[Ksplice][Ubuntu-15.10-Updates] New updates available via Ksplice (4.2.0-19.23)

[Oracle Ksplice]

Synopsis: 4.2.0-19.23 can now be patched using Ksplice

Systems running Ubuntu 15.10 Wily can now use Ksplice to patch against
the latest Ubuntu kernel update, 4.2.0-19.23.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.10 Wily
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Out of bounds memory access when accessing perf constraints on Intel CPU.

A missing bounds check for an index variable when accessing perf
constraints on Intel CPU could lead to memory corruptions and kernel panic.
A local, unprivileged user could use this flaw to cause a denial of
service.


* Kernel crash when applying alternative instructions.

The kernel did not disable interrupts whilst applying alternative
instructions, which could cause half-written opcodes to be executed and a
kernel panic.  A local, un-privileged user could use this flaw to cause a
denial-of-service.


* Out of bounds memory access in get_wchan().

A logic error when checking bounds of the current stack pointer in
get_wchan() could lead to out of bounds memory accesses.  A local,
un-privileged user could use this flaw to cause a kernel panic.


* Memory leak when iterating LED devices.

Incorrect reference counting when looking for LED devices name leads to a
memory leak.  A local, privileged user could use this exhaust the memory on
the system.


* NULL pointer dereference in the SPI subsystem on device close.

A missing NULL pointer check when freeing an SPI device could result in a
NULL pointer dereference and kernel panic.  A local, un-privileged user
could use this flaw to cause a denial-of-service.


* NULL pointer dereference in IOMMU library on flush.

A lack of NULL pointer check in the IOMMU library on lazy flush could lead
to a NULL pointer dereference and kernel panic in certain circumstances


* Kernel BUG when unmapping a hugetlbfs page.

A logic error in the hugetlbfs when unmapping a page that is mapped both
with MAP_SHARED and MAP_PRIVATE could trigger a BUG() assertion.  A local,
un-privileged user could use this flaw to cause a denial-of-service.


* Denial-of-service in BTRFS special file writing.

Incorrect handling of special files including device nodes could result
in a kernel panic when evicting inodes.  A local, privileged user with
permission to create device nodes could use this flaw to crash the
system.


* Remote information leak in the RPC over RDMA sub-system.

The Linux NFS server could return garbage data in the payload of inline
RDMA read replies if the client didn't provide a reply chunk or a write
list.  A remote attacker could use this flaw to gain information about the
running kernel.


* Kernel panic when reshaping a RAID5 to RAID0.

A flaw in the RAID sub-system could lead to device errors and trigger a
kernel BUG() assertion when reshaping a RAID5 to a RAID0 in certain
circumstances.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory corruption in IP set netlink interface.

The netlink interface to the IP set subsystem allows users to corrupt
kernel memory by sending a malformed CIDR value.


* Use-after-free when removing the netfilter logging module.

A failure to wait for pending RCUs when releasing internal objects on
netfilter logging module removal could lead to use-after-free and kernel
panic.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory leak in the NFS filesystem when resetting the metadata server.

A lack of cleaning up the page IO descriptor when resetting the metadata
server in the NFS filesystem leads to a memory leak.  A local, privileged
user could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Memory corruption in the AMD GPU driver.

An integer overflow on 32 bits kernels in the AMD GPU driver could lead to
a memory corruption and kernel panic under certain circumstances.


* Memory corruption in the XHCI driver on init command timeout.

A flaw in the XHCI driver causes a uninitialized timer to be deleted on
init command timeout, leading to memory corruption.  A local, privileged
user could use this flaw to cause a denial-of-service.


* NULL pointer dereference in Hyper-V transport driver on allocation failure.

Failure to check the result of an allocation could lead to a NULL pointer
dereference and kernel panic.


* Stack buffer overflow in the HP Smart Array SCSI driver.

Use of unbound sprintf() on a stack allocated buffer in the HP Smart Array
SCSI driver could lead to a stack overflow and kernel panic.  A local,
privileged user could use this flaw to cause a denial-of-service.


* NULL pointer dereference when tearing down x86 CPU cacheinfo.

In certain situations, offlining a CPU could cause a NULL pointer
dereference and kernel panic. A malicious local user with CPU hotplugging
capabilities could use this to cause denial of service.


* Invalid memory access in B.A.T.M.A.N. Advanced Meshing protocol when transmitting.

A flaw in the B.A.T.M.A.N. Advanced Meshing driver when transmitting a
socket buffer without a header properly set could lead out of bounds memory
accesses in the socket buffer.  A local, un-privileged user could use this
flaw to cause a denial-of-service.


* Memory leak in the RSI WiFi driver when loading the firmware.

A flaw in the RSI WiFi driver leads to a memory leak when trying to load
the firmware under memory pressure.  A local, privileged user could use
this flaw to put even more memory pressure and exhaust the memory on the
system.


* Out of bounds memory access in the UBI driver.

A lack of input validation when parsing a UBI image could cause out of
bounds memory accesses and lead to a kernel crash.  A local user able to
mount a special handcrafted image could use this flaw to cause a
denial-of-service.


* Memory leak when destroying a Xen domain.

An imbalance between allocating and releasing requests in the Xen block
back driver could lead to memory leaks.  A local, privileged user could use
this flaw to exhaust the memory on the host and cause a denial-of-service.


* Kernel hang when disconnecting from the backend in Xen netfront driver.

Failure to check that an interface is running before calling
napi_synchronise() in the Xen netfront driver could lead to a kernel hang.


* Out of bounds memory access in Multiple devices driver when allocating a bitmap.

A logic error when passing the slot number to the function allocating a
bitmap in the Multiple devices driver could lead to out of bounds memory
access and kernel panic when the bitmap isn't clustered.  An attacker could
use this flaw to cause a denial-of-service.


* Use-after-free and NULL pointer dereference in NFS when decoding a layout.

A flaw in the NFS file layout subsystem could lead to use-after-free and
NULL pointer dereference in certain circumstances.


* Kernel hang in Multiple devices driver when destroying a device.

Incorrect lock ordering when destroying a RAID device could lead to a
deadlock and kernel hang.


* NULL pointer dereference in the Multiple devices driver when switching from cleaner policy.

A flaw in the Multiple devices driver could lead to a NULL pointer
dereference in certain circumstances.  A local attack could use this flaw
to cause a denial-of-service.


* Permission bypass in the tty driver.

A flaw in the tty code would allow someone with a file descriptor opened
write only to re-open the tty with different flags, allowing him to control
the terminal when this should require both read and write access to the
tty.


* Remote denial-of-service when receiving socket buffers with partial checksums.

A flaw in the socket buffer code dealing with partial checksums causes out
of bounds memory accesses on the socket buffer and kernel panic.  A remote
attacker could use this flaw to cause a denial-of-service.


* Kernel BUG when passing a socket buffer allocated from pfmemalloc on a user socket.

A flaw in the socket buffer management when dealing with socket buffers
allocated from pfmemalloc could lead to a kernel BUG() assertion to trigger
under certain circumstances.  A local, un-privileged user could use this
flaw to cause a denial-of-service.


* NULL pointer dereference in the Point to point over ethernet protocol.

A flaw in the Point to point over ethernet driver could lead to a NULL
pointer dereference and kernel panic when flushing the device.  A local,
un-privileged user could use this flaw to cause a denial-of-service.


* Kernel panic when dumping eBPF filter via SO_GET_FILTER.

A logic error in the BPF subsystem can trigger a NULL pointer
dereference and kernel panic when dumping a eBPF filter via the
SO_GET_FILTER sockopt.


* Denial-of-service when allocating from offline NUMA node in Openvswitch driver.

A flaw in the Openvswitch driver when allocating from the cache for an
offline NUMA node leads to a VM_BUG_ON() assertion to trigger and kernel
panic.  An attacker could use this flaw to cause a denial-of-service.


* Kernel panic in the Redirecting and Mirroring network scheduler.

A flaw in the network scheduler for redirecting and mirroring packets could
cause a kernel panic when moving socket buffer from a receive to a transmit
queue.  An attacker could use this flaw to cause a denial-of-service.


* Kernel panic in the Berkeley Packet Filter when transmitting.

A flaw in the Berkeley Packet Filter could cause a kernel panic when
transmitting packets.  An attacker could use this flaw to cause a
denial-of-service.


