[El-errata] New updates available via Ksplice (ELSA-2013-2525)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jun 20 04:19:43 PDT 2013


Synopsis: ELSA-2013-2525 can now be patched using Ksplice
CVEs: CVE-2012-6542 CVE-2013-1848 CVE-2013-1860 CVE-2013-1929 CVE-2013-1979

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2013-2525.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 5 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Deadlock in NFSv4 client during recovery.

Incorrect locking could result in deadlocks in a recovery situation for 
NFSv4.


* NULL pointer dereference in NFS lookup code.

Fix kernel oops caused by a null pointer dereference due to
lookup_one_len() calling down to the dentry revalidation code with
a NULL pointer to struct nameidata.


* Memory corruption in netlink listener management.

RCU locking violations in netlink could lead to intermittent memory
corruption.


* Use-after-free in L2TP Ethernet session.

The kernel L2TP driver does not correctly handle failing to initialise
a L2TPv3 Ethernet session leading to a use-after-free and kernel panic.


* Remote information leak in netfilter TCP connection tracking.

An attacker on a shared routing queue with the victim can gain information
about the victim's TCP connections by sending malformed TCP packets.


* Kernel crash during recovery from hardware memory errors.

If a hardware memory error occurs, wrong assumptions about the type of
memory being offlined could trigger an internal sanity check and stop
the kernel.


* Unnecessary warning about partition ioctl.

Don't warn about ioctls when the user has raw IO capabilities.


* NULL pointer dereference in bonding slave management.

Missing locking in bonding slave management could result in a NULL
pointer dereference and kernel crash.


* Denial-of-service in SCTP message sending.

The SCTP protocol implementation did not correctly release memory when
passed an invalid source buffer.  This could allow an unprivileged user
to cause a denial-of-service.


* NULL pointer dereference in NFSv2 and NFSv3 in server cloning.

A race condition that occurs when nfs_clone_server gets an error
can lead to a NULL pointer dereference in nfs_clone_server.


* Buffer overflow with NFSv4 read encoding.

If the argument and reply in nfsd4_encode_read exceed the maximum
payload size, then the rq_pages array can overflow.


* Invalid memory access in cgroup file system.

If cgroup_create_file() fails, no dentry get is performed, but
the corresponding dentry put gets performed anyhow, leading to an
invalid memory access and a kernel oops.


* Memory leak in ext4 extended attributes.

The ext4 filesystem driver does not correctly release kernel memory if
setting an extended attribute on a file fails.


* Memory corruption in ext4 file truncation.

When truncating an existing file, the ext4 filesystem driver does not 
correctly
handle files with large extent trees leading to memory corruption and a 
kernel
panic.


* Kernel panic in jbd2 driver.

A race condition in the jbd2 filesystem driver when writing a journal to 
disk
can trigger a kernel panic.


* Memory leak in udf file writing.

The udf filesystem driver leaks kernel memory when allocating blocks
for a new file on a udf filesystem.


* Memory leak in CIFS referral mount handling.

Allocated memory was not correctly freed in the CIFS referral mount
error handling path leading to a potential denial-of-service.


* Memory leak in xHCI USB host request handler.

The private date related to TX events in the USB request handler was
not freed.


* Kernel crash on virtio console removal.

The kernel could access uninitialized data on device removal causing a
kernel crash.


* Fix stack overflow in kernel resource allocation.

Recursive calls in kernel/resource.c could lead to a stack overflow when
reserving regions.


* Memory leak in memory mapped AF_PACKET transmission.

A memory leak in the memory mapped packet transmission code could result
in a denial-of-service against the system by a user with CAP_NET_RAW
capability.


* SCTP key leak in shared secret key setup.

The SCTP association key setup did not securely free the key memory
resulting in a possible leak of the key to an attacker.


* Denial-of-service in nanosleep implementation.

Failure to clean up correctly timers when performing a clock_nanosleep()
call using CPU_TIMER would result in a reference count leak on the
calling task.  This could allow an unprivileged, local user to trigger a
denial-of-service attack.


