[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4320-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Apr 22 05:49:19 PDT 2020
Synopsis: USN-4320-1 can now be patched using Ksplice
CVEs: CVE-2019-14895 CVE-2020-8428
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4320-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
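As an added example (not part of the Ksplice notice itself), the following POSIX shell helper reports whether a host will pick this update up automatically or needs a manual /usr/sbin/uptrack-upgrade -y, by reading the "autoinstall" setting from /etc/uptrack/uptrack.conf. The parsing rules (comments ignored, whitespace and case tolerated, last matching line wins) are assumptions, not documented Ksplice behaviour.

```shell
#!/bin/sh
# Added example, not the Ksplice project's own code. Reads the autoinstall
# setting from the Uptrack config and reports the required action without
# changing anything on the host.

# Print "yes" (exit 0) if the config enables "autoinstall = yes", else "no"
# (exit 1). Comment lines are skipped, spaces around '=' and letter case are
# tolerated, and if the key appears more than once the last line wins
# (assumed, not documented behaviour).
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "no"; return 1; }
    val=$(tr 'A-Z' 'a-z' < "$conf" \
        | sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p' \
        | tail -n 1)
    case "$val" in
        yes) echo "yes"; return 0 ;;
        *)   echo "no";  return 1 ;;
    esac
}

# Print "auto" when nothing needs to be done, or "manual" when the
# administrator must run the upgrade command named in the notice.
uptrack_update_action() {
    if uptrack_autoinstall "$1" >/dev/null; then
        echo "auto"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}
```

Run uptrack_update_action with no argument on a real host to check the default config path.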
DESCRIPTION
* Information leak when reading capabilities in Virtio GPU driver.
A missing check on user input when reading capabilities in the Virtio GPU
driver could lead to an information leak. A local attacker could use
this flaw to leak information about the running kernel and facilitate an
attack.
* Potential out-of-bounds access in Infiniband Emulex One Connect HCA driver.
An improper length check on an array index can lead to an out-of-bounds
access in the Emulex One Connect HCA driver's partition key query path.
This could cause a system to exhibit unexpected behavior, including a
potential denial-of-service.
* NULL dereference in IPWireless driver.
A failure to check for an error condition in the IPWireless driver's
setup packet send path can lead to a NULL dereference and subsequent
kernel panic. This could potentially be exploited to cause a
denial-of-service.
* Memory leak in ANSI/IEEE 802.2 LLC type 2 driver.
Missing release of resources when using ANSI/IEEE 802.2 LLC type 2
driver could lead to a memory leak. A local attacker could use this flaw
to cause a denial-of-service.
* Deadlock in iSCSI if socket is never read.
If an iSCSI socket connection is created but the receive side is never
read, the system might potentially deadlock while attempting to send the
reply.
* Improved fix for CVE-2019-14895: Denial-of-service in Marvell WiFi-Ex driver.
A logic error when receiving a Country WLAN element in the Marvell WiFi-Ex
driver could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.
* Invalid assertion in btrfs when running fsync on no-holes mount.
An incorrect assertion condition when running the 'fsync' command on a
btrfs filesystem mounted with the 'no-holes' option can cause a
denial-of-service when the filesystem was in fact operating correctly.
* Denial-of-service when terminating process with pending semaphore operation.
Trying to clean up a semaphore operation without proper locking when
terminating a process could cause a deadlock and possibly crash the
kernel. An attacker could exploit this to cause a denial-of-service.
* CVE-2020-8428: Denial-of-service when file is being moved.
A race condition while opening a sticky file and moving it to a
different location in parallel could trigger a use-after-free
vulnerability. An unprivileged local user could exploit this bug to
cause a denial-of-service.
* Information leak in recvmsg when copying socket address structure.
Incorrect length validation when copying socket address structure during
recvmsg in the AF_PACKET subsystem could cause unsafe memory access. An
attacker could exploit this to cause a denial-of-service and possibly
read privileged kernel memory.
* Denial-of-service in the non-blocking interface of X.25 protocol.
A bug in the non-blocking connection interface of the X.25
point-to-point protocol causes a NULL pointer dereference. A local user
capable of establishing a point-to-point connection could call connect
multiple times asynchronously in quick succession to trigger a
denial-of-service.
* Denial-of-service when configuring hardware param in ALSA driver.
When configuring an ALSA PCM substream over the ioctl interface, a missing
sanity check allows invalid device memory access. An attacker may be
able to exploit this bug to cause a denial-of-service.
* Denial-of-service when initializing USB infrared dongle.
Failing to sanity-check a USB infrared device's endpoint could allow a NULL
pointer dereference. An attacker could craft a malicious device to cause
a denial-of-service by exploiting this bug.
* Denial-of-service in network packet scheduler subsystem.
When using extended match in the traffic control framework, failure to
validate the ematch configuration could lead to a memory leak. A malicious
user with permission to configure traffic control could exploit this bug
to exhaust kernel memory and cause a denial-of-service.
* Denial-of-service in the crypto subsystem when destroying a socket.
Incorrect locking in the crypto subsystem could lead to a deadlock when
releasing a socket. An attacker could exploit this bug to cause a
denial-of-service.
* Denial-of-service when removing Si470x FM Radio Receiver device.
Incorrect cleanup operation when removing Si470x USB FM receiver device could
lead to a use-after-free bug. An attacker could exploit this to cause a
denial-of-service or possibly escalate privilege.
* Information leak when executing ioctl command in Aironet driver.
A bug in the ioctl interface of the Cisco Aironet driver could return a buffer
allocated in kernel context to userspace without scrubbing it. An attacker
could exploit this bug to leak privileged kernel memory.
* Privilege escalation in the Aironet driver ioctl interface.
Failing to validate permissions before certain privileged ioctl operations
in the Cisco Aironet driver could allow a user without CAP_NET_ADMIN to
read WEP keys. An attacker could use the key to decrypt network traffic
and leak sensitive information.
* Denial-of-service when tearing down crypto instance.
A data race in the crypto subsystem could lead to a use-after-free when
tearing down an algorithm instance. An attacker could exploit this to cause a
denial-of-service.
* Denial-of-service when committing transaction in btrfs fails.
Failure to properly clean up after an attempt to commit a transaction
fails in the btrfs filesystem could cause a NULL pointer dereference. An
attacker could exploit this bug to cause a denial-of-service.
* Information leak when running a VM in emulation mode (Spectre v1).
A Spectre v1-type gadget when running a VM in emulation mode in the KVM
subsystem could allow a user to read privileged kernel memory. An
attacker could exploit this bug to escalate privilege.
* Speculative execution in KVM when reading or writing debug register.
Array access for debug registers is missing protection against Spectre
v1-type attacks. An attacker with KVM_CAP_DEBUGREGS capability could
exploit this flaw to read kernel memory and possibly escalate privilege.
* Information leak when accessing crash data in Hyper-V guest.
Array access for the crash MSR is missing protection against Spectre v1-type
attacks. An attacker could exploit this bug to leak privileged
kernel information.
* Information leak when accessing IOAPIC register in KVM.
Array access for IOAPIC registers is missing protection against Spectre
v1-type attacks. An attacker could exploit this bug to read privileged
kernel memory.
* Information leak when reading performance counter in KVM.
Array access for performance counters is missing protection against
Spectre v1-type attacks. An attacker could exploit this to read
privileged kernel memory.
* Information leak when reading MCE registers in KVM.
Array access when reading Machine Check Exception registers is missing
protection against Spectre v1-type attacks. An attacker could exploit this
bug to read privileged kernel memory.
* Denial-of-service when transmitting packet through ALB bond.
Incorrect header offset calculation when transmitting IPX packet through
ALB (Adaptive Load Balancing) bond leads to a use-after-free. An
attacker could exploit this bug to cause a denial-of-service.
* Denial-of-service when querying WMM status in mwifiex driver.
If an AP sends a malicious query to the station for WMM status, a buffer
overflow could occur. If an attacker can compromise the AP, this bug
could be triggered to cause a denial-of-service.
* Denial-of-service when scanning for APs in mwifiex driver.
Failing to validate user-defined length parameter could cause an
out-of-bounds memory access while scanning for APs in the mwifiex driver. An
attacker could exploit this bug to cause a denial-of-service.
* Information leak when writing to APIC register in KVM.
Array access when writing to local APIC registers in KVM is missing
protection against Spectre v1-type attacks. An attacker could exploit
this bug to disclose privileged kernel information.
* Information leak when accessing performance counter in KVM.
Array access when reading performance counter registers in KVM is missing
protection against Spectre v1-type attacks. An attacker with privilege to
read performance counter could exploit this bug to read sensitive kernel
memory.
* Information leak when writing to interrupt controller in KVM.
Array access when writing to the PIC device in KVM is missing protection
against Spectre v1-type attacks. An attacker could exploit this flaw to
leak privileged kernel memory.
* Out-of-bounds access when classifying network packets with traffic control index.
A logic error when classifying network packets with traffic control
index could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.
* NULL pointer dereference when handling a frame in High-availability Seamless Redundancy driver.
A missing check when handling a frame in the High-availability Seamless
Redundancy driver could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.
* Denial-of-service in the NFS readdir syscall.
Multiple memory leak and corruption bugs in the NFS filesystem during the
readdir syscall could exhaust kernel memory and possibly crash the
kernel. An attacker could exploit this bug to cause a denial-of-service.
* Memory leak in RPCSEC_GSS server authentication driver.
A wrong expiry time when using RPCSEC_GSS server authentication driver
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.
* Memory leak when unmounting a reiser file system.
A missing free of resources when unmounting a reiser file system could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.
* Out-of-bounds access when setting memory policy for a tmpfs mount.
A logic error when setting memory policy for a tmpfs mount could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.