From ksplice-support_ww at oracle.com Thu Jan 9 04:39:49 2020
From: ksplice-support_ww at oracle.com (Oracle Ksplice)
Date: Thu, 9 Jan 2020 12:39:49 GMT
Subject: [Ksplice][Ubuntu-19.04-Updates] New Ksplice updates for Ubuntu 19.04 Disco (USN-4226-1)
Message-ID: <2xdrx9x164-1@aserp3020.oracle.com>

Synopsis: USN-4226-1 can now be patched using Ksplice
CVEs: CVE-2019-10220 CVE-2019-14895 CVE-2019-14896 CVE-2019-14897
CVE-2019-14901 CVE-2019-16231 CVE-2019-16233 CVE-2019-17075 CVE-2019-17133
CVE-2019-18813 CVE-2019-19045 CVE-2019-19049 CVE-2019-19052 CVE-2019-19055
CVE-2019-19060 CVE-2019-19065 CVE-2019-19067 CVE-2019-19072 CVE-2019-19075
CVE-2019-19083 CVE-2019-19524 CVE-2019-19526 CVE-2019-19529 CVE-2019-19532
CVE-2019-19534 CVE-2019-19807 CVE-2019-19922 CVE-2019-2214

Systems running Ubuntu 19.04 Disco can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4226-1.


INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.04
Disco install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2019-19075: Memory leak when registering Cascoda CA8210 transceiver driver.

A logic error when registering the Cascoda CA8210 transceiver driver
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.

* CVE-2019-19067: Memory leaks when registering AMD Audio CoProcessor driver.

Multiple logic errors when registering the AMD Audio CoProcessor driver
could lead to memory leaks. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.

* CVE-2019-19083: Memory leak when registering clock for AMD display driver.

A missing free of resources when registering the clock for the AMD
display driver could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.

* CVE-2019-19065: Memory leak when initializing Intel OPA Gen1 driver.

A missing free of resources in the error path when initializing the
Intel OPA Gen1 driver could lead to a memory leak. A local attacker
could use this flaw to exhaust kernel memory and cause a
denial-of-service.

* CVE-2019-19060: Memory leak in Analog Devices ADIS* driver when scanning devices.

A missing free of resources on allocation failure in the Analog Devices
ADIS* driver when scanning devices could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.

* CVE-2019-19532: Denial-of-service when initializing HID devices.

A failure to properly check a device-controlled parameter in the USB
HID (bluetooth) subsystem could lead to reading or writing past memory
bounds. An attacker can exploit this bug with a specially crafted USB
device to escalate privileges or cause a denial-of-service.

* CVE-2019-19526: Use-after-free when registering USB NFC PN533 device.

A logic error in the error path when registering a USB NFC PN533 device
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.

* CVE-2019-19052: Memory leak when opening USB Socket CAN device driver.

A missing free of resources when opening the USB Socket CAN device
driver fails could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.

* CVE-2019-19529: Use-after-free when disconnecting Microchip CAN BUS Analyzer device.

A logic error when disconnecting a Microchip CAN BUS Analyzer device
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.

* CVE-2019-19534: Information leak using PEAK PCAN-USB/USB Pro interfaces for CAN 2.0b/CAN-FD.

A missing zeroing of a heap buffer passed to user space in the PEAK
PCAN-USB/USB Pro interfaces for CAN 2.0b/CAN-FD driver could lead to an
information leak. A local attacker could use this flaw to leak
information about the running kernel and facilitate an attack.

* CVE-2019-19045: Memory leak when creating CQ in Mellanox Technologies Innova driver.

A missing free of resources when creating a CQ in the Mellanox
Technologies Innova driver fails could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.

* CVE-2019-18813: Memory leak when registering USB DWC3 driver fails.

A missing free of resources in the error path when registering the USB
dwc3 driver fails could lead to a memory leak. A local attacker could
use this flaw to leak information about the running kernel and
facilitate an attack.

* CVE-2019-19524: Use-after-free when unregistering memoryless force-feedback driver.

A missing free of a timer when unregistering the memoryless
force-feedback driver could lead to a use-after-free. A local attacker
could use this flaw to cause a denial-of-service.

* CVE-2019-19072: Memory leak when parsing tracing event filters.

A missing free of resources when parsing tracing event filters could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.

* CVE-2019-19055: Memory leak when retrieving FTM responder statistics in cfg80211 driver.

A missing free of resources when retrieving FTM responder statistics in
the cfg80211 driver could lead to a memory leak. A local attacker could
use this flaw to leak information about the running kernel and
facilitate an attack.

* CVE-2019-14895: Denial-of-service when receiving Country WLAN element in Marvell WiFi-Ex driver.

A logic error when receiving a Country WLAN element in the Marvell
WiFi-Ex driver could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.

* CVE-2019-14896, CVE-2019-14897: Denial-of-service when parsing BSS in Marvell 8xxx Libertas WLAN driver.

A missing check when parsing a BSS in the Marvell 8xxx Libertas WLAN
driver could lead to buffer overflows. A local attacker could use this
flaw to cause a denial-of-service.

* CVE-2019-14901: Denial-of-service when parsing TDLS action frame in Marvell WiFi-Ex driver.

Missing checks when parsing a TDLS action frame in the Marvell WiFi-Ex
driver could lead to a buffer overflow. A local attacker could use this
flaw to cause a denial-of-service.

* CVE-2019-19807: Use-after-free when registering timer in ALSA driver.

A logic error when registering a timer in the ALSA driver fails could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.

* CVE-2019-2214: Denial-of-service during binder transactions.

A missing check during binder transactions could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.

* Oracle will not provide a zero-downtime update for CVE-2019-19049.

Oracle has determined that the vulnerability does not affect a running
system.

* CVE-2019-19922: Denial-of-service using specific workloads.

A logic error in the kernel scheduler could lead to mismanagement of
userspace processes under a specific workload. A local attacker could
use this flaw to cause a denial-of-service.

* Denial-of-service when removing TUSB3410 USB device.

Incorrect locking when closing a port leads to a use-after-free bug
when removing a TUSB3410 serial USB device. A malicious device could
exploit this bug to cause a denial-of-service or possibly to escalate
privilege.

* Information leak when reading from LD Didactic USB device.

An incorrect read implementation in the LD Didactic USB driver leads to
uninitialized kernel memory being leaked to the device. A malicious
device could exploit this to escalate privilege.

* CVE-2019-17133: Denial-of-service in WiFi SIOCGIWESSID ioctl().

Missing bounds checks when copying an SSID in the SIOCGIWESSID ioctl()
for an 802.11 WiFi device could result in a buffer overflow and kernel
crash.

* Denial-of-service when scanning APs in mac80211 subsystem.

Missing SSID length validation in the mac80211 subsystem could lead to
an out-of-bounds read in the kernel when scanning access points. A
malicious AP could exploit this to cause a denial-of-service.

* CVE-2019-17075: Denial-of-service in Chelsio T4/T5 RDMA TPT entries.

Incorrect mapping of transfer buffers could result in performing DMA to
an incorrect physical address, leading to memory corruption and use of
uninitialized values. An attacker could use this flaw to crash the
system.

* Denial-of-service when creating extra attributes in OCFS2.

A missing check for memory allocation failure when creating an extra
attribute in an OCFS2 filesystem leads to a NULL pointer dereference.
An unprivileged local user could exploit this bug to cause a
denial-of-service.

* Denial-of-service when enumerating free inodes number on ocfs2.

A missing error check when allocating memory leads to a NULL pointer
dereference when performing the OCFS2_INFO_FREEINODE ioctl operation.
A local user could exploit this to cause a denial-of-service.

* Memory leak in NFS client when handling SETCLIENTID.

Multiple concurrent SETCLIENTID operations when mounting an NFS
filesystem could lead to a memory leak. A local attacker with mount
privilege could exploit this to exhaust kernel memory and cause a
denial-of-service.

* Data corruption when opening a file from a FUSE mount.

When opening a file with the O_TRUNC flag from a FUSE mounted path,
incorrect locking could lead to operation reordering. This could cause
inadvertent data loss.

* Memory corruption when reading from a USB device.

Inadequate locking when reading from an LD Didactic-based USB device
could corrupt kernel memory. An attacker could exploit this bug to
cause a denial-of-service.

* Denial-of-service in whiteheat USB to serial converter.

Failing to sanitize user input in the whiteheat driver causes kernel
memory corruption. An attacker can craft a malicious device that
exploits this bug to cause a denial-of-service and possibly escalate
privilege.

* Denial-of-service when establishing connection in LLC subsystem.

A reference counting error in the connect call in the LLC socket
subsystem could cause allocated memory not to be cleaned up after use.
This causes kernel memory exhaustion and could eventually lead to a
denial-of-service.

* Denial-of-service when reading from CIFS (SMB2) filesystem.

Incorrect locking in the CIFS filesystem read / write operations could
cause a deadlock in case of a network outage. This could lead to a
denial-of-service.

* Denial-of-service when allocating page fragment for socket buffer.

An out-of-bounds write due to incorrect page fragment allocation in the
socket subsystem leads to kernel memory corruption. An attacker could
exploit this to cause a denial-of-service and possibly escalate
privilege.

* Data race when queueing UDP packets.

Unprotected concurrent access when queuing and dequeuing datagram
packets leads to undefined behavior in the kernel. This could cause a
denial-of-service.

* Use of uninitialized memory when getting MTU of a NCM USB device.

A missing check when getting the MTU of a NCM USB device could lead to
a use of uninitialized memory. A local attacker could use this flaw to
cause a denial-of-service.

* Invalid memory access when reading properties of NFC FDP I2C device.

A logic error when reading properties of the Intel Fields Peak NFC over
I2C device could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.

* Double free in STMicroelectronics ST21NFCA NFC driver.

A logic error in the STMicroelectronics ST21NFCA NFC driver could lead
to a double free. A local attacker could use this flaw to cause a
denial-of-service.

* Use-after-free when clearing capabilities of a freed inode in Ceph distributed file system.

A logic error when clearing capabilities of a freed inode in the Ceph
distributed file system could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.

* Use-after-free when disconnecting USB2CAN "8 devices".

A logic error when disconnecting a USB2CAN "8 devices" device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.

* Double free when cleaning usb gadgets composite.

A logic error when cleaning the usb gadgets composite could lead to a
double free. A local attacker could use this flaw to cause a
denial-of-service.

* Denial-of-service by accessing /proc/pagetypeinfo.

Incorrect permissions on /proc/pagetypeinfo could let an attacker read
this file in a loop and cause a denial-of-service.

* Memory leaks when setting ring parameters in Intel(R) PRO/1000 Gigabit Ethernet driver.

A logic error in the error path when setting ring parameters in the
Intel(R) PRO/1000 Gigabit Ethernet driver fails could lead to a memory
leak. A local attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.

* Kernel crash in OCFS2 direct IO cluster allocation.

Missing locking when allocating clusters during a direct IO operation
could result in triggering a kernel assertion and a subsequent crash.

* Missing MDS and Spectre v2 mitigations on EIBRS supported CPUs.

On systems that support Enhanced IBRS (EIBRS), the mitigations could be
incorrectly set when toggling the symmetric multithreading (SMT)
feature at runtime.

* Information leak when binding ASIX AX88xxx Based USB 2.0 Ethernet driver.

A missing check when binding the ASIX AX88xxx Based USB 2.0 Ethernet
driver could lead to an information leak. A local attacker could use
this flaw to leak information about the running kernel and facilitate
an attack.

* Memory leaks when opening Serial / USB serial CAN Adaptors device.

A logic error in the error path when opening a Serial / USB serial CAN
Adaptors device fails could lead to memory leaks. A local attacker
could use this flaw to exhaust kernel memory and cause a
denial-of-service.

* Invalid memory accesses when looking up dentries in ecryptfs driver.

Logic errors when looking up dentries in the ecryptfs driver could lead
to invalid memory accesses. A local attacker could use this flaw to
cause a denial-of-service.

* Denial-of-service when adding packet action.

An infinite loop during sendmsg in the Packet Action API interface
could block a kernel thread indefinitely. An attacker with permission
to add a packet action could exploit this bug to cause a
denial-of-service.

* CVE-2019-16233: NULL pointer dereference when registering QLogic Fibre Channel driver.

A missing check when registering the QLogic Fibre Channel driver fails
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.

* CVE-2019-16231: NULL pointer dereference when registering FUJITSU Extended Socket Network Device driver.

A missing check when registering the FUJITSU Extended Socket Network
Device driver fails could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.

* CVE-2019-10220: Privilege escalation when parsing directory from a bad SMB server.

A logic error in the way paths are parsed in the SMB client could let
an attacker running an SMB server manipulate files outside the shared
mount point on the client side.


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
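An added example, not part of the advisory and not Ksplice's own tooling, that automates the decision described under INSTALLING THE UPDATES: read the autoinstall setting from /etc/uptrack/uptrack.conf and report whether a manual "uptrack-upgrade -y" is still needed on this host. The function names, the tolerance for comment lines, spacing and letter case, and the sample config contents are this example's own assumptions; only the file path, the "autoinstall = yes" key and the upgrade command come from the advisory.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory): decide whether a host
# will receive the USN-4226-1 Ksplice updates automatically or needs a
# manual /usr/sbin/uptrack-upgrade -y, based on /etc/uptrack/uptrack.conf.

# Print the effective value of "autoinstall" from an uptrack.conf file.
# Comment lines (# or ;) are ignored, whitespace around '=' and letter
# case are tolerated, a trailing comment after the value is stripped, and
# the last uncommented assignment wins. Prints nothing if the key is
# unset; returns 1 if the file cannot be read.
uptrack_autoinstall_value() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk -F= '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        NF >= 2 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "autoinstall") {
                val = tolower($2)
                sub(/[#;].*$/, "", val)        # drop trailing comment
                gsub(/[ \t]/, "", val)
                last = val
            }
        }
        END { if (last != "") print last }
    ' "$conf"
}

# Return 0 when autoinstall is enabled, 1 otherwise. An unset key, any
# value other than "yes", or a missing/unreadable config all mean the
# updates are NOT applied automatically, so the caller must act.
uptrack_autoinstall_enabled() {
    [ "$(uptrack_autoinstall_value "$1")" = "yes" ]
}

# Print the operator action for this host: "auto" when Ksplice Uptrack
# will apply the updates by itself, otherwise the command the advisory
# gives for a manual install. Nothing is executed here; this only reports.
ksplice_update_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "auto: autoinstall = yes, no action needed"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Usage: ./check-uptrack.sh [path-to-uptrack.conf]
ksplice_update_plan "${1:-/etc/uptrack/uptrack.conf}"
```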