-service in pty character insert with multiple threads.
A race condition in the pty code could allow multiple threads to insert
input characters at the same time, leading to an out-of-bounds memory
write, causing memory corruption and kernel panic. A malicious user could
use this to cause a denial-of-service.
* Denial-of-service in SCSI 3ware chrdev ioctl.
A missing privilege check in the scsi 3ware driver code could
allow a user without sufficient privileges to pass user memory
into the ioctl and then manipulate the memory, potentially causing
memory corruption and a kernel panic. This could be used for a
denial-of-service attack.
* Information leak in crypto IPsec authenc key setting.
A failure to initialize memory when setting up authenc keys in the
crypto code could leak pointers to the authenc keys.
* Denial-of-service with corrupt squashfs image.
A failure to properly deal with metadata corruption in squashfs could
result in a kernel oops. This could be exploited for a denial-of-service.
* Denial-of-service in ext4 bitmap validation with chdir command.
A race condition in the ext4 bitmap validation code results in corrupt
inodes. This could be exploited to cause a denial-of-service attack.
* Improved fix for CVE-2018-5391: Remote denial-of-service in IP fragment handling.
A malicious remote user can use a flaw in IP fragment handling to starve
IP processing on the system causing loss of connectivity.
* CVE-2018-9363: Remote code execution in Bluetooth HIDP driver.
An integer overflow in the Bluetooth HIDP driver could result in a
buffer overflow and memory corruption. A remote user could use this
flaw to trigger a denial of service or potentially, gain code execution.
* CVE-2017-17053: Use-after-free in process initialisation during fork.
A failure to handle an error case during a fork can result in duplicate
references to a structure which is later freed when one task ends,
resulting in a use-after-free. A local user could use this flaw to cause
a denial-of-service or potentially escalate privileges.
* CVE-2018-10938: Remote denial-of-service in IPv4 options handling.
A flaw in IPv4 CIPSO option handling could cause an infinite loop,
allowing a remote attacker to trigger a denial of service with crafted
packets in some configurations.
* Denial-of-service due to failed allocation in CIFS authentication code.
Memory allocation to a pointer was not checked in build_ntlmssp_auth_blob. If
the unchecked allocation were to fail, dereferencing this pointer would result in
denial-of-service.
* Buffer overrun in ext4 mount path.
Upon mounting a corrupted or maliciously crafted ext4 filesystem image,
the length of the extended attributes buffer can be miscalculated,
resulting in a buffer overrun and a denial-of-service.
* Denial-of-service in fuse write path.
A locking issue in the fuse write path could result in a buffer being allocated
without sufficient space to store necessary data. This scenario will lead to
write errors, and could be exploited to cause denial-of-service to a fuse
filesystem.
* Denial-of-service in fuse read path.
A logic error in the fuse read path error handling code can leave memory pages
unintentionally locked. If another task attempts to lock these pages, it will
hang, potentially leading to denial-of-service.
* Denial-of-service in KMS driver for UDL devices.
Accesses to uninitialized memory in the udl-kms driver can lead to a kernel
panic. This could be exploited to cause a denial-of-service.
* Denial-of-service in SCSI device removal code path.
A logic error in the SCSI device removal code path can lead to a deadlock. This
could potentially be used to cause a denial-of-service.
* CVE-2018-16658: Information leak in CD-ROM status ioctl.
An incorrect bounds check in the CD-ROM driver could allow an
out-of-bounds access and kernel information leak to an unprivileged
user.
* Denial-of-service in 6lowpan over IEEE 802.15.4.
A logic error in the code that provides 6lowpan support over IEEE 802.15.4
can cause a kernel panic. A local user could send a specially crafted packet
to trigger this panic and cause a denial-of-service.
* Denial-of-service in mac802154 network stack.
A logic error in the transmit path of the mac802154 network stack can cause
certain structures to be allocated with insufficient space to hold necessary
data. This could be used to cause a denial-of-service.
