[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4414-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Aug 10 15:51:37 PDT 2020


Synopsis: USN-4414-1 can now be patched using Ksplice
CVEs: CVE-2019-16089 CVE-2019-19036 CVE-2019-19039 CVE-2019-19318 CVE-2019-19377 CVE-2019-19642 CVE-2019-19813 CVE-2019-19816 CVE-2019-20908 CVE-2020-0543 CVE-2020-10711 CVE-2020-10757 CVE-2020-11935 CVE-2020-12770 CVE-2020-13143 CVE-2020-15780

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4414-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
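
As an added example (not part of this announcement or of Ksplice's own tooling), a small POSIX shell check that reads the autoinstall setting from a copy of uptrack.conf and reports whether these updates will land automatically or need the manual uptrack-upgrade run. It assumes the INI-style "key = value" layout shown above; the sample config it parses is constructed.

```shell
# Added example, not from the Ksplice announcement: decide from a copy of
# /etc/uptrack/uptrack.conf whether a host needs a manual uptrack-upgrade run.
# Assumes the INI-style "key = value" layout shown above ("autoinstall = yes");
# '#' and ';' comment lines and [section] headers are skipped.

# Print "yes" or "no" for the effective autoinstall value in the given file.
# A missing key counts as "no" (the conservative reading); the last
# occurrence wins, as most key=value parsers do.
uptrack_autoinstall() {
    conf="$1"
    val=$(sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e '/^[[:space:]]*\[/d' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo yes ;;
        *) echo no ;;
    esac
}

# Echo the action an operator should take for this host; a fleet wrapper
# could run "/usr/sbin/uptrack-upgrade -y" wherever the answer is "manual".
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = yes ]; then
        echo automatic
    else
        echo manual
    fi
}

# Constructed sample config for a stand-alone run (not a real uptrack.conf).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample, not a real uptrack.conf
[Uptrack]
; autoinstall = yes   (commented out, so it must be ignored)
autoinstall = no
EOF
uptrack_action "$tmp"
rm -f "$tmp"
```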


DESCRIPTION

* CVE-2020-12770: Information leak/DoS in SCSI generic userspace write.

When copying data from userspace to a SCSI generic (sg) device, the
associated list entry is not properly removed, potentially causing a
denial-of-service or leaking sensitive kernel information.


* CVE-2020-10711: NULL pointer dereference when using CIPSO network packet labeling.

A logic error when receiving CIPSO network packets could lead to a NULL
pointer dereference. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-13143: Out-of-bounds read when connecting to UDC.

When connecting via USB in gadget mode, the USB gadgetfs copies input
fields with strcpy, which can result in the copied buffers being smaller
than the originals. Accessing these new buffers can then result in an
out-of-bounds memory access, potentially leaking information or causing
a denial-of-service.


* Denial-of-service in Stochastic Fairness Queueing (SFQ).

A logic error in Stochastic Fairness Queueing (SFQ) could lead to an
infinite loop. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using Generic Segmentation Offload.

A logic error when using Generic Segmentation Offload could lead to an
out-of-bounds access.  A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when writing 'throughput_override' sysfs entry of B.A.T.M.A.N. Advanced Meshing Protocol.

A reference count leak when writing 'throughput_override' sysfs entry of
B.A.T.M.A.N. Advanced Meshing Protocol could lead to a memory leak. A
local attacker could use this flaw to cause a denial-of-service.


* Out-of-bounds access when getting ethtool strings in the Micrel PHY driver.

A logic error when getting ethtool strings in the Micrel PHY driver could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Information leak when using RAW Midi driver.

A missing initialization of a heap buffer when using the RAW Midi driver
could lead to an information leak. A local attacker could use this flaw
to leak information about the running kernel and facilitate an attack.


* Out-of-bounds read when using Garmin GPS driver.

A missing check when receiving data over a Garmin GPS USB device could
lead to an out-of-bounds read. A local attacker could use this flaw to
cause a denial-of-service.


* Permission bypass when ptracing the interpreter of a script.

A logic error when checking if a process can be ptraced could let an
unprivileged user ptrace the interpreter of a script. A local attacker
could use this flaw to escalate privileges.


* Reference leak on reconnect in CIFS driver.

A reference count error during reconnect when re-queuing a write in the
CIFS driver could lead to a reference leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* Invalid memory access when using Extended Verification Module.

A logic error in an error path when using the Extended Verification
Module could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Use-after-free when resizing buffer in RAWMidi driver.

A logic error when resizing a buffer in the RAWMidi driver while reads
and writes are ongoing could lead to a use-after-free. A local
unprivileged user could use this flaw to cause a denial-of-service.


* Improved fix for CVE-2020-0543: Side-channel information leak using SRBDS.

The mitigation for CVE-2020-0543 might erroneously attempt to access
the control MSR even if supported CPU microcode was not available,
potentially reporting the system's vulnerability state incorrectly.


* CVE-2019-19642: Denial-of-service in kernel relay file open path.

A failure to properly check the return value of certain calls when
opening a kernel relay file can lead to a NULL pointer dereference, and
subsequent kernel panic.  This flaw could be exploited by a local
unprivileged user to cause a denial-of-service.


* CVE-2019-16089: Denial-of-service while checking NBD netlink status.

A failure to check for errors from certain function calls in the NBD
netlink status path can lead to a NULL pointer dereference and
subsequent kernel panic.  A local user could potentially exploit this
flaw to cause a denial-of-service.


* CVE-2019-19813, CVE-2019-19816: Invalid memory accesses during btrfs filesystem sync.

A failure to properly validate certain metadata in a btrfs filesystem
image can lead to out-of-bounds writes and use-after-free issues.  Using
a specially crafted btrfs image, a local attacker could potentially
exploit these flaws to escalate privilege or cause other unexpected
behavior, including a denial-of-service.


* CVE-2019-19318: Use-after-free when mounting a btrfs image twice.

A logic error in the btrfs mount path can lead to a use-after-free
scenario if a btrfs image is mounted twice.  A local attacker could use
a specially crafted btrfs image to trigger this bug, which could cause
a system to exhibit unexpected behavior, or trigger a kernel assertion,
resulting in a denial-of-service.


* CVE-2019-19036: Denial-of-service during btrfs btree operations.

A logic error in the btrfs code path which handles btree operations can
lead to a kernel assertion being triggered, resulting in a system panic.
A local attacker could exploit this flaw using a crafted btrfs image to
cause a denial-of-service.


* CVE-2019-19039, CVE-2019-19377: Invalid memory access during btrfs filesystem unmount.

When unmounting a btrfs filesystem, it is possible for the kernel to
encounter a use-after-free scenario.  A local attacker could exploit
this flaw with a crafted btrfs image in order to cause a system to
exhibit unexpected behavior, including a potential denial-of-service.


* CVE-2020-10757: Flaw in DAX page mapping allows privilege escalation.

A flaw in the kernel handling for remapping huge pages mishandles pages
mapped for the DAX (direct userspace access) subsystem. A user with
access to DAX-mapped storage could exploit this to escalate their
privileges.


* CVE-2020-15780: SecureBoot bypass through ACPI table loading.

A missing check that the kernel is not locked down when loading ACPI tables
from userspace can allow the root user to escape SecureBoot or a kernel
lock down.


* CVE-2019-20908: Incorrect permissions on ACPI variable can allow SecureBoot bypass.

Incorrect access permissions for the EFI SSDT ACPI variable could be used by
attackers to bypass lockdown or SecureBoot restrictions.


* CVE-2020-11935: Denial-of-service attack with aufs inode reference counts.

A logic error in the aufs dentry_open function could result in invalid
reference counts, leading to a kernel BUG().  An attacker could potentially
exploit this to cause a denial-of-service attack.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.