[El-errata] New updates available via Ksplice (ELSA-2013-2507)

Sun Mar 3 03:05:05 PST 2013

Synopsis: ELSA-2013-2507 can now be patched using Ksplice
CVEs: CVE-2012-0957 CVE-2013-0311

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2013-2507.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 5 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Use-after-free in l2tp_eth driver.

Incorrect module reference counts could result in the module being
unloaded whilst it was still in use and a use-after-free condition could
result in a kernel crash.

* Kernel crash in eCryptfs on handling inherited files.

eCryptfs would fail with assertions and kernel crash rather than
returning error codes under specific circumstances when handling with
files that had been inherited on a fork() or passed by IPC.

* Denial of service in TCP SYN+FIN messages.

SYN+FIN attacks can cause a denial of service with machines trying
to respond to the invalid messages.  This update will drop TCP
messages with both SYN and FIN set instead of trying to process
them.

* Log corruption in UBIFS.

When fixing up the UBIFS log, it could corrupt the log which may prevent
later mounts of the UBIFS filesystem.

* Memory corruption in device mapper RADI1 mirror recovery and discard.

A race condition in mirror recovery and discard could result in the
corruption of linked lists resulting in undefined behaviour.

* Use-after-free in SCSI request handling.

A use-after-free may occur if a SCSI request has no more references,
but is still rescheduled for completion.

* Information leak via incomplete copies in USB.

Copies of non-contiguous isochronous buffers in the USB subsystem may
leak kernel memory to a potential attacker.

* Out-of-bound values allowed by fcntl_setlease.

A missing bounds check in fcntl_setlease may allow out-of-bounds values
due to an incorrect cast from a long to an integer.

* Fix ACPI oops when it is unable to initialize a power supply.

When the ACPI driver failed to initialize a power supply, the
failure wasn't getting returned causing the driver to mistakingly
believe the device was initialized.  This could lead to a kernel
oops.

* Denial-of-service in rpciod.

rpciod could deadlock when trying to allocate memory for a new socket
resulting in a system hang and denial-of-service.

* Data loss in ext4 filesystems.

An integer underflow in metadata block management could result in
allocation failure and data loss.

* NULL pointer dereference in SFB packet scheduling.

A missing NULL pointer check in options parsing could result in a
NULL pointer dereference and system crash.

* Use-after-free in sctp.

In some circumstances, a sctp association could be used after it was
freed, leading to memory corruption and possibly a kernel oops.

* NULL pointer dereference in CIPSO socket options.

Adding a CIPSO option to a socket could result in a NULL pointer
dereference and kernel crash under specific conditions.

* Kernel crash in kaweth USB Ethernet driver.

Invalid memory allocation could cause the kernel to sleep in an atomic
state resulting in a kernel crash.

* Kernel stack information leak in tun ioctls.

Incorrect initialisation of ioctl structures could result in leaking
stack bytes to a userspace process.

* NULL pointer dereference in futex requeuing.

A missing NULL pointer check could result in a kernel crash when
attempting to requeue a futex.

* NULL pointer dereference in non-pi futexes.

Incorrect configuration of futex addresses could lead to a NULL pointer
dereference and kernel crash.

* Memory corruption in FUSE handling of vectored responses.

An incorrect check of the size of the response vector could lead to an
overflow and corruption of memory after the vector.

* NULL pointer dereference handling scsi over IB command responses.

A NULL dereference will occur if a reply to a previous request would happen
during or after an abort command.

* Race-condition in VFS file operations.

A race condition when performing scatter-gather IO on a file can lead
to data corruption.

* Kernel panic in hugetlbfs.

A race condition between processes sharing huge page mappings can cause
a kernel panic.

* