[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4946-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jun 2 22:29:12 PDT 2021


Synopsis: USN-4946-1 can now be patched using Ksplice
CVEs: CVE-2021-20292 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-28038 CVE-2021-28688 CVE-2021-29264 CVE-2021-29265 CVE-2021-29650 CVE-2021-30002

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4946-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
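The procedure above, as an added example that is not part of the Oracle Ksplice advisory or of Uptrack itself: a POSIX shell script that decides whether the host will pick up USN-4946-1 on its own, applies the updates if not, and then checks that the advisory's CVEs actually show up in the installed-update list. It assumes that /etc/uptrack/uptrack.conf carries a line of the form "autoinstall = yes" (as the advisory states) and that uptrack-show prints one installed update per line with the CVE identifier in its text; the sample_uptrack_show output is constructed for offline use and is not real uptrack-show output.

```shell
#!/bin/sh
# Added example, not part of the Oracle Ksplice advisory or of Uptrack.
# Assumed: /etc/uptrack/uptrack.conf uses "autoinstall = yes" (per the
# advisory) and `uptrack-show` lists one installed update per line with the
# CVE identifier in its text. Check the latter against your own uptrack-show
# output before relying on it.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# CVEs from USN-4946-1 that Ksplice patches on this kernel. CVE-2021-29264
# (Gianfar) is left out on purpose: the advisory says no zero-downtime update
# is provided for it because the driver is not built for bionic kernels.
USN_4946_1_PATCHED_CVES="CVE-2021-20292 CVE-2021-26930 CVE-2021-26931 \
CVE-2021-26932 CVE-2021-28038 CVE-2021-28688 CVE-2021-29265 CVE-2021-29650 \
CVE-2021-30002"

# autoinstall_enabled CONF: succeed when CONF sets "autoinstall = yes".
# Whitespace and letter case are tolerated; commented-out lines are ignored.
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# missing_cves "CVE ..." SHOWFILE: print each CVE from the list that does not
# occur in SHOWFILE (saved output of uptrack-show), one per line. Prints
# nothing when every CVE is covered.
missing_cves() {
    for cve in $1; do
        grep -qF -- "$cve" "$2" || echo "$cve"
    done
}

# sample_uptrack_show: constructed stand-in for `uptrack-show` output so the
# check can be exercised offline. It deliberately omits CVE-2021-30002.
# Real output also prefixes every update line with a Ksplice update ID.
sample_uptrack_show() {
    cat <<'EOF'
Installed updates:
CVE-2021-20292: Double free in the Nouveau DRM subsystem.
CVE-2021-26930, XSA-365: Bad error handling of blkback grant references.
CVE-2021-28038, CVE-2021-26931, XSA-362, XSA-367: Mishandling of errors causes denial-of-service of Xen backend.
CVE-2021-26932, XSA-361: Denial-of-host-service by malicious Xen frontend.
CVE-2021-28688, XSA-371: Persistent grant leakage.
CVE-2021-29265: Denial-of-service in usbip driver due to race conditions.
CVE-2021-29650: Denial-of-service in Netfilter due to incorrect memory barrier.
EOF
}

# main: the live procedure. It only runs when the script is invoked as
# `sh check-usn-4946-1.sh --run`, so sourcing the file for its helper
# functions has no side effects on the host.
main() {
    if autoinstall_enabled "$UPTRACK_CONF"; then
        echo "autoinstall = yes: Uptrack will apply USN-4946-1 without action"
    else
        echo "autoinstall not set: applying updates now"
        /usr/sbin/uptrack-upgrade -y
    fi
    show=$(mktemp)
    /usr/sbin/uptrack-show > "$show"
    missing=$(missing_cves "$USN_4946_1_PATCHED_CVES" "$show")
    rm -f "$show"
    if [ -n "$missing" ]; then
        echo "still unpatched:"
        echo "$missing"
        exit 1
    fi
    echo "all USN-4946-1 CVEs covered"
}

if [ "${1:-}" = "--run" ]; then main "$@"; fi
```

The CVE list is kept as a separate variable rather than scraped from the advisory so the one deliberate gap (CVE-2021-29264, which Ksplice does not ship for bionic kernels) is documented in place instead of showing up as a perpetual false alarm.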


DESCRIPTION

* CVE-2021-20292: Double free in the Nouveau DRM subsystem.

A flaw in nouveau_sgdma_create_ttm() in the Nouveau DRM subsystem results
in a double free. A local attacker with root privileges could leverage
this vulnerability to escalate privileges and execute code in the
kernel context.


* Denial-of-service in NTFS when mounting a filesystem.

Missing validation of the standard information attribute in NTFS could
lead to a system crash when mounting a filesystem. A local user could
use a maliciously crafted filesystem image to cause a denial-of-service.


* CVE-2021-29265: Denial-of-service in usbip driver due to race conditions.

Race conditions in the stub-up sequence of the usbip driver during
an update of the local and shared status could lead to a system crash.
A local attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in the Xen backend network driver when checking receive slot availability.

Missing locking in the Xen netback device when checking receive slot
availability could lead to a system crash. A malicious or buggy frontend
could use this flaw to cause a denial-of-service on the host.


* CVE-2021-26932, XSA-361: Denial-of-host-service by malicious Xen frontend.

Batched mapping operations can be potentially mishandled by the Linux
Xen backend, resulting in incorrectly reported success or failure of the
operation. Running a malicious or buggy frontend could result in a
denial-of-service on the host.


* CVE-2021-26930, XSA-365: Bad error handling of blkback grant references.

The Xen blkback driver can incorrectly ignore errors when mapping grant
references, potentially reporting a false success, and causing unmapped
memory to be accessed. Hosting a malicious or buggy frontend driver
might result in a denial-of-service on the host.


* CVE-2021-30002: Denial-of-service in the V4L2 driver due to memory leaks.

A flaw in the exit path of the V4L2 driver could lead to memory leaks.
A local user could use this flaw to exhaust memory and cause a
denial-of-service.


* CVE-2021-29650: Denial-of-service in Netfilter due to incorrect memory barrier.

Lack of a full memory barrier upon the assignment of a new table value
in the Netfilter subsystem could result in a system crash. A local user
could use this flaw to cause a denial-of-service.


* Out-of-bounds memory accesses when accessing HID device array fields.

Out-of-bounds reads and writes in the HID driver during HID device
registration could lead to information disclosure and corruption of
internal kernel data structures. A local attacker could use this flaw
to cause a denial-of-service or as an aid in another type of attack.


* CVE-2021-29264: Denial-of-service in Gianfar Ethernet driver with jumbo frames and NAPI enabled.

A frame size calculation flaw in the Freescale Gianfar Ethernet driver
could lead to a system crash in situations involving an rx queue overrun
when jumbo packets and NAPI are enabled. A local user could use this
flaw for a denial-of-service.

Note: Oracle will not provide a zero-downtime update for CVE-2021-29264.

CVE-2021-29264 is a denial-of-service in the Freescale Gianfar driver,
which is not compiled on any bionic kernels.


* CVE-2021-28038, CVE-2021-26931, XSA-362, XSA-367: Mishandling of errors causes denial-of-service of Xen backend.

Error conditions in the net Xen backend driver may incorrectly cause
kernel assertion failures. A malicious or buggy Xen frontend might
trigger these conditions, causing a denial-of-service in the host.


* Use-after-free in the Virtual Socket (vsock) protocol when closing a connection.

A flaw in the Virtual Socket protocol could lead to a use-after-free when
operating on a closed or released socket. A local user could use this
flaw for a denial-of-service or privilege escalation.


* CVE-2021-28688, XSA-371: Persistent grant leakage in the Xen blkback driver.

A logic error when initializing pointers under certain circumstances
may overwrite unreclaimed values, leaking persistent grants. A local
user could use this flaw to exhaust system resources, leading to a
denial-of-service.


* Use-after-free in GFS2 DLM locking when unlocking glocks held in EX with LVBs.

A flaw in the locking interface between GFS2 and the DLM could lead to a
use-after-free when unlocking a glock held in exclusive mode that carries
a lock value block (LVB). A local attacker could use this to corrupt
internal data structures of the kernel or as an aid in another type of
attack.


* Use-after-free in the HugeTLB driver when freeing a page.

A race condition in HugeTLB during a page freeing could lead to a
system crash. A local attacker could use this flaw to cause a
denial-of-service or as an aid in another type of attack.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.