[Ksplice][Ubuntu-18.10-Updates] New Ksplice updates for Ubuntu 18.10 Cosmic (USN-3878-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Feb 19 10:15:14 PST 2019


Synopsis: USN-3878-1 can now be patched using Ksplice
CVEs: CVE-2018-14625 CVE-2018-16882 CVE-2018-19407 CVE-2018-19854

Systems running Ubuntu 18.10 Cosmic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3878-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.10
Cosmic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
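As an added example (not part of the Ksplice notice or of the Uptrack tooling), the small POSIX shell script below checks the "autoinstall" setting in /etc/uptrack/uptrack.conf (path taken from the notice) and reports whether the manual uptrack-upgrade step is needed. It assumes the file uses "key = value" lines with "#" comments, and it never runs uptrack-upgrade itself; the sample config files it creates are constructed for the demonstration.

```shell
# Added example, not from the Ksplice notice: report whether the manual
# "/usr/sbin/uptrack-upgrade -y" step is required, based on the
# "autoinstall" key in an uptrack.conf-style file (assumed "key = value"
# format with "#" comments). Nothing here runs uptrack-upgrade.

# Print the effective "autoinstall" value from the given file:
# comment/blank lines are ignored, whitespace around "=" is tolerated,
# the value is lower-cased, and the last occurrence wins (assumption).
uptrack_autoinstall() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "unreadable"
        return 0
    fi
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" \
          | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ -n "$val" ]; then
        echo "$val"
    else
        echo "unset"
    fi
}

# Exit status 0 when an operator must run uptrack-upgrade by hand
# (autoinstall is anything other than "yes"); 1 when Uptrack will
# install the updates on its own.
needs_manual_upgrade() {
    case "$(uptrack_autoinstall "$1")" in
        yes) return 1 ;;
        *)   return 0 ;;
    esac
}

# Constructed sample configs, one per outcome, reported and then removed.
demo_dir=$(mktemp -d)
printf '# constructed sample: updates applied automatically\nautoinstall = yes\n' \
    > "$demo_dir/auto.conf"
printf '# constructed sample: operator applies updates by hand\nautoinstall = no   # trailing comment\n' \
    > "$demo_dir/manual.conf"

for f in "$demo_dir/auto.conf" "$demo_dir/manual.conf"; do
    if needs_manual_upgrade "$f"; then
        echo "$f: autoinstall=$(uptrack_autoinstall "$f") -> run /usr/sbin/uptrack-upgrade -y"
    else
        echo "$f: autoinstall=yes -> updates install automatically"
    fi
done
rm -rf "$demo_dir"
```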


DESCRIPTION

* Improved fix for Spectre v1: bounds-check bypass in PTP clock driver.

A missing use of the indirect call protection macro in the PTP clock
driver could lead to speculative execution. A local attacker could use
this flaw to leak information about the running system.


* Improved fix for Spectre v1: bounds-check bypass in Infiniband driver.

A missing use of the indirect call protection macro in the Infiniband
driver could lead to speculative execution. A local attacker could use
this flaw to leak information about the running system.


* Use-after-free when mounting a JFFS2 filesystem with an invalid mount option.

A missing free of resources when mounting a JFFS2 filesystem with an
invalid mount option could lead to a use-after-free. A local attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service when using an ioctl of the LSI Logic MegaRAID SAS RAID module.

A missing check when using the FIRMWARE32 ioctl of the LSI Logic MegaRAID
SAS RAID module could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.


* Use-after-free in the journaling layer for block devices.

A locking error in the journaling layer for block devices could lead to
a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when mounting a GFS2 filesystem.

A missing check on user input when mounting a GFS2 filesystem could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Improved fix for Spectre v1: bounds-check bypass in Human Input Device driver.

Information controlled by userspace can be used to disclose kernel
memory via speculation in the Human Input Device driver. A local user
could use this flaw to facilitate a further attack on the system.


* Out-of-bounds access in LRW crypto driver.

A logic error in LRW crypto driver could lead to an overflow and an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when using the security filesystem of the Integrity Measurement Architecture.

An array size issue when using the security filesystem of the Integrity
Measurement Architecture could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* Reserved page accounting imbalance with hugetlbfs mappings.

Incorrect handling of dirty hugetlbfs pages could result in a reserved
page count underflow when dropping filesystem caches under specific
conditions.


* Denial-of-service when closing the NFSD transport layer.

A logic error when closing the NFSD transport layer could lead to a
kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access in a print statement in the lockd driver.

A logic error in a print statement in the lockd driver could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using an ioctl of the multiple devices (MD) driver.

A logic error when using an ioctl of the multiple devices (MD) driver
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service in the Xen block backend driver when finding a queue.

Failure to reset the number of rings when handling a low memory condition
in the Xen block backend driver could lead to a kernel panic.


* Out-of-bounds access when using a crafted CRAMFS filesystem.

A logic error when reading block offsets in a CRAMFS filesystem could
lead to an out-of-bounds access. A local attacker could use a crafted
CRAMFS filesystem to cause a denial-of-service.


* Denial-of-service when walking up a BTRFS tree.

A logic error when walking up a BTRFS tree could lead to a kernel assert.
A local attacker could use this flaw and a crafted BTRFS filesystem to
cause a denial-of-service.


* Denial-of-service when allocating a BTRFS tree.

A missing check when allocating a BTRFS tree could cause a deadlock. A
local attacker could use this flaw with a crafted BTRFS filesystem to
cause a denial-of-service.


* Denial-of-service when using caching on a BTRFS filesystem.

A logic error when using caching on a BTRFS filesystem could lead to a
kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when compressing in a BTRFS filesystem.

A logic error when compressing in a BTRFS filesystem could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when dumping free space in a BTRFS filesystem.

A locking issue when dumping free space in a BTRFS filesystem could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access in AMD GPU gamma updates.

An incorrect loop termination when updating gamma controls could result
in an out-of-bounds memory access and kernel crash.


* NULL pointer dereference in TTY driver lookup.

Incorrect string validation could result in a NULL pointer dereference
and kernel crash when looking for a polling console driver.


* Undefined behaviour in UDF read-write remounting.

Failure to check features when remounting a UDF filesystem as read-write
could allow the filesystem to be mounted writable when certain features
should prohibit mounting.  This flaw could allow a local user to trigger
untested and unsupported features.


* Use-after-free in Plan9 network protocol statistics cleanup.

Failure to reinitialize pointers on Plan9 statistics cleanup could
result in a use-after-free and kernel crash.


* Kernel crash in OverlayFS file handle verification.

Incorrect error handling in the OverlayFS file handle verification could
result in dereferencing an invalid pointer and a subsequent kernel
crash.


* Denial-of-service in OverlayFS file removal.

Failure to correctly handle file removal from an OverlayFS upper level
could result in a kernel crash.  A local, unprivileged user could use
this flaw to cause a denial of service.


* Use-after-free in FUSE filesystem device reads and writes.

A race condition when performing reads and writes to a FUSE filesystem
device could result in a use-after-free and kernel crash.


* Task hang in FUSE filesystem request completion.

Incorrect synchronization could result in failure to wake up a task on
FUSE filesystem request completion leading to application hangs.


* Deadlock in OverlayFS file links.

Recursive locking in the OverlayFS file linking code could result in
deadlock.  A local, unprivileged user could use this flaw to crash the
system.


* Use-after-free in Ceph dentry splicing.

Incorrect reference counting could result in a use-after-free and kernel
crash when splicing a Ceph dentry to an inode.


* Use-after-free in SCSI request completion.

A race condition between request completion and queue cleanup could
result in a kernel crash under specific conditions.


* Use-after-free in OCFS2 metadata corruption cleanup.

Incorrect reference counting could result in a use-after-free of a block
buffer head.


* Kernel crash in OCFS2 direct IO failure.

Failure to correctly free resources on direct IO failure could result in
triggering a kernel assertion and a kernel crash.


* Kernel crash in memory hotplug removal with NMI watchdog.

Insufficient scheduling in the memory hotplug removal code could result
in triggering the NMI watchdog and kernel panic during removal of a
large memory device.


* Kernel crash in TTY baud rate setting.

Missing bounds checking in the TTY baud rate setting code could result
in an out-of-bounds access and kernel crash or information leak.


* BTRFS filesystem corruption in transaction aborts.

Missing locking when destroying a pinned extent could result in
filesystem corruption during transaction aborts.


* Kernel crash in BTRFS copy-on-write failure.

Incorrect cleanup during copy-on-write failure for a BTRFS filesystem
could result in triggering a kernel assertion and crash.


* Task hang in BTRFS file deduplication.

A logic error when handling deduplication of blocks between two files
could result in an infinite loop and a task hang.


* BTRFS file corruption during block cloning.

Failure to clone the final block of a file could result in data
corruption of the cloned file under specific conditions.


* Denial-of-service in EXT4 buffer management.

Multiple buffer leaks in the EXT4 filesystem could result in resource
leaks and a denial of service.


* Information leak via bind mount manipulation.

A logic error when checking mount permissions can result in a namespaced
process being able to view filesystem content outside of its namespace.
A local user could use this flaw to view restricted information.


* Use-after-free in FUSE asynchronous direct IO.

A use-after-free when performing FUSE asynchronous direct IO operations
could result in a kernel crash.  A local, unprivileged user could use
this flaw to crash the system.


* Resource leak in FUSE filesystem notification response.

Missing error handling could result in a resource leak and unkillable
tasks under specific conditions during connection reset.


* Out-of-bounds access in SELinux SCTP connect().

Missing validation in the SELinux SCTP connect hook could result in
dereferencing invalid memory leading to a kernel crash or information
leak.


* Memory leak in GFS2 filesystem bitmap buffers.

Missing resource frees for a GFS2 filesystem could result in a memory
leak.  A local user with privileges to mount a filesystem could use this
flaw to exhaust system memory.


* CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.

Incorrect string copying in the NETLINK_CRYPTO report could result in
leaking the contents of kernel stack memory to an unprivileged local
user.


* Kernel crash in HugeTLB copying during unsharing.

A race condition when changing the protections of a HugeTLB page and
forking the process could result in triggering a kernel assertion and
crash.


* Denial-of-service during TTY reopen.

A locking error in the TTY subsystem can result in a NULL pointer dereference
if a TTY device is reopened whilst it's in use. A local user with access to a
TTY device could use this flaw to cause a kernel crash, leading to a
denial-of-service.


* CVE-2018-19407: Denial-of-service in KVM IOAPIC scan.

A missing safety check in KVM's IOAPIC scan path can cause the kernel
to attempt to access certain objects that have not been initialized.  This
can cause unexpected behavior, including a potential system crash.


* CVE-2018-14625: Kernel information leak when releasing a vsock.

A use-after-free bug when releasing an AF_VSOCK socket may allow an
attacker to read kernel memory from inside a VM guest. This could be
exploited to leak privileged information and possibly impersonate
AF_VSOCK messages destined to other clients.


* Out-of-bounds access in USB-IP hub control.

A failure to validate a port index supplied from userspace can result in an
out-of-bounds memory access. A local user could use this flaw to cause a kernel
crash.


* Kernel crash in DRM CRTC modesetting configuration.

A failure to handle an error case when performing CRTC modesetting can result
in a use-after-free, leading to a kernel crash.


* Use-after-free during NVMe sibling removal.

A race condition between removing an NVMe namespace sibling and performing IO
operations on that sibling can result in a use-after-free. A local user with
the ability to configure an NVMe device could use this flaw to cause a kernel
crash or potentially escalate privileges.


* Kernel crash in eBPF XDP socket destruction.

A logic error when destroying XDP sockets with associated eBPF XSKMAPs can
result in a sleep-in-atomic, leading to a kernel crash.


* Denial-of-service in LightNVM state interface.

Incorrect locking in the LightNVM driver can result in multiple race conditions
which could lead to a kernel crash. A local user with access to a LightNVM
device could use this flaw to cause a denial-of-service.


* Memory leak in MD memory pool implementation.

A failure to free memory when flushing IO requests or stopping an MD device can
result in a memory leak.


* Stack corruption in Infiniband ICMP send control buffer management.

A failure to clear a control buffer when sending an ICMP packet over Infiniband
can result in stack corruption.


* Use-after-free in VMWare Virtual Machine Communication Interface wildcards.

A validation failure when adding VMCI resources can result in a duplicate entry
leading to refcount errors which can result in a use-after-free. A local user
with the ability to configure VMCI could use this flaw to cause a kernel crash
or potentially escalate privileges.


* Permissions bypass in Smack ptrace capability handling.

Multiple errors in capability checks for ptrace when using Smack can result in
incorrectly allowing a process to be ptraced. A local user could use this flaw
to bypass existing process restrictions.


* Deadlock in F2FS dirty page writeback handling.

A logic error when clearing flags on writeback buffers can result in a count
mismatch and lead to an IO deadlock.


* Out-of-bounds access in iwlwifi rate management.

A failure to handle an error case can result in an out-of-bounds memory access,
leading to undefined behavior or a kernel crash.


* Kernel crash in pmem disk bad block initialization.

A logic error when initializing bad block information for a pmem device can
result in the use of uninitialized memory, leading to a kernel crash or
undefined behavior.


* Permissions bypass in EXT4 quota management.

Incorrect checks when modifying the project of an inode can result in a bypass
of quota restrictions on an EXT4 filesystem. A local user could use this flaw
to bypass filesystem quota limits.


* Out-of-bounds access in 32-bit siginfo read.

A type error can result in an out-of-bounds memory access when reading a 32-bit
siginfo structure from userspace. A local user could use this flaw to cause a
kernel crash or other undefined behavior.


* Denial-of-service in smaps_rollup sysfs interface.

A logic error when iterating over mappings can result in a NULL pointer
dereference, leading to a kernel crash. A local user could use this flaw to
cause a denial-of-service.


* Denial-of-service in heterogeneous memory page faulting.

A type confusion error in page table management for heterogeneous memory
devices can result in an endless page fault loop. A local user with access to a
heterogeneous memory device could use this flaw to cause a denial-of-service.


* Kernel crash in heterogeneous memory unregistration.

A race condition when unregistering a heterogeneous memory region can result in
a NULL pointer dereference, leading to a kernel crash.


* Deadlock in NFS page IO error handling.

A failure to handle errors when performing page IO can result in a missing
unlock, leading to a deadlock of a page.


* Memory leak in NFS delegation management.

A failure to decrement a reference count when allocating a new delegation can
result in a memory leak.


* Denial-of-service in V4L2 Test Pattern Generator.

A type error when displaying test patterns in V4L2 can result in an
out-of-bounds memory access, leading to a kernel crash. A local user could use
this flaw to cause a denial-of-service.


* Out-of-bounds access in TVP5150 V4L2 driver menu query.

A logic error when creating menu items in the TVP5150 V4L2 driver can result in
an out-of-bounds memory access, leading to a kernel crash or other undefined
behavior.


* Kernel crash during IO error handling in BTRFS shutdown.

A logic error when encountering an IO error during unmount of a BTRFS
filesystem can result in a NULL pointer dereference, leading to a kernel crash.


* Deadlock in BTRFS space cache allocation.

A failure to prevent disk IO when allocating memory for space cache inodes can
result in a deadlock.


* Denial-of-service in BTRFS hole management.

An assertion failure in BTRFS hole management when a filesystem is mounted with
the no-holes flag can result in a kernel crash. A local user with the ability
to access a BTRFS filesystem could use this flaw to cause a denial-of-service.


* Use-after-free during BTRFS inode eviction.

A race condition when evicting an inode from a BTRFS filesystem can result in a
use-after-free. A local user with access to a BTRFS filesystem could use this
flaw to cause a kernel crash.


* CVE-2018-16882: Privilege escalation in nested Intel KVM interrupts.

A use-after-free in the Intel KVM posted interrupt handling code could
allow a privileged user in a guest to gain code execution on the L1
hypervisor.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
