[Ksplice][Fedora-15-updates] New updates available via Ksplice (FEDORA-2012-3715)

Sasha Levin sasha.levin at oracle.com
Mon Mar 26 02:13:15 PDT 2012


Synopsis: FEDORA-2012-3715 can now be patched using Ksplice
CVEs: CVE-2012-1146 CVE-2012-1179 CVE-2012-1568

Systems running Fedora 15 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2012-3715.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 15 install
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Denial of service in the async IO hot-removal handler.

When an async IO operation is interrupted (for example by hot-removal of the
target device), the async IO subsystem is not notified of the change: its
internal kernel data structures remain allocated and the originating process
stays hung.


* CVE-2012-1146: Denial of service in cgroup eventfd handling.

The memory cgroup event handler did not check whether any events were
registered for a given memory cgroup before trying to unregister them.
Unregistering when no events existed led to a kernel oops.


* Initialize 802.11 device drivers with correct rate control values.

The 802.11 subsystem was initializing device drivers with incorrect rate
control values, which could crash drivers built on the 802.11 subsystem.


* Plug a memory leak in the software RAID subsystem.

If the parameters passed to a software RAID device were empty, the memory
allocated to hold the parameters was never freed.


* Fix crash on discard in the software RAID driver.

The IO module of the software RAID subsystem did not correctly handle DISCARD
requests in configurations with disk mirroring on top of DISCARD-capable
hardware. Such requests triggered a kernel BUG().


* Use-after-free in async IO context creation and deletion.

A race between the creation and destruction of an async IO context could
result in a use-after-free.


* Use-after-free due to a race between async IO and memory mapping.

A race between the destruction of an async IO context and a concurrent munmap
call could result in a use-after-free.


* CVE-2012-1179: Denial of service in page mapping in the hugepage subsystem.

In some cases the hugepage subsystem allocated new PMDs when the memory
management subsystem did not expect it. A privileged user in a KVM guest could
use this flaw to crash the host, and an unprivileged local user could use it to
crash the system.


* Use-after-free in the 802.11 RX reorder timer.

Because of the RCU grace period between stopping a session and freeing it, the
RX reorder timer could still be armed after the session had been stopped. When
the timer then fired, it accessed a session that no longer existed, resulting
in a use-after-free.


* Memory corruption in iSCSI target reservations.

Incorrect handling of error codes returned by the iSCSI transport layer could
make the iSCSI target believe a session had been established when it had not,
leading to memory corruption.


* Invalid reference counting on complete walks in the VFS subsystem.

Completing a path walk in the VFS could drop the reference to the path
descriptor twice (a double put). The second put could touch freed memory and
cause a kernel oops.


* Denial of service in the RapidIO device driver doorbell handler.

The RapidIO driver did not handle the case where the received doorbell count
is larger than the number of entries in the doorbell queue, which led to a
kernel panic.


* CVE-2012-1568: Predictable base address with shared libraries and ASLR.

Address space layout randomization (ASLR) is a security technique that
randomly arranges the positions of key areas in a process's address space,
usually including the base of the executable and the positions of the
libraries, heap and stack.

When running a binary that loads a large number of shared libraries, one of
the loaded libraries ended up at a predictable base address. An attacker could
use this flaw to bypass ASLR.
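
The symptom described above can be observed from user space: run the same
program several times, capture /proc/<pid>/maps each time, and look for a
file-backed mapping whose base address never changes. The following script is
an added example, not part of this advisory or of Ksplice; the two maps
snapshots embedded in it are constructed for illustration, not captured from a
real system, and the paths /usr/bin/demo and /usr/lib64/libmany.so are
hypothetical.

```python
"""Flag mappings whose base address is constant across runs (ASLR check).

Added example, not part of the Ksplice advisory. Compares /proc/<pid>/maps
snapshots from separate runs of one program and reports every file-backed
mapping whose lowest start address is identical in all runs. With working
ASLR, library bases differ between runs; a shared object that always lands
at the same address is the kind of predictable base CVE-2012-1568 describes.
"""
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$"
)


def library_bases(maps_text):
    """Map each file-backed path to its lowest mapping start (its load base).

    Anonymous mappings and pseudo-paths such as [heap] or [stack] are skipped.
    """
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if not path or path.startswith("["):
            continue
        start = int(m.group("start"), 16)
        bases[path] = min(start, bases.get(path, start))
    return bases


def fixed_bases(snapshots):
    """Return {path: base} for every path mapped at one unchanging base in all runs."""
    if len(snapshots) < 2:
        raise ValueError("need at least two runs to judge randomization")
    per_run = [library_bases(s) for s in snapshots]
    common = set(per_run[0]).intersection(*per_run[1:])
    fixed = {}
    for path in sorted(common):
        observed = {run[path] for run in per_run}
        if len(observed) == 1:
            fixed[path] = observed.pop()
    return fixed


# Constructed snapshots (not real captures) of the same hypothetical program
# run twice: libc moves between runs, libmany.so does not.
RUN_1 = """\
00400000-00401000 r-xp 00000000 fd:01 1234 /usr/bin/demo
00600000-00601000 rw-p 00000000 fd:01 1234 /usr/bin/demo
00601000-00622000 rw-p 00000000 00:00 0 [heap]
7f1a2c000000-7f1a2c1a0000 r-xp 00000000 fd:01 5678 /lib64/libc-2.14.so
7f1a2c3a0000-7f1a2c3a4000 r--p 001a0000 fd:01 5678 /lib64/libc-2.14.so
7f1a2c3a4000-7f1a2c3a6000 rw-p 001a4000 fd:01 5678 /lib64/libc-2.14.so
2aaaaaaab000-2aaaaaaad000 r-xp 00000000 fd:01 9012 /usr/lib64/libmany.so
7fff1a000000-7fff1a021000 rw-p 00000000 00:00 0 [stack]
"""
RUN_2 = """\
00400000-00401000 r-xp 00000000 fd:01 1234 /usr/bin/demo
00600000-00601000 rw-p 00000000 fd:01 1234 /usr/bin/demo
00601000-00622000 rw-p 00000000 00:00 0 [heap]
7f5be1c00000-7f5be1da0000 r-xp 00000000 fd:01 5678 /lib64/libc-2.14.so
7f5be1fa0000-7f5be1fa4000 r--p 001a0000 fd:01 5678 /lib64/libc-2.14.so
7f5be1fa4000-7f5be1fa6000 rw-p 001a4000 fd:01 5678 /lib64/libc-2.14.so
2aaaaaaab000-2aaaaaaad000 r-xp 00000000 fd:01 9012 /usr/lib64/libmany.so
7fff3c4d0000-7fff3c4f1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for path, base in fixed_bases([RUN_1, RUN_2]).items():
        print(f"constant base 0x{base:x} across runs: {path}")
```

A non-PIE main executable (here /usr/bin/demo at 0x400000) is expected to show
up as constant; the finding that matters is a shared object whose base never
moves. The check only observes the symptom on a running system and says
nothing about whether the kernel carries this update; use the Ksplice tools
above to confirm that.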

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
