[Ksplice][Ubuntu-19.04-Updates] New Ksplice updates for Ubuntu 19.04 Disco (USN-4005-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jul 15 14:40:29 PDT 2019


Synopsis: USN-4005-1 can now be patched using Ksplice
CVEs: CVE-2019-11477 CVE-2019-11478 CVE-2019-11486 CVE-2019-11810 CVE-2019-11815

Systems running Ubuntu 19.04 Disco can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4005-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.04
Disco install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
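
As an added illustration (not part of the original announcement), the
following POSIX shell helper reads the "autoinstall" setting from an
uptrack.conf file and reports whether a manual uptrack-upgrade run is
still needed on that host. The configuration path is passed in as a
parameter, the two sample configuration files are constructed inline for
the demonstration, and the helper only inspects the setting; it never
runs the upgrade itself.

```shell
#!/bin/sh
# Added example, not code from the Ksplice announcement.
# Decide whether a host still needs a manual "uptrack-upgrade -y" for
# this advisory, based on the "autoinstall" key in its uptrack.conf.
# Return 0 when "autoinstall = yes" is set, 1 otherwise (including when
# the file is missing or unreadable). Comments (# or ;), surrounding
# whitespace and letter case are ignored; the last assignment wins, as
# it would for most ini-style parsers.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -e 's/[#;].*$//' \
                -e 's/^[[:space:]]*//' \
                -e 's/[[:space:]]*$//' "$conf" \
            | grep -i '^autoinstall[[:space:]]*=' \
            | tail -n 1 \
            | sed -e 's/^[^=]*=[[:space:]]*//' \
            | tr '[:upper:]' '[:lower:]')
    [ "$value" = "yes" ]
}

# Print the operator action for the given configuration file.
# On a real host the argument would be /etc/uptrack/uptrack.conf.
ksplice_action_for() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "$1: autoinstall enabled, USN-4005-1 fixes apply automatically"
    else
        echo "$1: autoinstall disabled, run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configurations (not copied from any real system).
demo_dir=$(mktemp -d)
printf '[Settings]\n# auto-apply updates\nautoinstall = yes\n' \
    > "$demo_dir/auto.conf"
printf '[Settings]\nautoinstall = no\n' > "$demo_dir/manual.conf"

ksplice_action_for "$demo_dir/auto.conf"
ksplice_action_for "$demo_dir/manual.conf"
rm -rf "$demo_dir"
```

The function treats a missing key the same as "autoinstall = no", which
is the safe direction for an operator script: when in doubt it tells you
to run the upgrade rather than assuming the host will patch itself.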


DESCRIPTION

* CVE-2019-11477, CVE-2019-11478: Remote Denial-of-service in TCP stack.

A number of errors in the TCP stack could result in a remotely
triggerable denial of service on links with a small Maximum Segment Size
(MSS).  A remote user could use a maliciously crafted TCP stream to
either panic the system or exhaust resources.


* NULL pointer dereference when registering the NVMe over Fabrics FC Transport Loopback Test driver.

A missing check when registering the NVMe over Fabrics FC Transport
Loopback Test driver could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Out-of-bounds access when changing the number of channels on a Mellanox 5th generation network interface.

A missing check when changing the number of channels on a Mellanox 5th
generation network interface while it is down could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when setting vport rate in Mellanox Technologies MLX5 SRIOV E-Switch driver.

A logic error when setting vport rate in Mellanox Technologies MLX5
SRIOV E-Switch driver could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* Use of uninitialized memory when migrating NUMA memory policy.

A missing check when migrating NUMA memory policy could lead to use of
uninitialized memory and thus to unpredictable behavior.


* NULL pointer dereference on node creation of an OCFS2 file system.

A logic error on node creation of an OCFS2 file system could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* NULL pointer dereference when using device mapper with Thin provisioning support.

A missing check when using device mapper with Thin provisioning support
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when mounting a CIFS filesystem with an invalid mount option.

A missing check when mounting a CIFS filesystem with an invalid devname
as a mount option could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when using Netfilter nf_tables chains.

A missing check when using Netfilter nf_tables chains could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Permission bypass when using IOMMU with Address Translation Service.

A missing check when using IOMMU with Address Translation Service could
let a malicious peripheral device access restricted memory.


* NULL pointer dereference when merging an extra information element in the Wilocity 60g WiFi card wil6210 driver.

A missing check when merging an extra information element in the
Wilocity 60g WiFi card wil6210 driver could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when removing VLANs in Intel(R) Ethernet Connection E800 Series driver.

A logic error when removing VLANs in Intel(R) Ethernet Connection E800
Series driver could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when suspending ALSA PCM drivers.

A missing check when suspending ALSA PCM drivers could lead to a NULL
pointer dereference for some of the PCM drivers. A local attacker could
use this flaw to cause a denial-of-service.


* Stack out-of-bounds when terminating USB gadget mode.

When shutting down the USB peripheral-side driver, a pending callback
might potentially corrupt stack memory, leading to memory corruption or
a panic and denial-of-service.


* Out-of-bounds access when trying to display a logo bigger than screen size.

A missing check when trying to display a logo bigger than screen size in
the framebuffer driver could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in Netfilter tables dynamic operations.

A logic error in the netfilter code could result in a use-after-free
condition, leading to possible memory corruption or kernel panic. This
could be used for a denial-of-service attack.


* Use-after-free condition in IPv6 tunnel receive.

A logic error in the ipv6 code could result in a use-after-free condition
while getting headers during a receive.


* Denial-of-service during KCM device registration.

A race condition in the KCM code while creating KCM sockets during device
registration could result in a NULL pointer dereference and subsequent
kernel crash or memory corruption.  This could be exploited to cause a
denial-of-service attack.


* CVE-2019-11815: Use-after-free in RDS socket creation.

A logic error in the RDS code could fail to properly clean up a socket once
it is destroyed, which could then lead to a use-after-free on a new socket
creation.  This could be used to cause a denial-of-service.


* Kernel information leak during SCTP socket IPv4 address copying.

A failure to properly initialize the ipv4 address before copying it to the
user could leak some kernel memory to the user.


* Denial-of-service with TCP IPv4 socket initialization failure.

A failure to properly handle error conditions in the TCP ipv4 code
could result in a NULL pointer dereference, which could be used for a
denial-of-service attack.


* Use-after-free in Encapsulated Remote Switch Port Analyzer packet receive.

A logic error in the IP GRE remote span code could result in a use-after-free
condition on received packets, possibly resulting in a kernel panic or
memory corruption.  This could be exploited for a denial-of-service attack.


* Denial-of-service in Network Interface IP receive.

A failure to properly clean up memory in the network interface code could
result in memory corruption and possible kernel crash.  This could be
exploited for a denial-of-service attack.


* NULL pointer dereference in MLX5 message receive failure.

A failure to properly handle an error condition in the mlx5 code could
lead to a NULL pointer dereference and possible memory corruption or
kernel panic.


* CVE-2019-11486: Denial-of-service in Siemens R3964 line discipline drivers.

Multiple race conditions in the r3964 line discipline driver could lead to
various conditions that could be exploited to cause a denial-of-service.


* Denial-of-service in ALSA ioctl calls.

An invalid assumption in the ALSA code could result in an invalid memory
access when accessing userspace strings in the ioctl code.  This could be
used for a denial-of-service attack.


* Denial-of-service in Multi-Queue Block IO queued request handling.

A logic error in the block multi-queue code could result in a kernel
crash. This could be used to cause a denial-of-service attack.


* Memory leak in block bio layer when adding a page fails.

A failure to properly handle an error condition with adding a page in the
block bio layer results in a memory leak.  This could be exploited to cause
a denial-of-service attack.


* Invalid write access for mapped pages in MLX5 driver.

A logic error in the mlx5 page fault handler could incorrectly give write
access to mapped pages instead of read-only.


* Denial-of-service in Xen ioctl when processing command input.

A failure to validate user input in the Xen ioctl code could result in
an out-of-bounds memory access, leading to possible memory corruption or
a kernel panic.  This could be used for a denial-of-service attack.


* NULL pointer dereference in fair scheduler load calculation.

A race condition in the fair scheduler code could lead to a NULL pointer
dereference and possible memory corruption or kernel panic.


* Denial-of-service in device mapper integrity argument check.

A logic error in the dm integrity code could lead to an out-of-bounds
memory access and possible segfault.  This could be exploited for a
denial-of-service attack.


* Permissions bypass in shiftfs virtual filesystem superblocks.

Missing permissions checks in shiftfs might allow a malicious user to
remap their uid-shifted filesystem mount with additional privileges.


* Out-of-bounds memory access in ACT8865 power management unit driver.

An off-by-one error when computing voltage settings for an ACT8865 power
management unit could result in an out-of-bounds memory access,
potentially resulting in a kernel crash and denial-of-service.


* Denial-of-service when reusing descriptor in Qualcomm HIDMA driver.

The Qualcomm High Speed DMA driver uses asynchronous descriptors to
store behavior flags. These flags are not properly cleared on descriptor
reuse, potentially allowing a malicious user to trigger a kernel
assertion and denial-of-service by triggering asynchronous I/O on the
device.


* Race condition in Qualcomm HIDMA cookie assignment causes denial-of-service.

When generating a channel cookie for a Qualcomm High Speed DMA
transaction, a race condition could result in an asynchronous operation
completing early, resulting in a timeout and kernel assertion failure. A
malicious user might exploit this to create a denial-of-service.


* Divide-by-zero in Micron/Aptina MT9M111 CMOS sensor driver.

The Micron/Aptina MT9M111 CMOS image sensor driver incorrectly sets the
device's capabilities on probe, resulting in a divide-by-zero. A
malicious device might exploit this flaw to cause a denial-of-service.


* NULL-pointer dereference when loading firmware for LP55xx LED driver.

When firmware loading fails for a LP55xx LED device, an unhandled error
case can result in a NULL-pointer dereference and denial-of-service.


* Memory corruption when connecting chipidea USB device.

When probing a chipidea USB device driver with multiple such devices
connected, the driver might bind multiple devices to the same area of
memory, potentially causing memory corruption or a denial-of-service.


* Race condition in VKMS driver causes potential memory corruption.

When receiving a vblank interrupt for a VKMS virtual display driver, a
race condition might cause the interrupt to overwrite data being
processed by another thread, potentially resulting in memory corruption
or a denial-of-service.


* Log spam when punching holes in ext4 bigalloc filesystems.

When fallocating on an ext4 bigalloc filesystem, incorrect code when
freeing clusters might result in a flood of error responses, potentially
resulting in a denial-of-service.


* CVE-2019-11810: NULL-pointer dereference in LSI MegaRAID driver.

Missing error case handling when failing to create a DMA pool for an
LSI Logic MegaRAID device could result in a NULL-pointer dereference. A
malicious user could exploit this to create a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
