[Ksplice][Ubuntu-17.04-Updates] New Ksplice updates for Ubuntu 17.04 Zesty (4.10.0-26.30)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jun 30 09:56:21 PDT 2017


Synopsis: 4.10.0-26.30 can now be patched using Ksplice
CVEs: CVE-2017-1000364 CVE-2017-1000363 CVE-2017-8890 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 CVE-2017-9242

Systems running Ubuntu 17.04 Zesty can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.10.0-26.30.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 17.04
Zesty install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
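As an added example (not part of this announcement and not Oracle's own Ksplice tooling), the POSIX shell helper below reads an uptrack.conf and reports whether a host will pick up these updates by itself ("autoinstall = yes") or whether an operator has to run uptrack-upgrade -y. It tolerates comments, stray whitespace and mixed case, which is where ad-hoc grep checks usually go wrong. The INI-style layout assumed here ([Settings] section, "key = value" lines) and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example: decide whether a Ksplice Uptrack host needs a manual
# "uptrack-upgrade -y" or will install the update on its own.
# Assumption: uptrack.conf is INI-style with "autoinstall = yes" lines.

# Print "yes" if autoinstall is enabled in the given uptrack.conf, else "no".
# Strips # and ; comments, ignores surrounding whitespace and letter case,
# and honours the last autoinstall line if the key is repeated.
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ ! -r "$conf" ]; then
        echo "no"          # unreadable or absent config: assume manual
        return 1
    fi
    val=$(sed -e 's/[[:space:]]*[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr 'A-Z' 'a-z')
    case "$val" in
        yes) echo "yes" ;;
        *)   echo "no" ;;
    esac
}

# Print "auto" when Ksplice will install the update itself, otherwise
# "manual" (the operator must run uptrack-upgrade -y).
uptrack_plan() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "auto"
    else
        echo "manual"
    fi
}

# On a real host: apply pending updates when autoinstall is off, then list
# what is applied. Skipped silently where the Uptrack tools are absent.
uptrack_apply_if_manual() {
    if [ "$(uptrack_plan "$1")" = "manual" ] \
        && command -v uptrack-upgrade >/dev/null 2>&1; then
        uptrack-upgrade -y && uptrack-show
    fi
}

# Constructed sample config for a stand-alone run (not any real host's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[Settings]
# Automatically install updates as they become available
autoinstall = yes
EOF
echo "plan for sample config: $(uptrack_plan "$demo_conf")"
rm -f "$demo_conf"
```

Note that after Ksplice has applied the patches, uname -r still reports the booted kernel version; use uptrack-show to confirm which updates are actually in effect.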


DESCRIPTION

* Denial-of-service in Plan 9 filesystem access control list manipulation.

Incorrect error handling when updating access control lists in the plan
9 filesystem can result in a memory leak. A local attacker could use
this flaw to exhaust kernel memory, resulting in a denial-of-service.


* Kernel crash in mwifiex 802.11 packet transmission.

A logic error in the processing of wifi transmission packets in the
mwifiex driver can result in a buffer overrun and a kernel crash.


* Denial-of-service in iwlwifi debugfs interface.

A failure to correctly validate input can result in a kernel crash when
writing to the iwlwifi debug interface. A privileged attacker could use
this flaw to crash the kernel, leading to a denial-of-service.


* Out-of-bounds access in Intel power management controller.

A logic error in the Intel power management controller driver can result
in an out-of-bounds memory access. This could result in undefined
behaviour or a kernel crash.


* Denial-of-service in qedi iSCSI connection initialization.

Incorrect error handling can result in a failure to free kernel memory.
A local attacker with the ability to create iSCSI connections could use
this flaw to cause a denial-of-service.


* Kernel crash in Broadcom flexible MAC wifi driver.

A logic error in the processing of wifi transmission packets can result
in the access of uninitialised memory resulting in a kernel crash.


* Denial-of-service in TCP transmission buffer management.

A logic error during management of TCP packet buffers can cause an
assertion failure in the kernel, leading to undefined behaviour or
potentially a kernel crash. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service in IPv6 duplicate address detection.

A race condition in the handling of duplicate address detection for IPv6
could result in kernel memory corruption. A user with the ability to
create network namespaces could use this flaw to crash the kernel,
leading to a denial-of-service.


* Denial-of-service in TCP accept handling.

A failure to correctly initialize a pointer when accepting TCP
connections could result in a double free. A local attacker could use
this flaw to cause undefined behaviour or a kernel crash, leading to a
denial-of-service.


* Denial-of-service in raw socket IP header processing.

A failure to validate IP packets submitted to raw sockets can result in
the access of invalid memory. This could result in a kernel crash,
leading to a denial-of-service.


* Kernel crash in Broadcom NetXtreme Receive Flow Steering.

A failure to allocate enough memory for Receive Flow Steering management
can result in a buffer overrun leading to undefined behaviour or a
kernel crash.


* Information disclosure via use of unprivileged eBPF programs.

A failure to enforce kptr_restrict for eBPF programs can result in the
leak of sensitive information to userspace. A local attacker could use
this flaw to facilitate a further attack.


* Denial-of-service due to corrupted F2FS filesystem.

A failure to validate the segment count when mounting an F2FS
filesystem can result in undefined behaviour when accessing the
filesystem. This could result in a kernel crash, leading to a
denial-of-service.


* Use-after-free in DRM/TTM fault handling.

A race condition in the DRM/TTM driver can result in a use-after-free
during vm fault handling. A local attacker could use this flaw to cause
a kernel crash.


* CVE-2017-8890, CVE-2017-9076, CVE-2017-9077: Denial-of-service in DCCPv6 sockets.

A use-after-free in the DCCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.


* CVE-2017-9074: Information leak via IPv6 fragment header.

The header size of an IPv6 fragment is not properly checked, potentially
allowing an attacker to read out-of-bounds memory when attempting to
parse it, leaking information.


* CVE-2017-9075: Denial-of-service when using SCTP over IPv6.

A missing structure initialization could lead to a double free when
creating a new socket. A local, unprivileged attacker could use this flaw
to cause a denial-of-service.


* CVE-2017-9242: Denial-of-service when sending on an IPv6 socket.

A missing check when sending messages over IPv6 sockets could lead to an
out-of-bounds access. A local user could use this flaw to cause a
denial-of-service.


* Race condition in USB device initialization causes denial-of-service.

Two USB devices calling init_usb_class simultaneously can race and
corrupt kernel memory, potentially causing a crash and
denial-of-service.


* Auto-suspending disconnected USB devices causes denial-of-service.

In rare cases, the generic USB driver can attempt to auto-suspend a USB
device not actually connected to the system. This causes a NULL pointer
dereference and denial-of-service.


* Incorrect event handling in KVM causes SMM errors in the guest.

Incorrect logic when a KVM guest enters system management mode could
cause the guest to misbehave, potentially causing the guest's SMM code
to report errors.


* Deadlock in Intel OPA Gen1 Infiniband driver causes denial-of-service.

Incorrectly holding a spinlock while yielding CPU in the Intel OPA Gen1
Infiniband driver could deadlock the thread, causing a
denial-of-service.


* Denial-of-service when writing to a small memory-mapped file on ext4.

In rare cases, writing to a very small memory-mapped file on the ext4
filesystem can reach an invalid code path, causing a kernel crash and
denial-of-service.


* Information leak via unsanitized buffer in getxattr.

Failing to zero out a buffer returned by getxattr in low-memory
situations could cause kernel memory to be exposed to userspace.


* Null private_data in CIFS ioctls causes denial-of-service.

When enumerating CIFS snapshots or getting IOC information for a tree,
the private_data pointer is not properly checked, potentially causing a
kernel panic and denial-of-service.


* Deadlock when reporting DAX device information to sysfs.

Invalid ordering of calls when reporting DAX device information to sysfs
could cause a deadlock and denial-of-service.


* CVE-2017-1000363: Denial-of-service in printer driver setup.

Missing validation on the "lp" module parameter could result in an
out-of-bounds access and integer overflow. A local, privileged user
could use this flaw to crash the kernel or defeat secure boot
protections.


* Information leak in TI LP8788 charger driver.

Incorrect array initialization could result in reading beyond the end of
an array and leaking the contents of kernel memory to user-space.


* Denial-of-service in Ceph file system extended attributes.

Failure to free memory when the filesystem fails to set an extended
attribute could result in memory exhaustion. A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Improved fix for CVE-2017-1000364 to allow stack expansion close to a userspace guard.

Some userspace applications, such as the Java Virtual Machine, implement
a stack guard area themselves with a fixed mapping just below the stack.
Together with the original Debian fix for CVE-2017-1000364, this blocked
stack expansion that should have been allowed.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
