[Oraclevm-errata] OVMSA-2020-0044 Important: Oracle VM 3.4 Unbreakable Enterprise kernel security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Fri Oct 9 10:33:32 PDT 2020 

Oracle VM Security Advisory OVMSA-2020-0044

The following updated rpms for Oracle VM 3.4 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
kernel-uek-4.1.12-124.43.4.el6uek.x86_64.rpm
kernel-uek-firmware-4.1.12-124.43.4.el6uek.noarch.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/kernel-uek-4.1.12-124.43.4.el6uek.src.rpm



Description of changes:

[4.1.12-124.43.4.el6uek]
- kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) 
(Jann Horn) [Orabug: 29434845] {CVE-2019-6974}
- KVM: nVMX: unconditionally cancel preemption timer in free_nested 
(CVE-2019-7221) (Peter Shier) [Orabug: 29434898] {CVE-2019-7221}
- KVM: x86: work around leak of uninitialized stack contents 
(CVE-2019-7222) (Paolo Bonzini) [Orabug: 29434924] {CVE-2019-7222}
- net: arc_emac: fix koops caused by sk_buff free (Alexander Kochetkov) 
[Orabug: 30254239] {CVE-2016-10906}
- GFS2: don't set rgrp gl_object until it's inserted into rgrp tree (Bob 
Peterson) [Orabug: 30254251] {CVE-2016-10905}
- GFS2: Fix rgrp end rounding problem for bsize < page size (Bob 
Peterson) [Orabug: 30254251] {CVE-2016-10905}
- x86/apic/msi: update address_hi on set msi affinity (Joe Jin) [Orabug: 
31477035] - x86/apic/msi: check and sync apic IRR on msi_set_affinity 
(Joe Jin) [Orabug: 31477035] - net: ipv6_stub: use ip6_dst_lookup_flow 
instead of ip6_dst_lookup (Sabrina Dubroca) [Orabug: 31872821] 
{CVE-2020-1749}
- nfs: Fix getxattr kernel panic and memory overflow (Jeffrey Mitchell) 
[Orabug: 31872910] {CVE-2020-25212}
- rbd: require global CAP_SYS_ADMIN for mapping and unmapping (Ilya 
Dryomov) [Orabug: 31884169] {CVE-2020-25284}
- mm/hugetlb: fix a race between hugetlb sysctl handlers (Muchun Song) 
[Orabug: 31884239] {CVE-2020-25285}
- ext4: fix potential negative array index in do_split() (Eric Sandeen) 
[Orabug: 31895331] {CVE-2020-14314}

[4.1.12-124.43.3.el6uek]
- ARM: amba: Fix race condition with driver_override (Geert 
Uytterhoeven) [Orabug: 29671212] {CVE-2018-9415}
- block: blk_init_allocated_queue() set q->fq as NULL in the fail case 
(xiao jin) [Orabug: 30120513] {CVE-2018-20856}
- USB: serial: omninet: fix reference leaks at open (Johan Hovold) 
[Orabug: 30484761] {CVE-2017-8925}
- nl80211: validate beacon head (Johannes Berg) [Orabug: 30556264] 
{CVE-2019-16746}
- cfg80211: Use const more consistently in for_each_element macros 
(Jouni Malinen) [Orabug: 30556264] {CVE-2019-16746}
- cfg80211: add and use strongly typed element iteration macros 
(Johannes Berg) [Orabug: 30556264] {CVE-2019-16746}
- cfg80211: add helper to find an IE that matches a byte-array (Luca 
Coelho) [Orabug: 30556264] {CVE-2019-16746}
- cfg80211: allow finding vendor with OUI without specifying the OUI 
type (Emmanuel Grumbach) [Orabug: 30556264] {CVE-2019-16746}
- dccp: Fix memleak in __feat_register_sp (YueHaibing) [Orabug: 
30732821] {CVE-2019-20096}
- fs/proc/proc_sysctl.c: Fix a NULL pointer dereference (YueHaibing) 
[Orabug: 30732938] {CVE-2019-20054}
- fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links 
(YueHaibing) [Orabug: 30732938] {CVE-2019-20054}
- scsi: libsas: stop discovering if oob mode is disconnected (Jason Yan) 
[Orabug: 30770913] {CVE-2019-19965}
- kernel/sysctl.c: fix out-of-bounds access when setting file-max (Will 
Deacon) [Orabug: 31350720] {CVE-2019-14898}
- sysctl: handle overflow for file-max (Christian Brauner) [Orabug: 
31350720] {CVE-2019-14898}
- ath9k_htc: release allocated buffer if timed out (Navid Emamdoost) 
[Orabug: 31351572] {CVE-2019-19073}
- can: gs_usb: gs_can_open(): prevent memory leak (Navid Emamdoost) 
[Orabug: 31351682] {CVE-2019-19052}
- ALSA: usb-audio: Avoid access before bLength check in 
build_audio_procunit() (Takashi Iwai) [Orabug: 31351837] {CVE-2019-15927}
- media: usb: siano: Fix general protection fault in smsusb (Alan Stern) 
[Orabug: 31351875] {CVE-2019-15218}
- crypto: vmac - separate tfm and request context (Eric Biggers) 
[Orabug: 31584410] - SUNRPC: Fix a race with XPRT_CONNECTING (Trond 
Myklebust) [Orabug: 31796770] - SUNRPC: Fix disconnection races (Trond 
Myklebust) [Orabug: 31796770] - SUNRPC: Add a helper to wake up a 
sleeping rpc_task and set its status (Trond Myklebust) [Orabug: 
31796770] - SUNRPC: Reduce latency when send queue is congested (Trond 
Myklebust) [Orabug: 31796770] - SUNRPC: RPC transport queue must be low 
latency (Trond Myklebust) [Orabug: 31796770] - SUNRPC: Fix a potential 
race in xprt_connect() (Trond Myklebust) [Orabug: 31796770] - SUNRPC: 
ensure correct error is reported by xs_tcp_setup_socket() (NeilBrown) 
[Orabug: 31796770] - SUNRPC: Fix races between socket connection and 
destroy code (Trond Myklebust) [Orabug: 31796770] - SUNRPC: Prevent 
SYN+SYNACK+RST storms (Trond Myklebust) [Orabug: 31796770] - SUNRPC: 
Report TCP errors to the caller (Trond Myklebust) [Orabug: 31796770] - 
SUNRPC: Ensure we release the TCP socket once it has been closed (Trond 
Myklebust) [Orabug: 31796770] - net-gro: fix use-after-free read in 
napi_gro_frags() (Eric Dumazet) [Orabug: 31856195] {CVE-2020-10720}
- PCI: Probe bridge window attributes once at enumeration-time (Bjorn 
Helgaas) [Orabug: 31867577]

