[Ksplice][Ubuntu-18.10-Updates] New Ksplice updates for Ubuntu 18.10 Cosmic (USN-3878-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Tue Feb 19 10:15:14 PST 2019
Synopsis: USN-3878-1 can now be patched using Ksplice
CVEs: CVE-2018-14625 CVE-2018-16882 CVE-2018-19407 CVE-2018-19854
Systems running Ubuntu 18.10 Cosmic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3878-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 18.10
Cosmic install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
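The two install paths above depend on one setting. The following is an added example, not Ksplice's own tooling: it reads the autoinstall value from an uptrack.conf-style file and reports whether the host will pick up the USN-3878-1 patches on its own or needs a manual uptrack-upgrade. The INI layout with a [Settings] section and the sample file written to a temp path are assumptions; point it at the real /etc/uptrack/uptrack.conf on a live system.

```shell
#!/bin/sh
# Added example (not part of Ksplice): check the autoinstall setting that
# decides whether USN-3878-1 patches are applied automatically.

# Print the effective value of "$1" (e.g. autoinstall) from the INI-style
# file "$2", ignoring comments and surrounding whitespace. Later
# assignments override earlier ones; prints nothing if the key is unset.
uptrack_conf_get() {
    key="$1"
    conf="$2"
    sed -e 's/[#;].*$//' "$conf" \
      | awk -F= -v k="$key" '
          { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
          tolower($1) == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v }
          END { if (last != "") print tolower(last) }'
}

# Succeeds (exit 0) only when autoinstall is "yes"; any other value,
# or an absent key, means an operator must run uptrack-upgrade.
autoinstall_enabled() {
    [ "$(uptrack_conf_get autoinstall "$1")" = "yes" ]
}

# Constructed sample config mirroring the stock uptrack.conf layout
# (assumed layout; replace with /etc/uptrack/uptrack.conf in practice).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample
[Settings]
autoinstall = yes
EOF

if autoinstall_enabled "$demo_conf"; then
    echo "autoinstall = yes: USN-3878-1 updates will be installed automatically"
else
    echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
fi
rm -f "$demo_conf"
```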
DESCRIPTION
* Improved fix for Spectre v1: bounds-check bypass in PTP clock driver.
A missing use of the indirect call protection macro in the PTP clock
driver could lead to speculative execution. A local attacker could use
this flaw to leak information about the running system.
* Improved fix for Spectre v1: bounds-check bypass in Infiniband driver.
A missing use of the indirect call protection macro in the Infiniband
driver could lead to speculative execution. A local attacker could use
this flaw to leak information about the running system.
* Use-after-free when mounting a JFFS2 filesystem with an invalid mount option.
A missing free of resources when mounting a JFFS2 filesystem with an
invalid mount option could lead to a use-after-free. A local attacker
could use this flaw to cause a denial-of-service.
* Denial-of-service when using an ioctl of the LSI Logic MegaRAID SAS RAID Module.
A missing check when using the FIRMWARE32 ioctl of the LSI Logic MegaRAID SAS
RAID Module could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.
* Use-after-free in the journaling layer for block devices.
A locking error in the journaling layer for block devices could lead to
a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* NULL pointer dereference when mounting a GFS2 filesystem.
A missing check on user input when mounting a GFS2 filesystem could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.
* Improved fix for Spectre v1: bounds-check bypass in Human Input Device driver.
Information controlled by userspace can be used to disclose kernel
memory via speculation in the Human Input Device driver. A local user
could use this flaw to facilitate a further attack on the system.
* Out-of-bounds access in LRW crypto driver.
A logic error in LRW crypto driver could lead to an overflow and an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Out-of-bounds access when using security filesystem of Integrity Measurement Architecture.
An array size issue when using security filesystem of Integrity
Measurement Architecture could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.
* Reserved page accounting imbalance with hugetlbfs mappings.
Incorrect handling of dirty hugetlbfs pages could result in a reserved
page count underflow when dropping filesystem caches under specific
conditions.
* Denial-of-service when closing the NFSD transport layer.
A logic error when closing the NFSD transport layer could lead to a kernel
panic. A local attacker could use this flaw to cause a
denial-of-service.
* Out-of-bounds access in a print in the lockd driver.
A logic error in a print statement in the lockd driver could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service when using ioctl of Multiple devices driver.
A logic error when using ioctl of Multiple devices driver could lead to
an invalid memory access. A local attacker could use this flaw to cause
a denial-of-service.
* Denial-of-service in the Xen block backend driver when finding a queue.
Failure to reset the number of rings when handling a low memory condition
in the Xen block backend driver could lead to a kernel panic.
* Out-of-bounds access when using a crafted CRAMFS filesystem.
A logic error when reading block offsets in a CRAMFS filesystem could
lead to an out-of-bounds access. A local attacker could use a crafted
CRAMFS filesystem to cause a denial-of-service.
* Denial-of-service when walking up BTRFS tree.
A logic error when walking up BTRFS tree could lead to a kernel assert.
A local attacker could use this flaw and a crafted BTRFS filesystem to
cause a denial-of-service.
* Denial-of-service when allocating BTRFS tree.
A missing check when allocating BTRFS tree could cause a deadlock. A
local attacker could use this flaw with a crafted BTRFS filesystem to
cause a denial-of-service.
* Denial-of-service when using caching on BTRFS filesystem.
A logic error when using caching on BTRFS filesystem could lead to a
kernel assert. A local attacker could use this flaw to cause a
denial-of-service.
* NULL pointer dereference on compressing in BTRFS filesystem.
A logic error when compressing in BTRFS filesystem could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free when dumping free space in BTRFS filesystem.
A locking issue when dumping free space in BTRFS filesystem could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Out-of-bounds access in AMD GPU gamma updates.
An incorrect loop termination when updating gamma controls could result
in an out-of-bounds memory access and kernel crash.
* NULL pointer dereference in TTY driver lookup.
Incorrect string validation could result in a NULL pointer dereference
and kernel crash when looking for a polling console driver.
* Undefined behaviour in UDF read-write remounting.
Failure to check features when remounting a UDF filesystem as read-write
could allow the filesystem to be mounted writable when certain features
should prohibit mounting. This flaw could allow a local user to trigger
untested and unsupported features.
* Use-after-free in Plan9 network protocol statistics cleanup.
Failure to reinitialize pointers on Plan9 statistics cleanup could
result in a use-after-free and kernel crash.
* Kernel crash in OverlayFS file handle verification.
Incorrect error handling in the OverlayFS file handle verification could
result in dereferencing an invalid pointer and a subsequent kernel
crash.
* Denial-of-service in OverlayFS file removal.
Failure to correctly handle file removal from an OverlayFS upper level
could result in a kernel crash. A local, unprivileged user could use
this flaw to cause a denial of service.
* Use-after-free in FUSE filesystem device reads and writes.
A race condition when performing reads and writes to a FUSE filesystem
device could result in a use-after-free and kernel crash.
* Task hang in FUSE filesystem request completion.
Incorrect synchronization could result in failure to wake up a task on
FUSE filesystem request completion leading to application hangs.
* Deadlock in OverlayFS file links.
Recursive locking in the OverlayFS file linking code could result in
deadlock. A local, unprivileged user could use this flaw to crash the
system.
* Use-after-free in Ceph dentry splicing.
Incorrect reference counting could result in a use-after-free and kernel
crash when splicing a Ceph dentry to an inode.
* Use-after-free in SCSI request completion.
A race condition between request completion and queue cleanup could
result in a kernel crash under specific conditions.
* Use-after-free in OCFS2 metadata corruption cleanup.
Incorrect reference counting could result in a use-after-free of a block
buffer head.
* Kernel crash in OCFS2 direct IO failure.
Failure to correctly free resources on direct IO failure could result in
triggering a kernel assertion and a kernel crash.
* Kernel crash in memory hotplug removal with NMI watchdog.
Insufficient scheduling in the memory hotplug removal code could result
in triggering the NMI watchdog and kernel panic during removal of a
large memory device.
* Kernel crash in TTY baud rate setting.
Missing bounds checking in the TTY baud rate setting code could result
in an out-of-bounds access and kernel crash or information leak.
* BTRFS filesystem corruption in transaction aborts.
Missing locking when destroying a pinned extent could result in
filesystem corruption during transaction aborts.
* Kernel crash in BTRFS copy-on-write failure.
Incorrect cleanup during copy-on-write failure for a BTRFS filesystem
could result in triggering a kernel assertion and crash.
* Task hang in BTRFS file deduplication.
A logic error when handling deduplication of blocks between two files
could result in an infinite loop and a task hang.
* BTRFS file corruption during block cloning.
Failure to clone the final block of a file could result in data
corruption of the cloned file under specific conditions.
* Denial-of-service in EXT4 buffer management.
Multiple buffer leaks in the EXT4 filesystem could result in resource
leaks and a denial of service.
* Information leak via bind mount manipulation.
A logic error when checking mount permissions can result in a namespaced
process being able to view filesystem content outside of its namespace.
A local user could use this flaw to view restricted information.
* Use-after-free in FUSE asynchronous direct IO.
A use-after-free when performing FUSE asynchronous direct IO operations
could result in a kernel crash. A local, unprivileged user could use
this flaw to crash the system.
* Resource leak in FUSE filesystem notification response.
Missing error handling could result in a resource leak and unkillable
tasks under specific conditions during connection reset.
* Out-of-bounds access in SELinux SCTP connect().
Missing validation in the SELinux SCTP connect hook could result in
dereferencing invalid memory leading to a kernel crash or information
leak.
* Memory leak in GFS2 filesystem bitmap buffers.
Missing resource frees for a GFS2 filesystem could result in a memory
leak. A local user with privileges to mount a filesystem could use this
flaw to exhaust system memory.
* CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.
Incorrect string copying in the NETLINK_CRYPTO report could result in
leaking the contents of kernel stack memory to an unprivileged local
user.
* Kernel crash in HugeTLB copying during unsharing.
A race condition when changing the protections of a HugeTLB page and
forking the process could result in triggering a kernel assertion and
crash.
* Denial-of-service during TTY reopen.
A locking error in the TTY subsystem can result in a NULL pointer dereference
if a TTY device is reopened whilst it's in use. A local user with access to a
TTY device could use this flaw to cause a kernel crash, leading to a
denial-of-service.
* CVE-2018-19407: Denial-of-service in KVM IOAPIC scan.
A missing safety check in KVM's IOAPIC scan path can cause the kernel
to attempt to access certain objects that have not been initialized. This
can cause unexpected behavior, including a potential system crash.
* CVE-2018-14625: Kernel information leak when releasing a vsock.
A use-after-free bug when releasing an AF_VSOCK socket may allow an
attacker to read kernel memory from inside a VM guest. This could be
exploited to leak privileged information and possibly impersonate
AF_VSOCK messages destined for other clients.
* Out-of-bounds access in USB-IP hub control.
A failure to validate a port index supplied from userspace can result in an
out-of-bounds memory access. A local user could use this flaw to cause a kernel
crash.
* Kernel crash in DRM CRTC modesetting configuration.
A failure to handle an error case when performing CRTC modesetting can result
in a use-after-free, leading to a kernel crash.
* Use-after-free during NVMe sibling removal.
A race condition between removing an NVMe namespace sibling and performing IO
operations on that sibling can result in a use-after-free. A local user with
the ability to configure an NVMe device could use this flaw to cause a kernel
crash or potentially escalate privileges.
* Kernel crash in eBPF XDP socket destruction.
A logic error when destroying XDP sockets with associated eBPF XSKMAPs can
result in a sleep-in-atomic, leading to a kernel crash.
* Denial-of-service in LightNVM state interface.
Incorrect locking in the LightNVM driver can result in multiple race conditions
which could lead to a kernel crash. A local user with access to a LightNVM
device could use this flaw to cause a denial-of-service.
* Memory leak in MD memory pool implementation.
A failure to free memory when flushing IO requests or stopping an MD device can
result in a memory leak.
* Stack corruption in Infiniband ICMP send control buffer management.
A failure to clear a control buffer when sending an ICMP packet over Infiniband
can result in stack corruption.
* Use-after-free in VMWare Virtual Machine Communication Interface wildcards.
A validation failure when adding VMCI resources can result in a duplicate entry
leading to refcount errors which can result in a use-after-free. A local user
with the ability to configure VMCI could use this flaw to cause a kernel crash
or potentially escalate privileges.
* Permissions bypass in Smack ptrace capability handling.
Multiple errors in capability checks for ptrace when using Smack can result in
incorrectly allowing a process to be ptraced. A local user could use this flaw
to bypass existing process restrictions.
* Deadlock in F2FS dirty page writeback handling.
A logic error when clearing flags on writeback buffers can result in a count
mismatch and lead to an IO deadlock.
* Out-of-bounds access in iwlwifi rate management.
A failure to handle an error case can result in an out-of-bounds memory access,
leading to undefined behavior or a kernel crash.
* Kernel crash in pmem disk bad block initialization.
A logic error when initializing bad block information for a pmem device can
result in the use of uninitialized memory, leading to a kernel crash or
undefined behavior.
* Permissions bypass in EXT4 quota management.
Incorrect checks when modifying the project of an inode can result in a bypass
of quota restrictions on an EXT4 filesystem. A local user could use this flaw
to bypass filesystem quota limits.
* Out-of-bounds access in 32-bit siginfo read.
A type error can result in an out-of-bounds memory access when reading a 32-bit
siginfo structure from userspace. A local user could use this flaw to cause a
kernel crash or other undefined behavior.
* Denial-of-service in smaps_rollup sysfs interface.
A logic error when iterating over mappings can result in a NULL pointer
dereference, leading to a kernel crash. A local user could use this flaw to
cause a denial-of-service.
* Denial-of-service in heterogeneous memory page faulting.
A type confusion error in page table management for heterogeneous memory
devices can result in an endless page fault loop. A local user with access to a
heterogeneous memory device could use this flaw to cause a denial-of-service.
* Kernel crash in heterogeneous memory unregistration.
A race condition when unregistering a heterogeneous memory region can result in
a NULL pointer dereference, leading to a kernel crash.
* Deadlock in NFS page IO error handling.
A failure to handle errors when performing page IO can result in a missing
unlock, leading to a deadlock of a page.
* Memory leak in NFS delegation management.
A failure to decrement a reference count when allocating a new delegation can
result in a memory leak.
* Denial-of-service in V4L2 Test Pattern Generator.
A type error when displaying test patterns in V4L2 can result in an
out-of-bounds memory access, leading to a kernel crash. A local user could use
this flaw to cause a denial-of-service.
* Out-of-bounds access in TVP5150 V4L2 driver menu query.
A logic error when creating menu items in the TVP5150 V4L2 driver can result in
an out-of-bounds memory access, leading to a kernel crash or other undefined
behavior.
* Kernel crash during IO error handling in BTRFS shutdown.
A logic error when encountering an IO error during unmount of a BTRFS
filesystem can result in a NULL pointer dereference, leading to a kernel crash.
* Deadlock in BTRFS space cache allocation.
A failure to prevent disk IO when allocating memory for space cache inodes can
result in a deadlock.
* Denial-of-service in BTRFS hole management.
An assertion failure in BTRFS hole management when a filesystem is mounted with
the no-holes flag can result in a kernel crash. A local user with the ability
to access a BTRFS filesystem could use this flaw to cause a denial-of-service.
* Use-after-free during BTRFS inode eviction.
A race condition when evicting an inode from a BTRFS filesystem can result in a
use-after-free. A local user with access to a BTRFS filesystem could use this
flaw to cause a kernel crash.
* CVE-2018-16882: Privilege escalation in nested Intel KVM interrupts.
A use-after-free in the Intel KVM posted interrupt handling code could
allow a privileged user in a guest to gain code execution on the L1
hypervisor.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.