[Ksplice][Ubuntu-17.04-Updates] New Ksplice updates for Ubuntu 17.04 Zesty (4.10.0-24.28)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jun 30 09:56:59 PDT 2017


Synopsis: 4.10.0-24.28 can now be patched using Ksplice
CVEs: CVE-2017-1000364 CVE-2017-1000363 CVE-2017-8890 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 CVE-2017-9242

Systems running Ubuntu 17.04 Zesty can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.10.0-24.28.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 17.04
Zesty install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in Plan 9 filesystem access control list manipulation.

Incorrect error handling when updating access control lists in the Plan
9 filesystem can result in a memory leak. A local attacker could use
this flaw to exhaust kernel memory, resulting in a denial-of-service.


* Kernel crash in mwifiex 802.11 packet transmission.

A logic error in the processing of wifi transmission packets in the
mwifiex driver can result in a buffer overrun, resulting in a kernel
crash.


* Denial-of-service in iwlwifi debugfs interface.

A failure to correctly validate input can result in a kernel crash when
writing to the iwlwifi debug interface. A privileged attacker could use
this flaw to crash the kernel, leading to a denial-of-service.


* Out-of-bounds access in Intel power management controller.

A logic error in the Intel power management controller driver can result
in an out-of-bounds memory access. This could result in undefined
behaviour or a kernel crash.


* Denial-of-service in qedi iSCSI connection initialization.

Incorrect error handling can result in a failure to free kernel memory.
A local attacker with the ability to create iSCSI connections could use
this flaw to cause a denial-of-service.


* Kernel crash in Broadcom flexible MAC wifi driver.

A logic error in the processing of wifi transmission packets can result
in the access of uninitialised memory resulting in a kernel crash.


* Denial-of-service in TCP transmission buffer management.

A logic error during management of TCP packet buffers can cause an
assertion failure in the kernel, leading to undefined behaviour or
potentially a kernel crash. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service in IPv6 duplicate address detection.

A race condition in the handling of duplicate address detection for IPv6
could result in kernel memory corruption. A user with the ability to
create network namespaces could use this flaw to crash the kernel,
leading to a denial-of-service.


* Denial-of-service in TCP accept handling.

A failure to correctly initialize a pointer when accepting TCP
connections could result in a double free. A local attacker could use
this flaw to cause undefined behaviour or a kernel crash, leading to a
denial-of-service.


* Denial-of-service in raw socket IP header processing.

A failure to validate IP packets submitted to raw sockets can result in
the access of invalid memory. This could result in a kernel crash,
leading to a denial-of-service.


* Kernel crash in Broadcom NetXtreme Receive Flow Steering.

A failure to allocate enough memory for Receive Flow Steering management
can result in a buffer overrun leading to undefined behaviour or a
kernel crash.


* Information disclosure via use of unprivileged eBPF programs.

A failure to enforce kptr_restrict for eBPF programs can result in the
leak of sensitive information to userspace. A local attacker could use
this flaw to facilitate a further attack.


* Denial-of-service due to corrupted F2FS filesystem.

A failure to validate the segment count when mounting an F2FS
filesystem can result in undefined behaviour when accessing the
filesystem. This could result in a kernel crash, leading to a
denial-of-service.


* Use-after-free in DRM/TTM fault handling.

A race condition in the DRM/TTM driver can result in a use-after-free
during vm fault handling. A local attacker could use this flaw to cause
a kernel crash.


* CVE-2017-8890, CVE-2017-9076, CVE-2017-9077: Denial-of-service in DCCPv6 sockets.

A use-after-free in the DCCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.


* CVE-2017-9074: Information leak via IPv6 fragment header.

The header size of an IPv6 fragment is not properly checked, potentially
allowing an attacker to read out-of-bounds memory when attempting to
parse it, leaking information.


* CVE-2017-9075: Denial-of-service when using the SCTP protocol with IPv6.

A missing structure initialization could lead to a double free when
creating a new socket. A local unprivileged attacker could use this flaw
to cause a denial-of-service.


* CVE-2017-9242: Denial-of-service when using the send syscall on an IPv6 socket.

A missing check when sending messages over IPv6 sockets could lead to an
out-of-bounds access. A local user could use this flaw to cause a
denial-of-service.


* Race condition in USB device initialization causes denial-of-service.

Two USB devices calling init_usb_class simultaneously can race and
corrupt kernel memory, potentially causing a crash and
denial-of-service.


* Auto-suspending disconnected USB devices causes denial-of-service.

In rare cases, the generic USB driver can attempt to auto-suspend a USB
device not actually connected to the system. This causes a NULL pointer
dereference and denial-of-service.


* Incorrect event handling in KVM causes SMM errors in client.

Incorrect logic when entering system management mode on a KVM client
could cause the system to misbehave, potentially causing the client SMM
to report errors.


* Deadlock in Intel OPA Gen1 Infiniband driver causes denial-of-service.

Incorrectly holding a spinlock while yielding CPU in the Intel OPA Gen1
Infiniband driver could deadlock the thread, causing a
denial-of-service.


* Denial-of-service when writing to small memory-mapped file on ext4.

In rare cases, writing to a very small memory-mapped file on the ext4
filesystem can execute invalid code, causing a denial-of-service.


* Information leak via unsanitized buffer in getxattr.

Failing to zero out a buffer returned by getxattr in low-memory
situations could cause kernel memory to be exposed to userspace.


* Null private_data in CIFS ioctls causes denial-of-service.

When enumerating CIFS snapshots or getting IOC information for a tree,
the private_data pointer is not properly checked, potentially causing a
kernel panic and denial-of-service.


* Deadlock when reporting DAX device information to sysfs.

Invalid ordering of calls when reporting DAX device information to sysfs
could cause a deadlock and denial-of-service.


* CVE-2017-1000363: Denial-of-service in printer driver setup.

Missing validation on the "lp" module parameter could result in an
out-of-bounds access and integer overflow. A local, privileged user
could use this flaw to crash the kernel or defeat secure boot
protections.


* Information leak in TI LP8788 charger driver.

Incorrect array initialization could result in reading beyond the end of
an array and leaking the contents of kernel memory to user-space.


* Denial-of-service in Ceph file system extended attributes.

Failure to free memory when the filesystem failed to set an extended
attribute could result in memory exhaustion. A local, unprivileged user
could use this flaw to cause a denial-of-service.


* CVE-2017-1000364: Increase stack guard size to 1 MiB.

A vulnerability in how userspace programs are compiled can cause the
program's stack to grow into the program's heap and corrupt either of
them. Depending on which program is targeted, an attacker can gain
additional privileges.

This update provides a new sysctl variable which can be used to tune
the gap between a program's heap and stack. To change it, use e.g.:

    # set gap to 32 MiB
    echo 33554432 > /proc/sys/vm/heap_stack_gap

This update is a kernel mitigation for what is fundamentally a
userspace problem. As such, there is no guarantee that it will stop
every potential attack vector, but it will stop the ones that are
currently known and make it much more difficult to exploit in general.

Running processes where the stack and heap are already very close may
need to be restarted for the change to take effect. It is therefore
recommended that long-running processes and network daemons are
restarted after applying this update.
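The following helper script is an added example and is not part of this
advisory or of the Ksplice tooling: it reads the vm.heap_stack_gap knob
introduced above, checks that the gap is at least a requested number of
MiB, and writes a sysctl.d drop-in so the setting survives a reboot. The
GAP_FILE and SYSCTL_DIR overrides and the drop-in file name are assumptions
made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): check and persist the
# vm.heap_stack_gap mitigation. GAP_FILE can be overridden so the checks
# can be exercised against a copy of the file without root.
GAP_FILE="${GAP_FILE:-/proc/sys/vm/heap_stack_gap}"
MIB=1048576

# Print the current gap in bytes, or 0 if the kernel does not expose the
# knob (the mitigation is not present on this kernel).
gap_bytes() {
    [ -r "$GAP_FILE" ] && cat "$GAP_FILE" || echo 0
}

# Return 0 if the configured gap is at least $1 MiB, 1 otherwise.
gap_at_least_mib() {
    want=$(( $1 * MIB ))
    have=$(gap_bytes)
    [ "$have" -ge "$want" ]
}

# Persist the requested gap (in MiB) as a sysctl.d drop-in and print the
# byte value written. The file name is an assumption for this example.
persist_gap_mib() {
    bytes=$(( $1 * MIB ))
    conf="${SYSCTL_DIR:-/etc/sysctl.d}/60-heap-stack-gap.conf"
    printf 'vm.heap_stack_gap = %s\n' "$bytes" > "$conf"
    echo "$bytes"
}

# Usage: ./heap_stack_gap.sh --check [MIN_MIB]   (default minimum: 1 MiB)
if [ "${1:-}" = "--check" ]; then
    min="${2:-1}"
    if gap_at_least_mib "$min"; then
        echo "heap/stack gap is $(gap_bytes) bytes (>= ${min} MiB)"
    else
        echo "heap/stack gap is $(gap_bytes) bytes (< ${min} MiB)"
        exit 1
    fi
fi
```

A non-zero exit from --check is a convenient signal for configuration
management to flag hosts that are still running without the mitigation.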

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