* Kernel crash in target lun configuration.

Missing bounds checks for the mapped_lun attribute in the target lun
configfs filesystem could result in a kernel crash.


* Out-of-bounds read in binary sysctl helpers.

An invalid check for NULL in binary sysctl's could result in a
dereference of an invalid pointer leading to a kernel crash.


* Race condition in ext4 block preallocation.

Incorrect locking in ext4 block preallocation could lead to memory
corruption and undefined behavior.


* Kernel page mapping information leak in dmesg.

On x86 systems, an unprivileged process can easily determine whether an 
address
residing within the kernel address space is mapped or unmapped by examining
the error code reported to dmesg.[1]

[1] http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/


* NULL pointer dereference in CIFS filesystem mounting.

The CIFS filesystem does not correctly handle attempts to mount paths which
contain symlinks causing a NULL pointer dereference and kernel panic.


* Deadlocks in XFS filesystem due to memory reclaim recursion.

In low-memory situations, memory reclaim recursion can cause XFS
filesystems to deadlock.


* Stack overflow in XFS filesystem driver.

In certain error situations, the XFS filesystem driver can call a function
recursively deep enough to cause a stack overflow. This could lead to a
kernel crash.


* Memory leak in USB networking transmit path.

Invalid reference counting in the transmit path of the USB networking
framework could result in a memory leak of USB requests.


* NULL pointer dereference in SCSI subsystem.

Due to a missing check in the error handling of SCSI device discovery,
the kernel could follow a NULL pointer and subsequently crash.


* Denial-of-service Oracle VM guest messaging driver.

Incorrect use of list traversal primitives and missing input sanitation
could lead to kernel crashes in the OVM API driver.


* Kernel deadlock in Xen pv-spinlocks.

A race condition can lead to a deadlock where a CPU gets stuck
waiting forever for a lock.


* NULL pointer dereference in QLogic QLA2XXX Fibre Channel SCSI driver.

A programming error in the QLA2XXX SCSI driver could lead to a NULL
pointer dereference under specific error conditions.


* Information leak in OCFS2 cluster filesystem driver.

In certain error situations, the OCFS2 ioctl() system call could return
uninitialised data to the user. An local user could potentially use this
flaw to obtain sensitive data from the kernel.


* NULL pointer dereference when moving extents in OCFS2 cluster 
filesystem driver.

Due to a a programming error, the OCFS2 cluster filesystem driver would
dereference a pointer before it had been assigned the intended value. A
local user could potentially use this flaw to cause a kernel crash.


* Division by zero in VMware VMXNET3 ethernet driver.

Incomplete initialization in the VMXNET3 driver could lead to a division
by zero if the ring buffer size of the network device is configured before
the device has been brought up.


* Kernel panic in iSCSI Extensions for RDMA (iSER).

Due to an oversight when making changes to the iSCSI subsystem, the
iSER driver was never updated accordingly. This could lead to a kernel
panic when connecting the device.


* Denial of service in RealTek 8169 Ethernet driver.

An incorrect check in the RealTek 8169 Ethernet driver could cause the
network device to stop responding. A malicious user could possibly
trigger this flaw remotely to cause denial of service.


* CVE-2012-6542: Information leak in LLC socket name.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on an LLC socket.


* Memory corruption in Emulex LightPulse Fibre Channel driver.

Due to a logic error, the LPFC driver would use the wrong XRI tag for
continued commands. This could potentially lead to memory corruption.


* Kernel crash in Emulex LightPulse Fibre Channel driver.

Missing error checks during LPFC resource allocation could lead to
a kernel crash.


* Infinite loop in Emulex LightPulse Fibre Channel driver.

A logic error in the LPFC driver could in certain circumstances lead
to an infinite loop when getting the next fcf record.


* Kernel hang in FCF round robin handling of Emulex LightPulse Fibre 
Channel driver.

In certain circumstances, the LPFC driver could enter an infinite loop
in the FCF round robin handling.


* NULL pointer dereference in Emulex LightPulse Fibre Channel driver.

