[Ksplice-Fedora-24-updates] New updates available via Ksplice (FEDORA-2016-30e3636e79)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Aug 10 13:37:35 PDT 2016


Synopsis: FEDORA-2016-30e3636e79 can now be patched using Ksplice
CVEs: CVE-2016-4794 CVE-2016-5400

Systems running Fedora 24 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-30e3636e79.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 24 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
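After the upgrade it is worth confirming that the CVEs named in this advisory
are actually among the installed Ksplice updates, since `uname -r` keeps
reporting the booted kernel version and does not reflect Ksplice patches
(`uptrack-uname -r` reports the effective version). The script below is an
added example, not Oracle's code. It assumes, rather than knows from this
advisory, that `uptrack-show` prints one installed update per line in the form
"[<id>] <description>" and that updates addressing a CVE carry the CVE
identifier in their description; when `uptrack-show` is not installed it falls
back to a constructed sample listing so it can be run offline.

```sh
#!/bin/sh
# Added example (not Oracle's or Ksplice's own code): check that every CVE named
# in a Ksplice advisory appears in the list of installed Ksplice updates.
#
# Assumption: `uptrack-show` prints one installed update per line as
# "[<id>] <description>", and descriptions for CVE fixes contain the CVE id.

# CVEs from the "CVEs:" line of the advisory.
ADVISORY_CVES="CVE-2016-4794 CVE-2016-5400"

# Constructed sample of `uptrack-show` output (ids are made up), used when the
# tool is not available. It deliberately lacks CVE-2016-4794.
SAMPLE_UPTRACK_SHOW='Installed updates:
[abcd1234] CVE-2016-5400: Memory leak in AirSpy SDR device initialization.
[efgh5678] Permission bypass when updating attributes on overlayfs files.
[ijkl9012] Use after free in 802.11 mesh networking station cleanup.'

# missing_cves "<space-separated CVE ids>" "<uptrack-show output>"
# Prints the ids that are absent from the listing (empty line if none) and
# returns 0 when every id is present, 1 otherwise.
missing_cves() {
    cves=$1
    listing=$2
    missing=""
    for cve in $cves; do
        # -F: literal match; -w: whole word, so CVE-2016-540 does not match
        # CVE-2016-5400 (the hyphen is not a word character, the colon after
        # the id in the listing is not either).
        if ! printf '%s\n' "$listing" | grep -Fqw -- "$cve"; then
            missing="$missing $cve"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Use the live listing when the tool exists, otherwise the constructed sample.
get_listing() {
    if command -v uptrack-show >/dev/null 2>&1; then
        uptrack-show 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_UPTRACK_SHOW"
    fi
}

if missing=$(missing_cves "$ADVISORY_CVES" "$(get_listing)"); then
    echo "all advisory CVEs are present in the installed Ksplice updates"
else
    echo "not yet patched: $missing" >&2
fi
```

Run it as root on the patched host; a non-empty "not yet patched" line means
`uptrack-upgrade -y` has not yet picked up the corresponding update (or the
host is not yet subscribed to the Fedora 24 channel). Because the check keys on
the CVE identifier, it only covers the two CVE-tagged fixes in this advisory;
the remaining entries have no stable identifier to grep for.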


DESCRIPTION

* Use after free in 802.11 mesh networking station cleanup.

A race condition when destroying 802.11 mesh network station information
can trigger a use after free and kernel panic.


* Kernel panic in EDAC workqueue cleanup.

A logic error when cleaning up a workqueue used in the Error Detection
And Correction (EDAC) subsystem can trigger a NULL pointer dereference
and kernel panic.


* Deadlock when establishing new InfiniBand connection.

Incorrect locking in the InfiniBand connection manager can trigger a
deadlock and kernel panic when a new connection has been established.


* Use after free when removing USB-3 host controller.

A race condition when removing a shared USB-3 host controller can
trigger a use after free condition and kernel panic.


* Use after free in NFS client asynchronous readpages.

Incorrect reference counting can trigger a use after free condition and
kernel panic when the kernel NFS client attempts an asynchronous read.


* Memory leak when creating SUNRPC transport interface.

Incorrect reference counting when allocation of a transport switch fails
can trigger a kernel memory leak when creating a SUNRPC transport interface.


* Kernel panic when setting AppArmor process attributes.

A logic error in the AppArmor security module can trigger an out-of-bounds
write and kernel panic when writing to /proc/pid/attr/ procfs files.


* CVE-2016-5400: Memory leak in AirSpy SDR device initialization.

A logic error when failing to initialize an AirSpy USB SDR device can
trigger a kernel memory leak and subsequent kernel panic. A local user
with USB access can use this flaw to cause a denial of service.


* Memory corruption when collecting user perf callgraphs.

Incorrect memory management can trigger kernel stack corruption when
collecting user perf callgraphs. A local user could use this flaw to
cause a denial of service.


* Use after free when closing dummy soundcard.

Incorrect reference counting when closing a dummy soundcard with a
high-resolution timer backend can trigger a use after free condition and
kernel panic.


* Memory corruption when removing Echoaudio ALSA devices.

A logic error when allocating memory for Echoaudio ALSA devices can
trigger kernel memory corruption and kernel panic.


* Memory leak in NFS atomic file opening.

Incorrect reference counting in the kernel NFS client when an error is
encountered opening a file atomically can trigger a memory leak and
kernel panic.


* Memory corruption in CIFS NTLM authentication.

Incorrect memory management in the kernel CIFS (SMB) client can allow a
malicious remote server to cause kernel memory corruption by supplying an
over-sized NTLMSSP message during authentication.


* Information leak in virtual terminal key mapping.

A logic error when mapping raw scan codes to keys in the virtual
terminal driver can trigger an out-of-bounds read which can leak the
contents of kernel memory to userspace.


* Kernel panic in GPIO descriptor validation.

The generic GPIO library does not correctly validate descriptors which
can trigger an out-of-bounds read and kernel panic when an error is
encountered.


* Memory leak in overlayfs file permission checking.

A logic error when an error is encountered checking the permission of a
file on an overlay filesystem can trigger a kernel memory leak and
kernel panic.


* Permission bypass when mounting filesystem in user namespace.

A logic error when mounting a filesystem can allow a read-only
filesystem to be mounted read-write in a user namespace, allowing an
unprivileged user to write data outside their namespace.


* Use after free when closing ALSA digital audio stream.

A logic error when closing an ALSA digital audio stream with channel
mapping controls can trigger a use after free and kernel panic.


* Memory leak in industrial IO device polling.

Memory is not correctly freed when attaching a polling function to an
industrial I/O (IIO) device fails, which can trigger a kernel memory leak
and kernel panic.


* Permission bypass when updating attributes on overlayfs files.

A logic error when updating attributes on an overlayfs file can allow a
local user to write to a setuid or setgid file. This could be used by a
malicious user to gain elevated privileges.


* Kernel panic when creating RDMA verb queue pair.

A logic error when an RDMA verb queue pair cannot be allocated can
trigger an invalid memory access and kernel panic.


* Memory leak when releasing IPv6 routes.

A logic error when an IPv6 route is released can lead to a kernel memory
leak and subsequent kernel panic. A remote attacker may be able to
trigger this issue by creating and destroying many routes.


* Kernel panic when removing ELO USB touchscreen device.

A logic error when removing an ELO USB 4000/4500 touchscreen device can
trigger a use after free condition and kernel panic.


* Denial of service in OverlayFS directory removal.

A race condition can allow a malicious user to remove an upper directory
while it is being hidden in the lower directory which can trigger a
kernel panic.


* Kernel panic in trace points with non-constant format strings.

An invalid optimization can trigger a NULL pointer dereference and
kernel panic when a trace point contains a non-constant format string.


* CVE-2016-4794: Use-after-free in per-cpu memory allocator.

Due to incorrect synchronization between synchronous map extension and
chunk destruction, a local user with the ability to call BPF programs
could cause a use-after-free and potentially escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.