[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2016-373c063e79)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon May 9 10:59:42 PDT 2016


Synopsis: FEDORA-2016-373c063e79 can now be patched using Ksplice
CVEs: CVE-2016-3672 CVE-2016-3955 CVE-2016-3961

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-373c063e79.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
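The two install paths above can be combined into one idempotent check. This is an added example, not part of the advisory or of Ksplice's own tooling; it reads the `autoinstall` key from the uptrack.conf format shown above and only runs the manual `uptrack-upgrade -y` when autoinstall is off. The config path and upgrade command are parameters so it can be exercised against a constructed sample file on a host without Ksplice.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory): decide whether a manual
# "uptrack-upgrade -y" is needed by reading the autoinstall setting from
# /etc/uptrack/uptrack.conf. The config path is a parameter so the logic
# can be pointed at a constructed sample file.

# Print "yes" or "no" for the effective autoinstall setting in $1.
# Comments (# or ;) and surrounding whitespace are ignored, the last
# matching line wins, and a missing key or unreadable file counts as "no".
uptrack_autoinstall_setting() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return; }
    val=$(sed -n -e 's/[#;].*$//' \
                 -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
                 "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# Return 0 (true) if a manual upgrade should be run for the config in $1.
uptrack_needs_manual_upgrade() {
    [ "$(uptrack_autoinstall_setting "$1")" = no ]
}

# Run the advisory's manual command only when autoinstall is off.
# $2 overrides the upgrade command (lets the function be dry-run safely).
uptrack_apply_if_needed() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    cmd="${2:-/usr/sbin/uptrack-upgrade -y}"
    if uptrack_needs_manual_upgrade "$conf"; then
        echo "autoinstall is off: running $cmd"
        $cmd
    else
        echo "autoinstall = yes: updates will be installed automatically"
    fi
}

# Constructed sample config standing in for /etc/uptrack/uptrack.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[main]
# autoinstall = no      (commented out, must be ignored)
autoinstall = yes   ; trailing comment after the value
EOF

# Stand-alone demonstration: the sample enables autoinstall, so no command runs.
uptrack_apply_if_needed "$SAMPLE_CONF"
```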


DESCRIPTION

* Denial-of-service in KVM VCPU creation.

Incorrect error handling could result in an integer overflow, allowing a
user with permission to create virtual CPUs to trigger a kernel
assertion and crash the system.


* Denial-of-service in KVM invvpid and invept instruction emulation.

Incorrect handling of invalid invvpid and invept instructions could
result in a kernel hang.  A local user could use this flaw to crash the
system.


* Permissions bypass in nvdimm ioctl()s.

Incorrect handling of ioctl() numbers could result in allowing write
operations to a dimmctl or ndctl device that was opened in read-only
mode.


* Denial-of-service in device mapper snapshot devices.

Creating a device mapper snapshot device where the copy-on-write and
origin devices used the same device would result in a NULL pointer
dereference and kernel crash.


* NULL pointer dereference in request-based device mapper devices.

Incorrect ordering in request queuing could result in a NULL pointer
dereference and kernel crash under specific conditions.


* Kernel stack information leak in cryptographic key wrapping.

Incorrect clearing of a kernel stack buffer could result in leaking
kernel stack contents to user-space.  A local user could use this flaw
to gain privileged kernel information.


* Kernel stack corruption in Intel Management Engine Interface transfers.

Performing transfers before the MEI device was enabled could result in
stack corruption during link reset and a subsequent kernel crash.


* Heap overflow in I2C USB HID reporting.

Missing bounds checks could result in a heap overflow when setting or
sending a report.  A local user with access to the device could use this
flaw to crash the system or potentially escalate privileges.


* NULL pointer dereference in TTY line discipline reception.

A missing NULL pointer check could result in a NULL pointer dereference
when receiving a buffer under specific conditions.


* Use-after-free in Infra-red terminal opening.

Use of a stale pointer when opening an IrTTY device could result in a
use-after-free condition and subsequent kernel crash.  A local user with
access to the IrTTY device could use this flaw to crash the system.


* Journalling filesystem corruption on unmount under memory pressure.

Unmounting a filesystem under memory pressure could result in journal
corruption on a subsequent remount.


* NULL pointer dereference in Infiniband SCSI RDMA Protocol Target.

Missing SRP targets could result in a NULL pointer dereference and
subsequent kernel crash under specific conditions.


* NULL pointer dereference in block cache registration failure.

Allocation failures whilst creating a block cache device could result in
a NULL pointer dereference and kernel crash when the system was under
memory pressure.


* Heap buffer overflow in Bluetooth Add Advertising command handler.

Missing bounds checks could result in a heap buffer overflow when
performing an Add Advertising operation.  A local user with permissions
to perform Bluetooth management operations could use this flaw to
escalate privileges or crash the system.


* Denial-of-service in pipe splicing with no pages.

Splicing from a pipe with no pages could result in a NULL pointer
dereference and kernel crash.  Under specific conditions a local user
could use this flaw to crash the system.


* Denial-of-service in NFS server buffer decoding.

Integer overflows in the NFS buffer decoding operations could result in
out-of-bounds accesses and a kernel crash.  A malicious client could use
this flaw to crash the system.


* Denial-of-service in NFS secinfo+readdir operations.

Incorrect locking could allow a malicious client to deadlock the system
with unexpected compound operations.


* Use-after-free in writeback operations.

Incorrect reference counting could result in a use-after-free during
writeback operations.  Under specific conditions this could result in a
kernel crash.


* Kernel crash in OCFS2 Distributed Lock Manager during master loss.

A race condition when the DLM master went down could result in
triggering a kernel assertion and crashing the system under specific
conditions.


* CVE-2016-3672: ASLR bypass on 32-bit processes.

Enabling an unlimited stack size would completely disable ASLR for
processes with the limit applied.  A local user could use this flaw to
reduce the security of a setuid/setgid application.


* Kernel hang in OCFS2 Distributed Lock Manager convert and recovery operations.

A race condition between convert and recovery operations could result in
a system hang under specific conditions.


* Use-after-free in USB networking bind failure.

A race condition between probing a USB network device and error handling
could result in a use-after-free condition and kernel crash.


* Use-after-free in USB networking device probe failure.

Incorrect error handling when registering a USB networking device could
result in a use-after-free condition and kernel crash.


* Kernel crash in Wacom Bamboo ONE driver.

Incorrect handling of Bamboo ONE devices during registration could
result in a NULL pointer dereference when processing events for the
device.


* Kernel crash in block cache device initialization.

A race between initializing a block cache device and the writeback
thread could result in triggering a kernel assertion and crashing the
system.


* Kernel crash in disk quota initialization.

Missing array initialization could result in dereferencing an invalid
pointer and a kernel crash when initializing a quota for an inode and
experiencing an error.


* Use-after-free in FUSE filesystems with direct, asynchronous I/O.

Incorrect handling of synchronous files could result in a use-after-free
condition.  A local, unprivileged user could use this flaw to crash the
system or potentially escalate privileges.


* Denial-of-service in coredump writing.

Under specific conditions, the kernel could write corefiles for SUID
processes into a user-controlled directory.  This flaw could be used to
exhaust disk space and trigger a denial-of-service.


* Kernel crash in IP-over-Infiniband multicast group joining.

A race condition when joining an IP-over-Infiniband multicast group
could result in a NULL pointer dereference and kernel crash.


* Use-after-free in Maxim MAX1111 ADC channel read.

Incorrect clearing of the MAX1111 global pointer on removal could result
in a use-after-free and kernel crash.  A local, privileged user could
use this flaw to crash the system.


* Trust bypass in PKCS#7 trust validation.

An uninitialized variable could result in trusting a PKCS#7 SignedInfo
block when the verification had actually failed.


* Kernel crash in ALSA timer arming.

Incorrect use of the timer API could result in triggering a kernel
assertion when rearming the ALSA system timer.


* Kernel crash in NUMA page migration.

Incorrect handling of NUMA nodes could result in a kernel crash when
allocating memory during page isolation.


* NULL pointer dereference in Transparent Inter Process Communication (TIPC) transmission.

A race condition in the transmission on TIPC sockets for a congested
channel could result in a NULL pointer dereference and kernel crash.  A
local, unprivileged user could use this flaw to crash the system.


* Denial-of-service in PPP interface creation failure.

Imbalanced locking when PPP interface creation failed could result in a
permanently held lock and failure to create future interfaces.


* Denial-of-service in recvmmsg() error handling.

Incorrect reference counting could result in a use-after-free in the
recvmmsg() system call.  A local, unprivileged user could use this flaw
to trigger a denial-of-service.


* Use-after-free in PPP ioctl() handling.

Incorrect locking in the PPP ioctl handler could result in dereferencing
an invalid pointer and a kernel crash.  A local user with access to the
PPP device could use this flaw to crash the system.


* Denial-of-service in 802.11 interface stopping.

Missing locking could result in memory corruption and dereferencing an
invalid pointer.  A local, privileged user could use this flaw to crash
the system.


* BTRFS filesystem data loss during fsync() after rename and inode creation.

Renaming a file on a BTRFS filesystem followed by creation of a new
inode with the same name could result in data loss if the filesystem is
uncleanly mounted.


* Denial-of-service in USB stack during device unplug.

Incorrect handling of USB devices during unplug could result in memory
corruption and a kernel crash.  A user with physical access to the
system could use this flaw to crash the system.


* CVE-2016-3955: Privilege escalation in IP over USB driver.

Missing user supplied input validation could result in an out-of-bounds
write allowing a local user to crash the system or potentially escalate
privileges.


* Infinite loop when calculating the IP checksum on destination link failure.

Lack of proper memory zeroing in case of destination link failure could
lead to an infinite loop when calculating IP checksums.


* Use-after-free when decrypting a packet after the netdevice was unregistered.

Asynchronous decryption of packets on the netdevice receive queue did not
properly take a reference on the netdevice, potentially leading to a
use-after-free if the netdevice was unregistered after such packets had
been queued for decryption.


* Kernel BUG when sending a UDP message over IPv6 longer than the MTU.

Failure to account for the space needed by the IPv6 extension headers
when sending a UDP message longer than the MTU leads to a kernel BUG.  A
local, unprivileged user could use this flaw to cause a
denial-of-service.


* Invalid pointer dereference in the MultiProtocol Label Switching router.

A missing check when looking up the output network device while sending
a packet through the MultiProtocol Label Switching stack could lead to an
invalid pointer dereference and kernel panic.  A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Kernel panic when closing an Auvitek V4L2 device on concurrent device unregister.

Lack of proper testing for the device state when closing an Auvitek V4L2
device could lead to a kernel panic if the device was unregistered
concurrently.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in the perf subsystem on error in the perf_event_open syscall.

A double-free condition can be triggered in the perf_event_open() syscall
when opening the event file fails, leading to a use-after-free and kernel
panic.  A local user with CAP_SYS_ADMIN, or an unprivileged user under a
permissive perf_event_paranoid setting, could use this flaw to cause a
denial-of-service.


* CVE-2016-3961: Xen PV guest crash when using HugeTLBFS.

HugeTLBFS is not supported on Xen PV guests, and an application calling
mmap() on a huge TLB page causes a kernel crash.  A local user with the
ability to mmap() huge TLB pages in a Xen PV guest can cause a
denial-of-service of the guest.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
