[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4287-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Feb 25 07:31:17 PST 2020


Synopsis: USN-4287-1 can now be patched using Ksplice
CVEs: CVE-2019-10220 CVE-2019-14615 CVE-2019-15099 CVE-2019-15291 CVE-2019-16229 CVE-2019-16232 CVE-2019-18683 CVE-2019-18809 CVE-2019-18885 CVE-2019-19037 CVE-2019-19056 CVE-2019-19057 CVE-2019-19062 CVE-2019-19063 CVE-2019-19071 CVE-2019-19078 CVE-2019-19082 CVE-2019-19227 CVE-2019-19332 CVE-2019-19767 CVE-2019-19965 CVE-2019-20096 CVE-2019-5108 CVE-2020-7053

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4287-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
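
The two paths above (automatic versus manual) hinge on one setting in uptrack.conf. The following is an added example, not part of the Ksplice announcement or the Uptrack tooling, that reads that setting and tells you which path a host is on; it assumes the file is INI-style with an `autoinstall = yes` key/value line, as quoted above, and tolerates comments, whitespace and letter case.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether a host will pick up this
# Ksplice update on its own or needs a manual "uptrack-upgrade -y" run.
# Assumption: /etc/uptrack/uptrack.conf is INI-style and carries a line such as
#   autoinstall = yes
# The section header, if any, is ignored; only the key/value line matters.

# uptrack_autoinstall_enabled CONF
# Returns 0 if CONF turns autoinstall on, 1 otherwise (missing file, absent
# key, or any value other than "yes"). Strips "#" and ";" comments, ignores
# surrounding whitespace and case; the last occurrence of the key wins.
uptrack_autoinstall_enabled() {
    conf=$1
    [ -r "$conf" ] || return 1
    val=$(sed -n \
        -e 's/[[:space:]]*[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# plan_update CONF
# Prints "auto" when no operator action is needed and "manual" when
# /usr/sbin/uptrack-upgrade -y must be run; exit status 0 means "auto".
plan_update() {
    if uptrack_autoinstall_enabled "$1"; then
        echo auto
        return 0
    fi
    echo manual
    return 1
}

# Constructed sample configs (not real hosts) for a stand-alone run.
demo() {
    tmp=$(mktemp -d)
    printf '[Settings]\n# managed by config management\nautoinstall = yes\n' > "$tmp/auto.conf"
    printf '[Settings]\nautoinstall = no   ; operator applies by hand\n' > "$tmp/manual.conf"
    printf '[Settings]\nupgrade_on_reboot = yes\n' > "$tmp/unset.conf"
    for f in auto manual unset; do
        printf '%s: %s\n' "$f" "$(plan_update "$tmp/$f.conf")"
    done
    rm -rf "$tmp"
}

demo
```

Run it against the real file with `plan_update /etc/uptrack/uptrack.conf`; a "manual" result means the update will not land until uptrack-upgrade is run.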


DESCRIPTION

* CVE-2020-7053: Use-after-free when destroying i915 GEM context.

A locking error when destroying a GEM context in the i915 graphics driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2019-19767: Use-after-free with malformed ext4 filesystems.

Missing error handling in the ext4 inode size handling code could result
in a use-after-free and kernel crash.  A malformed ext4 filesystem could
crash the system at mount time.


* CVE-2019-19332: Denial-of-service in KVM cpuid emulation reporting.

A failure to correctly validate a request for KVM cpuid emulation
information can lead to an out-of-bounds memory access, leading to a
kernel crash. A local user with the ability to use KVM could use this
flaw to cause a denial-of-service.


* CVE-2019-19227: Denial-of-service during AppleTalk protocol registration.

A failure to correctly handle memory allocation failures can result in a
NULL pointer dereference, leading to a kernel crash. A local user with
the ability to trigger a load of the AppleTalk protocol could use this
flaw to cause a denial-of-service.


* CVE-2019-19078: Memory leak when using Atheros 802.11ac wireless cards.

A logic error when initializing Atheros 802.11ac wireless cards could
lead to a memory leak. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-19082: Memory leak when creating memory pool in AMD Display driver.

A missing free of resources when creating memory pools in the AMD Display
driver could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* CVE-2019-18885: Denial-of-service in BTRFS extent verification.

A logic error when verifying extents during mount of a BTRFS filesystem
can result in a NULL pointer dereference, leading to a kernel crash. A
local user with the ability to mount a crafted BTRFS image could use
this flaw to cause a denial-of-service.


* CVE-2019-20096: Memory leak while changing DCCP socket SP feature values.

Under certain conditions, it is possible for the __feat_register_sp
function to leak small amounts of memory.  This could potentially be
exploited by a local attacker to waste system resources and degrade
performance, or to aid in another type of attack.


* CVE-2019-19037: Denial-of-service when handling empty directories in the ext4 filesystem.

A logic error when handling empty directories in an ext4 filesystem with
holes could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2019-19965: NULL-pointer dereference when discovering SCSI ports.

A flaw in the libsas library used by SCSI devices could trigger a race
condition, resulting in a NULL-pointer dereference and
denial-of-service when a SCSI device was added.


* CVE-2019-5108: Denial-of-service of a wireless access point during roaming of a station.

A logic error in the protocol implementation when a station connects to an
access point during roaming could let an attacker within the internal
network cause a denial-of-service of the access point.


* Denial-of-service in the XFS filesystem when writeback cache is enabled.

A lock acquisition order violation when writing to a file in an XFS
filesystem leads to a deadlock when writeback cache is enabled. An
unprivileged local user could trigger this bug and cause a
denial-of-service.


* CVE-2019-15291: Denial-of-service in B2C2 FlexCop driver probing.

Incorrect device validation when probing a B2C2 FlexCop device could
result in a NULL pointer dereference and kernel crash.  A local user
with the ability to insert USB devices could use this flaw to crash the
system.


* Data corruption in OCFS2 when unmounting with dirty journal.

In rare cases, unmounting an OCFS2 filesystem while operations with
uncommitted metadata were still in flight could corrupt the journal,
resulting in data corruption or a later kernel panic.


* CVE-2019-19071: Denial-of-service in the Redpine wifi driver.

Incomplete error handling when preparation of a management frame fails in
the Redpine wifi driver leads to a memory leak. An attacker could
exploit this to cause a denial-of-service.


* CVE-2019-19062: Denial-of-service in the crypto subsystem.

Incomplete error handling while reporting statistics through procfs
in the crypto subsystem leads to a memory leak. An unprivileged local
user could exploit this to exhaust kernel memory and cause a
denial-of-service.


* Race condition in SunRPC auth cache causes NULL-pointer dereference.

A race condition exists in the SunRPC generic auth cache implementation
that could result in an uninitialized cache entry being loaded. This
invalid entry might then be dereferenced, resulting in a kernel crash
and denial-of-service.


* Out-of-bounds access when receiving data over STMicroelectronics 10/100/1000/EQOS Ethernet interface.

An incorrect DMA configuration when receiving data over a STMicroelectronics
10/100/1000/EQOS Ethernet interface could lead to an out-of-bounds
access. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-19063: Denial-of-service in the rtlwifi driver.

A bug in the error path during initialization of the rtlwifi USB driver
leads to a memory leak. An attacker with physical access may be able to
exploit this bug to cause a denial-of-service.


* CVE-2019-19056, CVE-2019-19057: Denial-of-service in the Marvell mwifiex PCIe driver.

Failure to handle errors during initialization of the Marvell mwifiex PCIe
driver leads to a memory leak. An attacker could exploit this to exhaust
kernel memory and eventually cause a denial-of-service.


* NULL-pointer dereference when failing to bind socket for iSCSI connection.

The iSCSI initiator mode handler does not properly check that the
sockets it creates are correctly bound before use. An error in this path
could result in a NULL-pointer dereference and denial-of-service.


* Permissions bypass when using EVENT_FORK with userfaultfd.

The userfault feature UFFD_EVENT_FORK might be exploitable to read file
descriptors with elevated privileges, and should therefore be restricted
to users with CAP_SYS_PTRACE.


* CVE-2019-10220: Privilege escalation when parsing directories from a malicious SMB server.

A logic error in the way paths are parsed in the SMB client could let an
attacker running a malicious SMB server manipulate files outside the
shared mount point on the client side.


* Out-of-bounds read in netfilter ebtables validation.

When parsing netfilter ebtables entries, structure padding is not
properly computed, potentially allowing an entry to trigger an
out-of-bounds read.


* Sending TCP packet with empty skb might cause denial-of-service.

A race condition when sending TCP packets might cause sendmsg() to
dispatch a packet backed by an empty kernel memory buffer, resulting
in a kernel crash and denial-of-service.


* Missing configuration validation for GTP-U causes denial-of-service.

The hashtable size parameter for the GPRS Tunneling Protocol driver is
not properly checked. Setting the IFLA_GTP_PDP_HASHSIZE attribute to
zero could result in a kernel panic and denial-of-service.


* Use-after-free when failing to create iclog when mounting XFS image.

When mounting an XFS image, a failure to create the in-core log
structure could result in a use-after-free and kernel crash. A malicious
image might be able to exploit this issue to create a denial-of-service
if mounted.


* CVE-2019-15099: NULL pointer dereference when sending data over Atheros ath10k USB device.

A missing check on a USB buffer when sending data over Atheros ath10k
USB device could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2019-18683: Privilege escalation in Virtual Video Test driver.

A locking error in Virtual Video Test driver could lead to a race
condition and use-after-free. A local attacker could use this flaw to
escalate privileges.


* CVE-2019-16232: NULL pointer dereference when registering Marvell Libertas 8385/8686/8688 SDIO 802.11b/g cards.

A missing check when registering Marvell Libertas 8385/8686/8688 SDIO
802.11b/g cards could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2019-16229: NULL pointer dereference when initializing interrupts in the AMD GPU driver.

A missing check when initializing interrupts in the AMD GPU driver could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2019-18809: Memory leak when identifying state in Afatech AF9005 DVB-T USB1.1 driver.

A logic error when state identification in the Afatech AF9005 DVB-T USB1.1
driver fails could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2019-14615: Information leak in Intel i915 generation 9 devices.

Missing pipeline flushing when switching i915 contexts could lead to
information leaks between unrelated GPU contexts. A malicious user
could potentially use this to obtain sensitive information.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.