[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4390-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jul 15 00:19:28 PDT 2020


Synopsis: USN-4390-1 can now be patched using Ksplice
CVEs: CVE-2020-0067 CVE-2020-0543 CVE-2020-10751 CVE-2020-12114 CVE-2020-12464 CVE-2020-1749

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4390-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2020-12464: Use-after-free in USB scatter-gather library.

A use-after-free can occur in usb_sg_cancel() in the USB core scatter-gather
implementation when cancellation of a scatter-gather transfer races with
completion of that transfer, and could result in a system crash.


* Memory corruption when writing audit record to audit log.

Submitting a userspace audit record of an invalid length to the audit
log could result in memory corruption and eventually a kernel crash.
A local user with permission to submit userspace audit records could
use this flaw.


* Information leak in ioctls of frame buffer driver.

A flaw in an ioctl of the frame buffer driver could lead to an out-of-bounds
read, leaking information when accessing the frame buffer driver. A local
user could use this flaw to disclose kernel memory.


* CVE-2020-10751: SELinux bypass in netlink message validation.

A failure to correctly process multiple netlink messages in the SELinux
implementation can result in incorrectly allowing messages to be sent. A
local user could use this flaw to bypass SELinux restrictions.


* Denial of service in quota file writes of F2FS filesystem.

A flaw in the F2FS filesystem's implementation of quota file writes could
lead to a NULL pointer dereference, causing a system crash. A local
user could use this flaw to cause a denial-of-service.


* Invalid memory access in SiS USB video driver.

An invalid memory access in the SiS USB video driver could occur due to a
signed/unsigned integer mismatch and a signed integer overflow.


* CVE-2020-0067: Out-of-bounds read due to no bounds check in F2FS filesystem support.

A missing bounds check in the extended attribute LIST operation of the F2FS
filesystem implementation could lead to local information disclosure. A
local user could use this flaw to leak information.


* CVE-2020-12114: Denial-of-service in pivot root reference counting.

A race condition in the reference counting implementation for mount
points can result in reference count corruption, leading to a
kernel crash. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service in device open of data acquisition driver.

A memory leak could occur in the error-handling path of the device open
method of the Control and Measurement Interface (Comedi) driver. A local
user could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Denial-of-service in receives of CCITT X.25 Packet Layer.

A memory leak could occur in one of the frame receive paths of the CCITT
X.25 Packet Layer. A local user could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Out-of-bounds reads in ioctls of Non-Volatile Memory Device driver.

A flaw in an ioctl of the Non-Volatile Memory Device driver could lead to an
out-of-bounds read, leaking sensitive information from other memory
locations or crashing the system. A local user could use this flaw
to disclose memory or cause a denial-of-service (DoS).


* Denial-of-service in ceph_get_caps of CEPH distributed filesystem.

A certain sequence of events in the CEPH distributed filesystem could result
in an infinite loop inside ceph_get_caps. The flaw could be exploited to
force the kernel into an infinite loop, leading to a denial of
service (DoS).


* Denial-of-service in XFS whiteout renames.

Incorrect locking when performing renames with RENAME_WHITEOUT set could
result in a deadlock and a kernel hang. A local, unprivileged user could
use this flaw to hang the system.


* CVE-2020-0543: Side-channel information leak using SRBDS.

A side-channel information leak on some generations of Intel processors
could allow the leaking of internal microarchitectural buffers used by
instructions like RDRAND, RDSEED and SGX EGETKEY.

Updated microcode is required for this vulnerability to be mitigated.

The status of the mitigation can be found using the following command:
$ cat /sys/devices/system/cpu/vulnerabilities/srbds


* CVE-2020-1749: Information disclosure in IPv6 IPSec tunneling.

A logic error in the IPv6 implementation of IPsec can lead to some
protocols being routed outside of the IPsec tunnel in unencrypted
form. A network-based attacker could use this flaw to read confidential
information.


* Denial-of-service in remap_vmalloc_range() of Memory Manager.

A flaw in the Memory Manager implementation could result in a NULL pointer
dereference. A local, unprivileged user could trigger it by calling
mmap() on a BPF map with an invalid size, causing a denial-of-service.


* Invalid memory access in remoteproc driver while freeing vrings.

An arithmetic error in the remoteproc driver's vring free path can lead
to an out-of-bounds write. A local attacker could potentially exploit
this flaw to cause unexpected behavior, including a denial-of-service.


* Denial-of-service in NFS access control list reference counting.

A reference count manipulation error when freeing NFSv3 access control
lists can result in a memory leak. A local user with the ability to
configure access control lists could use this flaw to cause a
denial-of-service.


* Kernel crash due to xenbus ring allocation failure.

A failure to check for an error code from the Xen hypervisor when
mapping memory for the xenbus interface can result in a kernel crash.


* Deadlock in shmem PTE fill path while splitting THPs.

If certain shmem operations occur while transparent hugepages are being
split, a deadlock can occur in the shmem driver. It may be possible for
a malicious local attacker to exploit this flaw to cause a
denial-of-service.


* Deadlock between XFS filesystem freezer and scanners.

When certain background scans are occurring while the kernel is
attempting to freeze an XFS filesystem, a race condition can occur,
which may lead to a deadlock.  This could be used to cause a
denial-of-service.


* Instruction encoding error in BPF JIT compiler.

A failure to encode certain instructions properly in the BPF JIT
compiler can cause BPF programs to read data from an incorrect
register at runtime.  This could cause BPF programs to behave
unexpectedly, and could potentially result in a denial-of-service.


* Buffer overflow in Atheros wil6210 firmware command processing.

An arithmetic error in the wil6210 driver's firmware command dispatch
path can lead to a buffer overflow. This could potentially be exploited
by a local attacker to escalate privileges or cause a denial-of-service.


* Use of uninitialized data during XFS extent remapping.

A failure to properly initialize all fields of a structure can result
in the XFS driver attempting to use uninitialized data.  This could
cause a system to exhibit unexpected behavior, and could lead to
filesystem corruption or a denial-of-service.


* Denial-of-service while processing hugepages.

A race condition can occur when the kernel attempts to perform various
operations on hugepages, which can result in a kernel panic.  This flaw
could potentially be exploited by a local attacker to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
