[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4162-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Oct 22 06:37:20 PDT 2019


Synopsis: USN-4162-1 can now be patched using Ksplice
CVEs: CVE-2018-21008 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-14821 CVE-2019-15117 CVE-2019-15118 CVE-2019-15505 CVE-2019-15902

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4162-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Memory leak when receiving frontend notification in Xen block-device backend driver.

A missing free of resources when receiving frontend notification in Xen
block-device backend driver could lead to a memory leak.  A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* CVE-2019-15118: Kernel stack exhaustion when checking input source type in ALSA USB driver.

Unbounded recursion when checking input source type in ALSA USB driver
could exhaust the kernel stack. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2019-15117: Out-of-bounds access when parsing USB descriptor in ALSA USB driver.

A missing length check when parsing a short USB descriptor in ALSA USB
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.


* Use-after-free in sound sequencer driver when deleting pools.

Missing locking when pools are deleted from user space in the sound
sequencer driver could lead to a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.


* Use-after-free when disconnecting USB Wireless device.

A race condition when disconnecting a USB Wireless device while transfers
are on-going could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* Memory leak when adding a station in mac80211 stack fails.

A logic error in the failure path when adding a station in the mac80211
stack could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* CVE-2019-15902: Bounds-check bypass in sys_ptrace().

An error when backporting the original Spectre v1 fix for ptrace to
stable kernels reintroduced the bounds-check bypass the fix was meant to
remove. A local attacker could exploit this flaw to leak information
about the running kernel through a speculative side channel.


* NULL pointer dereference when sending ICMP packets with a particular configuration.

A missing check when sending ICMP packets with a particular configuration could
lead to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Memory leak when setting up a request in Cavium LiquidIO driver.

A missing free of resources when setting up a request in Cavium LiquidIO
driver could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* Memory leak when creating resources in Mellanox ConnectX HCA driver.

A missing free of resources in error path when creating resources in
Mellanox ConnectX HCA driver could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Use-after-free when setting xattr in Ceph distributed file system.

A logic error when setting xattr in Ceph distributed file system could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* Use-after-free when dropping packets in netpoll.

A logic error when dropping packets in netpoll could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when setting IPv6 multicast socket options.

A missing free of resources when setting IPv6 multicast socket options
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* Memory leak when looking up an invalid cell name in Andrew File System driver.

A missing free of resources in error path when looking up an invalid
cell name in Andrew File System driver could lead to a memory leak. A
local attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* NULL pointer dereference when scrubbing a BTRFS filesystem.

A missing initialization when scrubbing a BTRFS filesystem could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service during page writeback on BTRFS filesystem.

A logic error during page writeback on BTRFS filesystem could lead to a
deadlock. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using a block device as a cache.

A kernel assert when using a block device as a cache could lead to a
kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid write access for mapped pages in MLX5 driver.

A logic error in the mlx5 page fault handler could incorrectly grant
write access to pages that should be mapped read-only.


* Guest VM leaks bits into host control register, causing host to panic.

In the event that a guest VM schedules out during a machine check error,
the host's XCR0 register may get populated with incorrect values.  This
will cause a general protection fault on the host, leading to a
denial-of-service.


* Out-of-bounds access during CIFS mount.

A subtle error in handling certain combinations of mount options can
cause an out-of-bounds access in the CIFS mount path.  This could cause
a system to exhibit unexpected behavior, and may lead to a
denial-of-service.


* Use-after-free in Thin provisioning target driver.

A logic error in Thin provisioning target driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access in CAPI2.0 driver.

A logic error when writing to CAPI2.0 device could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds memory access during btrfs image validation.

A failure to properly check the length of a particular string when
validating a btrfs image can lead to an out-of-bounds read.  A local
attacker could potentially craft a special image to exploit this flaw,
which could cause a system to exhibit unexpected behavior.


* Denial-of-service during fsync on btrfs filesystem.

A reference count error during fsync on btrfs filesystem could lead to a
use-after-free or a kernel assert. A local attacker could use this flaw
to cause a denial-of-service.


* Information leak when emulating VMPTRST in KVM.

A missing zeroing of on-stack data on the host side when emulating VMPTRST
in KVM could lead to an information leak. An attacker in a guest could
use this flaw to leak information about the host and facilitate a
further attack.


* Out-of-bounds access during USB device reset.

A logic error during USB device reset could lead to an out-of-bounds
access. A local attacker could use this flaw to cause a
denial-of-service.


* Double free when disconnecting TV Master TM5600/6000/6010 USB device.

A logic error when disconnecting TV Master TM5600/6000/6010 USB device
while transfers are on-going could lead to a double free. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference in Xen network device error handling.

Incorrect error handling when filling fragments for a Xen network device
could result in a NULL pointer dereference and kernel crash.


* CVE-2019-14821: Denial-of-service in KVM MMIO coalesced writes.

An out-of-bounds access to the coalesced MMIO ring buffer could result
in a kernel crash.  A malicious guest could use this flaw to crash the
hypervisor or potentially, escalate privileges.


* Improved fix for Spectre v1: Bounds check bypass in nl80211 CQM RSSI.

A missing Spectre v1 index clamp (array_index_nospec) in the Netlink
802.11 code when updating the CQM RSSI thresholds could let a
speculatively executed out-of-bounds read leak memory contents through a
side channel. A local attacker could use this flaw to leak information
about the running system.
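The two Spectre v1 entries in this notice (CVE-2019-15902 in sys_ptrace() and the nl80211 CQM RSSI threshold update) share one mechanism and one fix: a bounds check that is correct architecturally but that the CPU may speculate past, and a branch-free clamp of the index before it is used. The program below is an added example, not code from this advisory or from the Linux kernel; the register table, its size and every function name in it are assumptions made up for illustration. The mask arithmetic follows the same idea as the kernel's generic array_index_mask_nospec() helper.

```c
/*
 * Added example (not from the Ksplice advisory or the Linux kernel):
 * the Spectre v1 bounds-check-bypass pattern and its index-clamp fix.
 * NR_REGS, regs[] and the function names are assumptions for this demo.
 */
#include <stddef.h>
#include <stdio.h>

#define NR_REGS 4UL

/* Hypothetical kernel-side register file that a ptrace-style call reads. */
static const unsigned long regs[NR_REGS] = { 0x11, 0x22, 0x33, 0x44 };

/*
 * All-ones when index < size, zero otherwise, computed without a branch so
 * there is nothing for the CPU to mispredict. Same idea as the kernel's
 * generic array_index_mask_nospec(): when index >= size, (size - 1 - index)
 * wraps and sets the top bit, and that top bit selects the mask.
 * Assumes index and size are both below 2^63 (true for real array sizes).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	unsigned long top = (index | (size - 1UL - index)) >>
			    (sizeof(unsigned long) * 8 - 1);
	return 0UL - (top ^ 1UL);   /* top == 0 -> ~0UL, top == 1 -> 0UL */
}

/* Index to feed the array access: unchanged in range, 0 out of range. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/*
 * Vulnerable shape. The check is correct architecturally, but while the CPU
 * speculates past a mispredicted "index >= NR_REGS" branch it loads
 * regs[index] with an attacker-chosen index; the cache footprint of that
 * load survives the rollback and can be measured by the attacker.
 */
static int get_reg_vulnerable(unsigned long index, unsigned long *out)
{
	if (index >= NR_REGS)
		return -1;
	*out = regs[index];          /* reachable speculatively with any index */
	return 0;
}

/* Hardened shape: the index fed to the load is clamped after the check. */
static int get_reg_hardened(unsigned long index, unsigned long *out)
{
	if (index >= NR_REGS)
		return -1;
	index = index_nospec(index, NR_REGS);
	*out = regs[index];          /* 0 on any mispredicted out-of-range path */
	return 0;
}

/*
 * Models the mispredicted path: the index the load would use if the bounds
 * check were speculated past. Vulnerable shape: the raw index. Hardened
 * shape: the clamped index, which stays inside the table.
 */
static unsigned long speculative_load_index(unsigned long index, int hardened)
{
	return hardened ? index_nospec(index, NR_REGS) : index;
}

int main(void)
{
	unsigned long probe[] = { 0, 3, 4, 1000, ~0UL };
	size_t i;

	for (i = 0; i < sizeof(probe) / sizeof(probe[0]); i++) {
		unsigned long v1 = 0, v2 = 0;
		int rc1 = get_reg_vulnerable(probe[i], &v1);
		int rc2 = get_reg_hardened(probe[i], &v2);

		/* Architecturally both agree; only the speculative index differs. */
		printf("index %lu: vulnerable rc=%d value=%#lx, hardened rc=%d value=%#lx"
		       " | index under misprediction: vulnerable=%lu hardened=%lu\n",
		       probe[i], rc1, v1, rc2, v2,
		       speculative_load_index(probe[i], 0),
		       speculative_load_index(probe[i], 1));
	}
	return 0;
}
```

The clamp must sit after the check and before the first dependent load, which is exactly the placement the stable backport behind CVE-2019-15902 got wrong: a clamp applied in the wrong function, or after the load, leaves the speculative window open even though the code still passes every functional test.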


* Out-of-bounds access when reading packets in B.A.T.M.A.N. V protocol driver.

A logic error when reading packets in B.A.T.M.A.N. V protocol driver
could lead to an out-of-bounds access. A local attacker could use this
flaw to cause a denial-of-service.


* NULL pointer dereference when accessing a revoked key.

A missing check when accessing a revoked key could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access in floppy disk driver.

A logic error when copying data to userspace from floppy disk driver
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Stack corruption when invoking elf loader directly.

A logic error in the memory mapping of a process when invoking an ELF
loader directly could let the heap region extend into the stack region
and corrupt the stack. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-21008: Use-after-free when de-initializing mac80211 stack in Redpine Signals Inc 91x WLAN driver.

A logic error when de-initializing mac80211 stack in Redpine Signals Inc
91x WLAN driver could lead to a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.


* NULL pointer dereference when removing publication info in TIPC driver.

A logic error when removing publication info in TIPC driver could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Denial-of-service when parsing access point settings in Marvell WiFi-Ex driver.

Logic errors when parsing access point settings in Marvell WiFi-Ex
driver could lead to buffer overflows. A local attacker could use these
flaws to cause a denial-of-service.


* CVE-2019-15505: Out-of-bounds access in Technisat DVB-S/S2 USB2.0 driver.

A logic error when receiving data over Technisat DVB-S/S2 USB2.0 driver
could lead to an out-of-bounds access. A remote attacker could use this
flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-Oracle-Updates mailing list