2 Security Fixes for CVEs

This chapter lists the Common Vulnerabilities and Exposures (CVEs) that are specifically addressed in this release. Note that CVEs are continually handled in patch updates that are made available as errata builds for the current release. For this reason, it is critical that you keep your system up to date with the latest package updates for this kernel release.

You can keep up to date with the latest CVE information at https://linux.oracle.com/cve.

List of CVEs fixed in this release

The following list describes the CVEs that are fixed in this release. The content provided here is automatically generated and includes the CVE identifier and a summary of the issue. The associated internal Oracle bug identifiers are also included to reference work that was carried out to address each issue.

  • CVE-2019-16089

    An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value. An improper return check flaw was found in the Linux kernel's network block device (nbd) driver when a user queries the status of existing network block devices. This flaw allows a local user to crash the system. (Bug: 31972480 )

  • CVE-2019-19054

    A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b. The CX23888 Integrated Consumer Infrared Controller probe code mishandles resource cleanup under low memory conditions. A local attacker able to induce low memory conditions could use this flaw to crash the system. The highest threat from this vulnerability is to system availability. (Bug: 31351668 )

    See https://linux.oracle.com/cve/CVE-2019-19054.html for more information.

  • CVE-2019-19073

    Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10. (Bug: 31351566 )

    See https://linux.oracle.com/cve/CVE-2019-19073.html for more information.

  • CVE-2019-19076

    ** DISPUTED ** A memory leak in the nfp_abm_u32_knode_replace() function in drivers/net/ethernet/netronome/nfp/abm/cls.c in the Linux kernel before 5.3.6 allows attackers to cause a denial of service (memory consumption), aka CID-78beef629fd9. NOTE: this has been argued not to be a valid vulnerability, and the upstream commit 78beef629fd9 was reverted. A flaw was found in the way the NFP4000/NFP6000 advanced buffer management NIC driver in the Linux kernel handled memory release in its error handling. This flaw allows an attacker to cause a denial of service and crash the system.

  • CVE-2019-19377

    In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c. A flaw was found in the Linux kernel's implementation of the BTRFS file system. A local attacker with the ability to mount a file system can trigger a use-after-free after the file system has been unmounted. This may lead to memory corruption or privilege escalation.

    See https://linux.oracle.com/cve/CVE-2019-19377.html for more information.

  • CVE-2019-19448

    In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure. A flaw was found in the Linux kernel's implementation of BTRFS free space management, where the kernel does not correctly manage the lifetime of internal data structures used. An attacker could use this flaw to corrupt memory or escalate privileges.

  • CVE-2019-19769

    In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function (related to include/trace/events/lock.h). A use-after-free flaw was found in locks_delete_block in fs/locks.c in the Linux kernel's filesystem code, in a race when waking up a waiter. A local attacker with a special user account (or root) may cause a denial of service, a system crash, or a leak of internal kernel information.

    See https://linux.oracle.com/cve/CVE-2019-19769.html for more information.

  • CVE-2019-19770

    ** DISPUTED ** In the Linux kernel 4.19.83, there is a use-after-free (read) in the debugfs_remove function in fs/debugfs/inode.c (which is used to remove a file or directory in debugfs that was previously created with a call to another debugfs function such as debugfs_create_file). NOTE: Linux kernel developers dispute this issue as not being an issue with debugfs; instead it is an issue with misuse of debugfs within blktrace. A use-after-free flaw was found in the debugfs_remove function in the Linux kernel. The flaw could allow a local attacker with special user (or root) privilege to crash the system at the time of file or directory removal. This vulnerability can lead to a kernel information leak. The highest threat from this vulnerability is to system availability.

  • CVE-2020-0543

    Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. A new domain bypass transient execution attack known as Special Register Buffer Data Sampling (SRBDS) has been found. This flaw allows data values from special internal registers to be leaked by an attacker able to execute code on any core of the CPU. An unprivileged, local attacker can use this flaw to infer values returned by affected instructions known to be commonly used during cryptographic operations that rely on uniqueness, secrecy, or both. (Bug: 31352778 31555697 )

    See https://linux.oracle.com/cve/CVE-2020-0543.html for more information.
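Whether a system is actually protected against SRBDS depends on CPU microcode as well as the kernel: the kernel update adds the reporting and the control, while the mitigation itself is applied by updated microcode, and a fixed kernel on unpatched firmware reports the state as "Vulnerable: No microcode". The following C program is an added example written for this page, not code from the release notes or from the kernel: it lists /sys/devices/system/cpu/vulnerabilities/ (which covers srbds and the other CPU-level entries relevant to this page, such as spectre_v2) and classifies each entry. It assumes the status wording the kernel writes to those files ("Not affected", "Mitigation: ...", "Vulnerable" or "Vulnerable: ...", and "Unknown: ..." under some hypervisors); the verdict names are the example's own.

```c
/*
 * Added example, not code from the release notes or the kernel: list and
 * classify the entries under /sys/devices/system/cpu/vulnerabilities/,
 * where the kernel reports the SRBDS state (CVE-2020-0543) alongside the
 * other CPU issues. Assumes the kernel's own status wording.
 */
#include <dirent.h>
#include <stdio.h>
#include <string.h>

enum vuln_status { VS_NOT_AFFECTED, VS_MITIGATED, VS_VULNERABLE, VS_UNKNOWN };

static const char VULN_DIR[] = "/sys/devices/system/cpu/vulnerabilities";

/* Map one sysfs status line to a verdict (prefix match on the kernel's wording). */
enum vuln_status classify_status(const char *s)
{
    if (strncmp(s, "Not affected", 12) == 0) return VS_NOT_AFFECTED;
    if (strncmp(s, "Mitigation:", 11) == 0)  return VS_MITIGATED;
    if (strncmp(s, "Vulnerable", 10) == 0)   return VS_VULNERABLE;
    return VS_UNKNOWN;   /* e.g. "Unknown: Dependent on hypervisor status" */
}

const char *status_name(enum vuln_status v)
{
    switch (v) {
    case VS_NOT_AFFECTED: return "not affected";
    case VS_MITIGATED:    return "mitigated";
    case VS_VULNERABLE:   return "VULNERABLE";
    default:              return "unknown";
    }
}

/* Read the first line of one entry (e.g. "srbds") into buf, newline stripped.
 * Returns 0, or -1 if the file is absent: a kernel that predates the entry,
 * a non-x86 kernel for x86-only entries, or no sysfs at all. */
int read_vuln_entry(const char *name, char *buf, size_t bufsz)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", VULN_DIR, name);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)bufsz, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Print every entry in the directory. Returns how many report Vulnerable,
 * or -1 if the directory does not exist. */
int report_all(void)
{
    DIR *d = opendir(VULN_DIR);
    if (!d)
        return -1;
    int vulnerable = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char line[256];
        if (e->d_name[0] == '.')
            continue;
        if (read_vuln_entry(e->d_name, line, sizeof line) != 0)
            continue;
        enum vuln_status v = classify_status(line);
        printf("%-28s %-13s %s\n", e->d_name, status_name(v), line);
        if (v == VS_VULNERABLE)
            vulnerable++;
    }
    closedir(d);
    return vulnerable;
}

int main(void)
{
    char line[256];
    /* SRBDS specifically: distinguish "no kernel fix" from "no microcode". */
    if (read_vuln_entry("srbds", line, sizeof line) != 0)
        puts("srbds: no sysfs entry (kernel predates the CVE-2020-0543 fix, or not x86)");
    else if (strcmp(line, "Vulnerable: No microcode") == 0)
        puts("srbds: kernel has the fix but the CPU microcode does not; update microcode");
    else
        printf("srbds: %s (%s)\n", line, status_name(classify_status(line)));

    int n = report_all();
    if (n < 0)
        puts("vulnerabilities directory not present on this system");
    else
        printf("%d entr%s reported Vulnerable\n", n, n == 1 ? "y" : "ies");
    return n > 0;
}
```

Run it after applying the kernel update and again after a microcode (or firmware) update; the srbds line should move from "Vulnerable: No microcode" to "Mitigation: Microcode" (or "Mitigation: TSX disabled" on CPUs where that is the applied mitigation).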

  • CVE-2020-10757

    A flaw was found in the Linux kernel in versions after 4.5-rc1 in the way mremap handled DAX huge pages. This flaw allows a local attacker with access to DAX-enabled storage to escalate their privileges on the system.

    See https://linux.oracle.com/cve/CVE-2020-10757.html for more information.

  • CVE-2020-10767

    A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to perform a Spectre V2 style attack when this configuration is active. The highest threat from this vulnerability is to confidentiality. (Bug: 31557801 )

    See https://linux.oracle.com/cve/CVE-2020-10767.html for more information.

  • CVE-2020-10768

    A flaw was found in the Linux kernel before 5.8-rc1 in the prctl() function, where it can be used to enable indirect branch speculation after it has been disabled. The call incorrectly reports the speculation as being 'force disabled' when it is not, and opens the system to Spectre v2 attacks. The highest threat from this vulnerability is to confidentiality. (Bug: 31557899 )

    See https://linux.oracle.com/cve/CVE-2020-10768.html for more information.
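The prctl(2) contract described above can be checked on a running system. The following C program is an added example written for this page, not code from the release notes or from the kernel tree: it force-disables indirect-branch speculation for its own process with PR_SPEC_FORCE_DISABLE, then asks the kernel to re-enable it with PR_SPEC_ENABLE. A fixed kernel refuses the second request with EPERM; a kernel with the CVE-2020-10768 flaw accepts it while still reporting the task as force-disabled, which is why the example judges by the return code rather than by the reported state. The prctl constants are assumed to match include/uapi/linux/prctl.h (fallback definitions are provided for old libc headers), and the verdict names are the example's own. Force-disable is sticky for the calling process and is inherited by its children, so run it as a throwaway process.

```c
/*
 * Added example for this page, not code from the release notes or the kernel
 * tree: probe whether the running kernel honours PR_SPEC_FORCE_DISABLE for
 * indirect-branch speculation, the contract that CVE-2020-10768 broke.
 * Constants fall back to the values in include/uapi/linux/prctl.h if the
 * libc headers predate them. Force-disable is sticky for this process and
 * is inherited by its children, so run this as a throwaway process.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SET_SPECULATION_CTRL
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_PRCTL (1UL << 0)
#endif
#ifndef PR_SPEC_ENABLE
#define PR_SPEC_ENABLE (1UL << 1)
#endif
#ifndef PR_SPEC_DISABLE
#define PR_SPEC_DISABLE (1UL << 2)
#endif
#ifndef PR_SPEC_FORCE_DISABLE
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

/* Verdict names are this example's own. */
enum ib_check {
    IB_CTRL_UNAVAILABLE = -1,      /* no per-task control: not x86, CPU not affected,
                                      strict or no user-space mitigation, or the
                                      sandbox does not implement this prctl */
    IB_FORCE_DISABLE_BYPASSED = 0, /* PR_SPEC_ENABLE accepted after FORCE_DISABLE:
                                      the CVE-2020-10768 behaviour */
    IB_FORCE_DISABLE_ENFORCED = 1  /* PR_SPEC_ENABLE refused with EPERM: fixed */
};

/* Human-readable form of a PR_GET_SPECULATION_CTRL result. */
const char *ib_state_name(long st)
{
    if (st < 0)                     return "not available";
    if (!(st & PR_SPEC_PRCTL))      return "not controllable per task";
    if (st & PR_SPEC_FORCE_DISABLE) return "force disabled";
    if (st & PR_SPEC_DISABLE)       return "disabled";
    return "enabled";
}

int check_ib_force_disable_enforced(void)
{
    long st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    if (st < 0 || !(st & PR_SPEC_PRCTL))
        return IB_CTRL_UNAVAILABLE;

    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_FORCE_DISABLE, 0, 0) != 0)
        return IB_CTRL_UNAVAILABLE;

    /* While the force flag is set, a fixed kernel must reject this with EPERM.
     * A vulnerable kernel re-enables speculation here yet keeps reporting
     * "force disabled", so the return code, not the GET result, is the signal. */
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_ENABLE, 0, 0) == 0)
        return IB_FORCE_DISABLE_BYPASSED;
    return errno == EPERM ? IB_FORCE_DISABLE_ENFORCED : IB_CTRL_UNAVAILABLE;
}

int main(void)
{
    long before = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    int verdict = check_ib_force_disable_enforced();
    long after  = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);

    printf("indirect-branch speculation, initial state : %s\n", ib_state_name(before));
    printf("after FORCE_DISABLE then ENABLE, reported  : %s\n", ib_state_name(after));
    if (verdict == IB_FORCE_DISABLE_ENFORCED)
        puts("verdict: PR_SPEC_FORCE_DISABLE enforced (kernel has the fix)");
    else if (verdict == IB_FORCE_DISABLE_BYPASSED)
        puts("verdict: re-enable succeeded after force-disable (CVE-2020-10768 behaviour)");
    else
        puts("verdict: per-task indirect-branch control not available here");
    return verdict == IB_FORCE_DISABLE_BYPASSED;
}
```

The "not available" verdict is expected on CPUs the kernel reports as not affected, when spectre_v2_user is in strict mode (the kernel then refuses PR_SPEC_ENABLE for everyone), or under a sandbox that does not pass this prctl through; only the "bypassed" verdict indicates the unfixed behaviour.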

  • CVE-2020-11494

    An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4. A flaw was discovered in slc_bump in drivers/net/can/slcan.c in the CAN communication protocol. It allows a local attacker with special user privilege (or root) to read sensitive kernel stack information (if CONFIG_INIT_STACK_ALL is not enabled) when a partially initialized data structure is exposed over the network layer. (Bug: 31136749 )

    See https://linux.oracle.com/cve/CVE-2020-11494.html for more information.

  • CVE-2020-11884

    In the Linux kernel through 5.6.7 on the s390 platform, code execution may occur because of a race condition, as demonstrated by code in enable_sacf_uaccess in arch/s390/lib/uaccess.c that fails to protect against a concurrent page table upgrade, aka CID-3f777e19d171. A crash could also occur. A flaw was found in the Linux kernel on the s390 architecture. The issue occurs on multiprocessing systems when one s390 CPU is in Secondary Address Mode and another CPU does a kernel page table upgrade. An inter-processor interrupt (IPI) is then sent to each active CPU to update the control registers with the new page table addresses. In Secondary Address Mode the CPU's CR1 register may hold a kernel-space address to fetch instructions from, but after IPI processing the same CR1 register is set to point to a user-space address. An unprivileged user or process on the system may use this flaw to crash the system or escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

    See https://linux.oracle.com/cve/CVE-2020-11884.html for more information.

  • CVE-2020-12655

    An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767. A flaw was discovered in the XFS source in the Linux kernel. This flaw allows an attacker with the ability to mount an XFS filesystem, to trigger a denial of service while attempting to sync a file located on an XFS v5 image with crafted metadata. (Bug: 31350919 )

    See https://linux.oracle.com/cve/CVE-2020-12655.html for more information.

  • CVE-2020-12768

    ** DISPUTED ** An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it is a one-time leak at boot, the size is negligible, and it cannot be triggered at will. A flaw was found in the Linux kernel. A memory leak in svm_cpu_init() is possible, leading to a system crash. The highest threat from this vulnerability is to system availability. (Bug: 31331480 )

    See https://linux.oracle.com/cve/CVE-2020-12768.html for more information.

  • CVE-2020-12770

    An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. A vulnerability was found in sg_write in drivers/scsi/sg.c in the SCSI generic (sg) driver subsystem. This flaw allows an attacker with local access and special user or root privileges to cause a denial of service, because the allocated request list is not cleaned up (leaving an invalid Sg_fd *sfp pointer) at the time of failure, and possibly also a kernel internal information leak. (Bug: 31350694 )

    See https://linux.oracle.com/cve/CVE-2020-12770.html for more information.

  • CVE-2020-12888

    The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space. A flaw was found in the Linux kernel, which allows userspace processes, for example a guest VM, to directly access hardware devices via its VFIO driver modules. The VFIO modules allow users to enable or disable access to a device's MMIO memory address space. If a user attempts to read or write a device's MMIO address space while it is disabled, some hardware devices issue an interrupt to the CPU to indicate a fatal error condition, crashing the system. This flaw allows a guest user or process to crash the host system, resulting in a denial of service. (Bug: 31439666 31663627 )

    See https://linux.oracle.com/cve/CVE-2020-12888.html for more information.

  • CVE-2020-14331

    A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console by calling the VT_RESIZE ioctl, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

    See https://linux.oracle.com/cve/CVE-2020-14331.html for more information.

  • CVE-2020-14385

    A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shut down, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability. (Bug: 31895364 )

    See https://linux.oracle.com/cve/CVE-2020-14385.html for more information.

  • CVE-2020-14386

    A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (Bug: 31866486 )

    See https://linux.oracle.com/cve/CVE-2020-14386.html for more information.

  • CVE-2020-14390

    A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing the screen size, an out-of-bounds memory write can occur, leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (Bug: 31914650 )

  • CVE-2020-16166

    The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c. A flaw was found in the Linux kernel. The generation of the device ID from the network RNG internal state is predictable. The highest threat from this vulnerability is to data confidentiality. (Bug: 31698077 )

    See https://linux.oracle.com/cve/CVE-2020-16166.html for more information.

  • CVE-2020-25211

    In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (Bug: 31872853 )

  • CVE-2020-25284

    The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe. A flaw was found in the capabilities check of the RADOS block device functionality in the Linux kernel. Incorrect capability checks could allow a local user with root privileges (but no capabilities) to add or remove RADOS block devices from the system. (Bug: 31884150 )

    See https://linux.oracle.com/cve/CVE-2020-25284.html for more information.

  • CVE-2020-25285

    A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812. A flaw was found in the Linux kernel's sysctl handling code for hugepage management. When multiple root-level processes write to the /proc/sys/vm/nr_hugepages file to modify it, a race on internal variables can occur, leading to a system crash or memory corruption. (Bug: 31884231 )

    See https://linux.oracle.com/cve/CVE-2020-25285.html for more information.

  • CVE-2020-25641

    A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (Bug: 31955136 )

  • CVE-2020-25643

    A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow are caused by improper input validation in the ppp_cp_parse_cr function, which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (Bug: 31989185 )
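The ppp_cp_parse_cr flaw belongs to a general bug class: walking Type/Length/Data option records while trusting each option's own length byte. The following C parser is an added example written for this page, not the driver's code. It parses a PPP control-protocol packet (Code, Identifier, 16-bit Length, then options, in the RFC 1661 layout) and applies the three checks a naive walker omits, rejecting an option length of 0 or 1 (which never advances the walk) and an option length larger than the bytes remaining (which reads past the packet). It goes beyond the single function named in the text by also validating the packet header's Length field against the receive buffer. The sample packets are constructed for the example.

```c
/*
 * Added example, not code from the kernel's hdlc_ppp driver: a bounds-checked
 * parser for a PPP control-protocol packet (RFC 1661 sections 5 and 6). The
 * checks marked [!] are the ones whose absence produces the CVE-2020-25643
 * bug class. Sample packets are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CP_HDR_LEN  4  /* code, identifier, 16-bit length (length includes header) */
#define OPT_HDR_LEN 2  /* type, 8-bit length (length includes these two bytes) */

struct opt_summary {
    unsigned count;      /* options seen */
    uint8_t  types[16];  /* first 16 option types, in order */
};

/* Walk options in data[0..len). Returns the option count, or -1 if malformed. */
int ppp_walk_options(const uint8_t *data, size_t len, struct opt_summary *out)
{
    unsigned n = 0;
    while (len > 0) {
        if (len < OPT_HDR_LEN)          /* [!] truncated option header */
            return -1;
        uint8_t type = data[0];
        uint8_t olen = data[1];
        if (olen < OPT_HDR_LEN)         /* [!] length 0 or 1 would never advance */
            return -1;
        if (olen > len)                 /* [!] option claims more bytes than remain */
            return -1;
        /* data[2 .. olen) is now a valid slice for a per-option handler */
        if (out && n < sizeof out->types)
            out->types[n] = type;
        n++;
        data += olen;
        len  -= olen;
    }
    if (out)
        out->count = n;
    return (int)n;
}

/* Validate the header against the buffer, then walk the options.
 * Returns the option count, or -1 if the packet is malformed. */
int ppp_parse_cp(const uint8_t *pkt, size_t buflen, struct opt_summary *out)
{
    if (buflen < CP_HDR_LEN)
        return -1;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];
    if (plen < CP_HDR_LEN || plen > buflen)  /* Length field must fit the buffer */
        return -1;
    return ppp_walk_options(pkt + CP_HDR_LEN, plen - CP_HDR_LEN, out);
}

/* Constructed samples (Configure-Request, identifier 7). */
/* well-formed: MRU=1500 (type 1, len 4) and Magic-Number (type 5, len 6) */
const uint8_t cp_good[]      = {0x01,0x07,0x00,0x0e, 0x01,0x04,0x05,0xdc,
                                0x05,0x06,0xde,0xad,0xbe,0xef};
/* option length 0: a naive walker loops forever here */
const uint8_t cp_zero_len[]  = {0x01,0x07,0x00,0x08, 0x01,0x00,0x05,0xdc};
/* option length 9 with only 4 bytes left: a naive walker reads past the packet */
const uint8_t cp_overrun[]   = {0x01,0x07,0x00,0x08, 0x01,0x09,0x05,0xdc};
/* one stray byte after a valid option: not enough for an option header */
const uint8_t cp_trailing[]  = {0x01,0x07,0x00,0x09, 0x01,0x04,0x05,0xdc, 0x05};
/* header claims 14 bytes but the buffer holds 10 */
const uint8_t cp_truncated[] = {0x01,0x07,0x00,0x0e, 0x01,0x04,0x05,0xdc, 0x05,0x06};

int main(void)
{
    struct opt_summary s;
    int n = ppp_parse_cp(cp_good, sizeof cp_good, &s);
    printf("good      : %d options, first type %u\n", n, n > 0 ? s.types[0] : 0);
    printf("zero-len  : %d\n", ppp_parse_cp(cp_zero_len, sizeof cp_zero_len, NULL));
    printf("overrun   : %d\n", ppp_parse_cp(cp_overrun, sizeof cp_overrun, NULL));
    printf("trailing  : %d\n", ppp_parse_cp(cp_trailing, sizeof cp_trailing, NULL));
    printf("truncated : %d\n", ppp_parse_cp(cp_truncated, sizeof cp_truncated, NULL));
    return 0;
}
```

The same three checks apply to any TLV walk over attacker-controlled input (netlink attributes, TCP options, TLS extensions): validate that a header fits, that the declared length at least covers the header, and that it does not exceed what remains, before touching the payload.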

  • CVE-2020-25645

    A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (Bug: 32013938 )

  • CVE-2020-26541

    The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. This affects certs/blacklist.c and certs/system_keyring.c. A flaw was found in the Linux kernel. The Secure Boot Forbidden Signature Database protection mechanism was found to not be properly enforced. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (Bug: 31961115 )

  • CVE-2020-27152

    A stack overflow flaw via an infinite loop condition issue was found in the KVM hypervisor of the Linux kernel. This flaw occurs while processing interrupts because the IRQ state is erroneously set. This flaw allows a guest user to crash the host kernel, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (Bug: 32066585 )

  • CVE-2020-8647

    There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c. A flaw was found in the Linux kernel’s virtual console resize functionality. An attacker with local access to virtual consoles can use the virtual console resizing code to gather kernel internal data structures.

    See https://linux.oracle.com/cve/CVE-2020-8647.html for more information.

  • CVE-2020-8649

    There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c. A flaw was found in the Linux kernel’s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console. An out-of-bounds read can occur, leaking information to the console.

    See https://linux.oracle.com/cve/CVE-2020-8649.html for more information.

  • CVE-2020-8835

    In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (The issue is also known as ZDI-CAN-10780.) An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier, where an incorrect register bounds calculation occurs while checking 32-bit instructions in an eBPF program. This flaw allows an unprivileged user or process to execute eBPF programs to crash the kernel, resulting in a denial of service, or potentially to gain root privileges on the system. (Bug: 31117265 )

    See https://linux.oracle.com/cve/CVE-2020-8835.html for more information.