[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4185-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Feb 10 01:38:01 PST 2020


Synopsis: USN-4185-1 can now be patched using Ksplice
CVEs: CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-11135 CVE-2019-15098 CVE-2019-17052 CVE-2019-17053 CVE-2019-17054 CVE-2019-17055 CVE-2019-17056 CVE-2019-17666 CVE-2019-18806 CVE-2019-19533

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4185-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
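As an added example (not part of this notice or of Oracle's Uptrack tooling), a small POSIX shell helper that reads the autoinstall setting from /etc/uptrack/uptrack.conf and reports whether these updates will arrive on their own or need the manual uptrack-upgrade run above; the config-file argument, the "key = value" line format with '#' comments, and last-setting-wins handling are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Ksplice notice or Oracle's tooling.
# Reads the "autoinstall" setting from an uptrack.conf file (default path
# /etc/uptrack/uptrack.conf) and decides whether the USN-4185-1 updates
# will be applied automatically or whether uptrack-upgrade must be run.
# Assumptions: "key = value" lines, '#' comments, case-insensitive values,
# and that the last matching line wins when the key appears more than once.

# Print "yes" when autoinstall is enabled, "no" otherwise (a missing or
# unreadable file is treated as "not enabled").
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo no; return 0; }
    val=$(sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        yes) echo yes ;;
        *)   echo no ;;
    esac
}

# Print the action an administrator should take for the given config file:
# "none" when autoinstall will pick the updates up, otherwise the manual
# command from the notice.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = yes ]; then
        echo none
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Only acts when invoked with APPLY=1, so sourcing this file is harmless.
if [ "${APPLY:-0}" = 1 ] && [ "$(uptrack_action)" != none ]; then
    /usr/sbin/uptrack-upgrade -y
fi
```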


DESCRIPTION

* NULL pointer dereference when registering a Prodikeys PC-MIDI keyboard.

A missing check when registering a Prodikeys PC-MIDI keyboard could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free in the raw HID device driver.

A missing check in the ioctl handler of the raw HID device driver could
lead to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in sysfs power supply property read.

A failure to rate limit the printing of error messages associated with an
invalid read of a power supply property in sysfs could allow a userspace
application to execute a denial-of-service attack via flooding the system
with error messages.


* Use-after-free in PCI Hyper-V device removal.

A logic error in the PCI Hyper-V code could allow a use-after-free when
removing a PCI Hyper-V device.


* Invalid bitmap setting in malicious F2FS image causes denial-of-service.

Missing sanitization when reading segments from a Flash-Friendly
File System (F2FS) mount could cause a kernel assertion failure. Mounting
a malicious image that exploits this flaw could cause a denial-of-service.


* Denial-of-service when reading a corrupted XFS inode.

Missing error handling when reading data from a corrupted XFS inode with
a missing copy-on-write fork verifier could result in a kernel crash.
Mounting a malicious XFS filesystem image could thereby result in a
denial-of-service.


* Stack overflow when receiving packets over an ARCnet device.

A logic error when receiving packets over an ARCnet device could lead to
a stack overflow. A remote attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using the network emulator driver.

A missing check when using the network emulator driver could lead to a
divide-by-zero error. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in the Multi-purpose USB Networking Framework.

Missing checks on USB endpoint configuration could lead to multiple
divide-by-zero errors. A local attacker could use this flaw and a
malicious USB device to cause a denial-of-service.


* CVE-2019-17055: Permission bypass when creating a Modular ISDN socket.

A missing check on user capabilities when creating a Modular ISDN socket
could lead to a permission bypass.


* CVE-2019-17054: Permission bypass when creating an Appletalk socket.

A missing check on user capabilities when creating an Appletalk socket
could lead to a permission bypass.


* CVE-2019-17052: Permission bypass when creating an Amateur Radio AX.25 Level 2 socket.

A missing check on user capabilities when creating an Amateur Radio AX.25
Level 2 socket could lead to a permission bypass.


* CVE-2019-17053: Permission bypass when creating an IEEE 802.15.4 socket.

A missing check on user capabilities when creating an IEEE 802.15.4
socket could lead to a permission bypass.


* CVE-2019-17056: Permission bypass when creating an NFC socket.

A missing check on user capabilities when creating an NFC socket could
lead to a permission bypass.


* NULL pointer dereference when configuring the ADC in the ICEnsemble ICE1712 driver.

A logic error when configuring the ADC in the ICEnsemble ICE1712 driver
could lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.


* Use of uninitialized value in GSPCA-based webcam drivers.

A missing zeroing of data in an error path of the GSPCA-based webcam
drivers could lead to use of uninitialized memory. A local attacker could
use this flaw to cause a denial-of-service.


* Out-of-bounds access when registering the Hauppauge HD PVR USB driver.

A missing NULL termination of a string when registering the Hauppauge HD
PVR USB driver could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.


* Memory leak when doing USB transfers in the CPiA2 video driver.

A missing free of resources when doing USB transfers in the CPiA2 video
driver could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* CVE-2019-19533: Information leak in Technotrend/Hauppauge USB DEC driver.

A missing zeroing of memory when doing transfers in the
Technotrend/Hauppauge USB DEC driver could lead to an information leak. A
local attacker could use this flaw to gain information about the running
kernel and facilitate an attack.


* Use-after-free when using a BTRFS tree.

A logic error when using a BTRFS tree could lead to a use-after-free. A
local attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when setting a connector property in the Radeon driver.

A missing check when setting a connector property in the Radeon driver
could lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.


* Use-after-free in BPF while freeing a JITed program.

A failure to properly order operations to account for concurrent users
of the same BPF program can lead to a use-after-free scenario when
trying to unlink that program. This could potentially be exploited
to cause a system to exhibit unexpected behavior.


* NULL pointer dereference when using an Option USB device.

A missing check on the device endpoint when using an Option USB device
could lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.


* Invalid memory access when handling v4mapped packets on an IPv6 socket.

A missing check when handling v4mapped packets on an IPv6 socket could
lead to an invalid memory access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2019-18806: Memory leak when allocating large buffers in the QLogic QLA3XXX network driver.

A missing free of resources when allocating large buffers in the QLogic
QLA3XXX network driver could lead to a memory leak. A local attacker
could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Memory leak when binding an NFC socket fails.

A logic error when binding an NFC socket fails could lead to a memory
leak. A local attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.


* NULL pointer dereference when initializing the Differentiated Services marker driver.

A missing check when initializing the Differentiated Services marker
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Invalid memory access when adding an RDS over InfiniBand and iWARP device.

A logic error when adding an RDS over InfiniBand and iWARP device could
lead to an invalid memory access. A local attacker could use this flaw
to cause a denial-of-service.


* NULL pointer dereference during ring buffer iteration in the Xen network frontend driver.

A logic error in the Xen network frontend driver caused a valid return
code to be interpreted as an error. In certain circumstances, this could
lead to a NULL pointer dereference, resulting in a kernel crash.


* NULL pointer dereference when using the Class-Based Queueing (CBQ) packet scheduling algorithm.

A missing validation of user input when using the Class-Based Queueing
(CBQ) packet scheduling algorithm could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Permission bypass when LSM_UNSAFE_PTRACE is set using Smack.

A logic error in Smack when LSM_UNSAFE_PTRACE is set could lead to a
permission bypass. A local attacker could use this flaw to facilitate an
attack.


* Deadlock when creating a file on an ext4 filesystem with Smack enabled.

A logic error when creating a file on an ext4 filesystem with Smack
enabled could lead to a deadlock. A local attacker could use this flaw to
cause a denial-of-service.


* Invalid memory access when using the NFC netlink interface.

A missing check on user input when using the NFC netlink interface could
lead to an invalid memory access. A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2019-15098: NULL pointer dereference when using the Atheros ath6kl USB driver.

A missing check when using the Atheros ath6kl USB driver with a malicious
USB device could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2019-17666: Out-of-bounds access when using the Realtek wireless network driver in P2P mode.

A logic error when using the Realtek wireless network driver in P2P mode
could lead to an out-of-bounds access. A remote attacker within wireless
radio range of the victim could use this flaw to cause a
denial-of-service.


* Denial-of-service when using the CDC NCM driver with a malicious USB device.

A missing check on the endpoints of a CDC NCM USB device could lead to a
divide-by-zero error. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in MACsec with a device over virtual Ethernet.

A race condition in the MACsec code could result in a use-after-free
condition, leading to possible memory corruption or a kernel crash. This
could be exploited for a denial-of-service attack.


* Use-after-free in Qualcomm IPC router while processing incoming messages.

A logic error in the Qualcomm IPC router code could allow a use-after-free
condition. This could be used to cause a denial-of-service.


* Memory leak during close in Point-to-Point Protocol.

A logic error in the PPP code could allow memory to not be properly freed,
leading to a memory leak. This could be used to cause a denial-of-service.


* Memory leak in DVB media creation.

A failure to properly deal with an error condition in the DVB code could
cause a memory leak. This could be exploited for a denial-of-service.


* Denial-of-service on AMD machines under heavy memory pressure.

Under heavy memory pressure, the AMD IOMMU could emit endless warnings,
potentially generating a lot of serial console output and causing high
CPU usage. This could be used to cause a denial-of-service.


* NULL pointer dereference with cgroup kmem limit set.

A logic error in the memory control code could allow a NULL pointer
dereference when the kmem limit is hit and a cgroup kmem limit is set.
This could be exploited to cause a denial-of-service.


* Denial-of-service in BTRFS with qgroup enabled when freeing data space.

A logic error in the btrfs code could allow a memory leak to occur when
data space is being freed with qgroup enabled. This could be used for a
denial-of-service attack.


* Possible memory corruption in CIFS extended attribute setting.

An invalid check on the maximum size of an xattr in CIFS could cause
memory corruption to occur due to an invalid memory copy.


* Use-after-free in dma-buf with SW sync.

A race condition in the dma-buf code could create a use-after-free condition.


* NULL pointer dereference in SMACK socket receive.

Some missing NULL pointer checks in the Simplified Mandatory Access Control
Kernel (SMACK) code could lead to a NULL pointer dereference during socket
receive.


* Kernel panic with Chelsio T4 MSI-X array access.

A missing error check could lead to an out-of-bounds memory access
and a subsequent kernel panic. This could be used for a
denial-of-service attack.


* Out-of-bounds access when registering many Hauppauge HD PVR devices.

A logic error when registering many Hauppauge HD PVR devices could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free when registering the Silicon Labs Si470x FM Radio Receiver USB driver fails.

A logic error when registering the Silicon Labs Si470x FM Radio Receiver
USB driver fails could lead to a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.


* Memory leak when registering the Hexium Gemini frame grabber driver fails.

A missing free of resources when registering the Hexium Gemini frame
grabber driver fails could lead to a memory leak. A local attacker could
use this flaw to exhaust kernel memory and cause a denial-of-service.


* NULL pointer dereference in IPv6 during link takedown.

A race condition in the IPv6 code could result in a NULL pointer
dereference when a link gets taken down, leading to a kernel panic
or memory corruption.


* Denial-of-service in kexec when a process is killed with SIGKILL.

A logic error in the kexec code could lead to the kexec code trying
to allocate a large amount of memory for a process after it was
sent a SIGKILL. This could be exploited as a denial-of-service attack.


* NULL pointer dereference when doing a VMREAD in KVM.

A logic error when doing a VMREAD in KVM could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* KSPLICE: Add ksplice_helpers compilation unit.


* Ksplice helpers to access cpuids.


* CVE-2019-0155: Privilege escalation in Intel i915 graphics driver.

Missing validation of MMIO commands to the Intel i915 device driver could
result in illicit page table modifications. An attacker could use this to
access sensitive information or elevate privileges.


* CVE-2019-0154: Denial-of-service in Intel i915 graphics driver.

Due to a hardware error, the Intel i915 device state could get corrupted.
A malicious user could use this to cause denial-of-service.


* CVE-2019-11135: Side-channel information leak in Intel TSX.

A side-channel information leak on some generations of Intel processors
could allow the leaking of internal microarchitectural buffers during
asynchronous aborts in a TSX transaction. For CPUs that are vulnerable
to Microarchitectural Data Sampling (MDS), the existing MDS mitigations
also cover CVE-2019-11135; on newer CPUs with hardware fixes for MDS,
TSX is instead transparently disabled. On these newer CPUs, TSX
functionality can be restored by writing 0 to
/sys/kernel/debug/x86/tsx_force_abort.


* CVE-2018-12207: Machine Check Exception on page size change.

A hardware bug in Intel x86 processors can result in a Machine Check Exception
when a page table mapping for currently executing instructions is changed. A
privileged user in a guest VM could use this flaw to crash the host, leading to
a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.





More information about the Ksplice-Ubuntu-Oracle-Updates mailing list