[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2016-3a57b19360)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Mar 25 10:30:30 PDT 2016


Synopsis: FEDORA-2016-3a57b19360 can now be patched using Ksplice
CVEs: CVE-2016-3134 CVE-2016-3135 CVE-2016-3156

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-3a57b19360.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Information leak to KVM guests when the host is using PEBS tracing.

KVM hosts using Intel Precise Event Based Sampling (PEBS) could have their
PEBS tracing record written to a KVM guest under certain circumstances.  An
attacker with full control of a KVM guest kernel could use this flaw to get
information about the KVM host kernel.


* Denial-of-service when running KVM guest with Extended Page Table disabled.

KVM guests with Extended Page Table (EPT) disabled could trigger a
continuous stream of faults, effectively causing a denial-of-service of the
host.


* Denial-of-service in JFFS2 when recovering a halfway failed rename.

A logic error in the JFFS2 journalling driver could lead to a kernel panic
when recovering a halfway failed rename.


* NULL pointer dereference in NCP filesystem under memory pressure.

A logic error on failure to allocate a new inode in the NCP filesystem
leads to a NULL pointer dereference and kernel panic.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Memory corruption when removing Geschwister Schneider USB/CAN device.

Invalid usage of kfree() on a pointer that is reference counted leads to a
use-after-free and memory corruption when removing a Geschwister Schneider
USB/CAN device.  An attacker with physical access could use this flaw to
cause a denial-of-service.


* Kernel panic when using receive aggregation on WiFi.

Use of uninitialised values in the WiFi stack when using RX aggregation
could lead to a kernel crash.


* Possible frame injection on encrypted WiFi using Galois/Counter Mode Protocol.

A failure to discard a fragment whose packet number is not incremented by one
in the GCMP protocol could lead to frame injection.  A remote attacker within
radio range of an encrypted WiFi network could potentially use this flaw to
inject frames.


* Kernel deadlock in the AMD/Radeon graphics driver when flipping the frame buffer.

Incorrect locking when trying to flip the frame buffer in the AMD/Radeon
graphics driver could lead to a kernel deadlock.


* Denial-of-service at exit time of a process using userfaultfd.

A failure to check that a process is being torn down in the userfaultfd
syscall leads to unkillable processes.  A local user with the capabilities
to use userfaultfd could use this flaw to exhaust the memory on the system
and cause a denial-of-service.


* Privilege escalation when chowning files on overlayfs mount.

The overlayfs filesystem driver does not update filesystem metadata when
changing file ownership which could allow a local user to access
privileged files and gain escalated privileges.


* Use-after-free in generic Target Core Mod (TCM) on completed commands.

An extra reference count was dropped when aborting an already completed
command, leading to use-after-free and memory corruption.


* NULL pointer dereference in the CDC USB Ethernet driver.

A missing NULL pointer check in the Communication Device Class (CDC) USB
Ethernet driver when checking the RNDIS descriptor leads to a kernel panic.
An attacker with physical access could plug in such a rogue device to cause a
denial-of-service.


* CVE-2016-3135: Privilege escalation caused by integer overflow in the netfilter subsystem.

A 32-bit integer overflow in xt_alloc_table_info can lead to an undersized
structure allocation and copy_from_user-based heap corruption.  A local,
unprivileged user could use this flaw to escalate privileges.
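The size-wrap described above, as a simplified model added here (it is not the kernel's xt_alloc_table_info nor Ksplice's patch): on a 32-bit size_t, adding a fixed header size to a user-controlled length can wrap to a small value, so the allocation is short and the later copy of the full user length overruns it. The struct layout, function names and sample value are constructed for illustration; the check shown is the generic "sum smaller than an addend" overflow test.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a table header that precedes user-supplied
 * entry data; it is NOT the netfilter xt_table_info layout. */
typedef struct {
    uint32_t size;     /* bytes of entry data that follow the header */
    uint32_t number;   /* number of entries */
} table_hdr_t;

/* Model a 32-bit size_t explicitly so the wrap is reproducible on 64-bit hosts. */
typedef uint32_t size32_t;

/* Vulnerable pattern: header + user-controlled size, no overflow check.
 * For user_size close to UINT32_MAX the sum wraps to a small value. */
size32_t alloc_size_unchecked(size32_t user_size)
{
    return (size32_t)sizeof(table_hdr_t) + user_size;
}

/* Hardened pattern: the sum wrapped exactly when it is smaller than one
 * of its addends, so refuse the request (return 0) in that case. */
size32_t alloc_size_checked(size32_t user_size)
{
    size32_t sz = (size32_t)sizeof(table_hdr_t) + user_size;
    if (sz < sizeof(table_hdr_t))
        return 0;      /* overflow detected; caller fails the request */
    return sz;
}

/* The later copy of user_size bytes of entry data fits only when the
 * allocation really holds header + user_size bytes (computed in 64 bits). */
int copy_would_fit(size32_t alloc_size, size32_t user_size)
{
    return alloc_size != 0 &&
           (uint64_t)alloc_size >= (uint64_t)sizeof(table_hdr_t) + user_size;
}

int main(void)
{
    size32_t hostile = 0xFFFFFFFCu;   /* constructed value near UINT32_MAX */
    printf("unchecked: alloc %u bytes, copy fits: %d\n",
           alloc_size_unchecked(hostile),
           copy_would_fit(alloc_size_unchecked(hostile), hostile));
    printf("checked:   alloc %u bytes (0 = refused)\n",
           alloc_size_checked(hostile));
    return 0;
}
```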


* CVE-2016-3134: Memory corruption when parsing netfilter source chains.

A logic error when parsing netfilter source chains can allow local users
to corrupt kernel memory.


* CVE-2016-3156: Denial-of-service when removing a network interface.

Removal of a network interface with a large number of IPv4 addresses may
lead to the kernel hanging for a long time, with all network operations
blocked.  A local, privileged user in a container could use this flaw to
block network access and cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