* Denial-of-service in Plan 9 client initialization code.
A logic error in the Plan 9 client initialization code path can cause the
kernel to attempt to free a pointer that was never initialized, which can result
in a kernel panic. This could be used to cause a denial-of-service.
* Information leak in trace code when creating kthreads.
A race condition in the kthread code could allow an unterminated string
to be printed into the task structure, potentially leaking memory into
other threads. This could lead to an information leak or memory corruption
and possible kernel panic.
* Multiple denial-of-service vectors in Plan 9 transport code.
Several logic errors in the Plan 9 transport code could lead to a NULL pointer
dereference, and subsequent kernel panic. This could be used to cause a
denial-of-service.
* Denial-of-service in user namespace code.
A logic error in the user namespace code path can cause a lock to be held
indefinitely. A local attacker could use this to cause a denial-of-service.
* Memory leak in ubifs self-checks.
Under certain conditions, one of the ubifs self-checks can leak small amounts
of memory. This could be used to waste system resources, and potentially
cause a denial-of-service.
* Information leak in filesystem core.
A logic error in filesystem core code can allow small amounts of kernel memory
to be leaked to userspace. This flaw could be used by a local attacker to leak
information about the running system.
* Improved fix for Spectre v1: Information leak in filesystem quota control code.
A missing sanitization of an array index in filesystem quota control code can
lead to kernel memory being leaked to userspace. A local attacker could exploit
this flaw to leak information about the running system.
* Memory leak in cachefiles during vmscan.
Missing reference counting under memory pressure when fscache was
enabled could result in a leak of pages and eventual memory exhaustion.
* Race condition in Trusted Platform Module common write function.
Missing locking in the Trusted Platform Module common write code could
allow two simultaneous TPM device accesses to overwrite each other's
data, potentially resulting in a denial-of-service or other unspecified
behavior.
* Denial-of-service in UTS namespace code.
A locking issue in some of the code used to provide UTS namespace functionality
could lead to a namespace admin stalling all processes that need to take a
particular lock. A local attacker could exploit this to cause a
denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass during netlink creation.
A missing use of the indirect call protection macro during netlink
creation could lead to speculative execution. A local attacker
could use this flaw to leak information about the running system.
* Denial-of-service when disconnecting a CPC-USB/ARM7 CAN/USB device.
A missing free when disconnecting a CPC-USB/ARM7 CAN/USB device could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass in socketcall syscall.
A missing use of the indirect call protection macro in socketcall
syscall could lead to speculative execution. A local attacker
could use this flaw to leak information about the running system.
* Denial-of-service when migrating pages while using virtio ballooning.
A locking error while decreasing or increasing the amount of memory for
a KVM guest during page migration could lead to a page fault. A local
attacker could use this flaw to cause a denial-of-service.
* Denial-of-service when opening a SCSI device.
A missing free of resources when opening a scsi device via /dev/sg
fails could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.
* Denial-of-service when opening a CD-ROM while power management is enabled.
A logic error when opening a CD-ROM while power management is enabled
could lead to a kernel hang. A local attacker could use this flaw to
cause a denial-of-service.
* Denial-of-service while using filesystem mount points.
Multiple race conditions in filesystem mount points handling could lead
to use-after-frees. A local attacker could use this flaw to cause a
denial-of-service.
* Information leak in error print of kprobes driver.
Error prints in the kprobes driver could leak kernel addresses. A local
attacker could use this flaw to gain information about the running system
and facilitate an attack.
* Use-after-free when using Layer Two Tunneling Protocol with UDP.
A missing check when using Layer Two Tunneling Protocol with UDP could
lead to multiple use-after-frees. A local attacker could use this flaw to
cause a denial-of-service.
* Use-after-free when looking for a Service Access Point in Logical Link control driver.
A logic error when looking for a Service Access Point in Logical Link
control driver could lead to a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.
