[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2016-746bb5851d)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Mar 17 02:14:53 PDT 2016


Synopsis: FEDORA-2016-746bb5851d can now be patched using Ksplice
CVEs: CVE-2013-7446

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-746bb5851d.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
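As an added example, not part of the Ksplice announcement, the following POSIX shell snippet turns the two steps above into a check: it reads the autoinstall setting from /etc/uptrack/uptrack.conf and reports whether the host will pick these updates up on its own or whether an administrator must run uptrack-upgrade. It assumes (the announcement does not say) that the file uses INI-style "key = value" lines, that "#" starts a comment, and that keys and values are case-insensitive; the sample config files it writes are constructed for the demonstration.

```shell
# Added example (not Ksplice's own tooling): decide whether a Fedora 22 host
# still needs a manual "uptrack-upgrade -y" by reading the autoinstall
# setting from an uptrack.conf-style file.
# Assumptions (not stated in the announcement): INI-style "key = value"
# lines, "#" begins a comment, keys and values are case-insensitive.

# Print the effective value of a key from the config file (exit 1 if absent).
# Later occurrences override earlier ones; comments and blank lines are ignored.
uptrack_conf_get() {
    conf="$1"; key="$2"
    [ -r "$conf" ] || return 1
    sed -e 's/[[:space:]]*#.*$//' "$conf" \
      | awk -F= -v k="$key" '
          { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
          tolower($1) == tolower(k) {
              v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v; found = 1
          }
          END { if (found) { print val; exit 0 } else exit 1 }'
}

# Exit 0 when autoinstall is enabled (no manual action needed), 1 otherwise.
uptrack_autoinstall_enabled() {
    v=$(uptrack_conf_get "$1" autoinstall) || return 1
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the action an administrator should take for the given config file.
uptrack_action_for() {
    if [ ! -r "$1" ]; then
        echo "$1: not readable; is Ksplice Uptrack installed on this host?"
    elif uptrack_autoinstall_enabled "$1"; then
        echo "$1: autoinstall enabled, updates will be applied automatically"
    else
        echo "$1: autoinstall disabled, run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs for the demonstration (not real host files).
sample_auto=$(mktemp); sample_manual=$(mktemp)
printf '# constructed sample\n[Settings]\nautoinstall = yes   # unattended\n' > "$sample_auto"
printf '[Settings]\nautoinstall = no\n# autoinstall = yes\n' > "$sample_manual"

uptrack_action_for "$sample_auto"
uptrack_action_for "$sample_manual"
uptrack_action_for /etc/uptrack/uptrack.conf   # the real file, if present
rm -f "$sample_auto" "$sample_manual"
```

The commented-out `# autoinstall = yes` line in the second sample is the case worth handling: a naive `grep autoinstall` would match it and wrongly conclude that no action is needed, which is why the comment stripping happens before the key lookup.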


DESCRIPTION

* Memory leak in GRO handling of tunneled traffic.

The kernel networking stack does not correctly handle Generic Receive
Offload for tunneled traffic, which causes a kernel memory leak.


* Kernel panic when starting fastopen TCP connections.

The kernel TCP stack does not correctly handle starting fastopen
connections, which can trigger a NULL pointer dereference and kernel panic.


* Memory leak when reading from AF_UNIX socket.

Incorrect reference counting when reading from AF_UNIX can trigger a
memory leak when a signal is delivered to a process.


* Use-after-free when processing switchdev events.

Incorrect locking in the switchdev subsystem can trigger a
use-after-free condition and kernel panic when processing events from a
switchdev device.


* Memory leak when sending IPv4 data with ancillary data.

The kernel IPv4 stack does not free ancillary data when failing to send
IPv4 data which causes a kernel memory leak.


* Improved fix for CVE-2013-7446: Use-after-free in Unix sockets.

The original fix for CVE-2013-7446 did not handle the case where the
specified address is bound to the sending socket or when the socket was
connected to itself.  This flaw could lead to kernel deadlocks or double
unlocking of a spinlock.


* Kernel panic when adding new TIPC nodes.

Incorrect memory management in the Transparent Inter Process
Communication (TIPC) subsystem when adding new TIPC nodes can trigger a
NULL pointer dereference and kernel panic.


* Denial-of-service in block cache driver on device removal.

A missing check that a kernel thread had been properly started could lead
to an invalid pointer dereference and kernel panic. A local, privileged
user could use this flaw to cause a denial-of-service.


* Deadlock in OCFS2 when failing to delete inode.

Incorrect locking when failing to delete an inode from an OCFS2
filesystem can trigger a deadlock and kernel panic.


* Memory leak in btrfs superblock validation.

Incorrect reference counting in the btrfs filesystem can trigger a
memory leak and kernel panic when an invalid checksum is encountered in
a superblock.


* Kernel panic when writing a single page to a btrfs filesystem.

Incorrect reference counting in the btrfs filesystem can trigger a NULL
pointer dereference when writing a single page to a file.


* Kernel panic when accessing symlinks on btrfs volume.

The btrfs filesystem driver does not handle accessing empty symlinks
which can trigger an assertion and kernel panic.


* Memory leak when creating hard link on btrfs volume.

Incorrect reference counting when creating a hard link on a btrfs
volume can cause a memory leak and subsequent kernel panic.


* Kernel panic when parsing filenames.

A logic error in the generic filesystem subsystem can trigger a NULL
pointer dereference and kernel panic when parsing a filename.


* Denial of service in Topro USB Camera ioctl.

The Topro USB Camera driver does not correctly handle setting the
framerate to zero, which can trigger a divide-by-zero and kernel panic.


* Memory leak in device mapper when requeuing requests.

Incorrect reference counting in the device mapper subsystem can trigger
a memory leak and subsequent kernel panic when failing to requeue
requests.


* Kernel panic in Renesas USDHI6ROL0 host controller timeout.

A logic error in the Renesas USDHI6ROL0 host controller can trigger a
NULL pointer dereference and kernel panic when handling a timeout.


* Kernel panic when receiving packets from Bluetooth 6LoWPAN device.

The kernel IPv6 over Low-power Wireless Personal Area Network (6LoWPAN)
device driver does not handle corrupted IPv6 packets, which can trigger a
NULL pointer dereference and kernel panic.


* Memory leak in virtio balloon driver under memory pressure.

Incorrect locking in the virtio balloon driver can trigger a memory leak
when the system is under memory pressure leading to a kernel panic and
denial of service.


* Use-after-free in virtio balloon driver during compaction.

A race condition in the virtio balloon driver can trigger a
use-after-free and kernel panic when memory compaction occurs.


* Use-after-free when removing virtio PCI devices.

A logic error in the virtio subsystem can trigger a use-after-free and
kernel panic when removing a virtio PCI device.


* Memory corruption in Nouveau driver during connector hotplug.

Missing locking could result in memory corruption and subsequent
undefined behaviour when hotplugging a connector under specific
conditions.


* Kernel panic when parsing VBT in Intel integrated graphics.

The Intel integrated graphics driver does not validate VBT data which
can trigger an out-of-bounds access and kernel panic.


* Memory corruption in QXL virtual GPU ioctls.

An integer overflow in the QXL virtual GPU can allow a local user to
cause kernel memory corruption via ioctls.


* Kernel panic when reading cpufreq governor.

Incorrect locking in the cpufreq driver can trigger a NULL pointer
dereference and kernel panic when reading from the governor sysfs file.


* Rate-limit error messages when handling OSD replies.

The kernel OSD client does not rate-limit error messages when processing
replies from an OSD server which can cause a denial-of-service.


* Deadlock when reading from rfkill sysfs file.

Incorrect locking in the rfkill sysfs interface can cause a kernel panic
when reading events. A privileged local user could use this flaw to
cause a denial of service.


* Use-after-free in QLogic QLA2xxx queue management.

Incorrect memory management in the QLogic QLA2xxx SCSI devices can
trigger a use-after-free and kernel panic when manipulating queues.


* Kernel panic when handling interrupts for SATA devices.

Incorrect locking can trigger an assertion failure and kernel panic when
handling an interrupt for a SATA device.


* Use-after-free when completing direct IO requests.

Incorrect memory management in the generic kernel block subsystem can
trigger a use-after-free condition and kernel panic when completing
direct IO requests.


* Memory corruption when parsing numbers from NFS requests.

The kernel NFS server does not correctly parse hex strings from
userspace which can trigger kernel memory corruption.


* Kernel panic when failing to open file.

The generic VFS subsystem does not validate the status of filesystem
operations which can trigger a kernel panic.


* Kernel panic when following symlinks.

A race condition in the generic VFS subsystem can trigger a kernel panic
when following symlinks on a filesystem.


* Kernel panic when handling signals under Intel MPX.

An out-of-bounds read can be triggered when handling signals under Intel
Memory Protection Extensions which can trigger a kernel panic.


* SMAP bypass in 32-bit compatibility syscall handler.

The 32-bit compatibility syscall handler does not disable the Access
Control flag when entering kernel mode, which can allow kernel code to
incorrectly access user-mode data.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