[4.1.12-124.43.2.el6uek]
- ALSA: seq: Cancel pending autoload work at unbinding device (Takashi 
Iwai) [Orabug: 31352045] {CVE-2017-16528}
- USB: serial: io_ti: fix information leak in completion handler (Johan 
Hovold) [Orabug: 31352084] {CVE-2017-8924}
- sample-trace-array: Fix sleeping function called from invalid context 
(Kefeng Wang) [Orabug: 31543032] - sample-trace-array: Remove 
trace_array 'sample-instance' (Kefeng Wang) [Orabug: 31543032] - 
tracing: Sample module to demonstrate kernel access to Ftrace instances. 
(Divya Indi) [Orabug: 31543032] - tracing: Adding new functions for 
kernel access to Ftrace instances (Aruna Ramakrishna) [Orabug: 31543032] 
- tracing: Adding NULL checks for trace_array descriptor pointer (Divya 
Indi) [Orabug: 31543032] - tracing: Verify if trace array exists before 
destroying it. (Divya Indi) [Orabug: 31543032] - tracing: Declare newly 
exported APIs in include/linux/trace.h (Divya Indi) [Orabug: 31543032] - 
tracing: Kernel access to Ftrace instances (Divya Indi) [Orabug: 31543032]

[4.1.12-124.43.1.el6uek]
- blktrace: Protect q->blk_trace with RCU (Jan Kara) [Orabug: 31123576] 
{CVE-2019-19768}
- media: technisat-usb2: break out of loop at end of buffer (Sean Young) 
[Orabug: 31224554] {CVE-2019-15505}
- btrfs: merge btrfs_find_device and find_device (Anand Jain) [Orabug: 
31351746] {CVE-2019-18885}
- RDMA/cxgb4: Do not dma memory off of the stack (Greg KH) [Orabug: 
31351783] {CVE-2019-17075}
- mwifiex: Abort at too short BSS descriptor element (Takashi Iwai) 
[Orabug: 31351916] {CVE-2019-3846}
- mwifiex: Fix possible buffer overflows at parsing bss descriptor 
(Takashi Iwai) [Orabug: 31351916] {CVE-2019-3846} {CVE-2019-3846}
- repair kABI breakage from "fs: prevent page refcount overflow in 
pipe_buf_get" (Dan Duval) [Orabug: 31351941] {CVE-2019-11487}
- mm: prevent get_user_pages() from overflowing page refcount (Linus 
Torvalds) [Orabug: 31351941] {CVE-2019-11487}
- mm: add 'try_get_page()' helper function (Linus Torvalds) [Orabug: 
31351941] {CVE-2019-11487}
- fs: prevent page refcount overflow in pipe_buf_get (Matthew Wilcox) 
[Orabug: 31351941] {CVE-2019-11487}
- mm: make page ref count overflow check tighter and more explicit 
(Linus Torvalds) [Orabug: 31351941] {CVE-2019-11487}
- sctp: implement memory accounting on tx path (Xin Long) [Orabug: 
31351960] {CVE-2019-3874}
- sunrpc: use SVC_NET() in svcauth_gss_* functions (Vasily Averin) 
[Orabug: 31351995] {CVE-2018-16884}
- sunrpc: use-after-free in svc_process_common() (Vasily Averin) 
[Orabug: 31351995] {CVE-2018-16884}
- af_packet: set defaule value for tmo (Mao Wenan) [Orabug: 31439107] 
{CVE-2019-20812}
- selinux: properly handle multiple messages in selinux_netlink_send() 
(Paul Moore) [Orabug: 31439369] {CVE-2020-10751}
- selinux: Print 'sclass' as string when unrecognized netlink message 
occurs (Marek Milkovic) [Orabug: 31439369] {CVE-2020-10751}
