[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (3.5.0-24.37)
Sasha Levin
sasha.levin at oracle.com
Tue Feb 19 18:22:27 PST 2013
Synopsis: 3.5.0-24.37 can now be patched using Ksplice
Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.5.0-24.37.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y

A quick way to decide which of the two paths above applies to a host. This is an added example, not code from the Ksplice announcement or from Oracle; it reads the same "autoinstall = yes" setting the announcement refers to, and the parsing rules it assumes (INI-style file, comments introduced by "#" or ";", whitespace and case ignored) are assumptions about the conf file format rather than anything documented on this page.

```shell
# Added example (not from the Ksplice announcement): report whether this
# host will pick up the 3.5.0-24.37 Ksplice updates automatically or needs
# a manual /usr/sbin/uptrack-upgrade -y.
# Assumptions: /etc/uptrack/uptrack.conf is INI-style, comments start with
# "#" or ";", and the key is matched case-insensitively.

# Return 0 if the file has an uncommented "autoinstall = yes" line
# (ignoring surrounding whitespace and case), 1 otherwise.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    # Drop everything after a comment marker, then look for the key.
    sed -e 's/[#;].*$//' "$conf" \
      | grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# Print the action an administrator should take for the given conf file.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall: updates will be applied automatically"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample config (not any real host's file) so the script runs
# stand-alone: the commented-out "yes" must not count, so the result is
# "manual".
sample_conf="$(mktemp)"
cat > "$sample_conf" <<'EOF'
[Settings]
# autoinstall = yes
install_on_reboot = yes
autoinstall = no
EOF
uptrack_plan "$sample_conf"
rm -f "$sample_conf"
```

Run it with no argument on a real host to read /etc/uptrack/uptrack.conf. Whichever path applies, `uptrack-show` (an Uptrack command not mentioned in the announcement) lists the updates currently applied, which is the check to run afterwards to confirm the 3.5.0-24.37 set is present.
<test>
set -e
f_yes="$(mktemp)"
printf '[Settings]\n  AutoInstall = Yes   # comment\n' > "$f_yes"
f_no="$(mktemp)"
printf '[Settings]\n# autoinstall = yes\nautoinstall = no\n' > "$f_no"
f_missing="$(mktemp)"
printf '[Settings]\ninstall_on_reboot = yes\n' > "$f_missing"
[ "$(uptrack_plan "$f_yes")" = "autoinstall: updates will be applied automatically" ] || exit 1
[ "$(uptrack_plan "$f_no")" = "manual: run /usr/sbin/uptrack-upgrade -y" ] || exit 1
[ "$(uptrack_plan "$f_missing")" = "manual: run /usr/sbin/uptrack-upgrade -y" ] || exit 1
[ "$(uptrack_plan "/nonexistent/uptrack.conf")" = "manual: run /usr/sbin/uptrack-upgrade -y" ] || exit 1
rm -f "$f_yes" "$f_no" "$f_missing"
</test>
DESCRIPTION
* Out-of-bounds read in FireWire packet processing.
The FireWire driver does not correctly parse fragmented multicast and
broadcast packets leading to an out-of-bounds read and kernel panic.
* Fix client deadlock in NFSv4.
When an NFS server reports a cb_path_down sequence error, the client
attempts to perform a bind_connection_to_session, which results in
a deadlock on the client, leaving it unable to perform any
further NFS activity.
* Use-after-free in SunRPC pipefs unmount.
When unmounting a pipefs filesystem the kernel releases the pipefs filesystem
before notifying other kernel threads, leading to a use-after-free and kernel
panic.
* Invalid memory access in cgroup file system.
If cgroup_create_file() fails, no dentry get is performed, but
the corresponding dentry put gets performed anyhow, leading to an
invalid memory access and a kernel oops.
* NULL pointer dereference in xhci.
If xhci has to bail out due to OOM while allocating ring segments,
the ring segments are left in a bad state. This can lead to a NULL
pointer dereference when xhci tries to free them, or to a
use-after-free if a caller believes the ring segments are valid.
