[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (ubuntu-3.2.0-38.60)

Sonja Tideman sonja.tideman at oracle.com
Tue Feb 19 10:44:28 PST 2013


Synopsis: ubuntu-3.2.0-38.60 can now be patched using Ksplice

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu kernel update, ubuntu-3.2.0-38.60.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
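
As an added example (not part of this announcement, and not Ksplice's own tooling), the following POSIX shell snippet reads the `autoinstall` setting from an uptrack.conf-style file and reports whether a host will pick these updates up on its own or still needs `uptrack-upgrade -y` run by hand. The config path is a parameter so the check can be exercised on a constructed sample file; the INI-like `key = value` syntax and the "last occurrence wins" rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the Ksplice announcement: decide from an
# uptrack.conf-style file whether updates install automatically.

# Print the effective autoinstall value ("yes" or "no"), ignoring comment
# lines, surrounding whitespace and letter case; the last occurrence wins
# (assumption). Returns 0 when autoinstall is enabled, 1 otherwise.
uptrack_autoinstall() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "no"
        return 1
    fi
    val=$(tr '[:upper:]' '[:lower:]' < "$conf" |
        sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
        tail -n 1)
    if [ "$val" = "yes" ]; then
        echo "yes"
        return 0
    fi
    echo "no"
    return 1
}

# Print the action an administrator must take for this host, given the
# config file path. This only reports; it never runs uptrack-upgrade.
uptrack_plan() {
    if uptrack_autoinstall "$1" >/dev/null; then
        echo "automatic: Ksplice Uptrack will install the updates itself"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample config (not a real /etc/uptrack/uptrack.conf).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# autoinstall = yes   <- commented out, must be ignored
autoinstall = no
EOF

uptrack_plan "$SAMPLE_CONF"
# -> manual: run /usr/sbin/uptrack-upgrade -y
```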


DESCRIPTION

* Denial-of-service in shared mempolicy.

Improper reference counting could lead to leaked memory on a shmem
shared mempolicy.  This could lead to a denial-of-service by an
unprivileged user.


* Denial-of-service with ext4 acls.

If ext4_journal_start returns an error, acls may not get released,
causing a memory leak.  This could lead to a denial-of-service.


* Memory corruption in USB EHCI.

Failure to properly set pointers for isochronous URBs can cause URBs to
be improperly reused, leading to list corruption and a system freeze.


* NULL pointer dereference in xhci.

If xhci has to bail out due to OOM while allocating ring segments,
the ring segments are left in a bad state.  This could lead to a NULL
pointer dereference when xhci tries to free them or it could lead to
a use-after-free if a caller believes the ring segments are valid.
Either could potentially also cause a kernel crash.


* Invalid memory access in cgroup file system.

If cgroup_create_file() fails, no dentry get is performed, but
the corresponding dentry put gets performed anyhow, leading to an
invalid memory access and a kernel oops.


* Client deadlock in NFSv4 connection binding.

When an NFS server reports a cb_path_down sequence error, the client
attempts to perform a bind_connection_to_session, which results in
a deadlock on the client, leaving it unable to perform any
further NFS activity.


* Deadlock in iSCSI asynchronous messages.

When processing asynchronous messages the iSCSI driver can deadlock when
attempting to allocate kernel memory.


* NULL pointer dereference in ring buffer.

If rb_set_head_page() fails it will return a NULL pointer.  Some
callers of rb_set_head_page() do not properly check for a NULL
pointer return, leading to a NULL pointer dereference.


* Fix packet handling in firewire.

Improper handling of fragmented multicast and broadcast packets
in firewire could cause packets to not be correctly delivered.


* NULL pointer dereference in NFSv2 and NFSv3 in server cloning.

A race condition that occurs when nfs_clone_server gets an error
can lead to a NULL pointer dereference in nfs_clone_server.


* Buffer overflow with NFSv4 read encoding.

If the argument and reply in nfsd4_encode_read exceed the maximum
payload size, then the rq_pages array can overflow.


* NULL pointer dereference in bonding slave management.

Missing locking in bonding slave management could result in a NULL
pointer dereference and kernel crash.


* Denial-of-service in SCTP message sending.

The SCTP protocol implementation did not correctly release memory when
passed an invalid source buffer.  This could allow an unprivileged user
to cause a denial-of-service.


* NULL pointer dereference in IRDA SIR network device.

An invalid check in the IRDA SIR network device driver could result in
calling a NULL pointer and crashing the kernel.


* Memory corruption in IPv4 packet defragmentation.

A race condition when checking packet defragmentation could cause packet
corruption.


* Buffer overflow in QuickNet Internet LineJack input handling.

The QuickNet Internet LineJack driver did not properly check input from
userspace, making it possible to pass it strings that are not
properly NUL terminated, leading to a buffer overflow.


* Denial-of-service in udf writes.

A memory leak that occurs while allocating blocks during udf
writes could lead to a denial-of-service.


* Memory corruption in extent tree for ext4.

When the depth of the extent tree in ext4 is greater than one,
the interior node is not correctly updated, leading to memory
corruption in the extent tree.


* Kernel panic in jbd2.

A race condition in jbd2 code could lead to an assertion failure
and a kernel panic.


* Memory corruption when using /proc/mounts.

Mounting /tmp with mpol=local can cause kernel memory corruption on
subsequent reads of /proc/mounts, /proc/pid/mounts, or
/proc/pid/mountinfo.  This memory corruption can lead to a kernel
panic.


* Denial-of-service with TCP and DCCP recv sockets.

If inet_csk_route_child_sock() or __inet_inherit_port() fails inside
tcp_v4/6_syn_recv_sock or dccp_v4/6_request_recv_sock, those functions
leak memory, enabling a potential denial-of-service attack.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
