[Ksplice][Ubuntu-15.10-Updates] New updates available via Ksplice (USN-2908-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Feb 25 02:37:17 PST 2016


Synopsis: USN-2908-1 can now be patched using Ksplice
CVEs: CVE-2013-4312 CVE-2015-1575 CVE-2015-1576 CVE-2015-8785 CVE-2016-2069 CVE-2016-2383

Systems running Ubuntu 15.10 Wily can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-2908-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.10 Wily
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Corrupted root FAT filesystem directory causes readdir to never terminate.

A corrupted root directory could cause fat_get_entry() to fail without
progress being reported to the VFS. As a result, userspace never sees the
end of the directory, causing e.g. 'ls' to hang in a loop.


* Use after free and memory leak in ipvlan.

Incorrect memory management in the ipvlan subsystem could cause a packet
data memory leak or a use-after-free condition.


* Memory leak when receiving frames in MAC-VLAN virtual interface driver.

In certain circumstances, receiving a frame through the MAC-VLAN
virtual network interface driver could cause the memory used for the
frame to be leaked. A malicious local user could potentially abuse
this to cause denial of service.


* Out-of-bounds read in Mac partition table parser.

Due to missing input validation in the Mac partition table parser, a
corrupted partition table could cause a buffer overflow. A malicious
local user could use this to crash the kernel or potentially escalate
privileges.


* Symlink corruption in SysV filesystem.

Incorrect handling of inline symlinks in the SysV filesystem driver could
cause corruption in userspace applications, or an information leak where
data that should not be accessible to userspace applications becomes
exposed.


* Denial of service in sendfile() system call.

Due to a missing check for pending signals, a malicious call to
sendfile() by a regular userspace process could cause the system
call to hang for a long time. This could tie up resources and thus
cause denial of service.


* Softlockups and RCU stalls in sendfile() system call.

Due to missing scheduling points in sendfile(), attempting to send large
amounts of memory between certain types of file descriptors could cause the
kernel to get tied up, causing a denial of service.


* Improved fix to denial-of-service in PCI numa_node sysfs attribute.

Missing range checks could result in an out-of-bounds access when
writing to the numa_node override attribute of a PCI device, triggering a
kernel crash or possibly allowing privilege escalation. The original
version of this update did not check for negative numbers.


* Memory leak in Bluetooth Security Manager Protocol.

The Bluetooth Security Manager Protocol driver incorrectly handles a
reference to the Bluetooth L2CAP channel, causing a memory leak.


* Timing leak in GCM and CCM decryption and ESP ICV verification.

Using a non-constant-time memcmp() makes verification of the authentication
tag in the decrypt path vulnerable to timing attacks.
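As an added illustration of the timing leak described above (this is example code, not Ksplice's or the kernel's), the following C contrasts an early-exit byte comparison with a constant-time one in the style of the kernel's crypto_memneq(); the "steps" counters and the sample tags are assumed instrumentation and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_LEN 16  /* GCM/CCM authentication tag length in bytes */

/* Early-exit comparison in the style of memcmp(): it stops at the first
 * mismatching byte, so the number of bytes touched (and the runtime)
 * depends on where a caller-supplied tag first differs from the real one.
 * "steps" is assumed instrumentation recording how many bytes were read. */
int early_exit_neq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Constant-time comparison in the style of the kernel's crypto_memneq():
 * OR together the XOR of every byte pair, never branch on the data, and
 * always read all n bytes. Returns 0 if equal, 1 otherwise. */
int ct_memneq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* Collapse any nonzero byte to 1 without a data-dependent branch. */
    return (diff | (uint8_t)-diff) >> 7;
}

/* Tag check a decrypt path should use: 1 if the received tag matches. */
int verify_tag(const uint8_t expected[TAG_LEN], const uint8_t received[TAG_LEN])
{
    size_t unused;
    return ct_memneq(expected, received, TAG_LEN, &unused) == 0;
}

/* Constructed sample: a correct tag plus two forged tags that differ from it
 * in byte 0 and byte 15 respectively. Fills out[0..1] with the bytes read by
 * the early-exit compare and out[2..3] with the bytes read by the
 * constant-time compare for the two forgeries. */
void demo_steps(size_t out[4])
{
    uint8_t good[TAG_LEN], first_diff[TAG_LEN], last_diff[TAG_LEN];
    for (size_t i = 0; i < TAG_LEN; i++)
        good[i] = (uint8_t)(0xA5 ^ i);          /* arbitrary constructed tag */
    memcpy(first_diff, good, TAG_LEN);
    memcpy(last_diff, good, TAG_LEN);
    first_diff[0] ^= 0x01;
    last_diff[TAG_LEN - 1] ^= 0x01;

    early_exit_neq(good, first_diff, TAG_LEN, &out[0]);  /* 1: leaks position */
    early_exit_neq(good, last_diff, TAG_LEN, &out[1]);   /* 16 */
    ct_memneq(good, first_diff, TAG_LEN, &out[2]);       /* 16: no dependence */
    ct_memneq(good, last_diff, TAG_LEN, &out[3]);        /* 16 */
}
```

The step counts stand in for wall-clock time: a byte count that varies with the forged tag is exactly what a timing attacker measures.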


* Use-after-free when opening X.25 async driver TTY.

A logic error in the X.25 async driver could result in a use-after-free
when opening the TTY device. A malicious local user with sufficient
permissions could potentially use this to crash the kernel or escalate
privileges.


* Multicast group exhaustion in IPv4 IGMP driver.

In certain circumstances, hot-unplugging an interface that has joined
an IPv4 IGMP multicast group would cause the stale group entry to remain
in memory. This entry is counted against the igmp_max_memberships sysctl
and could prevent new groups from being joined. A malicious local user
with the ability to hot-unplug interfaces could use this to cause denial
of service.


* CVE-2015-8785: Infinite loop when submitting invalid io vectors to FUSE filesystem.

Due to a logic error in the io vector handling during FUSE filesystem
write operations, a malicious local user with access to the filesystem
could cause the kernel to enter an infinite loop.


* Untimely page reclaim when truncating files in Ext4/OCFS2 filesystems.

When an Ext4/OCFS2 filesystem is mounted with data=journal mode,
truncating a file can cause the pages belonging to that file to remain
in memory for a long time, potentially tying up resources for other
users.


* Kernel hang in TTM memory manager.

A read/write-lock locking imbalance in the TTM manager could cause the
kernel to hang indefinitely.


* NULL pointer dereference when disconnecting a USB 3.0 mass storage device in transporting state.

A missing NULL pointer check when disabling the low power mode of a USB
3.0 mass storage device could lead to a NULL pointer dereference when
disconnecting the device while it is in transporting state.  A local,
unprivileged user with physical access could use this flaw to cause a
denial-of-service.


* Kernel crash in Wireless USB Host Controller Interface (WHCI) driver.

A missing error check when setting up DMA mappings could cause the
kernel and/or hardware to attempt to access nonexistent memory and
subsequently crash.


* Memory leak in Multiple Devices (MD) persistent data driver.

In certain circumstances, a missing error check during btree splitting
could cause the MD persistent data driver to leak memory. A malicious
local user with sufficient privileges could use this to cause denial of
service.


* Crash in SCSI runtime power management.

A logic error in the handling of SCSI power management could lead to a
kernel crash when devices are manually put into low power mode. A local,
privileged user could use this flaw to cause a denial-of-service.


* Kernel crash in 9P filesystem driver.

Due to a logic error in the 9P filesystem driver, closing a device
node on a 9P filesystem which is open on another filesystem could
cause the kernel to crash. A malicious local user with access to a
9P filesystem could use this to cause denial of service.


* Data corruption during RAID and LVM metadata snapshot.

Improper locking while taking a metadata snapshot could cause out of
date data to be saved in the snapshot leading to data corruption.


* Buffer memory leaks in Multiple Devices (MD) persistent data driver.

In certain circumstances involving invalid metadata, a missing error
check could cause the MD persistent data driver to leak memory. A
malicious local user could possibly use this to cause denial of service.


* Kernel BUG during huge page table page fault handling.

A race between page migration/hardware poisoning and huge page handling
could cause an assertion failure. A malicious local user with access to
huge pages could use this to cause denial of service.


* Consume unprocessed events when a Xen CPU dies.

When a CPU is offlined, there may be unprocessed events on a port for
that CPU.  If the port is subsequently reused on a different CPU, it
could be in an unexpected state with the link bit set, resulting in
interrupts being missed. Fix this by consuming any unprocessed events
for a particular CPU when that CPU dies.


* Kernel panic when encrypting zero-length data.

The kernel crypto subsystem does not correctly handle encrypting
zero-length data which can lead to a kernel panic. A local, unprivileged
user could use this flaw to cause a denial of service.


* Use-after-free in WiFi/NFC RF switch subsystem after device rename.

The RF switch subsystem improperly handles the device name provided by
the WiFi and NFC drivers, causing a use-after-free when a device is
renamed.


* Multiple out-of-bounds memory accesses in SCSI enclosure support.

Multiple flaws in the SCSI enclosure support driver could lead to
out-of-bounds memory accesses and a kernel panic.  A local user could use
this flaw to cause a denial-of-service.


* Kernel crash in Wolfson 8974 audio codec probing.

A missing register map cache type could result in triggering a kernel
assertion when probing a Wolfson 8974 codec.


* NULL pointer dereference in the TTY line discipline when receiving data.

A missing check for NULL before calling the receive_buf function pointer on
a line discipline could lead to a NULL pointer dereference.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak in SPI stack when allocating master device.

A reference was taken on the wrong device when allocating a SPI master
device, leading to a memory leak.  A local user could use this flaw to
exhaust the memory on the system.


* Kernel panic in OCFS2 when extending size of filesystem.

A logic error in the OCFS2 filesystem driver can trigger an assertion
failure and kernel panic when extending the size of an existing
filesystem. A local user could use this flaw to trigger a
denial-of-service.


* Use-after-free when taking a reference on an IPv6 label.

A logic error in the IPv6 stack could lead to a use-after-free under
certain circumstances.  A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Denial-of-service in IPv6 stable_secret sysctl writing.

Missing initialization of a stack-stored string could result in an
out-of-bounds access and kernel crash when writing to the stable_secret
sysctl.  A privileged user could use this flaw to crash the system under
specific conditions.


* Use-after-free in ISDN Gigaset driver on device shutdown.

A logic error in the ISDN Gigaset device shutdown path could lead to a
use-after-free and kernel panic.


* Crash in MDIO Bus multiplexer driver under memory pressure.

Improper handling of memory allocation in the MDIO Bus multiplexer
driver may result in a crash when a memory allocation fails.


* Deadlock in oneshot interrupt handling.

Improper locking in one shot interrupt handling could result in a
deadlock on multi-core systems.


* Crash in Kernel tracing of printk_formats.

Improper handling of list indexes in the kernel tracing subsystem
causes a crash when iterating printk_formats. A local, privileged user
could use this flaw to cause a denial-of-service.


* Crash in DMA engine operations used by multiple drivers, including RAID5.

An improper memory allocation type in DMA engine operations used by
multiple drivers, including RAID5, may cause a kernel panic.


* Use-after-free in network destination cache removal.

A use-after-free when removing a network destination cache entry could
result in a kernel crash and denial-of-service.


* Denial-of-service in BTRFS device array reading.

Missing error handling could result in a kernel crash when reading the
system array.  A maliciously crafted filesystem image could be used to
crash the system.


* Memory corruption in Nouveau driver during connector hotplug.

Missing locking could result in memory corruption and subsequent
undefined behaviour when hotplugging a connector under specific
conditions.


* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.


* Denial-of-service in ALSA SNDRV_SEQ_IOCTL_REMOVE_EVENTS ioctl().

A missing NULL pointer check in the SNDRV_SEQ_IOCTL_REMOVE_EVENTS
ioctl() handler could result in a NULL pointer dereference and kernel
crash.  A local user with access to an ALSA device could use this flaw
to crash the system.


* Use-after-free in ALSA sequencer timers.

Multiple flaws could result in a use-after-free when adding and
removing timers in the ALSA sequencer.  A local user with access to the
device could use this flaw to crash the system, or potentially escalate
privileges.


* Denial-of-service in ALSA timer management.

Incorrect timer reprogramming in the ALSA subsystem could result in
deadlock.  A local user with access to the device could use this flaw to
cause a denial-of-service.


* Privilege escalation in ALSA compatibility ioctl().

Incorrect handling of compatibility data structures could result in a
heap buffer overflow.  A local user with access to the ALSA devices
could use this flaw to trigger a kernel crash or potentially, escalate
privileges.


* Denial-of-service in ALSA TLV controls.

Missing validation of user-supplied data could result in kernel warnings
being output to the kernel console.  A local user could use this flaw to
flood the kernel console, causing a denial-of-service.


* Use-after-free in Intel audio device removal.

Missing handling of deferred work during device removal could result in
a use-after-free.  A user with physical access to the device could use
this flaw to crash the system.


* Out-of-bounds access in SCTP cookie_hmac_alg sysctl writing.

Missing initialization of a stack-based string could result in an
unterminated read of the buffer.  Under specific conditions this could
trigger an out-of-bounds access and kernel crash.


* Use-after-free in IPv6 SYNACK retransmission.

Missing locking when retransmitting a SYNACK packet could result in a
use-after-free and kernel crash.  Under specific conditions, this could
result in a denial-of-service.


* Denial-of-service in SCTP protocol under memory pressure.

Failure to handle low memory conditions could result in a memory leak
and additional memory pressure on the system.  A malicious user could
use this flaw to crash the system under specific conditions.


* Denial-of-service in Connector callback implementation.

A reference counting imbalance of socket buffers could result in a
memory leak when processing Connector callbacks.  Under specific
conditions this could result in memory exhaustion and a system crash.


* CVE-2013-4312: Denial of service in unix sockets.

Due to incorrect resource accounting, a process could allocate and keep
open an arbitrary number of file descriptors, thus exceeding the limits
set for the process. A malicious local user could use this flaw to cause
denial of service.


* Privilege escalation in network bridge startup.

A local, unprivileged user could create a new network namespace which
would call /sbin/bridge-stp in the initial namespace.  Under specific
conditions this could result in networking failure or potentially in
conjunction with other flaws to escalate privileges.


* Denial-of-service in SO_NO_CHECK sockets.

Incorrect handling of checksum offload for SO_NO_CHECK sockets could
result in network device drivers accessing invalid memory addresses and
triggering a kernel crash.  A local, unprivileged user could use this
flaw to crash the system under specific conditions.


* NULL pointer dereference in PhoNet packet reception.

Incorrect handling of shared socket buffers could result in a NULL
pointer dereference and kernel crash when receiving PhoNet packets.


* CVE-2016-2383: Undefined behaviour in Berkeley Packet Filter constant shifts.

Missing validation of constant shifts in a BPF program could result in
undefined behaviour, depending on the system.


* Denial of service in nfs4 when truncated compound request received.

When a truncated compound request is received, uninitialized data is used
to process the request as if it had been fully received.


* Kernel panic after Machine Check Exception with offline CPU.

Intel's Machine Check Architecture broadcasts Machine Check Exceptions to
all CPUs, including offline ones. Offline CPUs will never successfully
complete the rendezvous process causing a kernel panic.


* Infinite loop in Aufs when sendfile() is interrupted.

Improper handling of EINTR in Aufs when sendfile() is interrupted
results in an infinite loop. A local user could use this flaw to cause a
denial-of-service.


* Memory leak when closing CUSE device.

Incorrect reference counting in the Character Device in Userspace (CUSE)
subsystem can trigger a kernel memory leak when a device is closed.


* Kernel panic in OCFS2 when committing data to jbd2 device.

An interaction between the OCFS2 filesystem and the jbd2 journalling
driver can trigger an assertion failure and kernel panic when committing
data to disk.


* Memory leak in RDMA over InfiniBand when creating targets.

The RDMA over InfiniBand subsystem does not correctly handle creating or
connecting to targets, which can lead to a reference imbalance and
subsequent memory leak.


* Denial of service in Topro USB Camera ioctl.

The Topro USB Camera driver does not correctly handle setting the
framerate to zero, which can trigger a divide-by-zero and kernel panic.


* Memory leak in Realtek USB Wireless adapter when receiving malformed frames.

The kernel driver for Realtek USB wireless adapters does not correctly
free memory when processing frames with incorrect checksums. A remote
attacker could trigger a denial-of-service by intentionally sending
frames with incorrect checksums.


* Denial-of-service when accepting userspace cryptographic sockets.

A logic error in the kernel cryptographic subsystem can allow an
unprivileged user to trigger a denial of service by calling accept(2) on
a PF_ALG socket before setting a cryptographic key.


* Use-after-free when failing to accept userspace cryptographic sockets.

A logic error in the kernel cryptographic subsystem can allow an
unprivileged user to trigger a use-after-free condition and kernel panic
when a call to accept(2) on a cryptographic socket fails.


* Memory corruption when processing multibyte unicode filenames on UDF.

The kernel UDF filesystem driver incorrectly manages memory when
converting multibyte unicode filenames on UDF filesystems, which can
trigger kernel memory corruption.


* Use-after-free in OCFS2 distributed lock manager.

Incorrect reference counting in the OCFS2 filesystem driver can trigger
a use-after-free and kernel panic when migrating a lock.


* Use-after-free when unregistering events in memory control group.

Incorrect locking in the memory control group subsystem (memcg) when
unregistering events can trigger a use-after-free condition and kernel
panic.


* Kernel panic in Atheros wireless driver HTC frame handling.

The kernel Atheros wireless driver does not correctly handle malformed
HTC frames, which can trigger kernel memory corruption. An unauthenticated
remote user can trigger this issue.


* Kernel panic when setting prctl MM values.

Incorrect locking when setting memory management settings via prctl can
trigger an assertion failure and kernel panic. A local user with
CAP_SYS_RESOURCE can trigger this issue.


* Kernel panic when soft-offlining memory.

Incorrect memory management when soft-offlining memory via
madvise(MADV_SOFT_OFFLINE) can trigger an assertion failure and kernel
panic.


* Memory leak in virtio balloon driver under memory pressure.

Incorrect locking in the virtio balloon driver can trigger a memory leak
when the system is under memory pressure, leading to a kernel panic and
denial of service.


* Memory leak when requeuing priority inversion futex.

A logic error in the kernel futex subsystem can trigger a memory leak
and subsequent kernel panic when failing to acquire a PI futex.


* Memory corruption when creating InfiniBand SRP send queue.

A logic error in the InfiniBand SCSI RDMA Protocol subsystem can trigger
memory corruption and a kernel panic when allocating memory for a send
queue.


* Denial-of-service when parsing UDF indirect extents.

A UDF disk image can trigger an infinite loop and denial of service
when parsing malformed indirect extents.


* Kernel panic in HyperV guest-to-host transport.

Missing pointer validation can trigger a NULL pointer dereference and
kernel panic when transferring data from the guest to host.


* Deadlock in NFS share exported from OCFS2 filesystem.

Incorrect locking can trigger a deadlock and kernel panic when OCFS2 is
used to export an NFS share.


* Information leak when reading directory entries on CIFS mount.

Incorrect memory management allows a local user to leak the contents of
kernel memory to debug logs when reading from a directory on a CIFS
mount.


* Use-after-free in virtio balloon driver during compaction.

A race condition in the virtio balloon driver can trigger a use after
free and kernel panic when memory compaction occurs.


* Kernel panic when removing directory from overlay filesystem.

A logic error in the overlay filesystem can trigger a kernel panic when
removing a directory which contains whiteouts from lower layers.


* Privilege escalation in overlayfs extended attributes.

A logic error in the overlay filesystem can allow unprivileged users to
set extended attributes on files which they don't have write access to.


* Memory corruption when sending data to userspace cryptographic socket.

A logic error in the kernel cryptographic socket subsystem can allow a
local user to trigger kernel memory corruption when sending data to a
cryptographic socket.


* CVE-2015-1575, CVE-2015-1576: Multiple permission bypasses on overlayfs mounts.

Overlayfs mounts did not correctly propagate file attributes when mounted
on top of a FUSE filesystem, and would also incorrectly propagate file
extended attributes (like POSIX ACLs) under certain circumstances.  A
local, unprivileged user could use these flaws to escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.