El-errata: ELSA-2020-5755 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2020-5755
http://linux.oracle.com/errata/ELSA-2020-5755.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
x86_64:
kernel-uek-4.14.35-1902.304.6.el7uek.x86_64.rpm
kernel-uek-debug-4.14.35-1902.304.6.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.14.35-1902.304.6.el7uek.x86_64.rpm
kernel-uek-devel-4.14.35-1902.304.6.el7uek.x86_64.rpm
kernel-uek-tools-4.14.35-1902.304.6.el7uek.x86_64.rpm
kernel-uek-doc-4.14.35-1902.304.6.el7uek.noarch.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.14.35-1902.304.6.el7uek.src.rpm
Description of changes:
[4.14.35-1902.304.6.el7uek]
- bpf: fix sanitation rewrite in case of non-pointers (Daniel Borkmann) [Orabug: 31552243]
[4.14.35-1902.304.5.el7uek]
- acpi: disallow loading configfs acpi tables when locked down (Jason A. Donenfeld) [Orabug: 31493187]
- selftests/bpf: do not run test_kmod.sh for UEK5 (Alan Maguire) [Orabug: 31540213]
- bpf: do not allow root to mangle valid pointers (Alexei Starovoitov) [Orabug: 31540213]
- x86/mitigations: reset default value for srbds_mitigation (Mihai Carabas) [Orabug: 31515075]
- x86/cpu: clear X86_BUG_SRBDS before late loading (Mihai Carabas) [Orabug: 31515075]
- x86/mitigations: update MSRs on all CPUs for SRBDS (Mihai Carabas) [Orabug: 31515075]
- p54usb: Fix race between disconnect and firmware loading (Alan Stern) [Orabug: 31351863] {CVE-2019-15220}
- media: rc: prevent memory leak in cx23888_ir_probe (Navid Emamdoost) [Orabug: 31351671] {CVE-2019-19054}
- mm: Fix mremap not considering huge pmd devmap (Fan Yang) [Orabug: 31452398] {CVE-2020-10757} {CVE-2020-10757}
- tcp: implement coalescing on backlog queue (Eric Dumazet) [Orabug: 31517079]
- tcp: drop dst in tcp_add_backlog() (Eric Dumazet) [Orabug: 31517079]
- bpf: Fix up bpf_skb_adjust_room helper's skb csum setting (Daniel Borkmann) [Orabug: 31517079]
[4.14.35-1902.304.4.el7uek]
- rds: Fix potential use after free in rds_ib_inc_free (Hans Westgaard Ry) [Orabug: 31504054]
- cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM (Josh Poimboeuf) [Orabug: 31421904]
- RDMA/cm: Spurious WARNING triggered in cm_destroy_id() (Ka-Cheong Poon) [Orabug: 31483289]
- RDMA/cm: Make sure the cm_id is in the IB_CM_IDLE state in destroy (Jason Gunthorpe) [Orabug: 31483289]
- RDMA/cm: Allow ib_send_cm_sidr_rep() to be done under lock (Jason Gunthorpe) [Orabug: 31483289]
- RDMA/cm: Allow ib_send_cm_rej() to be done under lock (Jason Gunthorpe) [Orabug: 31483289]
- RDMA/cm: Allow ib_send_cm_drep() to be done under lock (Jason Gunthorpe) [Orabug: 31483289]
- RDMA/cm: Allow ib_send_cm_dreq() to be done under lock (Jason Gunthorpe) [Orabug: 31483289]
- RDMA/cm: Add some lockdep assertions for cm_id_priv->lock (Jason Gunthorpe) [Orabug: 31483289]
- RDMA/cm: Add missing locking around id.state in cm_dup_req_handler (Jason Gunthorpe) [Orabug: 31483289]
- RDMA/cm: Make the destroy_id flow more robust (Jason Gunthorpe) [Orabug: 31483289]
- RDMA/cm: Remove a race freeing timewait_info (Jason Gunthorpe) [Orabug: 31483289]
- RDMA/cm: Use refcount_t type for refcount variable (Danit Goldberg) [Orabug: 31483289]
- net/rds: NULL pointer de-reference in rds_ib_add_one() (Ka-Cheong Poon) [Orabug: 31501438]