- mac80211: Do not send Layer 2 Update frame before authorization (Jouni 
Malinen) [Orabug: 31473652] {CVE-2019-5108}
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function 
(Dedy Lansky) [Orabug: 31473652] {CVE-2019-5108}
- crypto: authenc - fix parsing key with misaligned rta_len (Eric 
Biggers) [Orabug: 31535529] {CVE-2020-10769}
- vgacon: Fix for missing check in scrollback handling (Yunhai Zhang) 
[Orabug: 31705121] {CVE-2020-14331} {CVE-2020-14331}
- rename kABI whitelists to lockedlists (Dan Duval) [Orabug: 31783151]

[4.1.12-124.42.4.el6uek]
- rds/ib: Make i_{recv,send}_hdrs non-contigious (Hans Westgaard Ry) 
[Orabug: 30634865] - md: get sysfs entry after redundancy attr group 
create (Junxiao Bi) [Orabug: 31683116] - md: fix deadlock causing by 
sysfs_notify (Junxiao Bi) [Orabug: 31683116]

[4.1.12-124.42.3.el6uek]
- can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices (Tomas 
Bortoli) [Orabug: 31351221] {CVE-2019-19535}
- media: hdpvr: Fix an error handling path in hdpvr_probe() (Arvind 
Yadav) [Orabug: 31352053] {CVE-2017-16644}
- fs/binfmt_misc.c: do not allow offset overflow (Thadeu Lima de Souza 
Cascardo) [Orabug: 31588258] - clear inode and truncate pages before 
enqueuing for async inactivation (Gautham Ananthakrishna) [Orabug: 31744270]

[4.1.12-124.42.2.el6uek]
- mm: create alloc_last_chance debugfs entries (Mike Kravetz) [Orabug: 
31295499] - mm: perform 'last chance' reclaim efforts before allocation 
failure (Mike Kravetz) [Orabug: 31295499] - mm: let page allocation 
slowpath retry 'order' times (Mike Kravetz) [Orabug: 31295499] - fix 
kABI breakage from "netns: provide pure entropy for net_hash_mix()" (Dan 
Duval) [Orabug: 31351904] {CVE-2019-10638} {CVE-2019-10639}
- netns: provide pure entropy for net_hash_mix() (Eric Dumazet) [Orabug: 
31351904] {CVE-2019-10638} {CVE-2019-10639}
- hrtimer: Annotate lockless access to timer->base (Eric Dumazet) 
[Orabug: 31380495] - rds: ib: Revert "net/rds: Avoid stalled connection 
due to CM REQ retries" (Håkon Bugge) [Orabug: 31648141] - rds: Clear 
reconnect pending bit (Håkon Bugge) [Orabug: 31648141] - RDMA/netlink: 
Do not always generate an ACK for some netlink operations (Håkon Bugge) 
[Orabug: 31666975] - genirq/proc: Return proper error code when 
irq_set_affinity() fails (Wen Yaxng) [Orabug: 31723450]

[4.1.12-124.42.1.el6uek]
- fs/binfmt_elf.c: allocate initialized memory in 
fill_thread_core_info() (Alexander Potapenko) [Orabug: 31350639] 
{CVE-2020-10732}
- crypto: user - fix memory leak in crypto_report (Navid Emamdoost) 
[Orabug: 31351640] {CVE-2019-19062}
- of: unittest: fix memory leak in unittest_data_add (Navid Emamdoost) 
[Orabug: 31351702] {CVE-2019-19049}
- IB/sa: Resolv use-after-free in ib_nl_make_request() (Divya Indi) 
[Orabug: 31656992] - net-sysfs: call dev_hold if kobject_init_and_add 
success (YueHaibing) [Orabug: 31687545] {CVE-2019-20811}

More information about the Oraclevm-errata mailing list