[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2015-cd94ad8d7c)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Nov 25 10:16:41 PST 2015


Synopsis: FEDORA-2015-cd94ad8d7c can now be patched using Ksplice
CVEs: CVE-2015-5307 CVE-2015-7799 CVE-2015-7990 CVE-2015-8104

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-cd94ad8d7c.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
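
The following is an added example, not Oracle's own tooling: a small shell check that reads the "autoinstall" key from uptrack.conf and reports whether a host will install these updates automatically or needs the manual command above. The function names, the tolerant matching (case, whitespace, any section) and the sample config are assumptions of this example.

```shell
#!/bin/sh
# Added example: report how Ksplice updates reach this host, based on the
# "autoinstall" key in /etc/uptrack/uptrack.conf.

# Print the effective autoinstall value ("yes", "no", ...), "unset" when the
# key is absent, or "unreadable" when the file cannot be read.
# Comment lines (# or ;) are skipped, whitespace around "=" is tolerated and
# the last assignment wins. Assumption: the key is matched in any section.
uptrack_autoinstall_value() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                 # commented-out settings do not count
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == "autoinstall") {
                val = $2
                sub(/[#;].*/, "", val)         # drop a trailing inline comment
                gsub(/[ \t\r]/, "", val)
                found = tolower(val)
            }
        }
        END { print (found == "" ? "unset" : found) }
    ' "$conf"
}

# Print "automatic" only for an explicit "yes"; anything else (no, unset,
# unreadable) means the administrator has to run the upgrade by hand.
uptrack_install_mode() {
    case "$(uptrack_autoinstall_value "$1")" in
        yes) echo automatic ;;
        *)   echo manual ;;
    esac
}

# Constructed sample config: a commented-out "yes" followed by an explicit "no".
sample=$(mktemp)
printf '%s\n' '[Settings]' '# autoinstall = yes' 'autoinstall = no' > "$sample"
mode=$(uptrack_install_mode "$sample")
echo "sample config: $mode"
[ "$mode" = manual ] && echo "run: /usr/sbin/uptrack-upgrade -y"
rm -f "$sample"
```
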


DESCRIPTION

* Denial-of-service in AMD IOMMU driver with PROT_NONE mappings.

Incorrect handling of file mappings with PROT_NONE protections could
result in triggering a kernel assertion and crash.  A local,
unprivileged user could use this flaw to crash the system under specific
conditions.


* Integer overflow in DRM blob creation.

Missing integer overflow checks could result in an incorrect allocation
size of user supplied data.  A local user with access to the DRM device
could use this flaw to trigger an out-of-bounds access and crash the
system or potentially escalate privileges.


* Denial-of-service in PCI numa_node sysfs attribute.

Missing range checks could result in an out-of-bounds access when
writing to the numa_node override attribute of a PCI device, triggering a
kernel crash, or possibly allowing privilege escalation.


* Memory leak in overlayfs mount and unmount.

Missing resource freeing in the mount and unmount paths of overlayfs
could trigger a memory leak.


* Memory leak in overlayfs copying to upper filesystem.

Incorrect error handling could result in a memory leak when the
overlayfs filesystem failed to copy files from the lower to upper
filesystem.


* Denial-of-service in software RAID5 stripe cleaning.

Incorrect locking during stripe cleaning could result in an infinite
loop and system crash.  A local, unprivileged user with write access to
a filesystem on a RAID5 device could use this flaw to crash the system.


* NULL pointer dereference in Marvell 88SE64XX/88SE94XX task preparation.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when performing tasks on a Marvell 88SE64XX/88SE94XX
device under low memory conditions.


* Deadlock in netfilter ipset rule addition.

Incorrect memory allocation could result in deadlock, effectively
crashing the system.  A local, privileged user could use this flaw to
crash the system.


* Memory leak in btrfs file system on issuing a balance ioctl.

Allocated resources were not released when the argument check failed in
the btrfs file system balance ioctl, leading to a memory leak.  A local,
privileged user could use this flaw to exhaust kernel memory and cause
a denial-of-service.


* Denial-of-service in KVM irqchip routing.

Missing resource freeing could result in a memory leak when setting the
IRQ routing for a KVM irqchip.  A local user with access to the KVM
device could use this flaw to crash the system.


* Use-after-free in Infiniband Connected Mode Service ID Resolution.

Incorrect handling of Service ID Resolution requests could result in a
use-after-free condition and kernel crash.


* Kernel crash in Intel Knights Landing CPU frequency scaling.

A divide by zero error in the CPU frequency scaling driver for the
Knights Landing platform could result in a kernel crash under specific
conditions.


* Kernel hang in NVMe command retry.

A memory leak during NVMe command retry could result in a kernel hang if
an NVMe device was removed when the DMA pool was busy.


* CVE-2015-7990: Race condition when sending a message on unbound RDS socket.

Incorrect locking when checking the state of a socket before sending a
message could lead to a NULL pointer dereference.  A local, unprivileged
user could use this flaw to cause a denial-of-service.


* Denial-of-service in ISDN PPP device opening.

Missing allocation failure checks could result in a NULL pointer
dereference when opening an ISDN PPP device.  A local user with access
to the device could use this flaw to crash the system.


* CVE-2015-7799: Denial-of-service in PPP compression slot parameters.

Missing validation of VJ compression slot parameters for a PPP device
could result in a NULL pointer dereference and kernel crash.  A local
user with access to the PPP device could use this flaw to crash the
system.


* CVE-2015-5307: KVM host denial-of-service in alignment check.

A guest could cause a denial-of-service on a KVM host by triggering an
infinite stream of alignment check exceptions and causing the processor
microcode to enter an infinite loop.  A privileged user in a guest could
use this flaw to crash the host.


* CVE-2015-8104: KVM host denial-of-service in debug exception.

A guest could cause a denial-of-service on a KVM host by triggering a
debug exception to fire during an existing debug exception.  This could
cause the host to get trapped in an infinite loop causing a
denial-of-service.  A privileged user in a guest could use this flaw to
crash the host.


* Kernel stack overflow in Replicated Block Device driver when mapping an image.

Unlimited recursion in the Replicated Block Device driver when mapping an
image with a long chain could lead to a stack overflow.  A local user with
the ability to mount handcrafted RBD images could use this flaw to cause a
denial-of-service or potentially escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


