[Ksplice][Ubuntu-15.10-Updates] New updates available via Ksplice (USN-2971-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue May 10 10:15:10 PDT 2016


Synopsis: USN-2971-1 can now be patched using Ksplice
CVEs: CVE-2015-7515 CVE-2016-2184 CVE-2016-2185 CVE-2016-2186 CVE-2016-2188 CVE-2016-3136 CVE-2016-3137 CVE-2016-3138 CVE-2016-3140 CVE-2016-3157 CVE-2016-3689 CVE-2016-3951

Systems running Ubuntu 15.10 Wily can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-2971-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.10 Wily
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel panic when using receive aggregation on WiFi.

Use of uninitialised values in the WiFi stack when using RX aggregation
could lead to a kernel crash.


* Information leak in the ATA 32-bit compat ioctl.

A logic error in the ATA 32-bit compat ioctl could lead to writing 3 bytes
of uninitialized stack content to userspace.  An attacker could use this
flaw to gain information about the running kernel.


* Kernel deadlock in JFFS2 filesystem when writing.

Incorrect lock ordering when writing to a JFFS2 filesystem could lead to
deadlocks.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Memory corruption when removing a Geschwister Schneider USB/CAN device.

Invalid usage of kfree() on a pointer that is reference counted leads to
use-after-free and memory corruptions when removing a Geschwister Schneider
USB/CAN device.  An attacker with physical access could use this flaw to
cause a denial-of-service.


* Out of bounds memory access on reading a file from an SMB server.

Missing input validation when parsing the lease state from a Server Message
Block (SMB) Create response could lead to an out of bounds memory read and
kernel crash.  A local, unprivileged user or a rogue SMB server could use
this flaw to cause a denial-of-service.


* Kernel hang when the function graph tracer is enabled on suspend.

The function graph tracer gets inconsistent call return information in the
low level ACPI suspend code, leading to a kernel hang.


* Heap overflow in the Unsorted Block Images (UBI) layer on volume update.

A flaw in the UBI code causes a heap structure to be allocated with too few
bytes, leading to a write overflow when updating the volume.  A local,
unprivileged user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* Use-after-free in the generic Target Core Module (TCM) on completed commands.

An extra reference count was dropped when aborting an already completed
command, leading to use-after-free and memory corruption.


* NULL pointer dereference in NCP filesystem under memory pressure.

A logic error on failure to allocate a new inode in the NCP filesystem
leads to a NULL pointer dereference and kernel panic.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Denial-of-service in JFFS2 when recovering a rename that failed halfway through.

A logic error in the JFFS2 journalling driver could lead to a kernel panic
when recovering a rename that failed halfway through.


* Information leak to KVM guests when the host is using PEBS tracing.

KVM hosts using Intel Precise Events Based Sampling (PEBS) could have their
PEBS tracing record written to a KVM guest under certain circumstances.  An
attacker with full control of a KVM kernel guest could use this flaw to get
information about the KVM host kernel.


* CVE-2016-3951: Use-after-free in USB networking bind failure.

A race condition between probing a USB network device and error handling
could result in a use-after-free condition and kernel crash.


* Use-after-free in FUSE filesystems with direct, asynchronous I/O.

Incorrect handling of synchronous files could result in a use-after-free
condition.  A local, unprivileged user could use this flaw to crash the
system or, potentially, escalate privileges.


* CVE-2016-2188: Denial of service in IO Warrior USB descriptor parsing.

A logic error in the IO Warrior USB driver can allow a malformed USB
descriptor with zero endpoints to trigger a NULL pointer dereference and
kernel panic.


* CVE-2016-2184: Denial of service in ALSA USB audio descriptor parsing.

A logic error in the ALSA USB audio driver can allow a malformed USB
descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.


* NULL pointer dereference in TTY line discipline reception.

A missing NULL pointer check could result in a NULL pointer dereference
when receiving a buffer under specific conditions.


* Use-after-free in infrared terminal (IrTTY) opening.

Use of a stale pointer when opening an IrTTY device could result in a
use-after-free condition and subsequent kernel crash.  A local user with
access to the IrTTY device could use this flaw to crash the system.


* Kernel stack corruption in Intel Management Engine Interface transfers.

Performing transfers before the MEI device was enabled could result in
stack corruption during link reset and a subsequent kernel crash.


* NULL pointer dereference in InfiniBand SCSI RDMA Protocol (SRP) Target.

Missing SRP targets could result in a NULL pointer dereference and
subsequent kernel crash under specific conditions.


* Denial-of-service in NFS server buffer decoding.

Integer overflows in the NFS buffer decoding operations could result in
out-of-bounds accesses and a kernel crash.  A malicious client could use
this flaw to crash the system.


* Kernel crash in disk quota initialization.

Missing array initialization could result in dereferencing an invalid
pointer and a kernel crash when quota initialization for an inode hit an
error.


* Permissions bypass in nvdimm ioctl()s.

Incorrect handling of ioctl() numbers could result in allowing write
operations to a dimmctl or ndctl device that was opened in read-only
mode.


* Kernel crash in block cache device initialization.

A race between initializing a block cache device and the writeback
thread could result in triggering a kernel assertion and crashing the
system.


* NULL pointer dereference in block cache registration failure.

Allocation failures whilst creating a block cache device could result in
a NULL pointer dereference and kernel crash when the system was under
memory pressure.


* Journalling filesystem corruption on unmount under memory pressure.

Unmounting a filesystem under memory pressure could result in journal
corruption on a subsequent remount.


* Denial-of-service in device mapper snapshot devices.

Creating a device mapper snapshot device where the copy-on-write and
origin devices used the same device would result in a NULL pointer
dereference and kernel crash.


* Heap buffer overflow in Bluetooth Add Advertising command handler.

Missing bounds checks could result in a heap buffer overflow when
performing an Add Advertising operation.  A local user with permissions
to perform Bluetooth management operations could use this flaw to
escalate privileges or crash the system.


* NULL pointer dereference in request-based device mapper devices.

Incorrect ordering in request queuing could result in a NULL pointer
dereference and kernel crash under specific conditions.


* Heap overflow in I2C USB HID reporting.

Missing bounds checks could result in a heap overflow when setting or
sending a report.  A local user with access to the device could use this
flaw to crash the system or, potentially, escalate privileges.


* Denial-of-service in NFS secinfo+readdir operations.

Incorrect locking could allow a malicious client to deadlock the system
with unexpected compound operations.


* Denial-of-service in pipe splicing with no pages.

Splicing from a pipe with no pages could result in a NULL pointer
dereference and kernel crash.  Under specific conditions a local user
could use this flaw to crash the system.


* Use-after-free in writeback operations.

Incorrect reference counting could result in a use-after-free during
writeback operations.  Under specific conditions this could result in a
kernel crash.


* Denial-of-service in KVM VCPU creation.

Incorrect error handling could result in an integer overflow, allowing a
user with permission to create virtual CPUs to trigger a kernel
assertion and crash the system.


* Denial-of-service in coredump writing.

Under specific conditions, the kernel could write corefiles for SUID
processes into a user-controlled directory.  This flaw could be used to
exhaust disk space and trigger a denial-of-service.


* Kernel hang in OCFS2 Distributed Lock Manager convert and recovery operations.

A race condition between convert and recovery operations could result in
a system hang under specific conditions.


* Kernel crash in OCFS2 Distributed Lock Manager during master loss.

A race condition when the DLM master went down could result in
triggering a kernel assertion and crashing the system under specific
conditions.


* CVE-2016-3157: Xen I/O port access privilege escalation in x86-64.

User-mode processes that should not be able to access I/O ports may be
granted that permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (denial of service), or
in-guest information leaks.


* Divide-by-zero in the ALSA RME Hammerfall audio driver.

A lack of data validation in the system sample rate code of the RME
Hammerfall audio driver could lead to a division-by-zero and kernel crash.


* Possible frame injection on encrypted WiFi using Galois/Counter Mode Protocol.

A failure to discard a fragment whose packet number was not exactly one
greater than the previous fragment's in the GCMP protocol could allow frame
injection.  A remote attacker within radio range of an encrypted WiFi
network could potentially use this flaw to inject frames.


* Denial-of-service when running KVM guest with Extended Page Table disabled.

KVM guests with Extended Page Table (EPT) disabled could trigger a
continuous stream of faults, effectively causing a denial-of-service of the
host.


* Denial-of-service in KVM invept instruction emulation.

Incorrect handling of an invalid invept instruction could
result in a kernel hang.  A local user could use this flaw to crash the
system.


* CVE-2016-3140: Denial of service in Digi AccelePort USB descriptor parsing.

A logic error in the Digi AccelePort USB driver can allow a malformed
USB descriptor with missing endpoints to trigger a NULL pointer
dereference and kernel panic.


* CVE-2016-3136: Denial of service in MCT Serial USB descriptor parsing.

A logic error in the MCT Single Port Serial driver can allow a malformed
USB descriptor with missing ports to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-3137: Denial of service in USB Cypress M8 descriptor parsing.

A logic error in the Cypress M8 device driver can allow a malformed USB
descriptor with missing endpoints to trigger a NULL pointer dereference
and kernel panic.


* Denial of service in generic USB interface management.

A malformed USB descriptor can trigger a NULL pointer dereference and
kernel panic when the generic USB driver claims interfaces.


* CVE-2016-3689: Denial of service in IMS PCU USB descriptor parsing.

A logic error in the IMS PCU USB driver can allow a malformed USB
descriptor with missing interfaces to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-2185: Denial of service in ATI/Philips USB RF remote descriptor parsing.

A logic error in the ATI/Philips USB RF remote driver can allow a
malformed USB descriptor to trigger a NULL pointer dereference and
kernel panic.


* CVE-2016-3138: Denial of service in CDC ACM USB descriptor parsing.

A logic error in the CDC ACM USB driver can allow a malformed USB
descriptor with an incorrect number of interfaces to trigger a NULL
pointer dereference and kernel panic.


* CVE-2016-2186: Denial of service in Griffin PowerMate USB descriptor parsing.

A logic error in the Griffin PowerMate USB driver can allow a malformed
USB descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.


* CVE-2015-7515: Denial-of-service in the aiptek USB driver.

A flaw in the aiptek USB tablet driver could lead to an out-of-bounds
memory access when the interface has no endpoints.  An attacker with
physical access could use a specially crafted USB device to cause a
denial-of-service.
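
The USB descriptor-parsing entries above (CVE-2016-2188, CVE-2016-2184,
CVE-2016-3140, CVE-2016-3136, CVE-2016-3137, CVE-2016-3689, CVE-2016-2185,
CVE-2016-3138, CVE-2016-2186 and CVE-2015-7515) share one root cause: a
probe routine that indexes the interface's endpoint array without first
checking the endpoint count the descriptor reports.  The following added
example is not Ksplice or kernel code; it models that check in user-space C.
The struct and field names mimic the kernel's USB descriptor fields but are
simplified assumptions, the -ENODEV return value is one of the conventions
the upstream fixes use, and the descriptors are constructed, not captured
from real devices.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_INT      0x03

/* Simplified model of the descriptor fields a probe() routine reads. */
struct endpoint_desc {
    uint8_t  bEndpointAddress;
    uint8_t  bmAttributes;
    uint16_t wMaxPacketSize;
};

struct interface_desc {
    uint8_t bNumEndpoints;
    const struct endpoint_desc *endpoint; /* empty (NULL) when count is 0 */
};

/* The pattern the advisory describes: endpoint[0] is read on the assumption
 * that the device reports at least one endpoint.  A descriptor with
 * bNumEndpoints == 0 makes this a NULL dereference; do not call it on
 * untrusted descriptors, it is here only to show the defect. */
int probe_unchecked(const struct interface_desc *iface)
{
    return iface->endpoint[0].wMaxPacketSize;
}

/* Hardened form: reject the interface unless it reports the endpoint the
 * driver needs and that endpoint has the expected direction and type.
 * Returns the endpoint's max packet size, or -ENODEV on a malformed descriptor. */
int probe_checked(const struct interface_desc *iface)
{
    if (iface->bNumEndpoints < 1 || iface->endpoint == NULL)
        return -ENODEV;
    const struct endpoint_desc *ep = &iface->endpoint[0];
    if (!(ep->bEndpointAddress & USB_DIR_IN) ||
        (ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) != USB_ENDPOINT_XFER_INT)
        return -ENODEV;
    return ep->wMaxPacketSize;
}

/* Constructed descriptors: a well-formed interrupt-IN interface, one that
 * reports zero endpoints, and one whose only endpoint is bulk-OUT. */
static const struct endpoint_desc int_in_ep  = { 0x81, USB_ENDPOINT_XFER_INT, 8 };
static const struct endpoint_desc bulk_out_ep = { 0x02, 0x02, 64 };
const struct interface_desc good_iface      = { 1, &int_in_ep };
const struct interface_desc malformed_iface = { 0, NULL };
const struct interface_desc wrong_type_iface = { 1, &bulk_out_ep };

int main(void)
{
    printf("good: %d, malformed: %d, wrong type: %d\n",
           probe_checked(&good_iface), probe_checked(&malformed_iface),
           probe_checked(&wrong_type_iface));
    return 0;
}
```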


* Filesystem corruption in EXT4 extent moving.

A missing update of the buffer head could result in filesystem
corruption when moving extent data.


* Denial-of-service in PPP interface creation failure.

Imbalanced locking when PPP interface creation failed could result in a
permanently held lock and failure to create future interfaces.


* NULL pointer dereference in Mellanox MLX5 configuration failure.

Incorrect error handling when closing a device that had incomplete
configuration could result in a NULL pointer dereference and kernel
crash.


* Denial-of-service in 802.11 interface stopping.

Missing locking could result in memory corruption and dereferencing an
invalid pointer.  A local, privileged user could use this flaw to crash
the system.


* Denial-of-service in recvmmsg() error handling.

Incorrect reference counting could result in a use-after-free in the
recvmmsg() system call.  A local, unprivileged user could use this flaw
to trigger a denial-of-service.


* Denial-of-service in SUNRPC cache management.

Incorrect error handling could result in a reference count imbalance of
the SUNRPC cache object, triggering either a resource leak, or
potentially, a use-after-free.


* Use-after-free in PPP ioctl() handling.

Incorrect locking in the PPP ioctl handler could result in dereferencing
an invalid pointer and a kernel crash.  A local user with access to the
PPP device could use this flaw to crash the system.


* Use-after-free in Maxim MAX1111 ADC channel read.

Incorrect clearing of the MAX1111 global pointer on removal could result
in a use-after-free and kernel crash.  A local, privileged user could
use this flaw to crash the system.


* Kernel crash in ALSA timer arming.

Incorrect use of the timer API could result in triggering a kernel
assertion when rearming the ALSA system timer.


* Kernel crash in NUMA page migration.

Incorrect handling of NUMA nodes could result in a kernel crash when
allocating memory during page isolation.


* BTRFS filesystem data loss during fsync() after rename and inode creation.

Renaming a file on a BTRFS filesystem followed by creation of a new
inode with the same name could result in data loss if the filesystem is
uncleanly unmounted.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