Due to a logic error, a pointer was dereferenced before it was compared
against NULL. This could trigger a kernel crash in low-memory situations.


* Deadlock in Emulex LightPulse Fibre Channel driver.

Due to a logic error in the LPFC driver, an attempt would be made to
acquire the same spinlock twice in a row. This would cause a deadlock
and a kernel hang.


* Deadlock in Filesystem in Userspace subsystem when using auditing.

When mounting a FUSE filesystem, process auditing can cause the mounting
process to read extended attributes for the filesystem which has not yet
been fully mounted. This would cause the mounting process to get stuck.


* Memory leak when freeing btrfs back references.

When scrubbing a btrfs volume, back references are incorrectly freed 
leading to
a memory leak and subsequent kernel panic.


* Double-free in btrfs back references.

When scrubbing a btrfs volume, back references are incorrectly freed 
leading to
a double-free and kernel panic.


* Memory corruption in btrfs IOC_INO_PATHS ioctl.

A sign extension error in the BTRFS_IOC_INO_PATHS ioctl can allow a 
malicious
user to corrupt kernel memory and cause a kernel panic.


* Infinite loop in btrfs volume shrinking.

If a btrfs volume runs out of space while shrinking the same volume, an 
infinite
loop and subsequent kernel panic can be triggered.


* Memory leak in opening btrfs seed device.

Incorrect error handling can cause a memory leak and kernel panic when 
opening a
btrfs seed device.


* Data loss on RAID10 btrfs volumes.

The btrfs RAID10 implementation uses the incorrect device when repairing 
a volume
leading to data loss.


* Deadlock in btrfs nested chunk allocation.

When inserting a device into a RAID array, a deadlock can be caused by 
invalid
locking.


* Deadlock when mounting corrupted btrfs superblock.

A format string vulnerability allows a user capable of mounting a btrfs 
volume to
deadlock the system.


* Buffer overflow when initializing a RAID device.

A kernel heap overflow can be triggered when adding a large number of 
devices to
a btrfs RAID array.


* Kernel panic in btrfs chunk allocation.

Failing to allocate a new chunk for a btrfs volume can cause an 
assertion failure
and kernel panic.


* Data loss on invalid btrfs superblock.

Data loss can occur when attempting to mount a btrfs volume with a invalid
metadata blocksize.


* Memory leak in btrfs transaction cleanup.

The btrfs transaction cleanup fails to free pinned extents leading to a 
memory
leak and kernel panic.


* Kernel panic when setting up btrfs trees.

When mounting a btrfs volume, a failure to allocate a path can lead to an
assertion failure and kernel panic.


* Deadlock when allocating btrfs extent chunks.

Incorrect locking when allocating chunks in the btrfs extent tree can 
cause a
deadlock and kernel panic.


* Kernel panic in btrfs extent tree walking.

Incorrect locking in btrfs extent tree walking can cause an assertion 
failure and
kernel panic.


* Kernel panic on btrfs extent tree corruption.

The btrfs extent lookup implementation does not gracefully handle a 
corrupted
volume leading to an assertion failure and kernel panic.


* Deadlock in btrfs overcommit.

The btrfs filesystem fails to take into account reserved space on a 
volume when
committing transactions causing the volume to fill up and cause a deadlock.


* Deadlock when aborting a btrfs transaction.

When a btrfs transaction is aborted, incorrect locking on an error path 
can cause
a deadlock and kernel panic.


* Data loss in btrfs auto defragmentation.

A race condition between direct I/O and btrfs defragmentation can cause 
stale
data to be written to disk causing data loss.


* NULL pointer dereference in btrfs DEV_INFO ioctl.

If a multi-device btrfs volume is mounted with the degraded option, 
calling the
DEV_INFO ioctl on a missing device will cause a NULL pointer dereference.


* Kernel panic when creating btrfs sub-volumes.

If creating btrfs sub-volume fails, a double-free is triggered causing a 
kernel
panic.


* Use-after-free when ending btrfs transactions.

A use-after-free condition can be triggered when ending a btrfs transaction
causing spurious I/O errors.


