[Ksplice-Fedora-24-updates] New Ksplice updates for Fedora 24 (FEDORA-2017-15fbaf2450)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Mar 29 06:34:50 PDT 2017


Synopsis: FEDORA-2017-15fbaf2450 can now be patched using Ksplice

Systems running Fedora 24 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2017-15fbaf2450.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 24
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
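
The check described above can be scripted to tell which hosts still need the
manual command. This is an added example, not part of Oracle's announcement:
the function names are hypothetical, and it assumes that only the value "yes"
enables autoinstall and that the last assignment in the file wins.

```shell
#!/bin/sh
# Added example (not Oracle's code). Assumption: only the value "yes"
# enables autoinstall, and the last assignment in the file wins.

# Return 0 if the given uptrack.conf sets autoinstall = yes, 1 otherwise.
autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1            # unreadable or missing: not enabled
    awk -F= '
        /^[ \t]*[#;]/ { next }            # ignore commented-out settings
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key)      # strip padding and CR from CRLF files
            gsub(/[ \t\r]/, "", val)
            if (tolower(key) == "autoinstall") last = tolower(val)
        }
        END { exit (last == "yes" ? 0 : 1) }
    ' "$conf"
}

# Print what an administrator has to do on this host for the update.
upgrade_action() {
    if autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "manual: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs: one enabled, one with the setting commented out.
demo_dir=$(mktemp -d)
printf '[Settings]\nautoinstall = yes\n' > "$demo_dir/on.conf"
printf '[Settings]\n# autoinstall = yes\nautoinstall = no\n' > "$demo_dir/off.conf"
echo "on.conf:  $(upgrade_action "$demo_dir/on.conf")"
echo "off.conf: $(upgrade_action "$demo_dir/off.conf")"
rm -rf "$demo_dir"
```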


DESCRIPTION

* Deadlock when setting ALSA timer with small tickrate.

The ALSA subsystem does not define a lower bound for tickrates, which can allow
a local user to cause deadlocks by setting a small tickrate for timers.


* Kernel panic in Realtek wireless header parsing.

The Realtek wireless driver does not correctly handle truncated wireless frames
which can trigger a NULL pointer dereference and kernel panic.


* Memory corruption when performing IO on anonymous memory mappings.

A logic error when performing IO on anonymous memory mappings can trigger
memory corruption and a kernel panic.


* Denial of service in loop device SET_STATUS ioctl.

The kernel loopback driver does not drain pending work before changing status
which can later trigger kernel panics.


* Memory corruption when handling EXT4 small group sizes.

A logic error when handling EXT4 filesystems with small group sizes can trigger
an out-of-bounds read and potentially corrupt kernel memory.


* Memory leak in EXT4 inline data writeback.

The EXT4 filesystem driver does not handle errors when writing inline data to
disk, which can trigger reference counting errors and a kernel memory leak.


* Use after free in EXT4 encryption lookup.

A malformed EXT4 filesystem which has inconsistent encryption contexts across
directories can trigger a use-after-free condition and a kernel panic.


* Memory leak when synchronously closing FUSE files.

Incorrect reference counting when synchronously closing files on FUSE
filesystems can trigger a kernel memory leak and subsequent kernel panic.


* Kernel panic in USB CAN memory transfers.

The USB CAN driver incorrectly DMAs memory which can trigger memory corruption
and a kernel panic.


* Memory leak when attaching one-wire slave devices.

A logic error when an error is encountered attaching one-wire devices can
trigger a kernel memory leak and subsequent kernel panic.


* Memory leak when disabling USB HID gadget devices.

Incorrect memory management when disabling a USB gadget device with HID
functions can trigger a kernel memory leak and subsequent kernel panic.


* Denial of service when parsing RDMA iWARP parameters.

The kernel RDMA connection manager does not fully validate iWARP parameters
from userspace which can allow a local user to trigger a NULL pointer
dereference and kernel panic.


* Use-after-free in GFS2 lock management.

A race condition when manipulating locks in the GFS2 filesystem can trigger a
use-after-free condition and kernel panic.


* Denial of service when truncating files on NFS exports.

The kernel NFS server does not correctly handle updating ownership metadata and
file sizes, which can trigger assertion failures when some filesystems are
exported via NFS.


* Memory leak when opening files via NFSv4 client.

The kernel NFSv4 client does not track memory correctly when opening files on a
remote NFS server which can lead to a memory leak and subsequent kernel panic.


* Use after free in F2FS when merging file extents.

The F2FS filesystem does not correctly handle freed memory when merging file
extents which can lead to a use-after-free condition and kernel panic.


* Memory corruption in Mellanox Connect-IB SRQ management.

The Mellanox Connect-IB PCI Express driver does not correctly allocate memory
when creating SRQs which can later trigger an out-of-bounds write and kernel
memory corruption.


* Denial of service when processing Infiniband SRPs.

The kernel Infiniband driver does not handle duplicate SRP responses which can
trigger a NULL pointer dereference and kernel panic.


* Denial of service in Radeon buffer-object caching.

The Radeon graphics driver does not correctly handle swapping out
buffer-objects which can trigger an assertion failure and kernel panic.


* Denial of service in Digi AccelePort OOB events.

A logic error when parsing truncated OOB events from Digi AccelePort USB
devices can trigger an out-of-bounds read and kernel panic.


* Information leak in safe-serial USB driver.

The safe-serial USB driver does not correctly validate USB frames which can
allow short USB frames to leak the contents of kernel memory to userspace.


* Denial of service in IO Warrior USB endpoint processing.

The IO Warrior USB device driver does not correctly handle malicious USB
devices with missing endpoints which can trigger a NULL pointer dereference and
kernel panic.


* Denial of service in Digi Edgeport TI interrupt processing.

A logic error when handling interrupts from Digi Edgeport USB devices can allow
a malicious device to trigger a NULL pointer dereference and kernel panic.


* Information leak in Digi Edgeport TI callback completion.

An integer underflow in the Digi Edgeport TI USB driver can allow a malicious
USB device to leak the contents of kernel memory to userspace.


* Denial of service when truncating encrypted EXT4 inodes.

A logic error when mounting an EXT4 filesystem can trigger an assertion and
kernel panic when truncating encrypted inodes.


* Use after free in L2TP backlog processing.

A logic error when processing backlogged L2TP packets can lead to a packet
being discarded multiple times, triggering a use-after-free condition and
kernel panic.


* Memory corruption in virtualized packet transmission.

The Generic Network Virtualization and VXLAN networking subsystems do not hold
the correct locks when transmitting packets which can trigger kernel memory
corruption.


* Deadlock when listening on DCCP sockets.

Incorrect locking when listening on IPv4 and IPv6 DCCP sockets can trigger a
deadlock and kernel panic. A malicious local user could use this flaw to
trigger a denial of service.


* Information leak in AF_PACKET socket binding.

A logic error when copying AF_PACKET addresses from userspace can trigger an
out-of-bounds read and leak the contents of kernel memory to userspace.


* Denial of service when accepting DCCP connections.

A logic error when accepting a DCCP connection fails can trigger an assertion
failure and kernel panic.


* Denial of service in IPv4 TCP timers.

The TCP subsystem does not correctly handle changing timers on IPv4 TCP sockets
in the LISTEN state, which can trigger a divide-by-zero and kernel panic.


* Memory corruption when completing network packets.

Incorrect reference counting when network packet transmission has completed can
trigger a use-after-free condition and kernel panic.


* Denial of service when configuring netfilter connection marking.

A logic error when parsing configuration data from userspace can allow a local
user to trigger a NULL pointer dereference and kernel panic.


* Memory corruption in IP packet redirection.

Incorrect reference counting when redirecting IPv4, IPv6 and DCCP packets can
trigger a use-after-free condition and kernel panic.


* Memory leak in DCCP CCID-2 socket teardown.

The DCCP CCID-2 networking subsystem does not free memory when tearing down a
socket which can cause a memory leak and subsequent kernel panic.


* Memory corruption in futex requeuing.

A logic error when requeuing a PI futex can trigger a use-after-free condition
and kernel memory corruption when changing the owner of the futex.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