Either can also cause a kernel crash.
* Kernel panic on 802.11 driver unload.
The mac80211 wireless driver schedules an asynchronous job when unloading
leading to a use-after-free and kernel panic.
* Deadlock in iSCSI asynchronous messages.
When processing asynchronous messages the iSCSI driver can deadlock when
attempting to allocate kernel memory.
* Memory corruption when using /proc/mounts.
Mounting /tmp with mpol=local can cause kernel memory corruption on
subsequent reads from /proc/mounts, /proc/pid/mounts, or
/proc/pid/mountinfo. This memory corruption can lead to a kernel
panic.
* Kernel panic in jbd2 driver.
A race condition in the jbd2 filesystem driver when writing a journal to disk
can trigger a kernel panic.
* Use-after-free in ext4 inode creation.
When creating a new inode the ext4 filesystem driver uses kernel
memory after it has been freed, leading to a kernel panic.
* NULL pointer dereference in Radeon CS parser in UMS mode.
When running in UMS mode the parser might try to dereference the
device pointer, which is NULL in that mode.
* Memory leak in Atheros ath5k driver.
The Atheros ath5k driver does not correctly release transmitted packets
leading to a kernel memory leak and eventual kernel panic.
* Memory leak in udf file writing.
The udf filesystem driver leaks kernel memory when allocating blocks
for a new file on a udf filesystem.
* Memory corruption in ext4 file truncation.
When truncating an existing file, the ext4 filesystem driver does not correctly
handle files with large extent trees leading to memory corruption and a kernel
panic.
* Invalid memory free in Radeon CS parser in UMS mode.
The CS parser in the Radeon driver may attempt to free a memory
which was never dynamically allocated in the first place in
UMS mode.
* Denial-of-service with TCP and DCCP recv sockets.
If tcp_v4/6_syn_recv_sock or dccp_v4/6_request_recv_sock have
inet_csk_route_child_sock() or __inet_inherit_port() fail, they
will leak memory, enabling a potential denial-of-service attack.
* NULL pointer dereference in USB Inside Out Edgeport serial driver.
A NULL pointer dereference may occur during disconnection of the driver
due to a missing check.
* Memory leak in ext4 directory search.
When searching for a directory on an ext4 filesystem the kernel will leak memory
when it finds a malformed directory entry.
* Memory leak in ext4 extended attributes.
The ext4 filesystem driver does not correctly release kernel memory if
setting an extended attribute on a file fails.
* Information leaks in INET transport monitoring bytecode.
Insufficient validation of the monitoring bytecode could allow a malicious
user to leak a number of bytes of kernel heap memory, or to crash the kernel
by reading off the end of mapped memory.
* Memory corruption in IPv4 packet defragmentation.
A race condition when checking packet defragmentation could cause packet
corruption.
* NULL pointer dereference in NFSv2 and NFSv3.
A race condition that occurs when nfs_clone_server gets an error
can lead to a NULL pointer dereference in nfs_clone_server.
* NULL pointer dereference in bonding slave management.
Missing locking in bonding slave management could result in a NULL
pointer dereference and kernel crash.
* Denial-of-service in SCTP message sending.
The SCTP protocol implementation did not correctly release memory when
passed an invalid source buffer. This could allow an unprivileged user
to cause a denial-of-service.
* Use-after-free on LUN RESET in the SCSI target driver's IO handling.
A LUN RESET command issued during a long-running backend IO can trigger a
use-after-free when that IO completes.
* NULL pointer dereference in tracing ring buffer.
Missing error checks in the tracing ring buffer management could result
in a NULL pointer dereference and kernel crash.
* NULL pointer dereference in IRDA SIR network device.
An invalid check in the IRDA SIR network device driver could result in
calling a NULL pointer and crashing the kernel.
* Buffer overflow with NFSv4 read encoding.
If the argument and reply in nfsd4_encode_read exceed the maximum
payload size, then the rq_pages array can overflow.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-12.10-Updates
mailing list