* Deadlock when aborting btrfs transactions.

Incorrect locking when aborting a btrfs transaction can cause a deadlock and
kernel panic.


* Data loss when a btrfs commit fails.

The btrfs filesystem does not correctly handle a commit failing leading to
potential data loss. Additionally, btrfs volumes which are flagged as having
errors are not mounted read-only leading to further potential data loss.


* Deadlock when cleaning up btrfs transactions.

Incorrect locking when cleaning up btrfs transactions can cause a 
deadlock and
kernel panic.


* Memory corruption when unmounting a resized btrfs volume.

A race condition between unmounting a btrfs volume and resizing the same 
btrfs
volume can cause memory corruption and a kernel panic.


* NULL pointer dereference in btrfs volume resizing.

A NULL pointer dereference can be triggered if the root node is not 
found when
resizing a btrfs volume.


* Memory leak in btrfs block relocation.

A memory leak can be triggered when relocating btrfs blocks leading to a 
kernel
panic.


* Kernel panic in btrfs block relocation.

A failure to create a new transaction for a btrfs block group relocation can
cause a kernel panic.


* Kernel panic when storing btrfs dirty nodes.

A lack of synchronization can cause memory corruption and a kernel panic 
when
storing dirty nodes for copy-on-write files.


* Kernel panic in btrfs logging.

An incorrectly terminated string can cause an out-of-bounds read and 
kernel panic
when btrfs prints diagnostic information.


* Kernel panic in btrfs compressed files.

When writing btrfs extents for a compressed file, the kernel incorrectly 
attempts
to unlock a previously unlocked page leading to an assertion failure and 
kernel
panic.


* Deadlock in btrfs unmounting.

If a memory allocation fails when unmounting a btrfs volume, incorrect 
locking
can cause a kernel deadlock.


* Memory leak in btrfs ordered I/O.

If starting a btrfs transaction fails when writing ordered I/O, memory is
incorrectly freed.


* Deadlock when deleting btrfs delayed work items.

Incorrect locking when deleting btrfs delayed items can cause a deadlock and
kernel panic.


* Kernel panic when writing btrfs file extents.

Incorrect reference counting when writing btrfs file extents to disk can 
cause a
use-after-free condition and kernel panic.


* NULL pointer dereference when querying btrfs extents.

A missing NULL pointer check when querying btrfs file extents can cause 
a kernel
panic.


* Deadlock when running btrfs async operations.

Incorrect locking when processing btrfs asynchronous operations can cause a
deadlock and kernel panic.


* Deadlock in btrfs file pre-allocation.

The btrfs file pre-allocation algorithm reserves an incorrect amount of 
data for
files leading to a deadlock when the filesystem becomes full.


* Kernel panic when reading compressed btrfs data.

If a memory allocation fails when reading compressed data from a btrfs 
volume, an
invalid pointer is freed causing a kernel panic.


* Memory leak in btrfs free space cache.

When mounting a btrfs volume with a free space cache, memory is not 
freed if the
mount operation fails.


* Kernel panic in btrfs root tree update.

Under low memory conditions, the btrfs filesystem will kernel panic when 
updating
the btrfs root tree.


* Kernel panic when looking up btrfs checksums.

Under low memory conditions, the btrfs filesystem will kernel panic when 
looking
up btrfs checksums.


* Denial of service in btrfs mounting.

A lack of sanity checks when mounting a corrupted btrfs volume can cause an
assertion failure and kernel panic.


* Kernel panic when expanding btrfs file extents.

When expanding the extents for a file on a btrfs volume, an invalid 
pointer is
freed causing a kernel panic.


* CVE-2013-1848: Format string vulnerability in ext3 mounting.

The ext3 file-system driver incorrectly uses an argument from userspace as a
format string allowing local users with the ability to mount ext3 
filesystems
to corrupt kernel memory and gain privileged execution.


* CVE-2013-1860: Buffer overflow in Wireless Device Management driver.

A malicious USB device can cause a buffer overflow and gain kernel code 
execution
by sending malformed Wireless Device Management packets.