- scsi: mpt3sas: Introduce module parameter to override queue depth (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Fix memset() in non-RDPQ mode (Suganath Prabu S) [Orabug: 31486216]
- scsi: mpt3sas: Fix reply queue count in non RDPQ mode (Suganath Prabu S) [Orabug: 31486216]
(Samuel Zou) [Orabug: 31486216]
- scsi: mpt3sas: Fix double free warnings (Suganath Prabu S) [Orabug: 31486216]
- scsi: mpt3sas: Disable DIF when prot_mask set to zero (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Capture IOC data for debugging purposes (Suganath Prabu) [Orabug: 31486216]
- scsi: mpt3sas: Use true, false for ioc->use_32bit_dma (Jason Yan) [Orabug: 31486216]
- scsi: mpt3sas: Remove NULL check before freeing function (Jason Yan) [Orabug: 31486216]
- scsi: mpt3sas: Update mpt3sas version to 33.101.00.00 (Suganath Prabu) [Orabug: 31486216]
- scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region (Suganath Prabu) [Orabug: 31486216]
- scsi: mpt3sas: Separate out RDPQ allocation to new function (Suganath Prabu) [Orabug: 31486216]
- scsi: mpt3sas: Rename function name is_MSB_are_same (Suganath Prabu) [Orabug: 31486216]
- scsi: mpt3sas: Don't change the DMA coherent mask after allocations (Christoph Hellwig) [Orabug: 31486216]
- scsi: mpt3sas: use true,false for bool variables (Jason Yan) [Orabug: 31486216]
- scsi: mpt3sas: Update drive version to 33.100.00.00 (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Remove usage of device_busy counter (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Print function name in which cmd timed out (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Optimize mpt3sas driver logging (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: print in which path firmware fault occurred (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Handle CoreDump state from watchdog thread (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Add support IOCs new state named COREDUMP (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: renamed _base_after_reset_handler function (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Add support for NVMe shutdown (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Update MPI Headers to v02.00.57 (Sreekanth Reddy) [Orabug: 31486216]
- scsi: mpt3sas: Fix double free in attach error handling (Dan Carpenter) [Orabug: 31486216]
- scsi: mpt3sas: change allocation option (Tomas Henzl) [Orabug: 31486216]
- KVM: VMX: check descriptor table exits on instruction emulation (Oliver Upton) [Orabug: 31397358]
[4.14.35-1902.304.3.el7uek]
- rebuild bumping release
[4.14.35-1902.304.2.el7uek]
- bpf: fix sanitation of alu op with pointer / scalar type from different paths (Daniel Borkmann) [Orabug: 31350800] {CVE-2019-7308}
- bpf: prevent out of bounds speculation on pointer arithmetic (Daniel Borkmann) [Orabug: 31350800] {CVE-2019-7308}
- bpf: restrict unknown scalars of mixed signed bounds for unprivileged (Daniel Borkmann) [Orabug: 31350800] {CVE-2019-7308}
- bpf: move {prev_,}insn_idx into verifier env (Daniel Borkmann) [Orabug: 31350800] {CVE-2019-7308}
- bpf: reduce verifier memory consumption (Alexei Starovoitov) [Orabug: 31350800] {CVE-2019-7308}
- bpf: Prevent memory disambiguation attack (Alexei Starovoitov) [Orabug: 31350800] {CVE-2019-7308}
- Revert "rds: Do not cancel RDMAs that have been posted to the HCA" (Gerd Rausch) [Orabug: 31476562]
