[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2016-e7162262b0)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Mar 2 01:16:13 PST 2016


Synopsis: FEDORA-2016-e7162262b0 can now be patched using Ksplice
CVEs: CVE-2015-2085 CVE-2015-8812 CVE-2016-2383 CVE-2016-2384

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-e7162262b0.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in F2FS filename decryption.

Incorrect assumptions about the in-memory location of filename strings
could cause a kernel assertion to fail when decrypting a filename.  A
local user with access to an encrypted F2FS filesystem could use this
flaw to crash the system.


* Denial-of-service in cryptographic algorithm sockets.

Incorrect assumptions about sequencing of calls to hash algorithms could
result in a kernel crash with specific algorithms if accept() was called
on the socket before data was received.  A local, unprivileged user
could use this flaw to crash the system.


* Kernel panic when encrypting zero-length data.

The kernel crypto subsystem does not correctly handle encrypting
zero-length data which can lead to a kernel panic. A local, unprivileged
user could use this flaw to cause a denial of service.


* Memory leak in Multiple Devices (MD) persistent data driver.

In certain circumstances, a missing error check during btree splitting
could cause the MD persistent data driver to leak memory. A malicious
local user with sufficient privileges could use this to cause denial of
service.


* Denial-of-service when hot-removing memory on missing sections.

A logic error in the routine checking the pages in a memory zone could lead
to a kernel crash when offlining memory.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Deadlock in NFS share exported from OCFS2 filesystem.

Incorrect locking can trigger a deadlock and kernel panic when OCFS2 is
used to export an NFS share.


* Denial-of-service in out-of-memory killer.

A race condition between selecting a victim during out-of-memory
conditions and sending the SIGKILL signal could allow a malicious user
to exhaust memory and crash the system.


* Buffer overflow in hexadecimal memory dumping.

An off-by-one error in the hexadecimal memory dumping could result in
overflowing a buffer by a single byte, writing a NUL byte.  A user able
to trigger this flaw could cause a kernel crash, or possibly escalate
privileges.
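The hexadecimal-dump item above is the classic single-byte NUL overflow: the size check covers the hex digits but not the terminator. The following C program is an added example written for this page, not the kernel's own hex dump code; it shows a buffer-formatting hex dumper with that off-by-one beside the corrected check, and a harness that hands each version a buffer with a hidden sentinel byte so the overrun is observable without undefined behaviour. The sample input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*hexdump_fn)(const uint8_t *, size_t, char *, size_t);

static const char HEX[] = "0123456789abcdef";

/* Buggy (illustrative, not kernel code): checks only that the 2*len hex
 * digits fit, then writes a NUL after them. When 2*len == outlen that NUL
 * lands at out[outlen], one byte past the buffer: the single-byte NUL
 * overflow described above. */
int hexdump_buggy(const uint8_t *in, size_t len, char *out, size_t outlen)
{
    if (2 * len > outlen)
        return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = HEX[in[i] >> 4];
        out[2 * i + 1] = HEX[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

/* Fixed: reserve room for the NUL in the size check. Written as a division
 * so the check itself cannot overflow for a huge len. */
int hexdump_fixed(const uint8_t *in, size_t len, char *out, size_t outlen)
{
    if (outlen == 0 || len > (outlen - 1) / 2)
        return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = HEX[in[i] >> 4];
        out[2 * i + 1] = HEX[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

/* Harness: tells fn the buffer is 8 bytes while it really has a 9th
 * sentinel byte, so a one-byte overrun stays inside our own allocation.
 * Returns 1 if the sentinel was clobbered, 0 if it survived, -1 if fn
 * refused the request. */
int overruns(hexdump_fn fn)
{
    const uint8_t sample[4] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed input */
    char buf[9];
    memset(buf, 0x7f, sizeof buf);
    if (fn(sample, sizeof sample, buf, 8) < 0)
        return -1;
    return buf[8] != 0x7f;
}

/* The fixed version still formats correctly once the caller provides room
 * for the terminator. Returns 1 on success. */
int fixed_roundtrip(void)
{
    const uint8_t sample[4] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed input */
    char buf[9];
    return hexdump_fixed(sample, sizeof sample, buf, sizeof buf) == 8 &&
           strcmp(buf, "deadbeef") == 0;
}

int main(void)
{
    printf("buggy clobbers sentinel: %d\n", overruns(hexdump_buggy));
    printf("fixed clobbers sentinel: %d (-1 = refused, too small)\n",
           overruns(hexdump_fixed));
    printf("fixed roundtrip ok: %d\n", fixed_roundtrip());
    return 0;
}
```

A NUL written one byte past a kernel buffer lands in whatever allocation or stack slot follows it, which is why the advisory rates the outcome as a crash or possible privilege escalation rather than a cosmetic truncation.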


* Corrupted root FAT filesystem directory causes readdir to never terminate.

A corrupted root directory could cause fat_get_entry() to fail without the
lack of progress being reported to VFS. As a result, userspace never sees
the end of the directory, so e.g. 'ls' hangs in a loop.


* Kernel BUG during huge page table page fault handling.

A race between page migration/hardware poisoning and huge page handling
could cause an assertion failure. A malicious local user with access to
huge pages could use this to cause denial of service.


* Kernel panic in OCFS2 when extending size of filesystem.

A logic error in the OCFS2 filesystem driver can trigger an assertion
failure and kernel panic when extending the size of an existing
filesystem. A local user could use this flaw to trigger a
denial-of-service.


* Use-after-free in OCFS2 distributed lock manager.

Incorrect reference counting in the OCFS2 filesystem driver can trigger
a use-after-free and kernel panic when migrating a lock.


* Memory leak in SPI stack when allocating master device.

A reference was taken on the wrong device when allocating a SPI master
device, leading to a memory leak.  A local user could use this flaw to
exhaust the memory on the system.


* Untrusted certificates can be loaded onto the IMA trusted keyring.

Improper handling of certificate loading in the security subsystem could
result in a certificate being loaded without verifying that it is signed
by a trusted key in the system keyring.


* Deadlock in memory technology device subsystem.

Incorrect ordering of locking calls could result in a deadlock during
concurrent accesses to an MTD device.  A local user with access to the
MTD device could use this flaw to hang the system.


* Improved fix to denial-of-service in PCI numa_node sysfs attribute.

Missing range checks could result in an out-of-bounds access when writing
to the numa_node override attribute of a PCI device, triggering a kernel
crash or possibly allowing privilege escalation. The original version of
this update did not reject negative numbers.


* Crash in Kernel tracing of printk_formats.

Improper handling of list indexes in the Kernel tracing subsystem
causes a crash when iterating printk_formats. A local, privileged user
could use this flaw to cause a denial-of-service.


* Use-after-free in tracing filesystem.

A reference count imbalance could result in a use-after-free of the
tracefs filesystem.


* Untimely page reclaim when truncating files in Ext4/OCFS2 filesystems.

When an Ext4/OCFS2 filesystem is mounted with data=journal mode,
truncating a file can cause the pages belonging to that file to remain
in memory for a long time, potentially tying up resources for other
users.


* Kernel panic in OCFS2 when committing data to jbd2 device.

An interaction between the OCFS2 filesystem and the jbd2 journalling
driver can trigger an assertion failure and kernel panic when committing
data to disk.


* Integer overflow in /dev/kmsg facility.

Integer overflow of the /dev/kmsg facility could allow a local user to
spoof kernel messages in the kernel log.


* NULL pointer dereference in Virtual Video Test Driver removal.

A missing NULL pointer check during removal of the Virtual Video Test
Driver could result in a kernel crash under specific conditions.


* Symlink corruption in SysV filesystem.

Incorrect handling of inline symlinks in the SysV filesystem driver could
cause memory corruption in userspace applications or an information leak,
exposing data that should not be accessible to userspace applications.


* CVE-2016-2384: Privilege escalation in USB MIDI device driver.

The USB MIDI device driver does not correctly free memory when failing
to initialize an endpoint which can cause a use-after-free condition. A
local unprivileged user can use this flaw to trigger kernel code
execution.


* Memory corruption in ALSA dummy driver when switching timer.

Improper switching between high resolution timers and system timers while a
stream is open can lead to memory corruption.


* Crash in USB serial driver when malicious Treo device is connected.

Improper handling of USB endpoint probing during Treo device initialization
leads to a NULL pointer dereference.


* Data loss in USB Modem driver during suspend and resume.

Improper cleanup in the USB Modem driver leads to data loss during a
suspend and resume sequence.


* NULL pointer dereference in the TTY line discipline when receiving data.

A missing check for NULL before calling the receive_buf function pointer on
a line discipline could lead to a NULL pointer dereference.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Use-after-free when failing to accept userspace cryptographic sockets.

A logic error in the kernel cryptographic subsystem can allow an
unprivileged user to trigger a use-after-free condition and kernel panic
when a call to accept(2) on a cryptographic socket fails.


* Memory corruption when sending data to userspace cryptographic socket.

A logic error in the kernel cryptographic socket subsystem can allow a
local user to trigger kernel memory corruption when sending data to a
cryptographic socket.


* Use-after-free in FS-Cache filesystem registration.

A reference count imbalance could result in premature freeing of a
filesystem and kernel crash under specific conditions.


* Kernel crash in FS-Cache when writing beyond end-of-file marker.

Incorrect handling of accesses to pages beyond the end-of-file marker
could result in triggering an assertion that would crash the system.


* Memory leak in Realtek USB Wireless adapter when receiving malformed frames.

The kernel driver for Realtek USB Wireless adapters does not correctly
free memory when processing frames with incorrect checksums. A remote
attacker could trigger a denial-of-service by intentionally sending
frames with incorrect checksums.


* BUG in HugeTLB filesystem file truncation and fallocate hole punch.

Improper handling of offset in the HugeTLB filesystem can cause a BUG
during file truncation or using the fallocate hole punch operation.


* Timing leak in GCM and CCM decryption and ESP ICV verification.

Using non-constant time memcmp() makes the verification of the authentication
tag in the decrypt path vulnerable to timing attacks.


* CVE-2015-8812: Use-after-free in Infiniband CXGB3 driver on network congestion.

A logic error in the Infiniband CXGB3 driver could lead to a use-after-free
of a socket buffer when the network is congested.  A local, unprivileged
user could use this flaw to cause a kernel crash or potentially escalate
privileges.


* Kernel deadlock in the USB HID stack on interrupt.

Incorrect locking in the USB HID stack could lead to recursive deadlocks in
specific conditions, potentially causing the kernel to hang.


* Out of bounds memory accesses when punching holes on huge pages.

The fallocate() hole punching code in the HugeTLB filesystem did not
properly handle holes in the range of pages to be removed, leading to page
accesses outside the specified range.  A local, unprivileged user could use
this flaw to cause a kernel panic.


* Memory leak when removing a huge page region descriptor on error.

A missing call to kfree() on error when changing a huge page region
descriptor leads to a memory leak.  A local, unprivileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Infinite loop when unmounting an OCFS2 filesystem using the kernel distributed lock manager.

A logic error when releasing the locks of an OCFS2 recovery master dead
node could lead to an infinite loop when later trying to unmount the OCFS2
filesystem.


* Memory leak when control group memory reclaim is interrupted.

A flaw in the memory resource controller could cause a memory leak when
memory reclaim is interrupted.  A local user with the capabilities to
create a control group could use this flaw to exhaust the memory on the
system.


* Kernel log buffer flood in ALSA rawmidi driver.

The ALSA rawmidi driver would dump the kernel stack to the kernel log
buffer every time userspace passed it a NULL pointer.  A local,
unprivileged user with access to the ALSA device could use this flaw to
flood the kernel logs, potentially causing a denial-of-service or, if they
are able to read the kernel log, gaining information about the running
kernel.


* Multiple kernel deadlocks in ALSA OSS emulation.

Incorrect locking in the ALSA OSS emulation code could lead to AB-BA
deadlocks when accessing read()/write() and mmap() concurrently.  A local
user could use these flaws to cause a denial-of-service.


* Multiple use-after-frees in ALSA sequencers when closing the device.

Incorrect locking in the ALSA sequencer sub-system could lead to several
use-after-free conditions.  A local user could use these flaws to cause a
denial-of-service.


* Denial-of-service in ALSA timer handling.

Multiple locking flaws in the ALSA timer handling could lead to memory
corruption on concurrent operations.  A local user could use these flaws
to cause a denial-of-service.


* NULL pointer dereference when removing un-registered sound card.

A lack of NULL pointer check in the ALSA sound sub-system could lead to a
NULL pointer dereference when removing cards that have not been registered.
A local user could use this flaw to cause a denial-of-service.


* Denial-of-service in Qualcomm USB On-The-Go (OTG) on probe failure.

A flaw in the Qualcomm USB OTG driver on probe failure leads to a kernel
crash and denial-of-service.


* Information leak in ALSA sound sub-system when parsing the HDMI EDID-Like-Data (ELD).

Lack of proper bounds checking when copying the HDMI ELD structure could
lead to leaking 256 bytes of kernel memory under certain conditions.


* CVE-2015-2085: Timing side channel attack in EVM integrity module.

The verification routine for the EVM HMAC used a regular, non-constant-time
memcmp(), allowing attackers to mount timing side-channel attacks and reduce
the MAC forgery complexity from 2^128 to 2^12.
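The GCM/CCM/ESP item and the EVM HMAC item above share one root cause: an authentication tag compared with an early-exit memcmp(). The following C program is an added example written for this page, not kernel code; it models the verifier as an oracle that returns accept/reject and the number of bytes it examined (the timing signal), then runs a byte-at-a-time recovery that succeeds against the early-exit compare and fails against a constant-time one. ct_memneq() re-implements the idea behind the kernel's crypto_memneq() as a stand-alone function; the 16-byte secret tag is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16  /* 128-bit authentication tag, as in GCM/CCM */

typedef int (*cmp_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Constructed secret tag; no zero bytes so the constant-time run cannot
 * get lucky against the all-zero starting guess. */
static const uint8_t SECRET_TAG[TAG_LEN] = {
    0x9f, 0x11, 0x3c, 0xe2, 0x07, 0x58, 0xaa, 0x61,
    0xd4, 0x2b, 0x90, 0xc5, 0x7e, 0x13, 0xf8, 0x46 };

/* memcmp()-style early exit: stops at the first mismatch. *steps receives
 * the number of bytes examined, a stand-in for what a timing attacker
 * measures. Returns 0 on match, non-zero on mismatch. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Constant-time: every byte is always examined and differences are folded
 * into an accumulator with no data-dependent branch. Same 0/non-zero
 * contract as crypto_memneq(); this is a stand-alone re-implementation. */
int ct_memneq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t acc = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        acc |= a[i] ^ b[i];
    }
    /* Fold acc to exactly 0 or 1 without branching on its value. */
    return (acc | (uint8_t)(0u - acc)) >> 7;
}

/* Attacker: for each position, try all 256 bytes and keep the one that made
 * the verifier run longest; with an early-exit compare that is the correct
 * byte. Stops as soon as the oracle accepts. Returns the number of oracle
 * queries used (at most TAG_LEN * 256 = 4096, versus 2^128 blind guesses). */
size_t recover_tag(cmp_fn cmp, const uint8_t *secret, uint8_t *guess, size_t n)
{
    size_t queries = 0;
    memset(guess, 0, n);
    for (size_t i = 0; i < n; i++) {
        size_t best_steps = 0;
        uint8_t best = 0;
        for (int v = 0; v < 256; v++) {
            size_t steps;
            guess[i] = (uint8_t)v;
            queries++;
            if (cmp(secret, guess, n, &steps) == 0)
                return queries;          /* accepted: full tag recovered */
            if (steps > best_steps) {
                best_steps = steps;
                best = (uint8_t)v;
            }
        }
        guess[i] = best;
    }
    return queries;
}

/* 1 if the attack recovers SECRET_TAG against cmp, 0 otherwise. */
int attack_succeeds(cmp_fn cmp)
{
    uint8_t guess[TAG_LEN];
    recover_tag(cmp, SECRET_TAG, guess, TAG_LEN);
    return memcmp(guess, SECRET_TAG, TAG_LEN) == 0;
}

/* Number of oracle queries the attack spends against cmp. */
size_t attack_queries(cmp_fn cmp)
{
    uint8_t guess[TAG_LEN];
    return recover_tag(cmp, SECRET_TAG, guess, TAG_LEN);
}

/* Bytes examined by cmp on a tag that is wrong in its very first byte. */
int steps_on_first_byte_mismatch(cmp_fn cmp)
{
    uint8_t wrong[TAG_LEN];
    size_t steps;
    memcpy(wrong, SECRET_TAG, TAG_LEN);
    wrong[0] ^= 0xff;
    cmp(SECRET_TAG, wrong, TAG_LEN, &steps);
    return (int)steps;
}

int main(void)
{
    int ok_leaky = attack_succeeds(leaky_compare);
    size_t q_leaky = attack_queries(leaky_compare);
    int ok_ct = attack_succeeds(ct_memneq);
    size_t q_ct = attack_queries(ct_memneq);
    printf("early-exit compare:    recovered=%d after %zu queries\n", ok_leaky, q_leaky);
    printf("constant-time compare: recovered=%d after %zu queries\n", ok_ct, q_ct);
    return 0;
}
```

Against the constant-time compare the attacker still spends the full 4096 queries and learns nothing, because every candidate makes the verifier do identical work; that is why the fix is to swap memcmp() for a constant-time comparison rather than to add padding or random delays around it.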


* Use-after-free in the crypto sub-system when traversing the list of crypto algorithms.

Incorrect locking when traversing the list of crypto algorithms could lead
to a use-after-free when concurrently unregistering an algorithm.  A local,
unprivileged user could use this flaw to cause a kernel crash.


* CVE-2016-2383: Arbitrary read in eBPF when adjusting backwards jumps offset.

A logic error in the kernel BPF verifier when adjusting backwards jumps
offset allows attackers to read arbitrary kernel memory.  A local attacker
could use this flaw to elevate privileges.


* NULL pointer dereference in MGA G200 graphic driver when setting the cursor.

A flaw in the MGA G200 graphic driver when setting the cursor position
could lead to a NULL pointer dereference.  A local attacker could use this
flaw to cause a denial-of-service.


* Memory corruption in ALSA rawmidi driver on concurrent read/write.

Incorrect locking in the ALSA rawmidi driver on concurrent read/write
operations could lead to memory corruption.  A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Kernel crash when using chacha20-ssse3 crypto driver.

Incorrect stack alignment before using SSSE3 instructions in the chacha20
crypto driver could lead to a kernel crash.  A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Kernel crash in userspace interface for hash algorithm when sending a message.

A failure to wait for the completion of crypto_ahash_init() when using
sendpage()/sendmsg() could cause a kernel crash.  A local, unprivileged
user could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

