[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4210-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Feb 11 08:26:27 PST 2020


Synopsis: USN-4210-1 can now be patched using Ksplice
CVEs: CVE-2019-0155 CVE-2019-16746 CVE-2019-17075 CVE-2019-17133 CVE-2019-19060 CVE-2019-19065 CVE-2019-19075 CVE-2019-19523 CVE-2019-19525 CVE-2019-19526 CVE-2019-19528 CVE-2019-19532

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4210-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
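The following is an added example, not Oracle's or Ksplice's own tooling: a small POSIX shell script that turns the two cases above into a check an administrator can run across a fleet. It takes from the advisory only the config file path /etc/uptrack/uptrack.conf, the "autoinstall = yes" setting, and the command /usr/sbin/uptrack-upgrade -y; the sample config files it parses are constructed for the demonstration, and the actual upgrade command is only executed when UPTRACK_APPLY=1 is set, so running the script as-is is a dry run.

```shell
#!/bin/sh
# Added example, not Oracle's or Ksplice's code: decide whether a host running
# Ksplice Uptrack still needs the manual step from this advisory.
# Facts taken from the advisory: the file /etc/uptrack/uptrack.conf, the
# "autoinstall = yes" setting, and the command /usr/sbin/uptrack-upgrade -y.
# The sample config files below are constructed for the demonstration.

# uptrack_autoinstall_enabled FILE
# Prints "yes" if FILE has an uncommented "autoinstall = yes" line, else "no".
# Tolerates surrounding whitespace and (as a convenience) mixed case; lines
# starting with "#" or ";" are ignored; if the key appears more than once,
# the last occurrence wins. A missing or unreadable file counts as "no".
uptrack_autoinstall_enabled() {
    if [ ! -r "$1" ]; then
        echo no
        return 0
    fi
    value=$(tr 'A-Z' 'a-z' < "$1" | sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p' \
        | tail -n 1)
    if [ "$value" = "yes" ]; then
        echo yes
    else
        echo no
    fi
}

# uptrack_action FILE
# Maps the config state to the advisory's two cases: "automatic" (Uptrack
# installs the USN-4210-1 patches itself) or "manual" (an administrator must
# run uptrack-upgrade).
uptrack_action() {
    if [ "$(uptrack_autoinstall_enabled "$1")" = "yes" ]; then
        echo automatic
    else
        echo manual
    fi
}

# uptrack_apply_if_needed FILE
# Runs the advisory's manual command only in the "manual" case, and only when
# UPTRACK_APPLY=1 is set; otherwise it reports what would happen, so the
# demonstration never touches a real host.
uptrack_apply_if_needed() {
    case "$(uptrack_action "$1")" in
        automatic)
            echo "autoinstall = yes: Uptrack will install the USN-4210-1 updates itself"
            ;;
        manual)
            if [ "${UPTRACK_APPLY:-0}" = "1" ]; then
                /usr/sbin/uptrack-upgrade -y
            else
                echo "autoinstall is off: run '/usr/sbin/uptrack-upgrade -y' as root (dry run)"
            fi
            ;;
    esac
}

# Constructed sample configs standing in for /etc/uptrack/uptrack.conf.
SAMPLE_AUTO=$(mktemp)
SAMPLE_MANUAL=$(mktemp)
MISSING_FILE="/nonexistent/uptrack.conf"   # a host with no config at all
trap 'rm -f "$SAMPLE_AUTO" "$SAMPLE_MANUAL"' EXIT
printf '# constructed sample: automatic installation enabled\nAutoinstall = YES  # trailing comment\n' > "$SAMPLE_AUTO"
printf '# constructed sample: the setting is commented out, so not in effect\n# autoinstall = yes\nautoinstall = no\n' > "$SAMPLE_MANUAL"

for cfg in "$SAMPLE_AUTO" "$SAMPLE_MANUAL" "$MISSING_FILE"; do
    echo "$cfg -> $(uptrack_action "$cfg")"
    uptrack_apply_if_needed "$cfg"
done
```

Point uptrack_action at the real /etc/uptrack/uptrack.conf on each host to get a one-word answer per machine; only hosts reporting "manual" need the uptrack-upgrade command run by hand.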


DESCRIPTION

* CVE-2019-19525: Use-after-free during ATUSB device disconnect.

The ATUSB driver attempts to access a previously freed structure in its
device disconnect path.  The flaw could potentially be exploited using
a specially crafted USB device to cause a system to exhibit unexpected
behavior, including a potential denial-of-service.


* NULL pointer dereference when encoding NFS attributes.

A missing check when encoding NFS attributes could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak in Character Device in Userspace init path.

If certain operations fail when attempting to initialize a CUSE device,
small amounts of memory will be leaked.  This flaw could be exploited
by a local attacker to waste system resources and degrade performance.


* CVE-2019-16746: Buffer overflow when receiving beacon over wireless network.

A missing check on a beacon header received over a wireless network could
lead to a buffer overflow. A remote attacker could use this flaw to
cause a denial-of-service.


* CVE-2019-19523: Use-after-free when disconnecting Ontrak ADU device due to race condition.

When disconnecting an Ontrak Control Systems ADU family USB relay
device, a race condition between the device disconnection and release
callback could result in a use-after-free, potentially causing memory
corruption or a denial-of-service.


* CVE-2019-19528: Use-after-free when disconnecting IO Warrior USB device.

Logic errors when disconnecting an IO Warrior USB device could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when using USB Keyspan USA-xxx Serial driver.

A missing check on endpoints when using the USB Keyspan USA-xxx Serial
driver could lead to a NULL pointer dereference. A local attacker could
use a malicious USB device to cause a denial-of-service.


* Information leak when registering Microtek X6USB scanner driver.

A missing check when registering the Microtek X6USB scanner driver could
lead to an information leak. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* Information leak when registering USB Lego Infrared Tower driver.

A missing check when registering the USB Lego Infrared Tower driver could
lead to an information leak. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* Memory leak when registering VIA Technologies VT6655 driver fails.

A missing release of resources when registration of the VIA Technologies
VT6655 driver fails could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2019-19075: Memory leak when registering Cascoda CA8210 transceiver driver.

A logic error when registering the Cascoda CA8210 transceiver driver could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* CVE-2019-17133: Denial-of-service in WiFi SIOCGIWESSID ioctl().

Missing bounds checks when copying an SSID in the SIOCGIWESSID ioctl()
for an 802.11 WiFi device could result in a buffer overflow and kernel
crash.


* CVE-2019-17075: Denial-of-service in Chelsio T4/T5 RDMA TPT entries.

Incorrect mapping of transfer buffers could result in performing DMA to
an incorrect physical address leading to memory corruption and use of
uninitialized values.  An attacker could use this flaw to crash the
system.


* CVE-2019-19065: Memory leak when initializing Intel OPA Gen1 driver.

A missing free of resources in the error path when initializing the Intel
OPA Gen1 driver could lead to a memory leak. A local attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2019-19532: Denial-of-service when initializing HID devices.

A failure to properly check a device-controlled parameter in the USB
HID (Bluetooth) subsystem leads to reading or writing past memory
bounds. An attacker can exploit this bug with a specially crafted USB
device to escalate privileges or cause a denial-of-service.


* CVE-2019-19526: Use-after-free when registering USB NFC PN533 device.

A logic error in the error path when registering a USB NFC PN533 device
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when mounting a network block device.

Failure to validate a user-controlled parameter when mounting a network
block device leads to a kernel crash. A malicious attacker with mount
privilege could exploit this to cause a denial-of-service.


* Denial-of-service when updating file size in CIFS filesystem.

Incorrect locking when updating the file size associated with an inode
in the CIFS filesystem leads to a kernel panic. An unprivileged local
user could exploit this to cause a denial-of-service.


* Denial-of-service when reading from mac80211 debugfs.

Trying to read an invalid file from debugfs associated with certain
mac80211 interfaces causes a NULL pointer dereference. This could lead
to an inadvertent denial-of-service.


* Memory leak when sending a message over SCTP socket.

Incorrect initialization of an SCTP socket leads to a memory leak when
performing a sendmsg call. An unprivileged local attacker could exploit
this bug to cause kernel memory exhaustion.


* Denial-of-service when sealing a file descriptor.

Incorrect locking when adding a seal to a file descriptor triggers a
kernel fail-safe protection. A local attacker can exploit this bug to
cause a kernel crash and an eventual denial-of-service.


* Denial-of-service when removing TUSB3410 USB device.

Incorrect locking when closing a port leads to a use-after-free bug when
removing a TUSB3410 serial USB device. A malicious device could exploit
this bug to cause a denial-of-service or possibly to escalate privilege.


* Information leak when reading from LD Didactic USB device.

Incorrect read implementation in LD Didactic USB driver leads to
uninitialized kernel memory leaked to the device. A malicious device
could exploit this to escalate privilege.


* Denial-of-service when scanning APs in mac80211 subsystem.

Missing SSID length validation in the mac80211 subsystem could lead to an
out-of-bounds read in the kernel when scanning access points. A malicious
AP could exploit this to cause a denial-of-service.


* Privilege escalation in the exec syscall.

Incorrect determination of the interpreter path during the exec system
call could allow execution of an attacker-controlled binary in a privileged
context. This bug could potentially be used to escalate privilege.


* Denial-of-service when creating extra attributes in OCFS2.

Missing check for memory allocation failure when creating extra
attribute in an OCFS2 filesystem leads to a NULL pointer dereference. An
unprivileged local user could exploit this bug to cause a
denial-of-service.


* Denial-of-service when enumerating free inodes number on ocfs2.

A missing error check when allocating memory leads to NULL pointer
dereference when performing OCFS2_INFO_FREEINODE ioctl operation.
A local user could exploit this to cause a denial-of-service.


* Memory leak in NFS client when handling SETCLIENTID.

Multiple concurrent SETCLIENTID operations when mounting an NFS
filesystem could lead to a memory leak. A local attacker with mount
privilege could exploit this to exhaust kernel memory and cause a
denial-of-service.


* Data corruption when opening a file from a FUSE mount.

When opening a file with the O_TRUNC flag from a FUSE mounted path, incorrect
locking could lead to operation reordering. This could cause inadvertent
data loss.


* Memory corruption when reading from a USB device.

Inadequate locking when reading from an LD Didactic-based USB device
could corrupt kernel memory. An attacker could exploit this bug to cause
a denial-of-service.


* Denial-of-service in whiteheat USB to serial converter.

Failing to sanitize user input in the whiteheat driver causes kernel
memory corruption. An attacker can craft a malicious device that
exploits this bug to cause a denial-of-service and possibly escalate
privilege.


* Denial-of-service when establishing connection in LLC subsystem.

A reference counting error in the connect call in the LLC socket subsystem
could cause allocated memory to not be cleaned up after use. This causes
kernel memory exhaustion and could eventually lead to a denial-of-service.


* Denial-of-service when adding packet action.

An infinite loop during sendmsg in the Packet Action API interface could
block a kernel thread indefinitely. An attacker with permission to add a
packet action could exploit this bug to cause a denial-of-service.


* Denial-of-service when mounting an ocfs2 filesystem.

A NULL pointer dereference when mounting an ocfs2 filesystem causes
kernel panic. A malicious device can trigger this bug to cause a
denial-of-service.


* Denial-of-service when examining the page table.

A NULL pointer dereference when examining the kernel page table through
procfs causes a kernel crash. A local user with read privilege to the
procfs entries /proc/kpagecount, /proc/kpageflags or /proc/kpagecgroup
could run into this bug and cause a denial-of-service.


* Use-after-free when deleting a file in the CIFS filesystem.

A data race in the CIFS filesystem allows a process to open a deleted
file if a handle still exists in memory corresponding to that file. An
unprivileged local user could exploit this race to cause a
denial-of-service.


* Data loss when using device mapper for caching.

A bug in how memory allocation failure is handled when device mapper is
used as a cache causes corrupted data to be written to disk. This could
lead to silent data loss.


* Denial-of-service in the zram sysfs interface.

A race between read from and write to the zram sysfs interface could
lead to a kernel panic. This could cause a denial-of-service.


* Denial-of-service when unmounting an f2fs filesystem with disk quota.

When quota is enabled on an f2fs filesystem, a NULL pointer dereference
can be triggered with quotaoff prior to unmounting the disk. A malicious
user can exploit this bug to cause a denial-of-service.


* Denial-of-service when initializing rtl8188eu USB wifi device.

Incorrect error handling in the initialization path of the rtl8188eu USB
wifi device could cause a NULL pointer dereference. This could lead to a
denial-of-service.


* Data loss in ocfs2 filesystem when performing direct IO.

A bug in the direct IO path in the ocfs2 filesystem causes dirty data to
be written to disk. This could lead to inadvertent data loss.


* Denial-of-service in Chelsio iSCSI target driver.

A NULL pointer dereference when validating checksum of received data
causes kernel panic in the Chelsio iSCSI target driver. This could lead
to a denial-of-service.


* Denial-of-service during sendmsg call in the rxrpc subsystem.

A use-after-free bug in sendmsg path while receiving call in the rxrpc
subsystem could cause a kernel panic and a subsequent denial-of-service.
Due to the nature of the bug, possibility of privilege escalation cannot
be ruled out either.


* Denial-of-service during buffered write in the btrfs filesystem.

A race condition between buffered write and extent mapping in the btrfs
filesystem leads to a memory leak. An attacker could exploit this to cause
a denial-of-service.


* CVE-2019-19060: Memory leak in Analog Devices ADIS* driver when scanning devices.

A missing free of resources on allocation failure in Analog Devices
ADIS* driver when scanning devices could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Information leak when querying a sr9800 network device over mdio.

An uninitialized variable in kernel memory leaks into userspace while
querying a network device over the mdio interface. This could allow an
unprivileged user to read the kernel stack.


* Denial-of-service during fsync on an ocfs2 filesystem.

When writing to an ocfs2 filesystem, a NULL pointer dereference leads to
a kernel crash. A local user could exploit this bug to cause a
denial-of-service.


* Improved fix to CVE-2019-0155: Privilege escalation in Intel i915 graphics driver.

The original vendor fix for CVE-2019-0155 did not completely mitigate
the vulnerability for 64-bit systems.  A local unprivileged user could
use this flaw to elevate privileges.


* Intel KVM guest creation failure with EPT disabled.

A logic error in masking reserved bits when configuring paging could
result in failing to boot 64-bit guests when Intel EPT was not available
in hardware or disabled by software.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
