[Ksplice-Fedora-24-updates] New updates available via Ksplice (FEDORA-2016-7179af3ac1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Oct 10 12:27:22 PDT 2016


Synopsis: FEDORA-2016-7179af3ac1 can now be patched using Ksplice
CVEs: CVE-2016-6828

Systems running Fedora 24 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-7179af3ac1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 24 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Data loss when setting ext4 encryption policy.

Missing validation when processing the EXT4_IOC_SET_ENCRYPTION_POLICY
ioctl can allow a user to set the encryption policy on a read-only
filesystem which can potentially cause data loss.


* Out-of-bounds memory access in BPF direct packet access.

Due to a logic error in the BPF verifier for direct packet access, a
program could confuse the verifier and bypass a bounds check. A malicious
user with the ability to modify packet filters could potentially use this
to escalate privileges.


* Kernel panic in IPv4 when reading /proc/net/route.

Due to a race condition, it is possible to crash the kernel when reading
the routing table while it is being modified. An unprivileged user could
potentially use this to cause denial of service.


* Denial of service in Infrared IAP setup.

A kernel panic can be triggered when a memory allocation fails during
infrared Information Access Protocol (IAP) connection setup.


* Deadlock when reading from SCTP procfs interface.

A logic error when failing to read from files in the SCTP procfs
interface can trigger a deadlock and kernel panic.


* Denial of service in TIPC connection shutdown.

A kernel panic can be triggered when a memory allocation fails while
shutting down a TIPC connection.


* CVE-2016-6828: Use after free during TCP transmission.

A logic error when a memory allocation fails during TCP transmission can
cause the kernel TCP stack to use freed memory, causing a kernel panic.


* Memory corruption in SCTP diagnostic interface.

A logic error when dumping an SCTP connection to an inet diagnostic
interface can trigger a stack buffer overflow and kernel panic.


* Use after free in KCM socket SIOCKCMCLONE ioctl.

A logic error when cloning a Kernel Connection Multiplexor socket via
the SIOCKCMCLONE ioctl can trigger a use after free and kernel panic.


* Kernel panic when rebonding networking interface.

A logic error when bonding a network interface which is already bonded
can trigger a kernel panic.


* Deadlock in Unix sockets on overlayfs.

Due to incorrect lock ordering in the Unix socket subsystem, it is
possible to create a deadlock which causes the kernel to hang. A
malicious local user with access to an overlayfs filesystem could
potentially use this to cause denial of service.


* Memory leak in IPv6 ping transmission.

A reference counting error when transmitting an IPv6 ping packet can
trigger a kernel memory leak and subsequent kernel panic.


* Kernel panic in parallel NFS flexfiles.

A logic error when failing to connect to a remote server can trigger a
use after free and kernel panic when flexfiles are used.


* Memory corruption in NFSv4.1 callback procedures.

A logic error when an NFS server is disconnected can trigger kernel
memory corruption when using a stale NFS callback sequence.


* Memory leak when creating NFSv4 callbacks.

Incorrect reference counting when creating NFSv4 callbacks can trigger a
kernel memory leak.


* Kernel panic in RapidIO address translation.

Incorrect validation in the IDT Tsi721 RapidIO device driver can allow a
local privileged user to trigger a kernel panic.


* Use after free in AUDIT_EXE audit filter.

Incorrect reference counting when using an AUDIT_EXE filter can trigger
a use after free and kernel memory corruption.


* Memory corruption when configuring TI ADS1015 device.

A logic error when configuring a Texas Instruments ADS1015 device can
trigger kernel memory corruption and a kernel panic.


* Kernel panic when reading from Analog Devices AD799x device.

A logic error when attempting to read from an Analog Devices AD799x
device can trigger a NULL pointer dereference and kernel panic.


* Denial of service in generic 8250 serial driver.

A logic error when setting the baud rate of a generic 8250 serial device
can trigger a division by zero and kernel panic.


* Kernel oops in Cavium Thunder ethernet driver.

Attempting to dump a Cavium Thunder ethernet device's registers using
e.g. ethtool could cause a bus error and a kernel oops. A local user
with the CAP_NET_ADMIN capability could potentially use this to cause
denial of service.


* NULL pointer dereference in log writes device mapper target.

An invalid error check could in certain low-memory situations cause a
NULL pointer dereference. A malicious local user could use this to cause
denial of service.


* Invalid free in "crypt" device mapper target.

Due to incorrect error handling in the "crypt" device mapper target
driver, the kernel could in certain situations attempt to free
uninitialized pointers. A malicious local user could potentially
use this to cause denial of service.


* Kernel crash in crypto daemon when importing hash request.

Incorrect initialization when importing a hash request could cause a
kernel crash in the software asynchronous crypto daemon. A malicious
user could potentially use this to cause denial of service.


* Memory corruption when writing btrfs logs.

A logic error when synchronizing a btrfs log to disk can trigger a use
after free and kernel panic.


* Deadlock when performing direct IO to FUSE device.

Incorrect locking when performing a direct IO operation to a FUSE device
can trigger a deadlock and subsequent kernel panic.


* Memory corruption when configuring Broadcom 802.11 AP.

Missing data validation when configuring an 802.11 access point using a
Broadcom chipset can allow a privileged local user to trigger kernel
memory corruption and potentially gain elevated privileges.


* Kernel panic when querying Atheros ath9k state.

A logic error when querying the state of an Atheros 9000 device before it
has associated can trigger a kernel panic.


* NULL pointer dereference in Intel CQM perf support.

Due to a missing hardware capability check, enabling MBM events
where the hardware does not support it can cause a NULL pointer
dereference in the perf subsystem. A local user could potentially
use this to cause denial of service.


* Denial of service in Intel Processor Trace perf validation.

Missing validation when installing a perf filter using Intel Processor
Trace can allow a privileged user to trigger kernel memory corruption.


* Denial of service in SunRPC GSSAPI authentication.

Incorrect memory management when looking up a GSSAPI context in the
SunRPC subsystem can trigger kernel memory corruption and a kernel
panic.


* Memory corruption in ARECA SCSI command handling.

Missing validation of SCSI commands sent to an ARECA SCSI device can
allow a local privileged user to trigger kernel memory corruption and
potentially gain elevated privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


