[Ksplice][Ubuntu-15.10-Updates] New updates available via Ksplice (4.2.0-35.40)

[Oracle Ksplice]

Synopsis: 4.2.0-35.40 can now be patched using Ksplice
CVEs: CVE-2015-2085 CVE-2015-7833 CVE-2015-8812 CVE-2016-2383

Systems running Ubuntu 15.10 Wily can now use Ksplice to patch against
the latest Ubuntu kernel update, 4.2.0-35.40.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.10 Wily
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-7833: Crash in USB vision driver when malicious device is connected.

Improper handling of USB endpoint probing during vision device initialization
leads to a NULL pointer dereference.


* CVE-2015-8812: Use-after-free in Infiniband CXGB3 driver on network congestion.

A logic error in the Infiniband CXGB3 driver could lead to a use-after-free
of a socket buffer when the network is congested.  A local, unprivileged
user could use this flaw to cause a kernel crash or potentially escalate
privileges.


* CVE-2015-2085: Timing side channel attack in EVM integrity module.

The verification routine of the EVM HMAC was using a regular non-constant
memcmp(), allowing attackers to do timing side channel attacks and reduce
the MAC forgery complexity from 2^128 to 2^12.


* Deadlock when reading from rfkill sysfs file.

Incorrect locking in the rfkill sysfs interface can cause a kernel panic
when reading events. A privileged local user could use this flaw to
cause a denial of service.


* Kernel crash in userspace interface for hash algorithm when sending a message.

A failure to wait for the completion of crypto_ahash_init() when using
sendpage()/sendmsg() could cause a kernel crash.  A local, unprivileged
user could use this flaw to cause a denial-of-service.


* NULL pointer dereference in the Industrial IO (IIO) driver when releasing a channel.

A missing check for NULL pointer when releasing an IIO channel could lead
to a NULL pointer dereference and kernel panic.


* Integer underflow when accessing Intel Storage Controller Unit (SCU) registers.

A flaw in the Intel SCU driver could lead to an integer underflow when
accessing the SCU registers.  A local user with CAP_SYS_RAWIO could use
this flaw to cause out of range memory accesses leading to a kernel crash.


* Kernel log buffer flood in ALSA rawmidi driver.

The ALSA rawmidi driver would dump the kernel stack to the kernel log
buffer every time userspace would pass it a NULL pointer.  A local,
unprivileged user with access to the ALSA device could use this flaw to
flood the kernel logs, potentially causing a denial-of-service or gaining
information about the running kernel if he's able to read the kernel log.


* Multiple kernel deadlocks in ALSA OSS emulation.

Incorrect locking in the ALSA OSS emulation code could lead to AB-BA
deadlocks when accessing read()/write() and mmap() concurrently.  A local
user could use these flaws to cause a denial-of-service.


* Multiple use-after-free in ALSA sequencers when closing the device.

Incorrect locking in the ALSA sequencers sub-system could lead to different
use-after-free under certain conditions.  A local user could use these
flaws to cause a denial-of-service.


* Kernel panic when handling interrupts for SATA devices.

Incorrect locking can trigger an assertion failure and kernel panic when
handling an interrupt for a SATA device.


* NULL pointer dereference when loading a module with async_probe.

A NULL pointer was being passed to the routine configuring the async_probe
module parameter when loading a module.  A local user with the ability to
trigger a module load with async_probe set could use this flaw to cause a
denial-of-service.


* Memory corruption in ALSA rawmidi driver on concurrent read/write.

Incorrect locking in the ALSA rawmidi driver on concurrent read/write
operations could lead to memory corruptions.  A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Kernel panic in the radix tree library when doing a gang lookup.

A race condition in the radix tree library in the kernel could lead to type
confusion and kernel panic when doing a gang lookup and concurrently
growing the radix tree.  A local user could use this flaw to cause a
denial-of-service.


* Use-after-free when unloading xHCI host driver.

A flaw in the xHCI host driver could lead to reading already freed memory
when removing the driver.  A local user with the ability to unload the xHCI
kernel module could use this flaw to cause a denial-of-service.


* Denial-of-service in ALSA timer handling.

Multiple locking flaws in the ALSA timer handling could lead to memory
corruptions and denial-of-service on concurrent operations.  A local user
could use these flaws to cause a denial-of-service.


* Kernel hang in Btrfs filesystem when using the BTRFS_IOC_INO_PATHS ioctl.

Double locking of the same read/write lock in the Btrfs filesystem when
querying the path of an inode could lead to a kernel deadlock.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Information leak in ALSA sound sub-system when parsing the HDMI EDID-Like-Data (ELD).

Lack of proper bounds checking when copying the HDMI ELD structure could
lead to leaking 256 bytes of kernel memory under certain conditions.


* Kernel deadlock when dumping the call stack on multiple CPUs.

Incorrect locking when dumping the kernel stack to the kernel log buffer on
multiple CPUs could lead to a deadlock.  An attacker with the ability to
trigger concurrent dump_stack() calls could use this flaw to cause a
denial-of-service.


* Infinite loop when unmounting an OCFS2 filesystem using the kernel distributed lock manager.

A logic error when releasing the locks of an OCFS2 recovery master dead
node could lead to an infinite loop when later trying to unmount the OCFS2
filesystem.


* Kernel deadlock when validating a memory context.

A race condition in the virtual memory subsystem when validating a memory
context could lead to a deadlock.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Use-after-free in the crypto sub-system when traversing the list of crypto algorithms.

Incorrect locking when traversing the list of crypto algorithms could lead
to a use-after-free when concurrently unregistering an algorithm.  A local,
unprivileged user could use this flaw to cause a kernel crash.


