[Ksplice-Fedora-24-updates] New Ksplice updates for Fedora 24 (FEDORA-2016-96d276367e )

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Nov 9 10:09:37 PST 2016


Synopsis: FEDORA-2016-96d276367e can now be patched using Ksplice
CVEs: CVE-2016-7097 CVE-2016-9083

Systems running Fedora 24 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-96d276367e.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 24
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
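As an added example (not Ksplice's or Oracle's own tooling), the following POSIX shell functions read the autoinstall setting from /etc/uptrack/uptrack.conf and report whether a manual uptrack-upgrade run is needed on a host. It assumes the file is INI-style "key = value" lines with '#' comments; that layout is an assumption, not something this announcement documents.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement or the Uptrack package.
# Assumes uptrack.conf is INI-style "key = value" with '#' comments.

# Print "yes" if autoinstall is enabled in the given conf file, else "no".
# A missing file or missing key is treated as "no" (assume a manual run is needed).
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo no; return 1; }
    # Strip '#' comments, take the last "autoinstall = ..." line,
    # drop surrounding whitespace and lowercase the value.
    value=$(sed -e 's/#.*$//' "$conf" \
        | awk -F= 'tolower($1) ~ /^[ \t]*autoinstall[ \t]*$/ { v = $2 }
                   END { gsub(/[ \t]/, "", v); print tolower(v) }')
    case "$value" in
        yes|true|1) echo yes; return 0 ;;
        *)          echo no;  return 1 ;;
    esac
}

# Print the action an operator would take on this host: either nothing,
# because Uptrack will install the updates itself, or the manual command
# named in the announcement.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1" >/dev/null; then
        echo "autoinstall enabled: no action needed"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}
```

Source the file and call `uptrack_plan` (optionally with an explicit conf path) from a fleet inventory script; it only reports, it does not run the upgrade.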


DESCRIPTION

* General protection faults in Intel P-state driver when hotplugging CPUs.

Incorrect logic in the Intel P-state driver when accessing the Hardware
Managed Performance MSR during CPU hotplug could lead to a general
protection fault. A user with the ability to hotplug CPUs could cause a
denial-of-service.


* Incorrect memory free in ramoops driver during removal.

A flaw in ramoops driver removal could free memory that should not be
freed, leading to a segmentation fault. A user with the capability to load
modules could use this flaw to cause a denial-of-service.


* Use-after-free in device mapper driver when removing dm devices.

A locking error when stopping a device mapper queue could lead to a
use-after-free of a work item. An attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in device mapper driver when adding dm devices.

A locking error when adding a device mapper queue could lead to a
use-after-free of a work item. An attacker could use this flaw to cause a
denial-of-service.


* Infinite loop when activating a path in device mapper.

An incorrect condition check when activating a path in the device mapper
multipathing driver could lead to an infinite loop. An attacker with
permission to use the multipath_prepare ioctl could cause a
denial-of-service.


* Kernel information leak in overlayfs directory entry.

A struct dentry address is used as a unique id in an overlayfs dir
function. A local attacker could use this to gain information
about the running kernel and facilitate an attack.


* Buffer overflow while copying up xattr in overlayfs.

An incorrect check could cause an overflow while copying up xattrs from
underlying filesystems. An attacker could use this flaw to cause a
denial-of-service.


* Permission bypass in NFS due to inode corruption.

Incorrect use of the inode cache could corrupt an inode on the client file
system and imply a mode change. An attacker could use this flaw to
bypass permissions on NFS.


* Permission bypass in NFSv4 during open state recovery.

Incorrect error checking during open state recovery could lead to
mismatched permissions between client and server. An attacker could use
this flaw to bypass permissions.


* Data corruption when writing a pNFS block layout.

An error in inode size computation before writing a pNFS block layout
leads to an incorrect inode size on the filesystem. As a consequence,
data corruption could happen.


* Use-after-free when probing some SCSI devices.

An error in refcounting when probing a SCSI device could lead to a
use-after-free. A user with the ability to probe SCSI devices could
cause a denial-of-service.


* Race condition in super block handling of filesystems.

Due to a race condition when locking and unlocking the file system, a
BUG_ON could be triggered. An attacker could use this race to cause a
denial-of-service.


* Overflow in Cifs credit handling.

A cifs client can get as much credit as requested from the server,
leading to an integer overflow of the credit counter. An attacker
could use this flaw to cause a denial-of-service.


* Multiple memory leaks in cifs ioctls.

Missing memory frees in the copychunk_file and file_clone ioctls of cifs
lead to memory leaks. An attacker could use those ioctls to exhaust
memory and cause a denial-of-service.


* CIFS Distributed Filesystem mounting failure.

Missing path comparisons during CIFS Distributed Filesystem mounting could
result in failure to mount a volume.


* Incorrect memory free in Ceph Distributed File System.

A logic error in Ceph file read error handling leads to a random oops
because of an incorrect memory free. An attacker could use this flaw to
cause a denial-of-service.


* Reference count leak in target transport layer on SCSI command reception.

An error in flag handling could lead to a reference count leak when
receiving a SCSI command. An attacker could use this flaw to cause
a denial-of-service.


* CVE-2016-7097: privilege escalation when setting xattr.

A missing clear of the SGID bit during a setxattr call could allow a local
user to gain group privileges.


* NULL pointer dereference in Intel Ethernet Controller XL710 family.

An error in condition checks during configuration of Receive Side
Scaling (RSS) on the controller could lead to a NULL pointer dereference.
A local user with the capability to set RSS could use this flaw to cause a
denial-of-service.


* Out-of-bounds memory access when setting key in crypto gcm.

An error in an array declaration while setting a gcm key could lead to
out-of-bounds memory access. A local user with the ability to set a gcm key
could use this flaw to cause a denial-of-service.


* CVE-2016-9083: Integer overflow in PCI VFIO bus driver.

An error in sanitizing user-supplied arguments to the VFIO_DEVICE_SET_IRQS
ioctl could lead to an integer overflow. A local user with the capability to
use this ioctl could cause a denial-of-service.


* Vmalloc exhaustion in VMware virtual gpu driver.

A user submitting a command through the execbuf ioctl could overflow the
command size and exhaust vmalloc space. A local user could use this
ioctl to cause a denial-of-service.


* Denial-of-service when setting encryption policy on a directory.

Incorrect locking when setting an encryption policy through the
FS_IOC_SET_ENCRYPTION_POLICY ioctl() could leave unencrypted files behind
or leak memory. A local, unprivileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
