[Ksplice][Ubuntu-15.10-Updates] New updates available via Ksplice (USN-3003-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jun 15 17:20:07 PDT 2016


Synopsis: USN-3003-1 can now be patched using Ksplice
CVEs: CVE-2016-1583 CVE-2016-2117 CVE-2016-2187 CVE-2016-3672 CVE-2016-3955 CVE-2016-3961 CVE-2016-4485 CVE-2016-4486 CVE-2016-4565 CVE-2016-4581

Systems running Ubuntu 15.10 Wily can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-3003-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.10 Wily
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
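The two installation paths above can be combined into one idempotent check, added here as an example and not part of Ksplice's own tooling. It assumes /etc/uptrack/uptrack.conf uses "key = value" lines with "#" comments, and that /usr/sbin/uptrack-upgrade is the command shown above; UPTRACK_UPGRADE is a hypothetical override for dry runs.

```shell
#!/bin/sh
# Added example: decide whether a manual "uptrack-upgrade -y" run is needed
# by reading the autoinstall setting from an uptrack.conf-style file.

# Print the effective value of a key (last occurrence wins), lower-cased,
# ignoring comments, blank lines and surrounding whitespace.
# Exit status 1 when the file is unreadable or the key is absent.
uptrack_conf_get() {
    conf="$1"; key="$2"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*$//' "$conf" \
      | awk -F= -v k="$key" '
          NF >= 2 {
              name = $1
              gsub(/^[ \t]+|[ \t]+$/, "", name)
              if (name != k) next
              v = substr($0, index($0, "=") + 1)
              gsub(/^[ \t]+|[ \t]+$/, "", v)
              val = tolower(v)
          }
          END { if (val == "") exit 1; print val }'
}

# Return 0 when "autoinstall = yes" is in effect (Ksplice will apply the
# updates on its own), 1 otherwise (including a missing or malformed key).
uptrack_autoinstall_enabled() {
    [ "$(uptrack_conf_get "$1" autoinstall)" = "yes" ]
}

# Apply the updates only when they will not be installed automatically.
# UPTRACK_UPGRADE (hypothetical) can be set to "echo" for a dry run.
uptrack_apply_if_needed() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if uptrack_autoinstall_enabled "$conf"; then
        echo "autoinstall = yes in $conf; no action needed"
        return 0
    fi
    "${UPTRACK_UPGRADE:-/usr/sbin/uptrack-upgrade}" -y
}
```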


DESCRIPTION

* Use-after-free in USB networking device probe failure.

Incorrect error handling when registering a USB networking device could
result in a use-after-free condition and kernel crash.


* CVE-2016-3955: Privilege escalation in IP over USB driver.

Missing user supplied input validation could result in an out-of-bounds
write allowing a local user to crash the system or potentially escalate
privileges.


* CVE-2016-3672: ASLR bypass on 32-bit processes.

Enabling an unlimited stack size would completely disable ASLR for
processes with the limit applied.  A local user could use this flaw to
reduce the security of a setuid/setgid application.


* CVE-2016-2187: Denial of service in GTCO CallComp/InterWrite USB descriptor parsing.

A logic error in the GTCO CallComp/InterWrite USB driver can allow a
malformed USB descriptor with zero endpoints to trigger a NULL pointer
dereference and kernel panic.


* Infinite loop when calculating the IP checksum on destination link failure.

Lack of proper memory zeroing in case of destination link failure could
lead to an infinite loop when calculating IP checksums.


* Use-after-free when decrypting a packet after the netdevice was unregistered.

Asynchronous decryptions of packets on the netdevice receive queue were not
properly taking a reference on the netdevice, potentially leading to a
use-after-free if the netdevice is unregistered after queueing such packets
for decryption.


* Kernel BUG when sending a UDP over IPv6 longer than the MTU.

Failure to account for the space needed for the extension headers when
sending a UDP message over IPv6 when the packet is longer than the MTU
leads to a kernel BUG.  A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Memory corruption when inserting data into associative arrays.

A logic error in the generic associative array module can trigger an
out-of-bounds read when inserting a new member. This can be triggered,
for example, by inserting a new cryptographic key into the kernel's
keyring.


* Use after free when disabling a USB XHCI device.

A logic error in the USB XHCI driver can trigger a use-after-free and
kernel panic when disabling a XHCI device multiple times.


* Memory corruption when probing USB Host Controller devices.

A logic error in the Host Controller driver (HCD) can trigger memory
corruption and kernel panic when an HCD device has an invalid companion
device.


* Kernel panic when completing SHA1 multibuffer operations.

A logic error in the cryptographic subsystem handling multibuffer
operations can trigger a use-after-free and kernel panic.


* Information leak in AMD cryptographic coprocessor support.

The AMD cryptographic coprocessor driver does not correctly handle
memory when exporting the state of SHA1 operations which can cause the
contents of the kernel stack to be leaked to userspace.


* Use after free when using asynchronous IO on USB gadget device.

A logic error in the USB gadget driver can trigger a use-after-free and
kernel panic when completing an asynchronous read or write to a device.


* Deadlock in Digigram PCXHR ALSA IRQs.

Incorrect locking in the PCXHR IRQ handler can trigger a deadlock and
kernel panic when handling interrupts from a Digigram PCXHR device.


* Kernel panic when handling unvalidated ports in kernel DRM subsystem.

The kernel DRM driver does not validate ports which are passed from
userspace which can trigger a use-after-free and kernel panic when
handling DRM ioctls.


* Memory corruption when mapping buffer objects from userspace.

Missing validation when mapping buffer objects from userspace can allow
malicious local users to corrupt kernel memory and escalate privileges.


* CVE-2016-2117: Information leak in Atheros ATL2 transmission.

The Atheros ATL2 driver advertised features that weren't supported by
the hardware and this could result in a buffer overflow, leaking the
contents of kernel memory into transmitted packets.


* CVE-2016-4485: Information leak in LLC message processing.

The Logical Link Layer networking driver does not initialize memory when
processing ancillary data requests to an LLC socket, which leaks the
contents of kernel memory to userspace. A local user could use this flaw
to infer the layout of kernel memory.


* CVE-2016-4486: Information leak in routing netlink interface.

The netlink interface for querying network routing information does not
initialize memory which leaks the contents of kernel memory to userspace.
A local user could use this flaw to infer the layout of kernel memory.


* Kernel panic when parsing EFI variables.

Incorrect parsing logic can trigger an out-of-bounds read and kernel
panic when reading or writing to EFI variables.


* Kernel panic when using madvise on a hugepage mapping.

The kernel hugepage subsystem does not correctly handle calling madvise
on certain hugepage mappings, which can trigger a bogus BUG_ON and kernel
panic.


* CVE-2016-4581: Denial-of-service in slave mount propagation.

Incorrect handling of mount propagation could result in a NULL pointer
dereference.  A local, unprivileged user could use this flaw to crash
the system.


* Kernel panic when displaying dynamic audio power information.

The sysfs interface for displaying dynamic audio power information to
userspace can trigger a NULL pointer dereference and kernel panic when a
system has a dummy component.


* CVE-2016-4565: Privilege escalation in Infiniband ioctl.

The Infiniband ioctl interface does not correctly validate parameters
from userspace which can allow local users to corrupt kernel memory and
escalate privileges.


* CVE-2016-3961: Xen PV guest crash when using HugeTLBFS.

HugeTLBFS is not supported on Xen PV guests and leads to a kernel crash
when an application tries to mmap() a Huge TLB.  A local user with the
ability to mmap() Huge TLB pages in a Xen PV guest can cause a
denial-of-service of the guest.


* Information leak in mclist netlink attribute.

The netlink interface for querying the mclist attribute does not
initialize memory which leaks the contents of kernel memory to
userspace. A local user could use this flaw to infer the layout of
kernel memory.


* Kernel panic in remap_file_pages syscall.

Incorrect reference counting in the remap_file_pages syscall can trigger
a use after free condition and kernel panic. A local user can use this
flaw to trigger a kernel panic and possibly escalate privileges.


* NULL pointer dereference in AK8975 Magnetometer interrupt handler.

A NULL pointer dereference can occur in the Asahi Kasei AK8975 3-Axis
Magnetometer interrupt handler if an interrupt occurs during device
initialization, leading to a kernel crash.


* Memory leak when creating handle to GEM object.

Incorrect reference counting when creating a handle to a Graphics
Execution Manager (GEM) object can trigger a kernel memory leak and
possible kernel panic.


* Memory leak in IEEE 802.11 interface management.

The kernel IEEE 802.11 driver does not correctly free memory when
adding a new interface which can lead to a memory leak and possible
kernel panic.


* Use after free in AMD Radeon metadata management.

A logic error when freeing buffer object metadata can trigger a use
after free condition and kernel panic.


* Use after free when updating BATMAN routing information.

A logic error when updating the routing information of a BATMAN mesh
network can lead to a reference count imbalance and use after free and
kernel panic.


* Kernel panic when processing VLAN traffic over a BATMAN interface.

The BATMAN mesh networking driver does not correctly account for VLAN
headers when processing Ethernet traffic, which can lead to an
out-of-bounds read and kernel panic.


* Kernel information leak in Chelsio iSCSI IPv6 route information.

The Chelsio iSCSI IPv6 route lookup does not initialize memory which leaks
the contents of kernel memory to userspace. A local user could use this flaw
to infer the layout of kernel memory.


* Kernel panic in Chelsio T4 RDMA queue management.

The management of queues for Chelsio T4 iWARP/RDMA devices is incorrect
and can lead to a kernel panic when processing doorbell operations.


* Use-after-free in i915 video driver under memory pressure.

Incorrect locking in the i915 video driver can result in dereferencing
an invalid pointer and a kernel crash when under memory pressure.


* Data corruption in openvswitch IPv6 checksum recalculation.

An incorrect flag check prior to recalculating IPv6 checksums in
openvswitch may result in the recalculation being skipped.


* CVE-2016-1583: Privilege escalation in eCryptfs.

eCryptfs was incorrectly trying to use the mmap() file operation on a lower
filesystem that may not support it.  A local, unprivileged user could use
this flaw to cause a denial-of-service through recursive faults or
potentially escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
