[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2016-a159c484e4)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue May 17 08:14:58 PDT 2016


Synopsis: FEDORA-2016-a159c484e4 can now be patched using Ksplice
CVEs: CVE-2016-4482 CVE-2016-4565

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-a159c484e4.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in SUNRPC cache management.

Incorrect error handling could result in a reference count imbalance of
the SUNRPC cache object, triggering either a resource leak, or
potentially, a use-after-free.


* Denial of service when initializing disk partitions.

A race condition in the block subsystem can trigger a NULL pointer
dereference and kernel panic when adding a new partition to a system.


* Data corruption when performing asynchronous IO to a loop device.

A logic error in the loop device driver can trigger data corruption when
a process performs an asynchronous write to a loop device.


* Memory corruption when inserting data into associative arrays.

A logic error in the generic associative array module can trigger an
out-of-bounds read when inserting a new member. This can be triggered,
for example, by inserting a new cryptographic key into the kernel's
keyring.


* Use after free when disabling a USB XHCI device.

A logic error in the USB XHCI driver can trigger a use-after-free and
kernel panic when disabling an XHCI device multiple times.


* Memory corruption when probing USB Host Controller devices.

A logic error in the Host Controller driver (HCD) can trigger memory
corruption and kernel panic when an HCD device has an invalid companion
device.


* Use after free when using asynchronous IO on USB gadget device.

A logic error in the USB gadget driver can trigger a use-after-free and
kernel panic when completing an asynchronous read or write to a device.


* Deadlock in Digigram PCXHR ALSA IRQs.

Incorrect locking in the PCXHR IRQ handler can trigger a deadlock and
kernel panic when handling interrupts from a Digigram PCXHR device.


* Kernel panic when modesetting Intel 915 graphics devices.

A race condition in the Intel i915 driver can trigger a kernel panic when
attempting to perform a modeset on a non-existent device.


* Information leak in AMD cryptographic coprocessor support.

The AMD cryptographic coprocessor driver does not correctly handle
memory when exporting the state of SHA1 operations, which can cause the
contents of the kernel stack to be leaked to userspace.


* Kernel panic when completing SHA1 multibuffer operations.

A logic error in the cryptographic subsystem handling multibuffer
operations can trigger a use-after-free and kernel panic.


* Denial of service in wireless networking netlink interface.

A logic error when handling netlink notifications for wireless devices
can allow malicious local users to disable networking interfaces.


* Kernel panic when displaying dynamic audio power information.

The sysfs interface for displaying dynamic audio power information to
userspace can trigger a NULL pointer dereference and kernel panic when a
system has a dummy component.


* Kernel panic when using madvise on a hugepage mapping.

The kernel hugepage subsystem does not correctly handle calling madvise
on certain hugepage mappings, which can trigger a bogus BUG_ON and kernel
panic.


* Use after free when freeing cgroups.

A race condition when freeing cgroups can trigger a use-after-free
condition and kernel panic when a cgroup's parent is freed before the
child cgroup.


* Kernel panic when marking dirty inodes on ext4 filesystems.

A logic error when marking dirty inodes on ext4 filesystems can trigger
a NULL pointer dereference and kernel panic.


* Kernel panic when probing NAND devices.

A logic error in the NAND subsystem can trigger a bogus BUG() and kernel
panic when a NAND device does not have an owner.


* Memory corruption in Maxim MAX77843 USB driver.

A logic error in the Maxim MAX77843 USB driver can trigger kernel memory
corruption when probing a micro-USB device.


* CVE-2016-4482: Information leak in USB devfs ioctl.

The USB devfs driver can leak the contents of the kernel stack to
userspace when performing a USBDEVFS_CONNECTINFO operation.
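As an added illustration of the bug class behind this entry (this is not Ksplice's or the kernel's code): the affected handler filled a stack-allocated struct usbdevfs_connectinfo field by field and then copied the whole struct to userspace, so the compiler-inserted padding bytes after the last field carried whatever the kernel stack held before. The example models the kernel stack as a caller-supplied buffer pre-filled with a marker value so the leak is deterministic, and places the vulnerable pattern beside the hardened one (zero the object before filling it). The struct layout, the marker value and the helper names are assumptions of the example.

```c
/* Added illustration of an uninitialized-padding info leak (CVE-2016-4482
 * bug class). Not kernel code: the "kernel stack" is a caller-supplied byte
 * array pre-filled with a marker so the outcome is deterministic. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as the kernel's struct usbdevfs_connectinfo: 4-byte
 * devnum, 1-byte slow, then 3 padding bytes on mainstream ABIs (sizeof 8). */
struct usbdevfs_connectinfo {
    unsigned int devnum;
    unsigned char slow;
};

/* Storage that models one frame of kernel stack, aligned for the struct. */
union stack_slot {
    struct usbdevfs_connectinfo ci;
    unsigned char raw[sizeof(struct usbdevfs_connectinfo)];
};

#define STACK_GARBAGE 0xAA /* constructed marker standing in for stale stack data */

/* Vulnerable pattern: assign the named fields, copy the raw object out.
 * Padding bytes are never written, so they leave with the copy. */
static void connectinfo_leaky(union stack_slot *kstack, unsigned char *user_buf,
                              unsigned int devnum, unsigned char slow)
{
    struct usbdevfs_connectinfo *ci = &kstack->ci;
    ci->devnum = devnum;
    ci->slow = slow;
    memcpy(user_buf, ci, sizeof(*ci)); /* stands in for copy_to_user() */
}

/* Hardened pattern: zero the whole object before filling the fields, so every
 * byte that crosses the user boundary has a defined value. */
static void connectinfo_fixed(union stack_slot *kstack, unsigned char *user_buf,
                              unsigned int devnum, unsigned char slow)
{
    struct usbdevfs_connectinfo *ci = &kstack->ci;
    memset(ci, 0, sizeof(*ci));
    ci->devnum = devnum;
    ci->slow = slow;
    memcpy(user_buf, ci, sizeof(*ci)); /* stands in for copy_to_user() */
}

/* Count bytes of the copied-out object that lie past the last named field
 * and still hold the stale-stack marker: the number of leaked bytes. */
static int leaked_padding_bytes(const unsigned char *user_buf)
{
    size_t first_pad = offsetof(struct usbdevfs_connectinfo, slow) + sizeof(unsigned char);
    int leaked = 0;
    for (size_t i = first_pad; i < sizeof(struct usbdevfs_connectinfo); i++)
        if (user_buf[i] == STACK_GARBAGE)
            leaked++;
    return leaked;
}

/* Run one handler over a stack slot pre-filled with stale data and return
 * how many padding bytes reached the user buffer. */
static int run_handler(int fixed)
{
    union stack_slot kstack;
    unsigned char user_buf[sizeof(struct usbdevfs_connectinfo)];
    memset(kstack.raw, STACK_GARBAGE, sizeof kstack.raw);
    if (fixed)
        connectinfo_fixed(&kstack, user_buf, 5, 1);
    else
        connectinfo_leaky(&kstack, user_buf, 5, 1);
    return leaked_padding_bytes(user_buf);
}

int main(void)
{
    printf("leaky handler: %d padding byte(s) leaked\n", run_handler(0));
    printf("fixed handler: %d padding byte(s) leaked\n", run_handler(1));
    return 0;
}
```

The general rule this shows: any object copied to userspace as a whole (copy_to_user, put_user on a struct, nla_put of a struct) must be fully initialized, including padding; assigning every named field is not enough, and memset before filling is the usual fix.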


* Kernel panic when parsing EFI variables.

Incorrect parsing logic can trigger an out-of-bounds read and kernel
panic when reading or writing to EFI variables.


* CVE-2016-4565: Privilege escalation in Infiniband ioctl.

The Infiniband ioctl interface does not correctly validate parameters
from userspace, which can allow local users to corrupt kernel memory and
escalate privileges.


* Kernel panic when handling unvalidated ports in the kernel DRM subsystem.

The kernel DRM driver does not validate ports passed from userspace,
which can trigger a use-after-free and kernel panic when handling DRM
ioctls.


* Kernel panic in hugepage procfs interface.

A logic error in the transparent hugepage procfs interface can trigger
an out-of-bounds read and kernel panic when reading the 'numa_maps'
procfs file.


* Memory corruption when mapping buffer objects from userspace.

Missing validation when mapping buffer objects from userspace can allow
malicious local users to corrupt kernel memory and escalate privileges.


* Deadlock when locking voltage regulators.

Incorrect locking in the kernel voltage regulator support can trigger a
deadlock and kernel panic.


* Buffer overflow in V4L2 during VIDIOC_DQBUF ioctl.

Due to missing length checks in the V4L2 core when servicing a
VIDIOC_DQBUF ioctl request, a userspace program could overwrite kernel
memory beyond the end of the buffer. A malicious user could potentially
use this to escalate privileges or crash the kernel.


* Buffer overflow in SCIF ioctl().

Incorrect buffer size checks in SCIF memory registration/unregistration
routines could allow a user with access to SCIF devices to crash the
kernel or potentially overwrite kernel memory.


* Memory leak during Intel Wireless WiFi driver unloading.

Due to a missing free in the Intel Wireless WiFi buffer management code,
buffers would not be freed when unloading the driver. A user capable of
loading/unloading the driver could cause the machine to run out of
memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