* Denial-of-service when deleting Traffic-Control Index filters.
A logic error when deleting Traffic-Control Index filters could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.
* Denial-of-service when allocating memory for ALSA transfers.
A logic error when allocating memory for ALSA transfers could lead to
out-of-bounds accesses. A local attacker could use this flaw to cause a
denial-of-service.
* Deadlock when closing a Sierra USB-to-WWAN device.
A locking error when closing a Sierra USB-to-WWAN device could lead to a
deadlock. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free when closing a SCO Bluetooth link.
A logic error when closing a SCO Bluetooth link could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Information leak when using Integrated Services Digital Network driver.
The IIOCDBGVAR ioctl of the Integrated Services Digital Network driver could be
used to leak internal kernel addresses. A local attacker could use this
flaw to leak information about the running kernel and facilitate an attack.
* NULL pointer dereference when handling an interrupt in QLogic QED 25/40/100Gb core driver.
A logic error when handling an interrupt in the QLogic QED 25/40/100Gb core
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* Use-after-free when sending a packet with a specific length over a TCP socket.
A logic error when sending a packet with a specific length over a TCP socket
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.
* Out-of-bounds access in Nvidia Nouveau GEM driver.
An error when checking an array index in the Nvidia Nouveau GEM driver
could lead to an out-of-bounds access. A local attacker could use this
flaw to cause a denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass in ext4 multiblocks allocation routines.
A missing use of the indirect call protection macro in ext4 multiblocks
allocation routines could lead to speculative execution. A local
attacker could use this flaw to leak information about the running
system.
* Information leak when retrieving policy from XFRM user interface.
A missing initialization when retrieving policy from XFRM user interface
could lead to a kernel information leak. A local attacker could use this
flaw to facilitate an attack.
* Out-of-bounds access when setting a TCP ring.
A missing check when setting a TCP ring could lead to an out-of-bounds
access. A local attacker could use this flaw to cause a
denial-of-service.
* Memory leak when registering a PCI hotplug slot fails.
A missing free of resources when registering a PCI hotplug slot fails
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.
* Use-after-free when unregistering PCI Express Hotplug driver.
A logic error when unregistering PCI Express Hotplug driver could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Out-of-bounds access when listing extended attributes on reiser filesystem.
A missing check when listing extended attributes on reiser filesystem
could lead to an out-of-bounds access. A local attacker could use this
flaw to cause a denial-of-service.
* Memory leaks when looking up route in XFRM user interface.
A missing free of resources when looking up a route in the XFRM user interface
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.
* Memory leak when multicasting a netlink message in XFRM user interface.
A missing free of resources when multicasting a netlink message in the XFRM
user interface could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.
* NULL pointer dereference in libiscsi when checking Task Management Function.
An invalid debug print in libiscsi when checking Task Management
Function could cause a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* Out-of-bounds access when receiving a packet over Atheros L1C Gigabit Ethernet device.
An allocation error when receiving a packet over an Atheros L1C Gigabit
Ethernet device could lead to an out-of-bounds access. An attacker could
use this flaw to cause a denial-of-service.
* Invalid memory access when configuring RSS hash in Broadcom NetXtremeII 10Gb driver.
A missing check when configuring RSS hash in Broadcom NetXtremeII 10Gb
driver could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.
* NULL pointer dereference when accessing physical device memory using kernel interface.
A missing check when accessing physical device memory using kernel
interface could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.
* Invalid memory access when passing a zero sized GEM user pointer to i915 driver.
A missing check on user input in i915 ioctl could lead to an invalid
memory access. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free when creating an iscsi session fails.
A logic error when creating an iscsi session fails could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Improved fix for CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
A flaw in terminal fault handling on Intel CPUs could result in
information leaks across privilege boundaries including between
processes on a system or between virtual machines.
* Information leak when forking a process.
A missing zeroing of the stack used for a newly forked process could lead to an
information leak of the heap. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.