type: security
subject: Updated kernel-linus packages fix security vulnerabilities
CVE:
  - CVE-2018-12126
  - CVE-2018-12127
  - CVE-2018-12130
  - CVE-2018-1000026
  - CVE-2019-3882
  - CVE-2019-7308
  - CVE-2019-9213
  - CVE-2019-11091
  - CVE-2019-11486
  - CVE-2019-11599
src:
  6:
    core:
      - kernel-linus-4.14.119-1.mga6
description: |
  This kernel update provides the upstream 4.14.119 kernel, which adds the
  kernel-side mitigations for the Microarchitectural Data Sampling (MDS, also
  called ZombieLoad) vulnerabilities in Intel processors, which can allow
  attackers to retrieve data being processed inside a CPU. To complete the
  mitigations, new microcode is also needed: either install the
  microcode-0.20190514-1.mga6 package or obtain updated BIOS/UEFI firmware
  from the motherboard vendor.

  The fixed / mitigated issues are:

  Modern Intel microprocessors implement hardware-level micro-optimizations
  to improve the performance of writing data back to CPU caches. The write
  operation is split into STA (STore Address) and STD (STore Data)
  sub-operations, which allow the processor to hand off address generation
  logic for optimized writes. Both of these sub-operations write to a shared
  distributed processor structure called the 'processor store buffer'. As a
  result, an unprivileged attacker could use this flaw to read private data
  resident within the CPU's processor store buffer. (CVE-2018-12126)

  Microprocessors use a 'load port' subcomponent to perform load operations
  from memory or IO. During a load operation, the load port receives data
  from the memory or IO subsystem and then provides the data to the CPU
  registers and operations in the CPU's pipelines. Stale load operation
  results are stored in the 'load port' table until overwritten by newer
  operations. Certain load-port operations triggered by an attacker can be
  used to reveal data about previous stale requests, leaking data back to the
  attacker via a timing side-channel. (CVE-2018-12127)

  A flaw was found in the implementation of the "fill buffer", a mechanism
  used by modern CPUs when a cache miss occurs on the L1 CPU cache. If an
  attacker can generate a load operation that would create a page fault,
  execution will continue speculatively with incorrect data from the fill
  buffer while the data is fetched from higher-level caches. The response
  time can be measured to infer data in the fill buffer. (CVE-2018-12130)

  Uncacheable memory on some microprocessors utilizing speculative execution
  may allow an authenticated user to potentially enable information disclosure
  via a side channel with local access. (CVE-2019-11091)
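As an added check (not part of this advisory or of the kernel's own tooling): the kernel reports the MDS mitigation state in /sys/devices/system/cpu/vulnerabilities/mds using the status strings documented in the referenced mds.html page. This POSIX sh script classifies that string, so an administrator can tell a missing kernel update from a missing microcode update (the second half of the mitigation described above) and spot an SMT system that still needs review, and it compares the running kernel against 4.14.119. The status strings in the comments and the action names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Mageia advisory or of the kernel's own tooling.
# Reads the MDS state the kernel exposes in sysfs (status strings as documented in
# admin-guide/hw-vuln/mds.html) and checks the running kernel against the fixed build.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
REQUIRED_KVER=4.14.119   # kernel-linus build from this advisory

# mds_action STATUS: map a sysfs status line to the follow-up it calls for:
#   ok (kernel + microcode in place), smt-review (mitigated but SMT siblings still
#   share buffers), needs-microcode (kernel side present, microcode/firmware missing),
#   needs-kernel (no kernel-side mitigation), not-affected, unknown.
mds_action() {
    case "$1" in
        "Not affected"*)                                          echo not-affected ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable"*)         echo smt-review ;;
        "Mitigation: Clear CPU buffers"*)                         echo ok ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo needs-microcode ;;
        "Vulnerable"*)                                            echo needs-kernel ;;
        *)                                                        echo unknown ;;
    esac
}

# kver_at_least RUNNING REQUIRED: succeed when the numeric prefix of RUNNING
# (e.g. "4.14.119-desktop-1.mga6") is >= REQUIRED (e.g. "4.14.119"), comparing
# the three dotted fields numerically rather than as strings.
kver_at_least() {
    cur=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    req=$2
    i=1
    while [ "$i" -le 3 ]; do
        c=$(printf '%s\n' "$cur" | cut -d. -f"$i"); c=${c:-0}
        r=$(printf '%s\n' "$req" | cut -d. -f"$i"); r=${r:-0}
        [ "$c" -gt "$r" ] && return 0
        [ "$c" -lt "$r" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Live check; kernels predating the mitigation do not create the sysfs entry at all.
if [ -r "$MDS_SYSFS" ]; then
    status=$(cat "$MDS_SYSFS"); echo "mds: $status -> $(mds_action "$status")"
else
    echo "mds: no sysfs entry -> needs-kernel"
fi
kver_at_least "$(uname -r)" "$REQUIRED_KVER" && echo "kernel $(uname -r): at least $REQUIRED_KVER" \
    || echo "kernel $(uname -r): older than $REQUIRED_KVER, install kernel-linus-$REQUIRED_KVER-1.mga6"
```

A result of needs-microcode after rebooting into 4.14.119 means the microcode-0.20190514-1.mga6 package (or a vendor firmware update) is the remaining step.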
59 |
|
60 |
|
61 |
It also fixes atleast the following security issues: |
62 |
|
63 |
Linux Linux kernel version at least v4.8 onwards, probably well before |
64 |
contains a Insufficient input validation vulnerability in bnx2x network |
65 |
card driver that can result in DoS: Network card firmware assertion takes |
66 |
card off-line. This attack appear to be exploitable via An attacker on a |
67 |
must pass a very large, specially crafted packet to the bnx2x card. |
68 |
This can be done from an untrusted guest VM (CVE-2018-1000026) |
69 |
|
70 |
A flaw was found in the Linux kernel's vfio interface implementation that |
71 |
permits violation of the user's locked memory limit. If a device is bound |
72 |
to a vfio driver, such as vfio-pci, and the local attacker is |
73 |
administratively granted ownership of the device, it may cause a system |
74 |
memory exhaustion and thus a denial of service (DoS) (CVE-2019-3882). |
75 |
|
76 |
kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable |
77 |
out-of-bounds speculation on pointer arithmetic in various cases, including |
78 |
cases of different branches with different state or limits to sanitize, |
79 |
leading to side-channel attacks (CVE-2019-7308). |
80 |
|
81 |
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks |
82 |
a check for the mmap minimum address, which makes it easier for attackers |
83 |
to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is |
84 |
related to a capability check for the wrong task (CVE-2019-9213). |
85 |
|
86 |
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the |
87 |
Linux kernel before 5.0.8 has multiple race conditions (CVE-2019-11486). |
88 |
|
89 |
The coredump implementation in the Linux kernel before 5.0.10 does not use |
90 |
locking or other mechanisms to prevent vma layout or vma flags changes while |
91 |
it runs, which allows local users to obtain sensitive information, cause a |
92 |
denial of service, or possibly have unspecified other impact by triggering |
93 |
a race condition with mmget_not_zero or get_task_mm calls (CVE-2019-11599). |
94 |
|
95 |
It also fixes signal handling issues causing powertop to crash and some |
96 |
tracing tools to fail on execve tests. |
97 |
|
98 |
For other uptstream fixes in this update, see the referenced changelogs. |
references:
  - https://bugs.mageia.org/show_bug.cgi?id=24775
  - https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.101
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.102
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.103
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.104
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.105
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.106
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.107
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.108
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.109
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.110
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.111
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.112
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.113
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.115
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.116
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.117
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.118
  - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.119
ID: MGASA-2019-0172