* CVE-2013-1929: Buffer overflow in TG3 VPD firmware parsing.

Incorrect length checks when parsing the firmware could cause a buffer
overflow and corruption of memory.


* CVE-2013-1979: Privilege escalation with UNIX socket credentials.

Incorrect passing of credentials over a UNIX domain socket could allow
an unprivileged user to use a setuid binary to escalate privileges to
superuser level.


* Incorrect MAC address usage after bonding failover.

Missing events in the bonding subsystem could cause the old MAC address
to be used after a failover when the fail_over_mac parameter was set to
'active'.


* NULL pointer dereference while handling orphaned directories in OCFS2 
cluster filesystem driver.

Under certain circumstances, due to an incorrect return value, adding
a new file to an orphaned directory could lead to a NULL pointer
dereference.


* Spurious warning in OCFS2 cluster filesystem driver.

When removing a non-empty directory, the kernel would print a
spurious warning in the kernel message log.


* Missing return value in IPv6 socket options manipulation.

When calling setsockopt(IPIPPROTO_IPV6, IPV6_MINHOPCOUNT), the return value
would be ENOPROTOOPT (protocol not available) instead of 0 (success).


* Use-after-free in USB serial driver probing.

In an error situation, the serial device object would be incorrectly freed,
possibly leading to reference and memory leaks.


* NULL pointer dereference on futex wakeup.

Incorrect synchronization during a futex wakeup sequence can trigger a
NULL pointer dereference by trying to wake up a locked futex.


* Deadlock in block device journalling layer JBD.

Under certain circumstances, waiting for a transaction to be committed
to the journal could deadlock because of holding an extra lock that
should have been dropped.


* Bogus return value in Virtio driver memory allocation.

Due to a missing flag, virtio ring buffers could be allocated from
highmem in a low-memory situation and eventually end up as passing
an invalid pointer to userspace. This could return in an unexpected
failure or memory corruption.


* NULL pointer dereference in ATA driver core.

In certain situations involving disk errors, the ATA core would dereference
a NULL pointer and subsequently crash the kernel.


* Kernel crash during user registration in NetEffect RNIC InfiniBand river.

The kernel would crash when registering a zero length MR for CQ.


* Invalid memory dereference in MD multiple devices driver ioctl.

Due to missing input validation, userspace could change the ioctl payload
length after the ioctl() call and cause the kernel to dereference invalid
memory. A malicious user could use this to crash the kernel.


* List corruption in ATA over Ethernet block device driver.

In certain situations, due to a logic error, data associated with the
backing device would be initialised twice. This would lead to a warning
about list corruption.


* OCFS2 mount can hang forever.

If a lockres refresh fails, the ocfs2 mount will hang forever waiting
on a super lock.


* Memory leak in error handling while mounting Ext4 filesystem.

If an error occurs while initialising an ext4 superblock, the kernel does
not correctly free all the acquired resources. A malicious user could use
this to exhaust all available memory and cause denial of service.


* Memory leak in error handling while resizing Ext4 filesystem.

If an error occurs while manipulating group descriptor tables, the kernel
does not correctly free all the acquired resources. A malicious user could
use this to exhaust all available memory and cause denial of service.


* Kernel crash when printing CPU sets in an out-of-memory situation.

Due to missing locking, the kernel might dereference an invalid pointer
while it is printing CPU sets to the kernel log in an out-of-memory
situation. This could lead to a kernel crash in rare cases.


* Use-after-free when cloning device structs in the Btrfs filesystem.

Spinlocks were being copied byte for byte instead of initialised
correctly. This could lead to a use-after-free in certain configurations.


* NULL pointer dereference upon RAID0 stripe zone creation error.

If RAID0 stripe zone creation fails, the function incorrectly returns
NULL. The callers do not expect this and will dereference the invalid
pointer.


* Memory leak in CPU frequency scaling statistics.

Under certain situations, bringing a CPU down could leak memory. Over time,
the system could run completely out of memory.


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.





More information about the El-errata mailing list