[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (4.15.0-1035.38)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Mar 19 03:03:24 PDT 2020


Synopsis: 4.15.0-1035.38 can now be patched using Ksplice
CVEs: CVE-2019-15217 CVE-2019-19051 CVE-2019-19056 CVE-2019-19058 CVE-2019-19066 CVE-2019-19068 CVE-2020-2732 CVE-2020-8832

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu kernel update, 4.15.0-1035.38.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
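As an added example (not part of the Ksplice advisory or Oracle's tooling), the following POSIX shell script turns the two steps above into one idempotent check: it reads /etc/uptrack/uptrack.conf, reports whether autoinstall is on, and only when it is off runs /usr/sbin/uptrack-upgrade -y. The config path and the upgrade command are the ones the advisory names; the assumption that the setting appears as an uncommented "autoinstall = yes" line is mine.

```shell
#!/bin/sh
# Added example, not part of the Ksplice advisory: check whether this host
# will pick up Ksplice updates automatically (autoinstall = yes in
# /etc/uptrack/uptrack.conf) and, if not, apply them with uptrack-upgrade.

# Return 0 when the given uptrack.conf enables autoinstall, 1 otherwise.
# Only an uncommented "autoinstall = yes" line counts; surrounding
# whitespace and letter case are ignored, and an unreadable file counts
# as "no" (assumed key = value layout, as in the advisory's quote).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# Print "auto" when the updates will arrive on their own, "manual" otherwise.
uptrack_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo auto
    else
        echo manual
    fi
}

# Apply the updates now unless autoinstall will do it.  The uptrack-upgrade
# path and the -y flag are the ones given in the advisory.
ensure_updates_applied() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if uptrack_autoinstall_enabled "$conf"; then
        echo "autoinstall enabled in $conf; updates will be applied automatically"
        return 0
    fi
    echo "autoinstall not enabled in $conf; running uptrack-upgrade -y"
    /usr/sbin/uptrack-upgrade -y
}

# Run only when invoked as a script with --apply, so that sourcing this file
# for its functions has no side effects.
if [ "${1:-}" = "--apply" ]; then
    ensure_updates_applied /etc/uptrack/uptrack.conf
fi
```

Run it as root with --apply on each host; on hosts where autoinstall is already on it prints a notice and exits without invoking uptrack-upgrade, so it is safe to schedule from configuration management after every advisory.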


DESCRIPTION

* CVE-2019-19066: Denial-of-service in SCSI bfa driver.

While querying port statistics in the SCSI bfa driver, incorrect error
handling causes a memory leak. An attacker could possibly exploit this
to cause a denial-of-service.


* CVE-2019-19068: Denial-of-service in Realtek wifi driver.

Incorrect error handling in some Realtek wifi drivers could cause a memory
leak. A malicious device could trigger this to cause a denial-of-service.


* CVE-2019-15217: NULL pointer dereference when using USB ZR364XX Camera driver.

A missing check when querying capabilities of USB ZR364XX Camera device
from user space could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2019-19051: Memory leak when changing power status of Intel Wireless WiMAX Connection 2400 driver.

A missing free of resources when changing the power status of the Intel
Wireless WiMAX Connection 2400 driver could lead to a memory leak. A local
attacker could use this flaw to leak information about the running kernel
and facilitate an attack.


* CVE-2019-19058: Denial-of-service in iwlwifi firmware interface.

A memory leak while querying iwlwifi firmware debug interface could
cause kernel memory exhaustion. An attacker with permission to read the
firmware debug file could exploit this to cause a denial-of-service.


* CVE-2019-19056: Denial-of-service in the Marvell mwifiex PCIe driver.

Failure to handle an error during initialization of the Marvell mwifiex PCIe
driver leads to a memory leak. An attacker could exploit this to exhaust
kernel memory, which may eventually cause a denial-of-service.


* Denial-of-service due to missing synchronization in netfilter teardown.

When exiting a netfilter network namespace, missing synchronization
could cause teardown to occur in an unexpected order, resulting in a
kernel crash and denial-of-service.


* NULL dereference when connecting wireless device with RF switching support.

When connecting a wireless device that supports RF switching, the
generic RF switch subsystem does not properly validate that the driver
has correctly constructed its device structure. Accessing a device with
a flawed driver might therefore cause a NULL dereference and
denial-of-service.


* Soft lockup when iterating filesystem inodes causes denial-of-service.

Several base filesystem iterators fail to properly yield to the
scheduler when iterating inodes. A malicious user or crafted filesystem
image might be able to exploit this to starve the system of CPU resources,
resulting in a denial-of-service.


* Memory leak when failing to write to generic block device.

Failing to write data to a block device might result in the leak of
associated iovec structure. A malicious user with write access to a
block device could exploit this to starve the system of resources.


* Memory leak when transmitting data on LAN78XX USB ethernet device.

When transmitting data over a Microchip LAN78XX USB ethernet adapter,
unexpected errors could result in the underlying packet buffer being
leaked, eventually resulting in performance degradation or a
denial-of-service.


* Denial-of-service when connecting USB device with duplicate endpoints.

Connecting a USB device with an invalid configuration containing
duplicate endpoint addresses could cause those addresses to be written
to mistakenly. A malicious device might exploit this to cause memory
corruption or a denial-of-service.


* Memory leak when replying to SCTP command encounters error.

When generating a reply to a Stream Control Transmission Protocol
command packet, an unexpected error might result in the leak of the
command's associated memory chunk structure. A malicious client might be
able to exploit this by starving the system of memory, causing
performance degradation or a denial-of-service.


* Memory leak when creating netlink socket on VLAN ethernet fails.

A mishandled error condition when creating a netlink socket for a
VLAN ethernet device could result in the leak of the VLAN device
structure.


* Race condition when accessing voltage regulator causes denial-of-service.

Incorrect synchronization when accessing voltage regulator devices could
result in a use-after-free, possibly corrupting memory. Accessing
regulator devices in this way could therefore cause a denial-of-service.


* Memory leak when setting ioctl options on ethernet devices.

Failure to properly initialize a structure when setting ioctl options on
ethernet devices (Marvell octeontx2, possibly others) could result in
the buffer structure being leaked. A malicious user able to change
network settings might be able to exploit this to cause a
denial-of-service.


* Use-after-free when failing to open file on character device.

A mishandled error case when opening a file on a generic character
device might result in a write to an invalid pointer, potentially
resulting in memory corruption or a denial-of-service.


* Out-of-bounds read in USB HID report descriptor size.

The size field for USB HID (Human Interface Device) reports is not correctly
checked against the maximum possible total buffer size, allowing for a
possibility where the report field extends past the total length of the
buffer. A malicious device might be able to exploit this to leak kernel
information or cause a denial-of-service.


* Information leak when transmitting CAN packet.

When generating a Controller Area Network packet for transmission
through a virtual CAN bus, uninitialized data might be inadvertently
included in an unused area of the CAN packet's buffer and transmitted
over the virtual network.


* USB keyboard device with invalid keycodes causes out-of-bounds write.

The USB HID input driver looks up keys in an array-indexed table. A
malicious device with invalid keycodes could therefore trigger an
out-of-bounds write, potentially causing memory corruption or a
denial-of-service.


* Uninitialized structures in netfilter ARP tables cause NULL-pointer dereference.

An uninitialized network namespace pointer in the netfilter arptables
could result in a NULL-pointer dereference if a user sets a rule via
setsockopt() for the ARP or UNSPEC protocols. A user with the
CAP_NET_ADMIN permission could exploit this to cause a
denial-of-service.


* NULL-pointer dereference when handling netfilter ipset with ATTR_LINENO.

If a netfilter ipset has the attribute IPSET_ATTR_LINENO, calling the
IPSET_CMD_TEST command on it from userspace will result in a
NULL-pointer dereference and denial-of-service. A malicious user with
the CAP_NET_ADMIN permission could exploit this to cause a
denial-of-service.


* NULL-pointer dereference when using netfilter with DCCP and SCTP protocols.

When using the netfilter conntrack interface, the netfilter implementation
for the DCCP and SCTP protocols does not properly validate input. In
particular, a NULL timeout pointer will still be dereferenced, resulting
in a kernel crash and denial-of-service.


* Denial-of-service when reading from ALSA sequencer procfs.

A race condition when reading ALSA sequencer timer through the procfs
interface could cause a use-after-free error. An attacker could exploit
this bug to cause a denial-of-service.


* Denial-of-service in edgeport USB serial driver callbacks.

Synchronization and sanitization bugs in the edgeport USB serial
driver's interrupt and completion callback path lead to multiple NULL
pointer dereferences and deadlocks. An attacker could exploit these to
cause a denial-of-service.


* Denial-of-service when configuring keyspan USB serial device.

Missing error handling during control request completion in the keyspan
USB serial driver could cause a NULL pointer dereference. An attacker
could exploit this flaw to cause a denial-of-service.


* Denial-of-service when querying quatech2 USB serial device.

Missing error handling in the quatech2 USB serial driver could cause a
NULL pointer dereference when querying line or modem status. An attacker
could exploit this to cause a denial-of-service.


* Denial-of-service when writing back dirty pages to reclaim memory.

A division-by-zero error in the memory management subsystem when
determining whether to write back dirty pages to disk could cause a
kernel panic. This could inadvertently lead to a denial-of-service.


* Denial-of-service when releasing ipset.

A use-after-free bug when releasing an ipset in the netfilter subsystem
could cause a kernel crash and eventual denial-of-service, or possibly
allow an attacker to escalate privileges.


* Denial-of-service when initializing realtek rtl8152 driver.

An out-of-bounds memory access when loading the rtl8152 driver leads to a
NULL pointer dereference. An attacker could exploit this flaw to cause a
denial-of-service.


* Denial-of-service when configuring some mac80211-based wifi devices.

Trying to set device parameters on certain wireless devices which don't
allow such configuration causes a NULL pointer dereference. An attacker
could exploit this to cause a denial-of-service.


* Potential out-of-bounds access in Infiniband Emulex One Connect HCA driver.

An improper length check on an array index can lead to an out-of-bounds
access in the Emulex One Connect HCA driver's partition key query path.
This could cause a system to exhibit unexpected behavior, including a
potential denial-of-service.


* NULL dereference in IPWireless driver.

A failure to check for an error condition in the IPWireless driver's
setup packet send path can lead to a NULL dereference and subsequent
kernel panic. This could potentially be exploited to cause a
denial-of-service.


* Use-after-free when broadcasting ethernet header on vlan.

The generic handling of ethernet headers when broadcasting makes
assumptions about the lifetime of some vlan objects that may not hold
for certain ethernet devices. When using these devices, a local user
might be able to trigger a denial-of-service by repeated broadcast.


* Use-after-free when writing to SLIP serial line.

A locking error when writing to a SLIP serial line while the line is being
closed could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.


* NULL pointer dereference when destroying Chelsio T3/T4 iSCSI device.

A missing check when destroying a Chelsio T3/T4 iSCSI device could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when allocating ring in Intel I/OAT DMA driver.

A logic error in the Intel I/OAT DMA driver when ring allocation fails
could lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.


* Memory leak in btrfs qgroup accounting.

A logic error in btrfs qgroup accounting error path could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* NULL pointer dereference in ARP tables driver.

A missing structure initialization in ARP tables driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Use-after-free when releasing clocks in PTP clock driver.

A logic error when releasing clocks in the PTP clock driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in the mmu handling of the Nouveau driver.

A missing check in the mmu handling of the Nouveau driver could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when registering DRM driver for STMicroelectronics SoC stiH4xx Series.

A logic error in the DRM driver for the STMicroelectronics stiH4xx SoC
series when driver registration fails could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Information leak when reading capabilities in Virtio GPU driver.

A missing check on user input when reading capabilities in the Virtio GPU
driver could lead to an information leak. A local attacker could use
this flaw to leak information about the running kernel and facilitate an
attack.


* Out-of-bounds access when doing TX aggregation in Intel Wireless WiFi MVM Firmware driver.

A missing check when doing TX aggregation in Intel Wireless WiFi MVM
Firmware driver could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service when registering Userspace I/O device.

Logic errors when registering a Userspace I/O device could lead to a NULL
pointer dereference or a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.


* Out-of-bounds accesses in Powerventure Semiconductor regulators.

Missing checks on user input in Powerventure Semiconductor regulators
could lead to out-of-bounds accesses. A local attacker could use this
flaw to cause a denial-of-service.


* NULL pointer dereference in NFSv4 flexfiles driver.

A missing check in the NFSv4 flexfiles driver could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when using RapidIO Channelized Messaging driver.

A logic error in error path when using RapidIO Channelized Messaging
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Use-after-free when registering mmc host.

A logic error when registering an mmc host fails could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when getting volume and cell xattr in AFS driver.

A logic error when getting volume and cell xattr in AFS driver could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Memory leak in ANSI/IEEE 802.2 LLC type 2 driver.

Missing release of resources when using ANSI/IEEE 802.2 LLC type 2
driver could lead to a memory leak. A local attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service when allocating an oversized process stack.

A logic error when allocating an oversized process stack within a cgroup
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2020-8832: Information leak in Intel i915 generation 9 devices.

Missing pipeline flushing when switching i915 contexts could lead to
information leaks between unrelated GPU contexts. A malicious user
could potentially use this to obtain sensitive information.


* CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.

Incorrect handling of emulated instructions and IO bitmaps could allow
an unprivileged user in a nested KVM guest instance to crash the system
or, potentially, escalate privileges.


* Out-of-bounds read in BPF filter when sending packet.

When running Berkeley Packet Filter programs on outgoing packets, the
possibility exists for the BPF wrapper to access memory out of bounds.
A malicious BPF program might be able to exploit this behavior to cause
a kernel crash and denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.