[Ksplice][Ubuntu-19.04-Updates] New Ksplice updates for Ubuntu 19.04 Disco (USN-4157-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Nov 6 15:37:52 PST 2019


Synopsis: USN-4157-1 can now be patched using Ksplice
CVEs: CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-14821 CVE-2019-15504 CVE-2019-15505 CVE-2019-15902 CVE-2019-16714 CVE-2019-2181

Systems running Ubuntu 19.04 Disco can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4157-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.04
Disco install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
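
As an added example (not part of the Ksplice announcement or the Uptrack tooling), a small POSIX shell check that reads an uptrack.conf-style file and reports whether the autoinstall setting described above is enabled or the manual upgrade command is still needed. The "key = value" line syntax and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Ksplice announcement: decide whether a host
# still needs a manual "uptrack-upgrade -y" by checking the autoinstall
# setting in an uptrack.conf-style file. Assumes the "key = value" style
# quoted in the announcement; '#' and ';' start comments.

# uptrack_autoinstall_enabled FILE
# Returns 0 if FILE has an uncommented "autoinstall = yes" line (case and
# whitespace tolerant, last occurrence wins), 1 otherwise or if unreadable.
uptrack_autoinstall_enabled() {
    [ -r "$1" ] || return 1
    val=$(sed -e 's/[#;].*$//' "$1" \
          | awk -F= 'tolower($1) ~ /^[ \t]*autoinstall[ \t]*$/ { v = $2 }
                     END { gsub(/[ \t]/, "", v); print tolower(v) }')
    [ "$val" = "yes" ]
}

# uptrack_plan FILE
# Prints the action an operator would take on this host.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall=yes: updates will be applied automatically"
    else
        echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not real host files) for a dry run.
demo_uptrack_plan() {
    tmp=$(mktemp)
    printf '# Ksplice Uptrack configuration\n[Settings]\nautoinstall = yes\n' > "$tmp"
    uptrack_plan "$tmp"
    printf '[Settings]\n# autoinstall = yes\nautoinstall = no\n' > "$tmp"
    uptrack_plan "$tmp"
    rm -f "$tmp"
}

demo_uptrack_plan
```

On a real host, point uptrack_plan at /etc/uptrack/uptrack.conf.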


DESCRIPTION

* CVE-2019-14821: Denial-of-service in KVM MMIO coalesced writes.

An out-of-bounds access to the coalesced MMIO ring buffer could result
in a kernel crash.  A malicious guest could use this flaw to crash the
hypervisor or potentially escalate privileges.


* CVE-2019-16714: Information leak in Reliable Datagram Sockets IPv6 message info.

Missing initialization could result in copying stale kernel stack
contents to user-space when copying IPv6 message info for an RDS socket.


* Multiple use-after-free in NVMe subsystem.

Multiple logic errors in the NVMe subsystem could lead to
use-after-frees. A local attacker could use these flaws to cause a
denial-of-service.


* Memory leak when receiving frontend notification in Xen block-device backend driver.

A missing free of resources when receiving a frontend notification in the
Xen block-device backend driver could lead to a memory leak.  A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* NULL pointer dereference when sending ICMP packets with a particular configuration.

A missing check when sending ICMP packets with a particular configuration could
lead to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free in sound sequencer driver when deleting pools.

Missing locking when deleting pools in the sound sequencer driver from
user space could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* Use-after-free when disconnecting a USB wireless device.

A race condition when disconnecting a USB wireless device while transfers
are ongoing could lead to a use-after-free. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* Memory leak when adding a station in mac80211 stack fails.

A logic error in the failure path when adding a station in the mac80211
stack could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* CVE-2019-15902: Bounds-check bypass in sys_ptrace().

An error when backporting the original Spectre v1 fix for ptrace to stable
kernels leaves it vulnerable to Spectre v1. A local attacker could
exploit this flaw to gain information about the running system.


* Memory leak when setting IPv6 multicast socket options.

A missing free of resources when setting IPv6 multicast socket
options could lead to a memory leak. A local attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.


* Use-after-free when dropping packets in netpoll.

A logic error when dropping packets in netpoll could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when setting up a request in Cavium LiquidIO driver.

A missing free of resources when setting up a request in the Cavium
LiquidIO driver could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* Memory leak when creating resources in Mellanox ConnectX HCA driver.

A missing free of resources in the error path when creating resources in
the Mellanox ConnectX HCA driver could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Use-after-free when setting xattr in Ceph distributed file system.

A logic error when setting an xattr in the Ceph distributed file system
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Memory leak when looking up an invalid cell name in Andrew File System driver.

A missing free of resources in the error path when looking up an invalid
cell name in the Andrew File System driver could lead to a memory leak. A
local attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Use-after-free in Thin provisioning target driver.

A logic error in the thin provisioning target driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access in CAPI2.0 driver.

A logic error when writing to a CAPI2.0 device could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when removing publication info in TIPC driver.

A logic error when removing publication info in the TIPC driver could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service during fsync on btrfs filesystem.

A reference count error during fsync on a btrfs filesystem could lead to a
use-after-free or a kernel assertion failure. A local attacker could use
this flaw to cause a denial-of-service.


* Information leak when emulating VMPTRST in KVM.

A missing zeroing of on-stack data on the host side when emulating VMPTRST
in KVM could lead to an information leak. A local attacker in a guest
could use this flaw to leak information about the host and facilitate a
further attack.


* CVE-2019-15505: Out-of-bounds access in Technisat DVB-S/S2 USB2.0 driver.

A logic error when receiving data through the Technisat DVB-S/S2 USB2.0
driver could lead to an out-of-bounds access. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Denial-of-service when parsing access point settings in Marvell WiFi-Ex driver.

Logic errors when parsing access point settings in the Marvell WiFi-Ex
driver could lead to buffer overflows. A local attacker could use these
flaws to cause a denial-of-service.


* Out-of-bounds memory access during btrfs image validation.

A failure to properly check the length of a particular string when
validating a btrfs image can lead to an out-of-bounds read.  A local
attacker could potentially craft a special image to exploit this flaw,
which could cause a system to exhibit unexpected behavior.


* CVE-2019-15504: Double-free in RSI 91x WLAN driver.

When errors are detected while reading from an RSI 91x USB device,
it is possible for a particular device structure to be freed twice.
This flaw could potentially be used to cause a denial-of-service or
other unexpected behavior, and may be remotely exploitable if usbip or
usbredir are in use.


* CVE-2019-2181: Privilege escalation in Binderfs transaction processing.

An out-of-bounds write caused by an integer overflow in Binderfs's
transaction processing path can lead to a privilege escalation.  This
flaw could be exploited by a local attacker to perform actions which
they would not otherwise be permitted to perform.


* Potential NULL dereference in AFS directory read path.

A missing NULL pointer check in the AFS directory read path can lead to a
NULL pointer dereference and a subsequent kernel panic.  This flaw could
potentially be exploited to cause a denial-of-service.


* Divide-by-zero in USB TMC driver.

A failure to properly sanitize data provided by a connected USB
device can cause the USB TMC driver to attempt to divide by zero, which
leads to a kernel panic.  An attacker with a specially crafted USB device
could exploit this flaw to cause a denial-of-service.


* Denial-of-service in HSR driver transmit path.

A failure to properly check the return value of hsr_port_get_hsr in
the High-availability Seamless Redundancy driver's packet transmit path
can lead to a NULL pointer dereference and a subsequent kernel panic.
This flaw could potentially be exploited to cause a denial-of-service.


* Use-after-free in TCMU driver when processing timed out commands.

A logic error in the TCMU driver's handling of timed out iSCSI commands
can lead to a use-after-free.  A remote attacker could potentially
exploit this flaw on a busy system to cause unexpected behavior,
including a potential denial-of-service.


* Denial-of-service due to xfrm list corruption.

A logic error in several functions used in the IP transform driver can
lead to certain lists that the driver relies on becoming corrupted.
Later attempts to access the corrupted lists can lead to a kernel
panic, resulting in a denial-of-service.


* Out-of-bounds copy from kernel stack to Infiniband driver HW queues.

When preparing for certain RDMA operations, it is possible for the
Infiniband Netxtreme HCA driver to copy past the end of command
structures that are stored on the stack, causing stack data to be
leaked into the hardware queues.  This flaw could potentially be used
in conjunction with another exploit to cause a system to exhibit
unexpected behavior, or to leak privileged information.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
