[Ksplice][Ubuntu-19.04-Updates] New Ksplice updates for Ubuntu 19.04 Disco (USN-4069-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Aug 6 03:22:30 PDT 2019


Synopsis: USN-4069-1 can now be patched using Ksplice
CVEs: CVE-2019-11487 CVE-2019-11833 CVE-2019-11884

Systems running Ubuntu 19.04 Disco can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4069-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.04
Disco install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* NULL pointer dereference during Echo Audio driver initialization.

A failure to ensure that an ioremap operation was successful can lead to
a NULL pointer dereference in snd_echo_create.  This could potentially
be used to cause a denial-of-service.


* Potential panic in Infiniband driver while handling inetdev event.

A failure to check if a pointer is set before attempting to dereference
it can lead to a NULL pointer dereference in the i40iw driver's inetdev
event processing path.  This flaw could potentially be used to cause a
denial-of-service.


* NULL pointer dereference in SCSI ioctl handler path.

Some incorrect assumptions about the existence of a SCSI request's CPU
pointer can lead to a NULL dereference when handling certain ioctl()s.
This could potentially cause a denial-of-service.


* Filesystem data corruption during certain ext4 operations.

Under certain conditions, it is possible for an ext4 filesystem to
attempt to clear out unused space using information gathered from stale
metadata.  This could lead to portions of filesystem data being erased
unexpectedly.


* Potential system crash in f2fs extended attribute code.

Several functions in the f2fs code related to extended file attributes
attempt to free memory improperly, which can lead to a kernel panic.
This flaw could potentially be exploited by a malicious local user
to cause a denial-of-service.


* Improved fix for Spectre v1: Information leak in ATM LAN emulation driver.

A failure to sanitize a user controlled array index in the Asynchronous
Transfer Mode LAN emulation driver can lead to kernel memory being
leaked to userspace.  A local attacker could exploit this flaw to leak
information about the running system.


* Use-after-free in the Foo-over-UDP driver's packet receive path.

In certain cases, it's possible for the FOU driver to attempt to access
packet header data which may have already been freed.  This can cause
a system to exhibit unexpected behavior, and could lead to a
denial-of-service.


* Memory leak during TLS context structure teardown.

A logic error in the code path that handles the freeing of certain
structures used for TLS transactions can result in a memory leak.  This
flaw could potentially be exploited to waste system resources and
degrade performance.


* Denial-of-service in Stream Parser receive path.

A flaw exists in the Stream Parser's receive path that can lead to a
stack overflow, and a potential kernel panic.  A remote attacker could
potentially exploit this flaw to cause a denial-of-service.


* NULL dereference during IPv6 PMTU update.

A failure to check if a pointer is set before attempting to access it
can lead to a NULL pointer dereference in the IPv6 PMTU update path.
This could potentially cause a denial-of-service.


* Out-of-bounds access during CIFS mount.

A subtle error in handling certain combinations of mount options can
cause an out-of-bounds access in the CIFS mount path.  This could cause
a system to exhibit unexpected behavior, and may lead to a
denial-of-service.


* Memory leak in CIFS symlink query path.

A failure to close a file handle under certain conditions can lead to
a memory leak in the CIFS code path that deals with symlinks.  This
flaw could potentially be exploited by a malicious local user to waste
system resources and degrade performance.


* Guest VM leaks bits into host control register, causing host to panic.

In the event that a guest VM schedules out during a machine check error,
the host's XCR0 register may get populated with incorrect values.  This
will cause a general protection fault on the host, leading to a
denial-of-service.


* Potential deadlock in MT76 driver's transmit path.

A lock ordering issue in the MT76 driver core can lead to a deadlock
in certain cases.  This could be used to cause a denial-of-service.


* Memory leak in CIFS file read path.

When SMB2_read encounters certain types of errors, small portions of
memory are not properly freed, leading to a memory leak.  This could
potentially be exploited by a local or remote attacker to waste system
resources and degrade performance.


* Denial-of-service to filesystem in CIFS rename code path.

If a path-based rename fails with EBUSY in cifs_do_rename on an SMB2+
mount, the kernel will attempt to fall back to using the SMB protocol,
which will force a session close.  This could be exploited by a
malicious attacker to disrupt service to the filesystem.


* Denial-of-service during CEPH request creation.

Improper locking in the CEPH filesystem's create_request_message path
can cause a kernel BUG to be triggered under certain conditions. This
could potentially be exploited to cause a denial-of-service.


* Multiple denial-of-service vectors in ext4 filesystem core.

Several logic errors in various ext4 error paths can cause the kernel
to attempt to treat certain error codes as pointers.  These flaws could
potentially be used to cause a denial-of-service.


* Use of uninitialized data during TIPC error handling.

Improper handling of an error case in tipc_nl_compat_dumpit can lead to
uninitialized data being accessed.  This could cause a bad paging
request, leading to a kernel panic and denial-of-service.


* Multiple denial-of-service vectors in TIPC command handler.

Improper length checks while handling certain TIPC commands can cause
uninitialized data to be accessed.  A remote attacker could potentially
exploit these flaws to cause a denial-of-service.


* Use of uninitialized data in RDS bind/connect paths.

An incorrect length check in the rds_bind/connect code paths can cause
the kernel to attempt to access uninitialized data.  This flaw could be
exploited by a malicious local user to cause unexpected behavior,
including a potential denial-of-service.


* Potential NULL pointer dereference in RxRPC packet receive path.

Missing RCU protections in rxrpc_input_packet can lead to a NULL
pointer dereference and subsequent kernel panic.  This could be used
to cause a denial-of-service.


* Out-of-bounds memory access in IPv4 link failure path.

Missing sanity checks in the ipv4_link_failure can lead to
out-of-bounds memory accesses.  This could cause a system to exhibit
unexpected behavior, and could potentially be exploited to cause a
denial-of-service.


* Potential denial-of-service while processing loopback data in Rose driver.

A failure to properly rate-limit the processing of the ROSE driver's
loopback_queue can lead to CPU lockups when the queue grows large.
This flaw could potentially be exploited by an attacker to cause a
denial-of-service.


* Multiple use-after-free scenarios in Mellanox driver while handling XDP packets.

Logic errors in the Mellanox driver's code paths which handle XDP traffic can
result in use-after-free scenarios.  These flaws could potentially be exploited
to cause a denial-of-service or other unexpected behavior.


* Potential deadlock in TLS device offload path.

Improper locking in the TLS driver's tls_set_device_offload_rx function
can lead to a deadlock.  This could potentially be used to cause a
denial-of-service.


* CVE-2019-11884: Information leak in Bluetooth HIDP HIDPCONNADD ioctl().

Missing string termination in the Bluetooth HIDP HIDPCONNADD ioctl()
could result in leaking the contents of the kernel stack to a local
user.
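The termination problem described above, as an added illustration rather than the kernel's own code: a fixed-size name copied with strncpy (which writes no terminator once the source fills the buffer) beside a copy that always terminates, in the spirit of strscpy(). The buffer size, function names and the 'X' fill standing in for stale stack bytes are all constructed here.

```c
/* Added illustration, not kernel code: an unterminated strncpy() copy
 * beside a copy that always terminates. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16

/* Reports whether the copied name carries a terminator inside the buffer.
 * A reader that trusts it as a C string would otherwise keep reading into
 * whatever lies after the buffer, which is how stack contents leak. */
static bool name_is_terminated(const char *name)
{
    return memchr(name, '\0', NAME_LEN) != NULL;
}

/* Weak copy: strncpy() stops after NAME_LEN bytes and writes no
 * terminator when strlen(src) >= NAME_LEN. */
static void copy_name_weak(char name[NAME_LEN], const char *src)
{
    strncpy(name, src, NAME_LEN);
}

/* Hardened copy: truncate to NAME_LEN - 1 bytes and always terminate.
 * Returns the number of bytes copied (terminator excluded). */
static size_t copy_name_safe(char name[NAME_LEN], const char *src)
{
    size_t n = strnlen(src, NAME_LEN - 1);
    memcpy(name, src, n);
    name[n] = '\0';
    return n;
}

/* Helpers that run each copy over a buffer pre-filled with a constructed
 * "stale stack" pattern and report whether the result is terminated. */
static bool weak_copy_terminated(const char *src)
{
    char name[NAME_LEN];
    memset(name, 'X', sizeof name);
    copy_name_weak(name, src);
    return name_is_terminated(name);
}

static bool safe_copy_terminated(const char *src)
{
    char name[NAME_LEN];
    memset(name, 'X', sizeof name);
    copy_name_safe(name, src);
    return name_is_terminated(name);
}
```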


* Integer overflow when building the bitmap of idle pages.

An integer overflow when aligning the last page frame number of a file
mapped in memory when building the bitmap of idle pages could lead to
undefined behaviour.  A local attacker could use this flaw to cause a
kernel crash or potentially access memory otherwise protected.


* CVE-2019-11833: Information leak in ext4 extent tree block.

A missing zeroing of uninitialized memory in an ext4 extent tree block
could lead to an information leak. A local attacker could use this flaw
to leak information about the running kernel and facilitate an attack.


* Denial-of-service when discovering expander in SAS Domain Transport Attributes fails.

A logic error when discovery of an expander in SAS Domain Transport
Attributes fails could lead to a kernel assert. A local attacker could
use this flaw to cause a denial-of-service.


* NULL pointer dereference when attaching Velleman VM110/VM140 USB Board fails.

A logic error when attaching a Velleman VM110/VM140 USB Board fails could
lead to use of an uninitialized semaphore and a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* Double free when allocating tx buffer using Velleman VM110/VM140 USB Board.

A logic error when allocating a tx buffer for the Velleman VM110/VM140 USB
Board fails could lead to a double free. A local attacker could use this
flaw to cause a denial-of-service.


* Double free when allocating rx buffer using National Instruments USB-6501 device.

A logic error in the error path when allocating an rx buffer for a National
Instruments USB-6501 device fails could lead to a double free. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when using Intel(R) Trace Hub controller.

A logic error when using Intel(R) Trace Hub controller could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2019-11487: Invalid memory access when overflowing pages refcount.

A reference count issue could let an attacker overflow a page's reference
count, leading to invalid memory accesses. A local attacker could use
this flaw to cause a denial-of-service.
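Why an overflowed reference count turns into an invalid memory access, as an added illustration that is not the kernel's own code: a plain 32-bit counter that wraps beside a saturating counter in the style of the kernel's refcount_t. The starting value and the number of extra holders are a constructed scenario, and all names are hypothetical.

```c
/* Added illustration, not kernel code: a wrapping counter beside a
 * saturating one. All names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REF_SATURATED UINT32_MAX

/* Plain counter: incrementing past UINT32_MAX silently wraps to 0. */
static void plain_inc(uint32_t *count) { (*count)++; }

/* Returns true when the count reaches zero, i.e. the object would be freed. */
static bool plain_dec_and_test(uint32_t *count) { return --(*count) == 0; }

/* Saturating counter: once pinned at REF_SATURATED it never moves again,
 * so the object leaks instead of being freed while still referenced. */
static void sat_inc(uint32_t *count)
{
    if (*count >= REF_SATURATED - 1)
        *count = REF_SATURATED;   /* about to overflow, or already pinned */
    else
        (*count)++;
}

static bool sat_dec_and_test(uint32_t *count)
{
    if (*count == REF_SATURATED)
        return false;             /* pinned: can never reach zero */
    return --(*count) == 0;
}

/* Take `extra` references on a counter already holding `start`, then let
 * one holder drop its reference. Returns true if that single drop reports
 * "last reference" even though other holders still exist: the object is
 * freed while in use, and every remaining holder now touches freed memory. */
static bool plain_frees_early(uint32_t start, unsigned extra)
{
    uint32_t c = start;
    for (unsigned i = 0; i < extra; i++)
        plain_inc(&c);
    return plain_dec_and_test(&c);
}

static bool sat_frees_early(uint32_t start, unsigned extra)
{
    uint32_t c = start;
    for (unsigned i = 0; i < extra; i++)
        sat_inc(&c);
    return sat_dec_and_test(&c);
}

int main(void)
{
    /* Constructed scenario: the counter is one short of wrapping and
     * three more holders arrive. */
    uint32_t start = UINT32_MAX - 1;
    printf("plain counter frees early: %s\n",
           plain_frees_early(start, 3) ? "yes" : "no");
    printf("saturating counter frees early: %s\n",
           sat_frees_early(start, 3) ? "yes" : "no");
    return 0;
}
```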


* NULL pointer dereference when matching IPV6 Segment Routing Header (SRH) parameters.

A missing check when matching IPV6 Segment Routing Header (SRH)
parameters could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* NULL pointer dereference when transmitting data over Realtek RTL8188EU Wireless LAN NIC.

A missing check when transmitting data over Realtek RTL8188EU Wireless
LAN NIC could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* NULL pointer dereference when allocating skb fails in Realtek RTL8822BE Wireless Network Adapter driver.

A missing check when allocating skb fails in Realtek RTL8822BE Wireless
Network Adapter driver could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when reading network traffic control chain index.

A logic error when reading network traffic control chain index could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* NULL pointer dereference when using the bitmap library.

A race condition when using the bitmap library could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when binding socket in QLogic ISP4XXX and ISP82XX host adapter family driver.

A missing check when binding socket in QLogic ISP4XXX and ISP82XX host
adapter family driver could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Invalid memory access when using SATA Zero Power Optical Disc Drive driver.

Usage of on-stack buffer for DMA transfers in SATA Zero Power Optical
Disc Drive driver could lead to invalid memory accesses. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when using IPSec XFRM cryptography-offload acceleration with non-IPsec hardware.

A missing check when using IPSec XFRM cryptography-offload acceleration
with non-IPsec hardware could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.


* Use-after-free when handling IPV6 routes.

Multiple errors when handling IPV6 routes could lead to a use-after-free.
A local attacker could use this flaw to cause a denial-of-service.


* Permission bypass when using ipv6 flowlabel manager.

A logic error when using the ipv6 flowlabel manager could let a process
with a recycled PID configure a flowlabel owned by a previous process
that had the same PID.


* Use-after-free when getting reference on tunnel in Layer Two Tunneling Protocol.

A reference count error when getting reference on tunnel in Layer Two Tunneling
Protocol (L2TP) could lead to a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.


* Out-of-bounds access in Broadcom Starfighter 2 Ethernet switch driver.

A missing check on user input when using Broadcom Starfighter 2 Ethernet
switch driver could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.


* Out-of-bounds access when getting stats in Marvell PHYs driver.

A logic error when getting stats in Marvell PHYs driver could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when handling skb in Transport Layer Security HW offload driver.

A logic error when handling skb in Transport Layer Security HW offload
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Use-after-free in RxRPC session sockets network namespace cleanup.

A locking error in RxRPC session sockets network namespace cleanup could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* Invalid memory access during open in Broadcom NetXtreme-C/E driver.

A missing check after an error occurs when opening a Broadcom
NetXtreme-C/E interface could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.


* Buffer overflow in reencrypt path of Transport Layer Security driver.

A logic error in reencrypt path of Transport Layer Security driver could
lead to a buffer overflow. A local attacker could use this flaw to cause
a denial-of-service.


* Invalid memory accesses when using Line 6 POD USB driver.

Usage of on-stack buffer for DMA transfer in Line 6 POD USB driver could
lead to invalid memory accesses. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when creating debugfs for Intel Wireless WiFi MVM Firmware driver.

A missing check when creating debugfs for Intel Wireless WiFi MVM
Firmware driver could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Use-after-free when setting seccomp filter.

A logic error when setting seccomp filter could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access when renaming debugfs in Generic IEEE 802.11 Networking Stack.

A missing check when renaming debugfs in Generic IEEE 802.11 Networking
Stack could lead to an invalid memory access. A local attacker could use
this flaw to cause a denial-of-service.


* Use-after-free when removing a USB Yurex device.

A logic error when removing a USB Yurex device could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when connecting DS2490 USB to W1 transport layer for 1-wire.

A logic error when connecting DS2490 USB to W1 transport layer for
1-wire could lead to an out-of-bounds access. A local attacker could
use this flaw to cause a denial-of-service.


* Out-of-bounds access when getting USB string descriptor.

A logic error when getting USB string descriptor could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when initializing Logitech HID++ devices driver.

A missing check when initializing Logitech HID++ devices driver could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Use-after-free in B.A.T.M.A.N. Advanced Meshing Protocol.

Multiple reference count errors in the B.A.T.M.A.N. Advanced Meshing
Protocol could lead to use-after-free conditions. A local attacker could
use these flaws to cause a denial-of-service.


* Denial-of-service when registering Intel(R) 10GbE PCI Express fails.

A logic error when registering Intel(R) 10GbE PCI Express fails could
lead to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access when using Mellanox Technologies MLX5 SRIOV E-Switch driver.

A missing zeroing of data when using Mellanox Technologies MLX5 SRIOV
E-Switch driver could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.


* Out-of-bounds access when receiving data over STMicroelectronics 10/100/1000/EQOS Ethernet interface.

A wrong DMA configuration when receiving data over STMicroelectronics
10/100/1000/EQOS Ethernet interface could lead to an out-of-bounds
access. A remote attacker could use this flaw to cause a
denial-of-service.


* Memory leak when initializing hardware queue in block device driver.

A missing free of resources when initializing hardware queue in block
device driver could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* Information leak in reencrypt path of Transport Layer Security driver.

A logic error in reencrypt path of Transport Layer Security driver could
lead to an information leak. A local attacker could use this flaw to
leak previously encrypted data.


* Buffer overflow when using SVM guest debug commands.

A missing check when using SVM guest debug commands could lead to a
buffer overflow. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when creating node on a hugetlb filesystem.

A logic error when creating node on a hugetlb filesystem could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Memory leak on command abort in InfiniBand SCSI RDMA Protocol driver.

A logic error on command abort in InfiniBand SCSI RDMA Protocol driver
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* Use-after-free when using Infiniband Security Hooks.

A logic error when using Infiniband Security Hooks could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when creating MAD agents in Infiniband Security Hooks.

A missing free of resources when creating MAD agents in Infiniband
Security Hooks could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* Memory leak when creating a queue pair fails in Infiniband driver.

A missing free of resources when creating a queue pair fails in
Infiniband driver could lead to a memory leak. A local attacker could
use this flaw to cause a denial-of-service.


* NULL pointer dereference when releasing resources in ALSA SoC Dynamic Audio Power Management.

A missing check when releasing resources in ALSA SoC Dynamic Audio Power
Management could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* NULL pointer dereference when freeing resources in PCI driver for virtio devices.

A missing check when freeing resources in PCI driver for virtio devices
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* Memory leak when unregistering VMware Paravirtualized RDMA driver.

A missing free of resources when unregistering VMware Paravirtualized
RDMA driver could lead to a memory leak.  A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* Use-after-free when changing interrupt affinity notifier.

A logic error when changing interrupt affinity notifier could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when setting region-size in QLogic QLA2XXX Fibre Channel driver.

A logic error when setting region-size in QLogic QLA2XXX Fibre Channel
driver could lead to an out-of-bounds access. A local attacker could use
this sysfs entry to cause a denial-of-service.


* NULL pointer dereference when enabling Bluetooth controller power using Broadcom protocol.

A missing check when enabling Bluetooth controller power using Broadcom
protocol could lead to a NULL pointer dereference on Intel Macs. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference on DMA setup fail in Audio Intel SST Firmware Loader.

A missing check on DMA setup fail in Audio Intel SST Firmware Loader
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* Buffer overflow when parsing some /proc/sys entries.

A logic error when parsing some /proc/sys entries could lead to a buffer
overflow. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when cancelling request in NVMe driver.

A logic error when cancelling request in NVMe driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.