[Ksplice][Ubuntu-17.04-Updates] New Ksplice updates for Ubuntu 17.04 Zesty (USN-3314-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jun 7 03:33:36 PDT 2017


Synopsis: USN-3314-1 can now be patched using Ksplice
CVEs: CVE-2016-9604 CVE-2017-0605 CVE-2017-2671 CVE-2017-6951 CVE-2017-7472 CVE-2017-7618 CVE-2017-7645 CVE-2017-7889 CVE-2017-7895 CVE-2017-7979 CVE-2017-8064 CVE-2017-8067

Systems running Ubuntu 17.04 Zesty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3314-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 17.04
Zesty install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
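The decision above (do nothing when autoinstall is on, otherwise run the upgrade by hand) is easy to script across a fleet. The following is an added example, not part of the advisory or of Oracle's Uptrack tooling. It reads the autoinstall setting from the configuration file the advisory names and only falls through to uptrack-upgrade when that setting is off. It assumes the key is written as a flat "autoinstall = yes" line, that "#" starts a comment, and that the last assignment wins; the sample file it writes is constructed for the demonstration, and UPTRACK_CMD is a hypothetical override so the script can be dry-run on a host without Ksplice.

```shell
#!/bin/sh
# Added example, not part of the Ksplice advisory or of Oracle's tooling:
# decide whether a host still needs a manual "uptrack-upgrade -y" by reading
# the autoinstall setting in /etc/uptrack/uptrack.conf that the advisory
# refers to. Assumptions (not stated on the page): the key is a flat
# "autoinstall = yes" line, "#" begins a comment, the last assignment wins.

# Print the effective autoinstall value ("yes", "no" or "unset") from a
# uptrack.conf-style file. Comment lines and inline comments are ignored.
uptrack_autoinstall() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo unset
        return 0
    fi
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) echo yes ;;
        "")                              echo unset ;;
        *)                               echo no ;;
    esac
}

# Apply the updates by hand only when autoinstall is not enabled.
# UPTRACK_CMD (hypothetical, for this example) defaults to the path the
# advisory gives; set it to "echo" to dry-run on a machine without Ksplice.
apply_uptrack_updates() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ "$(uptrack_autoinstall "$conf")" = yes ]; then
        echo "autoinstall is on: Uptrack will apply the updates itself"
        return 0
    fi
    "${UPTRACK_CMD:-/usr/sbin/uptrack-upgrade}" -y
}

# Constructed sample config for a stand-alone run: a commented-out "yes"
# must not count as enabling autoinstall, and the inline comment is dropped.
demo_uptrack_check() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# Ksplice Uptrack configuration (constructed sample for this example)
# autoinstall = yes
autoinstall = no   # operator applies updates during change windows
EOF
    UPTRACK_CMD=echo apply_uptrack_updates "$tmp"   # dry run: prints "-y"
    rm -f "$tmp"
}

demo_uptrack_check
```

On a real host, drop the UPTRACK_CMD override and run the script as root; it is deliberately conservative, treating a missing or unreadable configuration file as "autoinstall unset" so that the manual upgrade is attempted rather than silently skipped.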


DESCRIPTION

* Denial-of-service due to race in Intel RDT schemata.

A misplaced lock in the Intel Resource Director Technology (RDT) schemata
code could allow a temporary buffer to be written out of bounds or
double-freed, potentially causing a denial-of-service.


* Denial-of-service in iSCSI session shutdown reference handling.

Incorrect reference handling during iSCSI session shutdown could cause a
session record to leak, potentially causing a kernel panic and
denial-of-service.


* Information leak via SCSI driver capability check.

Incorrectly parsing the length of a SCSI capability buffer returned from
an older device could read off the end of the buffer, potentially
leaking kernel information.


* Denial-of-service in non-volatile memory fault handling.

Incorrect lock logic in libnvdimm could cause a lock order reversal
while handling a memory fault on non-volatile memory, potentially
causing a kernel hang and denial-of-service.


* Denial-of-service in non-volatile memory locking.

Incorrect lock logic during libnvdimm reconfiguration causes a kernel
thread to sleep while holding a lock, triggering a kernel BUG and a
potential denial-of-service.


* Denial-of-service in zram unaligned page compression.

Incorrectly copying memory from a non-page-aligned address in the zram
driver could corrupt kernel memory, causing a kernel panic and
denial-of-service.


* Denial-of-service with asynchronous XTS and LRW cryptography.

Functions in the XTS and LRW cryptography code do not correctly handle
asynchronous completions and free memory that is still in use, causing
memory corruption and a possible denial-of-service.


* CVE-2017-8064: Kernel stack memory access via USB DVB device copy.

An erroneous copy of a USB DVB (dvb-usb-v2) device structure onto the
kernel stack could overflow it, potentially allowing an attacker to
manipulate stack memory, causing a denial-of-service or privilege
escalation.


* CVE-2017-7889: Permissions bypass via /dev/mem file.

The mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM
protection mechanism (which is meant to restrict /dev/mem to non-kernel
memory), allowing local users with access to /dev/mem to read or write
kernel memory locations via an application that opens that file.


* CVE-2017-8067: Denial-of-service via console driver memory mapping.

The virtio-console driver used a buffer on the kernel stack as a DMA
target, which could allow an attacker to alter kernel stack memory,
causing a privilege escalation or denial-of-service.


* CVE-2016-9604: Permission bypass when creating a key using the keyring subsystem.

A missing check when a user creates or joins a keyring whose name begins
with '.' (a prefix reserved for internal kernel keyrings) could lead to a
permission bypass. A local attacker could use this flaw to access
sensitive information.


* CVE-2017-6951: Denial-of-service from userspace via dead security keys.

Dead security keys were assigned a type named "dead", a name that passes
the key_get_type_from_user() validation, so userspace could request keys
of that type through the request_key() system call, causing a NULL
pointer dereference, kernel panic and denial-of-service.


* CVE-2017-7472: Denial-of-service when setting the default request-key keyring.

A logic error when a user sets the default request-key keyring multiple
times could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a kernel panic.


* Denial-of-service due to negative isolated memory stats.

A race condition could allow the count of isolated memory regions to go
negative, potentially sending the kernel into an infinite loop and
causing a denial-of-service.


* CVE-2017-2671: Use-after-free in ping implementation.

A race condition in the kernel ping implementation can result in a
use-after-free. A local attacker with access to ping sockets could use
this flaw to cause a kernel crash or escalate privileges.


* Denial of service in IP neighbour probing.

A missing pointer check can trigger a NULL pointer dereference and kernel panic
when an interface needs to solicit information from a neighbour.


* Information leak in KCM ioctl.

A logic error when copying Kernel Connection Multiplexor ioctl information from
userspace can leak the contents of kernel memory.


* Memory leak when handling L2TP control frames.

Incorrect reference counting when handling control frames from an L2TP socket
can trigger a kernel memory leak and subsequent kernel panic.


* Denial of service when listening on SCTP socket.

A logic error in the SCTP subsystem can trigger a kernel panic and denial of
service when attempting to listen on a non-listening socket.


* Memory leak when disconnecting TCP socket.

Incorrect reference counting when closing a TCP socket can allow a local
attacker to trigger kernel memory corruption and potentially gain elevated
privileges.


* Denial of service when disabling IPv6 network interface.

Incorrect locking when disabling an IPv6 network interface can allow a local
attacker to trigger an infinite loop and cause a denial of service.


* Kernel panic when processing IPv6 segment routing headers.

The kernel IPv6 stack does not correctly handle truncated Segment Routing
Headers, which can trigger an out-of-bounds read and kernel panic.


* Kernel panic when handling invalid IPv6 segment routing headers.

A logic error when the kernel IPv6 stack attempts to parse an invalid IPv6
Segment Routing Header can trigger a double-free and kernel panic.


* Denial of service when removing IPv6 multicast interfaces.

The IPv6 subsystem does not correctly handle IPv6 interfaces with multicast
routing support, which can cause an interface to be removed twice and
trigger a kernel assertion.


* Memory leak when destroying MAC-VLAN devices.

Incorrect reference counting when destroying a MAC-VLAN device can cause a
kernel memory leak and subsequent kernel panic.


* Denial of service in IPv6 virtual routing.

A logic error when changing the virtual routing and forwarding configuration of
an IPv6 interface could trigger a use-after-free and kernel panic.


* Memory corruption when calculating nexthop of IPv6 tunnel.

A logic error when passing IPv4 traffic through an IPv6 tunnel can trigger an
out-of-bounds write and kernel memory corruption.


* Memory corruption when changing IPv4 TCP congestion control.

The IPv4 subsystem does not initialize memory when changing the congestion
control on a TCP socket which can allow a local attacker to trigger kernel
memory corruption.


* Memory corruption when reading Plan 9 directories.

A logic error when the Plan 9 (9p) filesystem reads a directory from a
remote server can trigger memory corruption and a kernel panic.


* CVE-2017-7645: Remote denial-of-service via oversized NFSv2/v3 RPC call.

If an NFS version 2 or 3 client appends extraneous data to its RPC
calls or replies, the server fails to allocate sufficient memory,
potentially causing memory corruption and a denial-of-service.


* CVE-2017-7895: Remote information leak in kernel NFS server.

Missing bounds checks could result in an out-of-bounds memory access,
allowing a remote attacker to leak the contents of kernel memory.


* Denial of service in Geschwister Schneider UG USB driver.

Use of a DMA buffer on the stack when passing USB control messages in the
Geschwister Schneider UG (gs_usb CAN) driver could lead to stack
corruption. A local attacker could use this flaw to cause a
denial-of-service.


* Data race when canceling timer file descriptors causes denial-of-service.

Missing serialization when canceling timer file descriptors could let
concurrent cancellations race, leading to a use-after-free and
potentially a kernel crash and denial-of-service.


* Information leak via multiple devices (md software RAID) ioctl.

Failing to initialize an unused data field in a multiple devices (md)
driver ioctl could allow kernel stack contents to be exposed to userspace.


* CVE-2017-7979: Denial-of-service in cookie handling of packet action API.

A logic error in the packet action API can result in memory being
incorrectly freed, leading to a kernel crash or undefined behaviour. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-0605: Privilege escalation when using the kernel tracing subsystem.

Use of strcpy() when the kernel tracing subsystem retrieves a traced
process's command line could overflow a stack buffer. A local attacker
could use this flaw to execute arbitrary code in the kernel and escalate
privileges.


* Denial-of-service when cloning an IPv6 route.

Missing flag validation when configuring an IPv6 route allows a local
process to create a malformed route. A malicious user can exploit this
to trigger a NULL pointer dereference and cause a denial-of-service.


* CVE-2017-7618: Remote denial of service in asynchronous hash functions.

In certain cases, a remote attacker could trigger an edge condition in the
kernel's CRC and cryptographic hash function facilities. This could cause
the kernel to crash or lock up.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
