[Ksplice][Ubuntu-19.04-Updates] New Ksplice updates for Ubuntu 19.04 Disco (USN-4184-1)
Jamie Iles
jamie.iles at oracle.com
Mon Dec 23 03:38:42 PST 2019
Synopsis: USN-4184-1 can now be patched using Ksplice
CVEs: CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-11135 CVE-2019-15098 CVE-2019-15791 CVE-2019-15792 CVE-2019-15793 CVE-2019-15794 CVE-2019-16746 CVE-2019-17052 CVE-2019-17053 CVE-2019-17054 CVE-2019-17055 CVE-2019-17056 CVE-2019-17666 CVE-2019-18806 CVE-2019-19076 CVE-2019-19080 CVE-2019-19081 CVE-2019-19523 CVE-2019-19525 CVE-2019-19528 CVE-2019-19533
Systems running Ubuntu 19.04 Disco can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4184-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 19.04
Disco install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2019-0155: Privilege escalation in Intel i915 graphics driver.
Missing validation of MMIO commands to the Intel i915 device driver could
result in illicit page table modifications. An attacker could use this to
access sensitive information or elevate privileges.
* CVE-2019-0154: Denial-of-service in Intel i915 graphics driver.
Due to a hardware error, the Intel i915 device state could get corrupted.
A malicious user could use this to cause denial-of-service.
* Out-of-bounds access during USB device reset.
A logic error during USB device reset could lead to an out-of-bounds
access. A local attacker could use this flaw to cause a
denial-of-service.
* Double free when disconnecting a TV Master TM5600/6000/6010 USB device.
A logic error when disconnecting a TV Master TM5600/6000/6010 USB device
while transfers are on-going could lead to a double free. A local
attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference in Xen network device error handling.
Incorrect error handling when filling fragments for a Xen network device
could result in a NULL pointer dereference and kernel crash.
* Improved fix for Spectre v1: Bounds check bypass in nl80211 CQM RSSI.
A missing use of the indirect call protection macro in the Netlink 802.11
code when updating the cqm rssi parameters could lead to speculative
execution. A local attacker could use this flaw to leak information about
the running system.
* NULL pointer dereference when accessing a revoked key.
A missing check when accessing a revoked key could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Invalid memory access in floppy disk driver.
A logic error when copying data to userspace from the floppy disk driver
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.
* Stack corruption when invoking ELF loader directly.
A logic error in the memory mapping of a process when invoking an ELF
loader directly could lead to a leak of the heap region into the stack
region and corrupt the stack. A local attacker could use this flaw to
cause a denial-of-service.
* Potential use-after-free in BPF Flow Dissector.
Improper RCU protections on certain BPF program structures can lead to
a use-after-free scenario in the Flow Dissector's program-detach path.
This could potentially cause a system to exhibit unexpected behavior,
and may result in a denial-of-service.
* Invalid memory access when probing Prodikeys MIDI device.
When connecting a Prodikeys MIDI keyboard device, the device's output is
not properly validated. A malicious device could exploit this flaw to
cause a system denial-of-service.
* Out-of-bounds read in Raw HID driver ioctl causes denial-of-service.
The hidraw_ioctl() function for raw access to generic Human Interface
Devices has missing sanitization of whether the specified device has been
removed. When used on a non-existent device, the ioctl can read memory
out of bounds and cause a denial-of-service.
* Invalid bitmap setting in malicious F2FS image causes denial-of-service.
Missing sanitization when reading segments from a Flash-Friendly
Filesystem (F2FS) mount could cause a kernel assertion failure. Mounting a
malicious image exploiting this flaw could cause a denial-of-service.
* Denial-of-service when reading corrupted XFS inode.
Missing error handling when reading data from a corrupted XFS inode with
missing copy-on-write fork verifier could result in a kernel crash.
Mounting a malicious XFS filesystem image could thereby result in a
denial-of-service.
* NULL pointer dereference in Reliable Datagram Socket binding.
Missing NULL pointer checks during binding of a Reliable Datagram Socket
could result in a NULL pointer dereference and kernel crash.
* CVE-2019-15098: NULL pointer dereference when using Atheros ath6kl USB driver.
A missing check when using the Atheros ath6kl USB driver with a malicious
USB device could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.
* CVE-2019-17052: Permission bypass when creating an Amateur Radio AX.25 Level 2 socket.
A missing check on user capabilities when creating an Amateur Radio AX.25
Level 2 socket could lead to a permission bypass.
* CVE-2019-17053: Permission bypass when creating an IEEE 802.15.4 socket.
A missing check on user capabilities when creating an IEEE 802.15.4
socket could lead to a permission bypass.
* CVE-2019-17054: Permission bypass when creating an Appletalk socket.
A missing check on user capabilities when creating an Appletalk socket
could lead to a permission bypass.
* CVE-2019-17055: Permission bypass when creating a Modular ISDN socket.
A missing check on user capabilities when creating a Modular ISDN socket
could lead to a permission bypass.
* CVE-2019-17056: Permission bypass when creating an NFC socket.
A missing check on user capabilities when creating an NFC socket could
lead to a permission bypass.
* Stack overflow when receiving packets over an ARCnet device.
A logic error when receiving packets over an ARCnet device could lead to a
stack overflow. A remote attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service when using CDC NCM driver with malicious USB device.
Missing validation of the endpoints of a CDC NCM USB device could lead
to a divide-by-zero error. A local attacker could use this flaw to
cause a denial-of-service.
* CVE-2019-19081: Memory leak when initializing virtual NIC in NFP4000/NFP6000 TC Flower offload driver.
A missing check when initialization of a virtual NIC in the NFP4000/NFP6000
TC Flower offload driver fails could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.
* Denial-of-service when using Network emulator driver.
A missing check when using the Network emulator driver could lead to a
divide-by-zero error. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service in Multi-purpose USB Networking Framework.
Missing checks on USB endpoint configuration could lead to multiple
divide-by-zero errors. A local attacker could use this flaw and a
malicious USB device to cause a denial-of-service.
* CVE-2019-19080: Memory leak on allocation failure in NFP4000/NFP6000 TC Flower offload driver.
A missing check on allocation failure in the NFP4000/NFP6000 TC Flower
offload driver could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.
* Out-of-bounds access when registering many Hauppauge HD PVR devices.
A logic error when registering many Hauppauge HD PVR devices could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.
* NULL pointer dereference when configuring ADC in ICEnsemble ICE1712 driver.
A logic error when configuring the ADC in the ICEnsemble ICE1712 driver
could lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.
* Use of uninitialized value in GSPCA-based webcam drivers.
A missing zeroing of uninitialized data in an error path of the GSPCA-based
webcam drivers could lead to using uninitialized memory. A local
attacker could use this flaw to cause a denial-of-service.
* Use-after-free when registering Silicon Labs Si470x FM Radio Receiver USB driver.
A logic error when registration of the Silicon Labs Si470x FM Radio Receiver
USB driver fails could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.
* Out-of-bounds access when registering Hauppauge HD PVR USB driver.
A missing NULL termination of a string when registering Hauppauge HD PVR
USB driver could lead to an out-of-bounds access. A local attacker could
use this flaw to cause a denial-of-service.
* Memory leak when registering Hexium Gemini frame grabber driver.
A missing free of resources when registration of the Hexium Gemini frame
grabber driver fails could lead to a memory leak. A local attacker could
use this flaw to exhaust kernel memory and cause a denial-of-service.
* Memory leak when doing USB transfers in CPiA2 Video driver.
A missing free of resources when doing USB transfers in CPiA2 Video
driver could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.
* CVE-2019-19533: Information leak in Technotrend/Hauppauge USB DEC driver.
A missing zeroing of memory when doing transfers in the Technotrend /
Hauppauge USB DEC driver could lead to an information leak. A local
attacker could use this flaw to gain information about the running kernel
and facilitate an attack.
* Use-after-free when using BTRFS tree.
A logic error when using a BTRFS tree could lead to a use-after-free. A
local attacker could use this flaw to cause a denial-of-service.
* CVE-2019-17666: Out-of-bounds access when using Realtek Wireless Network driver in P2P mode.
A logic error when using Realtek Wireless Network driver in P2P mode
could lead to an out-of-bounds access. A remote attacker within the
wireless radio range of the victim could use this flaw to cause a
denial-of-service.
* NULL pointer dereference when setting connector property in Radeon driver.
A missing check when setting connector property in Radeon driver could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.
* NULL pointer dereference in Simplified Mandatory Access Control Kernel driver.
A missing check in Simplified Mandatory Access Control Kernel (SMACK)
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* Use-after-free in BPF while freeing JITed program.
A failure to properly order operations to account for concurrent users
of the same BPF program can lead to a use-after-free scenario when
trying to unlink that program. This could potentially be exploited
to cause a system to exhibit unexpected behavior.
* NULL pointer dereference when using Option USB device.
A missing check on the device endpoint when using an Option USB device could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.
* Invalid memory access when handling v4mapped packets on IPv6 socket.
A missing check when handling v4mapped packets on an IPv6 socket could lead
to an invalid memory access. A local attacker could use this flaw to
cause a denial-of-service.
* CVE-2019-18806: Memory leak when allocating large buffers in QLogic QLA3XXX Network driver.
A missing free of resources when allocating large buffers in QLogic
QLA3XXX Network driver could lead to a memory leak. A local attacker
could use this flaw to exhaust kernel memory and cause a
denial-of-service.
* Memory leak when binding an NFC socket fails.
A logic error when binding an NFC socket fails could lead to a memory
leak. A local attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.
* NULL pointer dereference when initializing Differentiated Services marker driver.
A missing check when initializing the Differentiated Services marker driver
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
* Invalid memory access when adding RDS over InfiniBand and iWARP device.
A logic error when adding an RDS over InfiniBand and iWARP device could
lead to an invalid memory access. A local attacker could use this flaw
to cause a denial-of-service.
* NULL pointer dereference during ring buffer iteration in Xen network frontend driver.
A logic error in the Xen network frontend driver resulted in a valid return
code being interpreted as an error. In certain circumstances, this could lead
to a NULL pointer dereference, resulting in a kernel crash.
* NULL pointer dereference when using the Class-Based Queueing (CBQ) packet scheduling algorithm.
A missing validation of user input when using the Class-Based Queueing
(CBQ) packet scheduling algorithm could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Permission bypass when LSM_UNSAFE_PTRACE is set using smack.
A logic error when LSM_UNSAFE_PTRACE is set using smack could lead to a
permission bypass. A local attacker could use this flaw to facilitate an
attack.
* Deadlock when creating a file on ext4 filesystem with smack enabled.
A logic error when creating a file on ext4 filesystem with smack enabled
could lead to a deadlock. A local attacker could use this flaw to cause
a denial-of-service.
* Invalid memory access when using NFC netlink interface.
A missing check on user input when using the NFC netlink interface could
lead to an invalid memory access. A local attacker could use this flaw
to cause a denial-of-service.
* KSPLICE: Add ksplice_helpers compilation unit.
* Ksplice helpers to access cpuids.
* CVE-2019-11135: Side-channel information leak in Intel TSX.
A side-channel information leak on some generations of Intel processors
could allow the leaking of internal microarchitectural buffers during
asynchronous aborts in a TSX transaction. For CPUs that are vulnerable
to Microarchitectural Data Sampling (MDS), the existing MDS mitigations
cover CVE-2019-11135; for newer CPUs with hardware fixes for MDS, TSX is
transparently disabled. On these newer CPUs, TSX functionality can be
restored by writing 0 to /sys/kernel/debug/x86/tsx_force_abort.
* CVE-2019-15791: Use-after-free in shiftfs btrfs ioctl handling.
A logic error in shiftfs btrfs ioctl handling could lead to a reference
count underflow and to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.
* CVE-2019-15792: Invalid memory access in shiftfs file descriptor handling.
A type confusion when casting opaque data in shiftfs file descriptor
handling could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2019-15793: Permission bypass in shiftfs implementation.
A logic error in the shiftfs implementation could lead to a permission
bypass when the lower filesystem is not in the init user namespace. A
local attacker could use this flaw to access sensitive information.
* CVE-2018-12207: Machine Check Exception on page size change.
A hardware bug in Intel x86 processors can result in a Machine Check Exception
when a page table mapping for currently executing instructions is changed. A
privileged user in a guest VM could use this flaw to crash the host, leading to
a denial-of-service.
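The two hardware flaws above (CVE-2019-11135 and CVE-2018-12207) are reported by the kernel through the sysfs vulnerability files itlb_multihit, tsx_async_abort and mds. The following script is an added example, not part of the Ksplice notice or the uptrack tooling, that classifies those reports so an administrator can confirm after patching that nothing still reads "Vulnerable"; the directory argument exists so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example: classify the kernel's sysfs mitigation reports for the
# hardware flaws in this notice. The real path is the default; a directory
# argument lets the functions run against a constructed tree for testing.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<file content>": prints vulnerable, mitigated, unaffected
# or unknown, following the prefixes the kernel uses in these files.
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_entry DIR NAME: prints "NAME: class (raw text)".
# Returns 0 if not vulnerable, 1 if vulnerable, 2 if the entry is absent
# (older kernel or non-x86 system).
report_entry() {
    dir=$1; name=$2
    if [ ! -r "$dir/$name" ]; then
        echo "$name: missing (kernel predates this sysfs entry or not x86)"
        return 2
    fi
    raw=$(cat "$dir/$name")
    class=$(classify_status "$raw")
    echo "$name: $class ($raw)"
    [ "$class" != vulnerable ]
}

# check_mitigations [DIR]: itlb_multihit covers CVE-2018-12207; tsx_async_abort
# covers CVE-2019-11135, which on older CPUs is handled by the mds mitigation.
# Returns 0 only when no present entry reports Vulnerable.
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in itlb_multihit tsx_async_abort mds; do
        status=0
        report_entry "$dir" "$name" || status=$?
        if [ "$status" -eq 1 ]; then rc=1; fi
    done
    return $rc
}

if [ -d "$VULN_DIR_DEFAULT" ]; then
    check_mitigations "$VULN_DIR_DEFAULT" || echo "WARNING: an unmitigated hardware flaw is reported"
fi
```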
* CVE-2019-17666: Remote code execution in Realtek peer-to-peer Wi-Fi.
Missing validation could result in a kernel buffer overflow and
potentially code execution. A remote attacker in proximity to the
device could use this flaw to crash the system or potentially execute
code.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.