[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (3.5.0-24.37)

Sasha Levin sasha.levin at oracle.com
Tue Feb 19 18:22:27 PST 2013


Synopsis: 3.5.0-24.37 can now be patched using Ksplice

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.5.0-24.37.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
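As an added example (not part of the Ksplice announcement), the following POSIX shell helper checks the autoinstall setting in /etc/uptrack/uptrack.conf and decides whether the manual upgrade command above still needs to be run. The config path is taken as a parameter so the check can be exercised against a constructed file; the helper only reads the file and prints the recommended action, it does not run uptrack-upgrade itself.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling: report whether a host relies on
# Uptrack autoinstall or still needs a manual "uptrack-upgrade -y".
# The only assumption is the documented "autoinstall = yes" line in
# /etc/uptrack/uptrack.conf, as quoted in the announcement.

# Print "yes" if autoinstall is enabled in the given config file, else "no".
# Commented-out lines ("# autoinstall = yes") and other values are treated
# as disabled; an unreadable file is also reported as "no".
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ -r "$conf" ] && \
       grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"; then
        echo "yes"
    else
        echo "no"
    fi
}

# Print the action an administrator should take for this host.
uptrack_plan() {
    if [ "$(uptrack_autoinstall_enabled "$1")" = "yes" ]; then
        echo "autoinstall enabled: updates will be installed automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Stand-alone usage: inspect the real config file on this host.
if [ "${UPTRACK_PLAN_MAIN:-1}" = "1" ]; then
    uptrack_plan /etc/uptrack/uptrack.conf
fi
```

Run it as root on a Quantal host to see which of the two paths described above applies; the grep pattern is anchored so a commented-out setting is not mistaken for an enabled one.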


DESCRIPTION

* Out-of-bounds read in FireWire packet processing.

The FireWire driver does not correctly parse fragmented multicast and
broadcast packets, leading to an out-of-bounds read and kernel panic.


* Fix client deadlock in NFSv4.

When an NFS server reports a cb_path_down sequence error, the client
attempts to perform a bind_connection_to_session, which results in
a deadlock on the client, after which the client is unable to perform any
further NFS activity.


* Use-after-free in SunRPC pipefs unmount.

When unmounting a pipefs filesystem, the kernel releases the pipefs filesystem
before notifying other kernel threads, leading to a use-after-free and kernel
panic.


* Invalid memory access in cgroup file system.

If cgroup_create_file() fails, no dentry get is performed, but
the corresponding dentry put gets performed anyhow, leading to an
invalid memory access and a kernel oops.


* NULL pointer dereference in xhci.

If xhci has to bail out due to OOM while allocating ring segments,
the ring segments are left in a bad state.  This could lead to a NULL
pointer dereference when xhci tries to free them, or to a use-after-free
if a caller believes the ring segments are valid.  Either could
potentially also cause a kernel crash.


* Kernel panic on 802.11 driver unload.

The mac80211 wireless driver schedules an asynchronous job when unloading,
leading to a use-after-free and kernel panic.


* Deadlock in iSCSI asynchronous messages.

When processing asynchronous messages, the iSCSI driver can deadlock when
attempting to allocate kernel memory.


* Memory corruption when using /proc/mounts.

Mounting /tmp with mpol=local can cause kernel memory corruption on
subsequent reads from /proc/mounts, /proc/pid/mounts, or
/proc/pid/mountinfo.  This memory corruption can lead to a kernel
panic.


* Kernel panic in jbd2 driver.

A race condition in the jbd2 filesystem driver when writing a journal to disk
can trigger a kernel panic.


* Use-after-free in ext4 inode creation.

When creating a new inode, the ext4 filesystem driver uses kernel
memory after it has been freed, leading to a kernel panic.


* NULL pointer dereference in Radeon CS parser in UMS mode.

When running in UMS mode, the parser might try to dereference the
device pointer, which is NULL in that mode.


* Memory leak in Atheros ath5k driver.

The Atheros ath5k driver does not correctly release transmitted packets,
leading to a kernel memory leak and eventual kernel panic.


* Memory leak in udf file writing.

The udf filesystem driver leaks kernel memory when allocating blocks
for a new file on a udf filesystem.


* Memory corruption in ext4 file truncation.

When truncating an existing file, the ext4 filesystem driver does not correctly
handle files with large extent trees, leading to memory corruption and a kernel
panic.


* Invalid memory free in Radeon CS parser in UMS mode.

In UMS mode, the CS parser in the Radeon driver may attempt to free
memory which was never dynamically allocated in the first place.


* Denial-of-service with TCP and DCCP recv sockets.

If tcp_v4/6_syn_recv_sock or dccp_v4/6_request_recv_sock have
inet_csk_route_child_sock() or __inet_inherit_port() fail, they
leak memory, enabling a potential denial-of-service attack.


* NULL pointer dereference in USB Inside Out Edgeport serial driver.

A NULL pointer dereference may occur during disconnection of the driver
due to a missing check.


* Memory leak in ext4 directory search.

When searching for a directory on an ext4 filesystem, the kernel leaks memory
when it finds a malformed directory entry.


* Memory leak in ext4 extended attributes.

The ext4 filesystem driver does not correctly release kernel memory if
setting an extended attribute on a file fails.


* Information leaks in INET transport monitoring bytecode.

Incorrect validation of monitoring bytecode could allow a malicious user to
leak a number of bytes of kernel heap memory or to crash the kernel by
reading off the end of mapped memory.


* Memory corruption in IPv4 packet defragmentation.

A race condition when checking packet defragmentation could cause packet
corruption.


* NULL pointer dereference in NFSv2 and NFSv3.

A race condition that occurs when nfs_clone_server gets an error
can lead to a NULL pointer dereference in nfs_clone_server.


* NULL pointer dereference in bonding slave management.

Missing locking in bonding slave management could result in a NULL
pointer dereference and kernel crash.


* Denial-of-service in SCTP message sending.

The SCTP protocol implementation did not correctly release memory when
passed an invalid source buffer.  This could allow an unprivileged user
to cause a denial-of-service.


* Use-after-free on LUN RESET in the target driver's IO handling.

A LUN RESET command during a long backend IO can trigger a use-after-free
on IO completion.


* NULL pointer dereference in tracing ring buffer.

Missing error checks in the tracing ring buffer management could result
in a NULL pointer dereference and kernel crash.


* NULL pointer dereference in IRDA SIR network device.

An invalid check in the IRDA SIR network device driver could result in
calling a NULL pointer and crashing the kernel.


* Buffer overflow with NFSv4 read encoding.

If the argument and reply in nfsd4_encode_read exceed the maximum
payload size, then the rq_pages array can overflow.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