* Use-after-free in QLogic QLA2xxx queue management.

Incorrect memory management in the QLogic QLA2xxx SCSI devices can
trigger a use-after-free and kernel panic when manipulating queues.


* Use-after-free in the kernel list library on concurrent hotplug events.

The starting node given to klist_iter_init_node() might not be on the list
anymore in case of concurrent hotplug events, potentially leading to a
user-after-free and crash.


* Kernel panic when parsing VBT in Intel integrated graphics.

The Intel integrated graphics driver does not validate VBT data which
can trigger an out-of-bounds access and kernel panic.


* Kernel hang when removing a SCSI target.

A flaw in the SCSI sysfs subsystem could cause the kernel to hang when
removing a SCSI target.  A local user with the ability to remove a SCSI
target could use this flaw to cause a denial-of-service.


* Integer overflow in ext4 buffer allocation.

An integer overflow in ext4 could cause access to invalid memory regions
not owned by the filesystem, possibly corrupting them.


* Data corruption on ext4 filesystem when moving data to a donor file.

A flaw in the ext4 filesystem when moving data to a donor file could lead
to data corruption.


* Memory leak in the ALSA audio driver on concurrent writes to the sequencer device.

Incorrect locking in the ALSA audio sequencer could lead to a memory leak
on concurrent writes to the sequencer device.  A local user with write
access to the sequencer device could use this flaw to exhaust the memory on
the system.


* Memory corruption in QXL virtual GPU ioctls.

An integer overflow in the QXL virtual GPU can allow a local user to
cause kernel memory corruption via ioctls.


* Kernel crash when handling vmalloc page faults on large pages.

A wrong assumption in the vmalloc fault handler causes the kernel to crash
when handling vmalloc ranges larger than 512GB.  A local user with the
ability to ioremap() pages could use this flaw to cause a
denial-of-service.


* Kernel deadlock in ALSA sound driver when handling pulse code modulation.

Incorrect locking in the ALSA sound driver when handling non-atomic PCM
streams could lead to a deadlock.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Memory leak in device mapper when requeuing requests.

Incorrect reference counting in the device mapper subsystem can trigger
a memory leak and subsequent kernel panic when failing to requeue
requests.


* Memory corruption when parsing numbers from NFS requests.

The kernel NFS server does not correctly parse hex strings from
userspace which can trigger kernel memory corruption.


* Kernel panic when handling signals under Intel MPX.

An out-of-bounds read can be triggered when handling signals under Intel
Memory Protection Extensions which can trigger a kernel panic.


* Deadlock in OCFS2 when failing to delete inode.

Incorrect locking when failing to delete an inode from a OCFS2
filesystem can trigger a deadlock and kernel panic.


* Kernel panic when failing to open file.

The generic VFS subsystem does not validate the status of filesystem
operations which can trigger a kernel panic.


* Kernel panic when parsing filenames.

A logic error in the generic filesystem subsystem can trigger a NULL
pointer dereference and kernel panic when parsing a filename.


* Kernel panic when following symlinks.

A race condition in the generic VFS subsystem can trigger a kernel panic
when following symlinks on a filesystem.


* Kernel panic when starting fastopen TCP connections.

The kernel TCP stack does not correctly handle starting fastopen
connections which can trigger a NULL pointer deference and kernel panic.


* Memory leak when reading from AF_UNIX socket.

Incorrect reference counting when reading from AF_UNIX can trigger a
memory leak when a signal is delivered to a process.


* CVE-2016-2383: Arbitrary read in eBPF when adjusting backwards jumps offset.

A logic error in the kernel BPF verifier when adjusting backwards jumps
offset allows attackers to read arbitrary kernel memory.  A local attacker
could use this flaw to elevate privileges.


* Memory leak when sending IPv4 data with ancillary data.

The kernel IPv4 stack does not free ancillary data when failing to send
IPv4 data which causes a kernel memory leak.


* Kernel crash when remapping file pages of a removed IPC ID.

A race condition in the shared memory subsystem could lead to accessing
invalid pointers when remapping file pages of a removed IPC ID.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Use-after-free when processing switchdev events.

Incorrect locking in the switchdev subsystem can trigger a
use-after-free condition and kernel panic when processing events from a
switchdev device.


* SMAP bypass in 32bit compatibility syscall handler.

The 32bit compatibility syscall does not disable the Access Control flag
when entering kernel-mode which can allow kernel code to incorrectly
access user-mode data.


* Deadlock when cloning duplicate extents on btrfs volume.

Incorrect locking in the btrfs filesystem driver can cause a deadlock
and kernel panic when cloning file-extents which are not unique.


* Kernel panic when closing Philips SAA7134 devices.

The Philips SAA7134 TV card driver does not correctly free memory when
closing a device which can lead to a NULL pointer dereference and kernel
panic.


* Privilege escalation when chowning files on overlayfs mount.

The overlayfs filesystem driver does not update filesystem metadata when
changing file ownership which could allow a local user to access
privileged files and gain escalated privileges.


* Information leak in netfilter batch netlink message processing.

The netfilter netlink interface does not correctly handle batch messages
with invalid lengths which can cause the contents of kernel memory to be
leaked to userspace. A local user with CAP_NET_ADMIN could potentially
escalate privileges.


* Data loss in ext4 with concurrent direct IO operations.

The ext4 filesystem driver does not correctly handle multiple direct IO
operations on the same file which can lead to data loss.


* Kernel panic in resource tracking for Mellanox Ethernet devices.

The resource counting feature for Mellanox Ethernet devices does not
handle an unknown resource counter which can trigger a NULL pointer
dereference and kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.