- Revert "rds: Introduce rds_conn_to_path helper" (Gerd Rausch) [Orabug: 31476562]
- Revert "rds: Three cancel fixes" (Gerd Rausch) [Orabug: 31476551]
- scsi: megaraid_sas: Update driver version to 07.714.04.00-rc1 (Chandrakanth Patil) [Orabug: 31481643]
- scsi: megaraid_sas: TM command refire leads to controller firmware crash (Sumit Saxena) [Orabug: 31481643]
- scsi: megaraid_sas: Replace undefined MFI_BIG_ENDIAN macro with __BIG_ENDIAN_BITFIELD macro (Shivasharan S) [Orabug: 31481643]
- scsi: megaraid_sas: Remove IO buffer hole detection logic (Sumit Saxena) [Orabug: 31481643]
- scsi: megaraid_sas: Limit device queue depth to controller queue depth (Kashyap Desai) [Orabug: 31481643]
- scsi: megaraid: make two symbols static in megaraid_sas_base.c (Jason Yan) [Orabug: 31481643]
- scsi: megaraid: make some symbols static in megaraid_sas_fusion.c (Jason Yan) [Orabug: 31481643]
- scsi: megaraid_sas: Use scnprintf() for avoiding potential buffer overflow (Takashi Iwai) [Orabug: 31481643]
- scsi: megaraid_sas: silence a warning (Tomas Henzl) [Orabug: 31481643]
- scsi: megaraid_sas: fix indentation issue (Colin Ian King) [Orabug: 31481643]
- scsi: megaraid_sas: fixup MSIx interrupt setup during resume (Hannes Reinecke) [Orabug: 31481643]
- scsi: megaraid_sas: Update driver version to 07.713.01.00-rc1 (Anand Lodnoor) [Orabug: 31481643]
- scsi: megaraid_sas: Limit the number of retries for the IOCTLs causing firmware fault (Anand Lodnoor) [Orabug: 31481643]
- scsi: megaraid_sas: Re-Define enum DCMD_RETURN_STATUS (Anand Lodnoor) [Orabug: 31481643]
- scsi: megaraid_sas: Do not set HBA Operational if FW is not in operational state (Anand Lodnoor) [Orabug: 31481643]
- scsi: megaraid_sas: Do not kill HBA if JBOD Seqence map or RAID map is disabled (Anand Lodnoor) [Orabug: 31481643]
- scsi: megaraid_sas: Do not kill host bus adapter, if adapter is already dead (Anand Lodnoor) [Orabug: 31481643]
- scsi: megaraid_sas: Update optimal queue depth for SAS and NVMe devices (Anand Lodnoor) [Orabug: 31481643]
- scsi: megaraid_sas: Set no_write_same only for Virtual Disk (Anand Lodnoor) [Orabug: 31481643]
- scsi: megaraid_sas: Reset adapter if FW is not in READY state after device resume (Anand Lodnoor) [Orabug: 31481643]
- scsi: megaraid_sas: Make poll_aen_lock static (YueHaibing) [Orabug: 31481643]
- scsi: megaraid_sas: remove unused variables 'debugBlk','fusion' (zhengbin) [Orabug: 31481643]
- scsi: megaraid_sas: Unique names for MSI-X vectors (Chandrakanth Patil) [Orabug: 31481643]
- scsi: megaraid_sas: Make some functions static (YueHaibing) [Orabug: 31481643]
- scsi: megaraid_sas: fix spelling mistake "megarid_sas" -> "megaraid_sas" (Colin Ian King) [Orabug: 31481643]
- media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (Tomas Bortoli) [Orabug: 31351117] {CVE-2019-19533}
- ALSA: core: Fix card races between register and disconnect (Takashi Iwai) [Orabug: 31351890] {CVE-2019-15214}
- ALSA: info: Fix racy addition/deletion of nodes (Takashi Iwai) [Orabug: 31351890] {CVE-2019-15214}
- rds: Deregister all FRWR mr with free_mr (Hans Westgaard Ry) [Orabug: 31441472]
- uek-rpm: disable CONFIG_IP_PNP (Anjali Kulkarni) [Orabug: 31454846]
- x86/speculation: Add SRBDS vulnerability and mitigation documentation (Mark Gross) [Orabug: 31352781] {CVE-2020-0543}
