[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2015-c1c2f5e168)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Dec 23 13:48:13 PST 2015


Synopsis: FEDORA-2015-c1c2f5e168 can now be patched using Ksplice
CVEs: CVE-2013-7446 CVE-2015-7550 CVE-2015-8543

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-c1c2f5e168.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
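To decide which of the two paths above applies to a host, the following added example (not part of the Ksplice notice) reads an uptrack.conf and reports whether Uptrack will apply the update unattended or the operator must run the upgrade command; the config path is a parameter so it can run on a copied file, and the sample configs are constructed here:

```shell
#!/bin/sh
# Added example, not code from the Ksplice notice: check whether a host
# will pick up these updates on its own (autoinstall = yes in
# /etc/uptrack/uptrack.conf) or still needs "uptrack-upgrade -y".

# Return 0 if any non-comment line of the file sets autoinstall to yes
# (whitespace and case tolerant, trailing "# ..." comments ignored).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk '
        /^[[:space:]]*[#;]/ { next }               # comment line
        /^[[:space:]]*autoinstall[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")        # strip "autoinstall ="
            sub(/[[:space:]]*[#;].*$/, "")        # strip trailing comment
            sub(/[[:space:]]+$/, "")              # strip trailing blanks
            if (tolower($0) == "yes") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$conf"
}

# Print the action an operator needs to take for this host; return 0 when
# a manual upgrade is required, 1 when Uptrack will install it unattended.
uptrack_required_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates will be applied automatically"
        return 1
    fi
    echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    return 0
}

# Constructed sample configs (not copied from a real system).
UPTRACK_AUTO=$(mktemp)
UPTRACK_MANUAL=$(mktemp)
printf '# example config\nautoinstall = Yes   # comment\n' > "$UPTRACK_AUTO"
printf '# autoinstall = yes\nautoinstall = no\n' > "$UPTRACK_MANUAL"

uptrack_required_action "$UPTRACK_AUTO"
uptrack_required_action "$UPTRACK_MANUAL"
# On a live host: uptrack_required_action /etc/uptrack/uptrack.conf
```

Once the update has been applied by either path, uptrack-show lists the updates currently installed on the running kernel.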


DESCRIPTION

* Use-after-free in Unix socket on concurrent reads while splicing.

A race condition in the Unix socket code between concurrent reads and a
splice could cause a socket buffer to be freed while still in use by the
splicing code, leading to a kernel panic.  A local, unprivileged user could
use this flaw to cause a denial-of-service.


* Use-after-free in Unix stream socket on concurrent writes.

A flaw in the Unix socket code could cause a use-after-free on concurrent
writes to a stream socket.  A local, unprivileged user could use this flaw
to cause a denial-of-service.


* List corruption in Unix sockets when adding a socket buffer to the receive queue.

Incorrect locking when appending a socket buffer to the receive queue of a
Unix socket could lead to list corruption and a kernel panic.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* NULL pointer dereference when routing IPv6 with DST_NOCACHE.

A missing NULL pointer check when routing IPv6 with DST_NOCACHE could lead
to a NULL pointer dereference.  An attacker could use this flaw to cause a
denial-of-service.


* Deadlock in Mellanox Ethernet driver when releasing save counters.

A sleeping function was being called with a spinlock held in the Mellanox
Ethernet driver, potentially leading to a kernel deadlock.


* NULL pointer dereference in Cavium Ethernet driver when removing the interface.

A missing check for NULL before removing a Cavium Ethernet driver NIC could
lead to a NULL pointer dereference.


* Out-of-memory condition when sending a TCP message.

A flaw in the TCP stack allows a local, unprivileged user to cause a huge
contiguous memory allocation, potentially leading to an out-of-memory
condition.


* Integer underflow when receiving an odd number of file descriptors through Unix sockets.

Miscalculation of the message size when passing an odd number of file
descriptors through a Unix socket could lead to an integer underflow.  A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak when removing routing table in the IPv4 and IPv6 stacks.

Incorrect reference counting when destroying a routing table in the IPv4
and IPv6 stacks leads to a memory leak.  A local user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Out-of-bounds memory access when updating elements of a Berkeley Packet Filter array.

A logic error when copying elements of a Berkeley Packet Filter to an array
could lead to an out-of-bounds memory read.  A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference when dumping proxy entries.

A missing check for NULL when dumping proxy entries could lead to a NULL
pointer dereference when the proxy entry is device agnostic.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Data loss on Btrfs when cloning an inline extent.

A flaw in the Btrfs filesystem clone ioctl() causes data loss when cloning
a file with an inline extent into a larger file that also has an inline
extent.


* Kernel BUG when running delayed references on Btrfs.

A kernel BUG assertion can be triggered in the Btrfs driver when running
delayed references under certain conditions.  A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Use-after-free in Rados block device when queueing work.

Incorrect reference counting in the Rados block device when queueing work
could lead to a use-after-free and kernel panic.  A local attacker could
use this flaw to cause a denial-of-service.


* Multiple kernel BUG assertions in the ext4 crypto filesystem.

Multiple different kernel BUG assertions in the ext4 crypto subsystem could
be triggered by unprivileged users and lead to a denial-of-service.


* Use-after-free in the ext4 filesystem when stopping journaling.

A flaw in the ext4 filesystem when stopping journaling leads to a
use-after-free.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Data corruption on ext4 filesystem when recording an error into the super block.

A race condition in the ext4 filesystem when using JBD2 journaling could
cause non-recoverable data corruption under certain circumstances.  A
local, unprivileged user could use this flaw to cause permanent data
corruption.


* Denial-of-service in the NFSv4 client code when allocating an ID.

Incorrect reference counting when allocating an ID in the NFSv4 client code
could lead to a kernel crash under certain circumstances.  A local,
unprivileged user with access to an NFSv4 mount could use this flaw to
cause a denial-of-service.


* Umask bypass when creating a block or character file on OCFS2.

A flaw in the OCFS2 filesystem causes the current umask to be ignored when
creating a block or character special file.  A local, unprivileged user
could gain access to those special files and potentially use them to
escalate privileges.


* Permission bypass on overlayfs when setting file extended attributes.

A flaw in overlayfs when setting file extended attributes could allow an
otherwise restricted user to change the capabilities on a file.  A local,
unprivileged user could use this flaw to elevate privileges.


* Memory leak when closing an SCTPv6 socket.

The SCTPv6 code failed to release its associated IPv6 socket when closing
the socket, leading to a memory leak.  A local, unprivileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.


* CVE-2013-7446: Use-after-free in Unix sockets.

Invalid reference counting in the kernel Unix socket subsystem can
trigger a use-after-free condition.  A local, unprivileged user could use
this flaw to bypass permission checks on Unix sockets or potentially
escalate privileges.


* CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.

A race condition in the cryptographic key management sub-system could lead
to a kernel crash when revoking and reading a key concurrently.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* CVE-2015-8543: Denial-of-service on out-of-range protocol for raw sockets.

It was discovered that a local user permitted to create raw sockets could
cause a denial-of-service by specifying an invalid protocol number for the
socket.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
