[Ksplice-Fedora-23-updates] New updates available via Ksplice (FEDORA-2016-1642a20327)

Oracle Ksplice ksplice-support_ww at oracle.com
Sat Mar 5 04:54:44 PST 2016


Synopsis: FEDORA-2016-1642a20327 can now be patched using Ksplice

Systems running Fedora 23 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-1642a20327.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 23 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
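The two paths above (automatic via "autoinstall = yes", or a manual uptrack-upgrade run) can be decided per host from the config file. The following is an added example, not part of the Ksplice advisory or the Uptrack tooling; it assumes a "key = value" file with "#" comments and optional [section] headers, and the sample configs it writes are constructed.

```shell
# Added example (not from the advisory): decide whether a host will pick up
# this update on its own or needs "/usr/sbin/uptrack-upgrade -y" run by hand.

uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 2
    # The last uncommented "autoinstall" line wins; an inline "# ..." tail is
    # dropped and the value is compared case-insensitively.
    val=$(awk -F= '
        /^[ \t]*#/ { next }
        {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key != "autoinstall") next
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t#].*$/, "", v)
            last = tolower(v)
        }
        END { print last }' "$conf")
    [ "$val" = "yes" ]
}

# Prints "auto" when Uptrack installs the update itself, otherwise the
# manual command from the advisory (also when the file is missing/unreadable).
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "auto"
    else
        echo "manual: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Stand-alone demo with constructed sample configs (not real host files).
demo_on=$(mktemp); demo_off=$(mktemp)
printf '[Ksplice]\nautoinstall = Yes   # set by provisioning\n' > "$demo_on"
printf '# autoinstall = yes\nautoinstall = no\n' > "$demo_off"
for f in "$demo_on" "$demo_off"; do
    echo "$f: $(uptrack_plan "$f")"
done
rm -f "$demo_on" "$demo_off"
```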


DESCRIPTION

* Information leak when reading directory entries on CIFS mount.

Incorrect memory management allows a local user to leak the contents of
kernel memory to debug logs when reading from a directory on a CIFS
mount.


* Denial-of-service in BTRFS device array reading.

Missing error handling could result in a kernel crash when reading the
system array.  A maliciously crafted filesystem image could be used to
crash the system.


* Privilege escalation in overlayfs extended attributes.

A logic error in the overlay filesystem can allow unprivileged users to
set extended attributes on files which they don't have write access to.


* BTRFS filesystem corruption during trim/discard.

Incorrect limits in BTRFS extent freeing could result in discarding
information in the superblock of a device, rendering the filesystem
unmountable.


* Buffer overflow in Analog Devices inertial measurement device driver.

Incorrect memory offset calculation in the driver for Analog Devices
inertial measurement devices leads to a buffer overflow during transmit.


* Kernel panic when soft-offlining memory.

Incorrect memory management when soft-offlining memory via
madvise(MADV_SOFT_OFFLINE) can trigger an assertion failure and kernel
panic.


* Denial-of-service when parsing UDF indirect extents.

A UDF disk image can trigger an infinite loop and denial of service
when parsing malformed indirect extents.


* Memory leak when requeuing priority inversion futex.

A logic error in the kernel futex subsystem can trigger a memory leak
and subsequent kernel panic when failing to acquire a PI futex.


* Integer overflow in ext4 buffer allocation.

An integer overflow in ext4 could cause access to invalid memory regions
not owned by the filesystem, possibly corrupting them.


* Kernel panic when setting prctl MM values.

Incorrect locking when setting memory management settings via prctl can
trigger an assertion failure and kernel panic. A local user with
CAP_SYS_RESOURCE can trigger this issue.


* Crash in SCSI driver during power management suspend and resume.

Performing a suspend while the SCSI driver is probing for devices may
crash or cause CD/DVD and hard disk devices to become unusable.


* Kernel panic when removing directory from overlay filesystem.

A logic error in the overlay filesystem can trigger a kernel panic when
removing a directory which contains whiteouts from lower layers.


* Memory corruption when processing multibyte unicode filenames on UDF.

The kernel UDF filesystem driver incorrectly manages memory when
converting multibyte unicode filenames on UDF filesystems which can
trigger kernel memory corruption.


* Use-after-free when unregistering events in memory control group.

Incorrect locking in the memory control group subsystem (memcg) when
unregistering events can trigger a use-after-free condition and kernel
panic.


* Memory corruption when disabling the Input/Output MMU on non-PCI devices.

A logic error in the Intel IOMMU driver could lead to memory corruption by
type confusion when disabling the IOMMU on non-PCI devices.


* Use-after-free in the kernel list library on concurrent hotplug events.

The starting node given to klist_iter_init_node() might not be on the list
anymore in case of concurrent hotplug events, potentially leading to a
use-after-free and crash.


* Kernel hang in ext4 filesystem on checksum failure.

Incorrect usage of functions which might sleep in the ext4 filesystem on
checksum failure could lead to a kernel hang.  A local user with the
ability to mount a filesystem with checksum errors could use this flaw to
cause a denial-of-service.


* Out-of-bounds memory access in parallel NFS when comparing mirror file layout versions.

A logic error in the parallel NFS sub-system when comparing the file layout
version of mirrors could lead to out-of-bounds memory accesses.  A local user
or rogue NFS mirror could use this flaw to cause a denial-of-service.


* NULL pointer dereference when loading a module with async_probe.

A NULL pointer was being passed to the routine configuring the async_probe
module parameter when loading a module.  A local user with the ability to
trigger a module load with async_probe set could use this flaw to cause a
denial-of-service.


* Kernel hang in Btrfs filesystem when using the BTRFS_IOC_INO_PATHS ioctl.

Double locking of the same read/write lock in the Btrfs filesystem when
querying the path of an inode could lead to a kernel deadlock.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Memory corruption in the generic non-volatile memory driver.

Type confusion in the generic non-volatile memory driver could lead to
memory corruption and kernel panic.  A local user could use this flaw to
cause a denial-of-service.


* Use-after-free and memory leak in the Nouveau driver on deferred probe.

Failure paths of the deferred probe function in the Nouveau driver lack the
necessary clean-ups, later leading to use-after-free and memory leak.  A
local user could use this flaw to cause a denial-of-service.


* Kernel deadlock in ALSA sound driver when handling pulse code modulation.

Incorrect locking in the ALSA sound driver when handling non-atomic PCM
streams could lead to a deadlock.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Memory leak in the ALSA audio driver on concurrent writes to the sequencer device.

Incorrect locking in the ALSA audio sequencer could lead to a memory leak
on concurrent writes to the sequencer device.  A local user with write
access to the sequencer device could use this flaw to exhaust the memory on
the system.


* NULL pointer dereference in the Industrial IO (IIO) driver when releasing a channel.

A missing check for NULL pointer when releasing an IIO channel could lead
to a NULL pointer dereference and kernel panic.


* Kernel deadlock when dumping the call stack on multiple CPUs.

Incorrect locking when dumping the kernel stack to the kernel log buffer on
multiple CPUs could lead to a deadlock.  An attacker with the ability to
trigger concurrent dump_stack() calls could use this flaw to cause a
denial-of-service.


* Kernel deadlock when validating a memory context.

A race condition in the virtual memory subsystem when validating a memory
context could lead to a deadlock.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Kernel crash when remapping file pages of a removed IPC ID.

A race condition in the shared memory subsystem could lead to accessing
invalid pointers when remapping file pages of a removed IPC ID.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Kernel crash when releasing a device persistent memory range.

The wrong pointer was being used when releasing a device persistent memory
range, leading to a memory leak and potential kernel crash.  A local user
with the ability to unload the pmem driver could use this flaw to cause a
denial-of-service.


* Data corruption on ext4 filesystem when moving data to a donor file.

A flaw in the ext4 filesystem when moving data to a donor file could lead
to data corruption.


* Integer underflow when accessing Intel Storage Controller Unit (SCU) registers.

A flaw in the Intel SCU driver could lead to an integer underflow when
accessing the SCU registers.  A local user with CAP_SYS_RAWIO could use
this flaw to cause out of range memory accesses leading to a kernel crash.


* Use-after-free when unloading xHCI host driver.

A flaw in the xHCI host driver could lead to reading already freed memory
when removing the driver.  A local user with the ability to unload the xHCI
kernel module could use this flaw to cause a denial-of-service.


* Use-after-free in ALSA sequencer driver on port removal.

A flaw in the ALSA sequencer driver could lead to double port deletion on
port removal when the port is concurrently being deleted.  A local user
could use this flaw to cause a denial-of-service.


* Kernel hang when removing a SCSI target.

A flaw in the SCSI sysfs subsystem could cause the kernel to hang when
removing a SCSI target.  A local user with the ability to remove a SCSI
target could use this flaw to cause a denial-of-service.


* Permission bypass when checking credentials for filesystem accesses.

A flaw in the ptrace access checks allows a temporarily unprivileged
process to access files that it was not supposed to.  A local, unprivileged
user could potentially use this flaw to escalate privileges.


* Kernel panic in the radix tree library when doing a gang lookup.

A race condition in the radix tree library in the kernel could lead to type
confusion and kernel panic when doing a gang lookup and concurrently
growing the radix tree.  A local user could use this flaw to cause a
denial-of-service.


* Kernel crash when handling vmalloc page faults on large pages.

A wrong assumption in the vmalloc fault handler causes the kernel to crash
when handling vmalloc ranges larger than 512GB.  A local user with the
ability to ioremap() pages could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