- x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Mark Gross) [Orabug: 31352781] {CVE-2020-0543}
- x86/cpu: Add 'table' argument to cpu_matches() (Mark Gross) [Orabug: 31352781] {CVE-2020-0543}
- x86/cpu: Add a steppings field to struct x86_cpu_id (Mark Gross) [Orabug: 31352781] {CVE-2020-0543}
- netdev, octeon3-ethernet: move timecounter init to network driver probe() (Dave Aldridge) [Orabug: 31439190]
- rds: Three cancel fixes (Håkon Bugge) [Orabug: 31463014]
- can: peak_usb: fix slab info leak (Johan Hovold) [Orabug: 31351139] {CVE-2019-19534}
- uek-rpm: use expand macro with kernel_reqprovconf (Dave Kleikamp) [Orabug: 31454052]
- can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices (Tomas Bortoli) [Orabug: 31351248] {CVE-2019-19536}
- net/mlx5: Decrease default mr cache size (Artemy Kovalyov) [Orabug: 31410596]
- xfs: fix freeze hung (Junxiao Bi) [Orabug: 31245660]
- netlabel: cope with NULL catmap (Paolo Abeni) [Orabug: 31350492] {CVE-2020-10711}
- mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() (Qing Xu) [Orabug: 31350516] {CVE-2020-12654}
- scsi: sg: add sg_remove_request in sg_write (Wu Bo) [Orabug: 31350698] {CVE-2020-12770}
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (Zhiqiang Liu) [Orabug: 31350912] {CVE-2020-12657}
- mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() (Qing Xu) [Orabug: 31350931] {CVE-2020-12653}
- USB: core: Fix free-while-in-use bug in the USB S-Glibrary (Alan Stern) [Orabug: 31350965] {CVE-2020-12464}
[4.14.35-1902.304.1.el7uek]
- xfs: add agf freeblocks verify in xfs_agf_verify (Zheng Bin) [Orabug: 31350922] {CVE-2020-12655}
- rds: Do not cancel RDMAs that have been posted to the HCA (Håkon Bugge) [Orabug: 31396425]
- rds: Introduce rds_conn_to_path helper (Håkon Bugge) [Orabug: 31396425]
- mwifiex: Abort at too short BSS descriptor element (Takashi Iwai) [Orabug: 31351915] {CVE-2019-3846}
- mwifiex: Fix possible buffer overflows at parsing bss descriptor (Takashi Iwai) [Orabug: 31351915] {CVE-2019-3846} {CVE-2019-3846}
- bnxt_en: Fix accumulation of bp->net_stats_prev. (Vijayendra Suman) [Orabug: 31390689]
- nfs: initiate returning delegation when reclaiming one that's been recalled (Jeff Layton) [Orabug: 31378792]
- NFS: More excessive attribute revalidation in nfs_execute_ok() (Trond Myklebust) [Orabug: 31378792]
- uek-rpm: Add support for building a kdump kernel on MIPS64 (Dave Kleikamp) [Orabug: 31373682]
- uek-rpm: Add config-mips64-embedded-kdump (Henry Willard) [Orabug: 31373682]
- uek-rpm: Don't build kernel-uek-tools or perf packages for mips64 (Dave Kleikamp) [Orabug: 31373682]
- scsi: mptfusion: Fix double fetch bug in ioctl (Dan Carpenter) [Orabug: 31350940] {CVE-2020-12652}
- ptp: fix the race between the release of ptp_clock and cdev (Vladis Dronov) [Orabug: 31350706] {CVE-2020-10690}
- net/rds: suppress memory allocation failure reports (Manjunath Patil) [Orabug: 31359419]
[4.14.35-1902.304.0.el7uek]
- mips64/octeon: Initialize netdevice in octeon_pow struct (Vijay Kumar) [Orabug: 31388199]
- uek-rpm/ol7/config-mips64: Disable IRQSOFF_TRACER (Henry Willard) [Orabug: 31386710]
- xen/manage: enable C_A_D to force reboot (Dongli Zhang) [Orabug: 31249146]
An Unbreakable Enterprise kernel security update has been released for Oracle Linux 7.