[Ksplice-Fedora-23-updates] New updates available via Ksplice (FEDORA-2016-8e858f96b8)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Apr 20 03:10:23 PDT 2016


Synopsis: FEDORA-2016-8e858f96b8 can now be patched using Ksplice
CVEs: CVE-2016-3672

Systems running Fedora 23 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-8e858f96b8.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 23 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
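As an added example (not part of Ksplice Uptrack or this advisory), the script below decides whether a host still needs the manual `uptrack-upgrade -y` step by reading the `autoinstall` setting the advisory refers to. It assumes the `key = value` line format the advisory shows for /etc/uptrack/uptrack.conf; the sample configuration files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Ksplice code): report whether a host applies Ksplice
# updates by itself or needs "uptrack-upgrade -y" run manually.
# Assumes the "autoinstall = yes" line format shown in the advisory.

# Return 0 when the config has an uncommented "autoinstall = yes"
# (whitespace- and case-insensitive, last occurrence wins), 1 otherwise.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -e 's/[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    [ "$val" = "yes" ]
}

# Print the operator action for a given config file:
#   auto   - Uptrack installs the update itself, nothing to do
#   manual - run /usr/sbin/uptrack-upgrade -y (or schedule it)
# A missing or unreadable config is treated as "manual" so that nothing
# is silently skipped.
uptrack_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo auto
    else
        echo manual
    fi
}

# Constructed sample configs standing in for /etc/uptrack/uptrack.conf.
SAMPLE_AUTO=$(mktemp)
SAMPLE_MANUAL=$(mktemp)
cat > "$SAMPLE_AUTO" <<'EOF'
# Ksplice Uptrack configuration (constructed sample)
  autoinstall = Yes   # apply updates as soon as they are published
EOF
cat > "$SAMPLE_MANUAL" <<'EOF'
# autoinstall = yes   <- commented out, so it does not count
autoinstall = no
EOF

echo "sample 1: $(uptrack_action "$SAMPLE_AUTO")"     # auto
echo "sample 2: $(uptrack_action "$SAMPLE_MANUAL")"   # manual
echo "missing : $(uptrack_action /nonexistent.conf)"  # manual

# On a real Fedora 23 host the check would be:
#   [ "$(uptrack_action /etc/uptrack/uptrack.conf)" = manual ] \
#       && /usr/sbin/uptrack-upgrade -y
```

Comment lines are stripped before matching, so a commented-out `# autoinstall = yes` does not count as enabled, and an unreadable config falls through to `manual` rather than assuming the update will arrive on its own.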


DESCRIPTION

* Denial-of-service in KVM VCPU creation.

Incorrect error handling could result in an integer overflow, allowing a
user with permission to create virtual CPUs to trigger a kernel
assertion and crash the system.


* Denial-of-service in KVM invvpid and invept instruction emulation.

Incorrect handling of invalid invvpid and invept instructions could
result in a kernel hang.  A local user could use this flaw to crash the
system.


* Permissions bypass in NVDIMM ioctls.

Incorrect handling of ioctl() numbers could allow write operations on a
dimmctl or ndctl device that had been opened in read-only mode.


* Denial-of-service in device mapper snapshot devices.

Creating a device mapper snapshot device where the copy-on-write and
origin devices used the same device would result in a NULL pointer
dereference and kernel crash.


* NULL pointer dereference in request-based device mapper devices.

Incorrect ordering in request queuing could result in a NULL pointer
dereference and kernel crash under specific conditions.


* Kernel stack information leak in cryptographic key wrapping.

Incorrect clearing of a kernel stack buffer could result in leaking
kernel stack contents to user-space.  A local user could use this flaw
to gain privileged kernel information.


* Kernel stack corruption in Intel Management Engine Interface transfers.

Performing transfers before the MEI device was enabled could result in
stack corruption during link reset and a subsequent kernel crash.


* Heap overflow in I2C USB HID reporting.

Missing bounds checks could result in a heap overflow when setting or
sending a report.  A local user with access to the device could use this
flaw to crash the system or, potentially, escalate privileges.


* NULL pointer dereference in TTY line discipline reception.

A missing NULL pointer check could result in a NULL pointer dereference
when receiving a buffer under specific conditions.


* Use-after-free in Infra-red terminal opening.

Use of a stale pointer when opening an IrTTY device could result in a
use-after-free condition and subsequent kernel crash.  A local user with
access to the IrTTY device could use this flaw to crash the system.


* Journalling filesystem corruption on unmount under memory pressure.

Unmounting a filesystem under memory pressure could result in journal
corruption on a subsequent remount.


* NULL pointer dereference in InfiniBand SCSI RDMA Protocol target.

Missing SRP targets could result in a NULL pointer dereference and
subsequent kernel crash under specific conditions.


* NULL pointer dereference in block cache registration failure.

Allocation failures whilst creating a block cache device could result in
a NULL pointer dereference and kernel crash when the system was under
memory pressure.


* Heap buffer overflow in Bluetooth Add Advertising command handler.

Missing bounds checks could result in a heap buffer overflow when
performing an Add Advertising operation.  A local user with permissions
to perform Bluetooth management operations could use this flaw to
escalate privileges or crash the system.


* Denial-of-service in pipe splicing with no pages.

Splicing from a pipe with no pages could result in a NULL pointer
dereference and kernel crash.  Under specific conditions a local user
could use this flaw to crash the system.


* Denial-of-service in NFS server buffer decoding.

Integer overflows in the NFS buffer decoding operations could result in
out-of-bounds accesses and a kernel crash.  A malicious client could use
this flaw to crash the system.


* Denial-of-service in NFS secinfo+readdir operations.

Incorrect locking could allow a malicious client to deadlock the system
with unexpected compound operations.


* Use-after-free in writeback operations.

Incorrect reference counting could result in a use-after-free during
writeback operations.  Under specific conditions this could result in a
kernel crash.


* Kernel crash in OCFS2 Distributed Lock Manager during master loss.

A race condition when the DLM master went down could result in
triggering a kernel assertion and crashing the system under specific
conditions.


* CVE-2016-3672: ASLR bypass on 32-bit processes.

Enabling an unlimited stack size would completely disable ASLR for
processes with the limit applied.  A local user could use this flaw to
reduce the security of a setuid/setgid application.
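As an added example (not from the advisory or the kernel), the audit script below finds processes that are currently running with an unlimited soft stack limit, which is the condition under which CVE-2016-3672 turns off ASLR for a 32-bit process. It assumes the standard column layout of /proc/<pid>/limits and the class byte of the ELF header; the sample limits files and ELF stubs it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Ksplice or kernel code): audit for the at-risk condition
# of CVE-2016-3672, i.e. a 32-bit process whose soft RLIMIT_STACK is
# unlimited. Assumes /proc/<pid>/limits rows of the form
#   "Max stack size   <soft>   <hard>   bytes"
# and the ELF header layout (byte 5 is EI_CLASS: 1 = 32-bit, 2 = 64-bit).

# Print "unlimited", "limited" or "unknown" for the soft stack limit in a
# /proc/<pid>/limits-style file. The soft limit is the one the process
# runs under, so that is the column that matters here.
stack_limit_state() {
    awk '/^Max stack size/ {
             found = 1
             s = ($4 == "unlimited") ? "unlimited" : "limited"
             print s
         }
         END { if (!found) print "unknown" }' "$1"
}

# Return 0 when the file at $1 starts with the ELF magic and EI_CLASS == 1.
is_elf32() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    [ "$hdr" = "7f454c4601" ]
}

# Walk /proc and print "pid exe" for each 32-bit process whose soft stack
# limit is unlimited. Reading other users' /proc/<pid>/exe needs root.
audit_unlimited_stack_32bit() {
    for lim in /proc/[0-9]*/limits; do
        [ -r "$lim" ] || continue
        pid=${lim#/proc/}; pid=${pid%/limits}
        [ "$(stack_limit_state "$lim")" = unlimited ] || continue
        is_elf32 "/proc/$pid/exe" || continue
        printf '%s %s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
}

# Constructed samples: two limits files and two minimal ELF header stubs.
SAMPLE_UNLIMITED=$(mktemp)
SAMPLE_LIMITED=$(mktemp)
cat > "$SAMPLE_UNLIMITED" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max stack size            unlimited            unlimited            bytes
EOF
cat > "$SAMPLE_LIMITED" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max stack size            8388608              unlimited            bytes
EOF
SAMPLE_ELF32=$(mktemp); printf '\177ELF\001\001\001' > "$SAMPLE_ELF32"
SAMPLE_ELF64=$(mktemp); printf '\177ELF\002\001\001' > "$SAMPLE_ELF64"

echo "sample unlimited: $(stack_limit_state "$SAMPLE_UNLIMITED")"  # unlimited
echo "sample limited  : $(stack_limit_state "$SAMPLE_LIMITED")"    # limited
is_elf32 "$SAMPLE_ELF32" && echo "elf32 stub recognised"
is_elf32 "$SAMPLE_ELF64" || echo "elf64 stub rejected"

echo "live audit (pid exe):"
audit_unlimited_stack_32bit
```

Any process the audit lists keeps the legacy, non-randomised layout until the kernel is patched; a finite stack limit set through `ulimit -s` or limits.conf for the affected accounts removes the triggering condition in the meantime.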


* Kernel hang in OCFS2 Distributed Lock Manager convert and recovery operations.

A race condition between convert and recovery operations could result in
a system hang under specific conditions.


* Use-after-free in USB networking bind failure.

A race condition between probing a USB network device and error handling
could result in a use-after-free condition and kernel crash.


* Use-after-free in USB networking device probe failure.

Incorrect error handling when registering a USB networking device could
result in a use-after-free condition and kernel crash.


* Kernel crash in Wacom Bamboo ONE driver.

Incorrect handling of Bamboo ONE devices during registration could
result in a NULL pointer dereference when processing events for the
device.


* Kernel crash in block cache device initialization.

A race between initializing a block cache device and the writeback
thread could result in triggering a kernel assertion and crashing the
system.


* Kernel crash in disk quota initialization.

Missing array initialization could result in dereferencing an invalid
pointer and a kernel crash when initializing a quota for an inode and
experiencing an error.


* Use-after-free in FUSE filesystems with direct, asynchronous I/O.

Incorrect handling of synchronous files could result in a use-after-free
condition.  A local, unprivileged user could use this flaw to crash the
system or, potentially, escalate privileges.


* Denial-of-service in coredump writing.

Under specific conditions, the kernel could write corefiles for SUID
processes into a user-controlled directory.  This flaw could be used to
exhaust disk space and trigger a denial-of-service.


* Kernel crash in IP-over-Infiniband multicast group joining.

A race condition when joining an IP-over-Infiniband multicast group
could result in a NULL pointer dereference and kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
