Chapter 2 Security Fixes for CVEs

This chapter lists security vulnerabilities and exposures (CVEs) that are specifically addressed in this release. Note that CVEs are continually handled in patch updates that are made available as errata builds for the current release. For this reason, it is absolutely critical that you keep your system up to date with the latest package updates for this kernel release.

You can keep up to date with the latest CVE information at https://linux.oracle.com/cve.

2.1 List of CVEs fixed in this release

The following list describes the CVEs that are fixed in this release. The content provided here is automatically generated and includes the CVE identifier and a summary of the issue. The associated internal Oracle bug identifiers are also included to reference work that was carried out to address each issue.

  • CVE-2018-10322.  The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image. (Bug: 28906188 29044524 )

    See https://linux.oracle.com/cve/CVE-2018-10322.html for more information.

  • CVE-2018-10940.  The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory. (Bug: 28906151 )

    See https://linux.oracle.com/cve/CVE-2018-10940.html for more information.

  • CVE-2018-12126.  No information available. (Bug: 29526898 29725301 )

  • CVE-2018-12127.  No information available. (Bug: 29526898 29725301 )

  • CVE-2018-12130.  No information available. (Bug: 29526898 29725301 )

  • CVE-2018-12928.  In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem. (Bug: 28312743 )

  • CVE-2018-13053.  The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used. (Bug: 29269150 )

    See https://linux.oracle.com/cve/CVE-2018-13053.html for more information.

  • CVE-2018-14612.  An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c. (Bug: 28693496 )

    See https://linux.oracle.com/cve/CVE-2018-14612.html for more information.

  • CVE-2018-14625.  A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients. (Bug: 29212490 )

  • CVE-2018-16658.  An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940. (Bug: 28906151 )

    See https://linux.oracle.com/cve/CVE-2018-16658.html for more information.

  • CVE-2018-16862.  A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one. (Bug: 29364664 )

    See https://linux.oracle.com/cve/CVE-2018-16862.html for more information.

  • CVE-2018-17972.  An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents. (Bug: 29258950 )

    See https://linux.oracle.com/cve/CVE-2018-17972.html for more information.

  • CVE-2018-18397.  The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c. (Bug: 29189776 )

    See https://linux.oracle.com/cve/CVE-2018-18397.html for more information.

  • CVE-2018-18445.  In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts. (Bug: 28855418 )

    See https://linux.oracle.com/cve/CVE-2018-18445.html for more information.

  • CVE-2018-18710.  An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658. (Bug: 28906151 )

    See https://linux.oracle.com/cve/CVE-2018-18710.html for more information.

  • CVE-2018-19406.  kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized. (Bug: 29364725 )

  • CVE-2018-19407.  The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized. (Bug: 29010225 )

    See https://linux.oracle.com/cve/CVE-2018-19407.html for more information.

  • CVE-2018-19824.  In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c. (Bug: 29011303 )

    See https://linux.oracle.com/cve/CVE-2018-19824.html for more information.

  • CVE-2018-19985.  The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space. (Bug: 29613789 )

  • CVE-2018-3620.  Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. (Bug: 28961067 )

    See https://linux.oracle.com/cve/CVE-2018-3620.html for more information.

  • CVE-2018-5333.  In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference. (Bug: 28020561 )

    See https://linux.oracle.com/cve/CVE-2018-5333.html for more information.

  • CVE-2018-5848.  In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. (Bug: 28569708 )

    See https://linux.oracle.com/cve/CVE-2018-5848.html for more information.

  • CVE-2018-6554.  Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket.

  • CVE-2018-6555.  The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket.

  • CVE-2018-7755.  An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.

    See https://linux.oracle.com/cve/CVE-2018-7755.html for more information.

  • CVE-2018-8043.  The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference). (Bug: 29012327 )

    See https://linux.oracle.com/cve/CVE-2018-8043.html for more information.

  • CVE-2019-11091.  No information available. (Bug: 29721933 )

  • CVE-2019-3459.  A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. (Bug: 29526424 )

  • CVE-2019-3701.  An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user "root" with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames. (Bug: 29215295 )

    See https://linux.oracle.com/cve/CVE-2019-3701.html for more information.

  • CVE-2019-3819.  A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ("root") can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable. (Bug: 29629479 )

  • CVE-2019-3882.  A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable. (Bug: 29681377 )

  • CVE-2019-5489.  The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. (Bug: 29187400 )

    See https://linux.oracle.com/cve/CVE-2019-5489.html for more information.

  • CVE-2019-6974.  In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free. (Bug: 29408540 )

    See https://linux.oracle.com/cve/CVE-2019-6974.html for more information.

  • CVE-2019-7221.  The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. (Bug: 29408587 )

    See https://linux.oracle.com/cve/CVE-2019-7221.html for more information.

  • CVE-2019-7222.  The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (Bug: 29408573 )

    See https://linux.oracle.com/cve/CVE-2019-7222.html for more information.

  • CVE-2019-8912.  In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr. (Bug: 29454835 )

    See https://linux.oracle.com/cve/CVE-2019-8912.html for more information.

  • CVE-2019-8980.  A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures. (Bug: 29454811 )

    See https://linux.oracle.com/cve/CVE-2019-8980.html for more information.

  • CVE-2019-9213.  In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task. (Bug: 29501960 )

    See https://linux.oracle.com/cve/CVE-2019-9213.html for more information.