* Information leak when getting strings from the ethtool device.

A lack of cleaning an allocated buffer that is copied to user space on
ETHTOOL_GSTRINGS requests could leak information about the running kernel.
This could help an attacker to elevate privileges.


* Kernel crash when using ahash driver without import/export callback.

Ahash drivers are required to provide import/export callbacks to be
registered with the ahash crypto sub-system, otherwise they could lead to a
kernel crash under certain circumstances.  A local, un-privileged user
could use this flaw to cause a denial-of-service.


* Use-after-free in Btrfs filesystem when iterating extended refs.

A flaw in the Btrfs filesystem code when iterating over extended refs leads
to a use-after-free and kernel panic.  A local, un-privileged user could
use this flaw to cause a denial-of-service.


* Use-after-free in Rados block device driver on failure to probe.

A flaw in the Rados block device driver leads to double-free if there's an
error when probing the parent device.  A local, privileged user could use
this flaw to cause a denial-of-service.


* Stack corruption in Silicon Labs demodulator driver.

A possible stack corruption leading to a kernel crash may
occur when initializing certain tv demodulators.


* Use-after-free in block control group destruction.

Incorrect handling of block control group destruction could result in a
use-after-free and kernel crash when removing a block control group.  A
local, privileged user could use this flaw to crash the system under
specific conditions.


* Denial-of-service in VM86 on fork/clone.

Missing initialization of the VM86 pointer on fork/clone operations
could result in a use-after-free condition and kernel crash.  A local,
unprivileged user could use this flaw to crash the system, or
potentially escalate privileges.


* Denial-of-service in AMD IOMMU driver with PROT_NONE mappings.

Incorrect handling of file mappings with PROT_NONE protections could
result in triggering a kernel assertion and crash.  A local,
unprivileged user could use this flaw to crash the system under specific
conditions.


* Integer overflow in DRM blob creation.

Missing integer overflow checks could result in an incorrect allocation
size of user supplied data.  A local user with access to the DRM device
could use this flaw to trigger an out-of-bounds access and crash the
system or potentially escalate privileges.


* Denial-of-service in PCI numa_node sysfs attribute.

Missing range checks could result in an out-of-bounds access when
writing to the num_node override attribute of a PCI device triggering a
kernel crash, or possibly allowing privilege escalation.


* Memory leak in overlayfs mount and unmount.

Missing resource freeing in the mount and unmount paths of overlayfs
could trigger a memory leak.


* Memory leak in overlayfs copying to upper filesystem.

Incorrect error handling could result in a memory leak when the
overlayfs filesystem failed to copy files from the lower to upper
filesystem.


* Denial-of-service in software RAID5 stripe cleaning.

Incorrect locking during stripe cleaning could result in an infinite
loop and system crash.  A local, unprivileged user with write access to
a filesystem on a RAID5 device could use this flaw to crash the system.


* NULL pointer dereference in Marvell 88SE64XX/88SE94XX task preparation.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when performing tasks on a Marvell 88SE64XX/88SE94XX
device under low memory conditions.


* Deadlock in netfilter ipset rule addition.

Incorrect memory allocation could result in deadlock, effectively
crashing the system.  A local, privileged user could use this flaw to
crash the system.


* Denial-of-service in KVM irqchip routing.

Missing resource freeing could result in a memory leak when setting the
IRQ routing for a KVM irqchip.  A local user with access to the KVM
device could use this flaw to crash the system.


* Use-after-free in Infiniband Connected Mode Service ID Resolution.

Incorrect handling of Service ID Resolution requests could result in a
use-after-free condition and kernel crash.


* Kernel crash in Intel Knights Landing CPU frequency scaling.

A divide by zero error in the CPU frequency scaling driver for the
Knights Landing platform could result in a kernel crash under specific
conditions.


* Kernel hang in NVMe command retry.

A memory leak during NVMe command retry could result in a kernel hang if
an NVMe device was removed when the DMA pool was busy.


* Mark unused space between __ex_table_end and rodata as non-executable.

Unused space between the end of the __ex_table and the start of rodata had
incorrect RWX protection, which could potentially be used to inject code in
a running kernel and facilitate exploits.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.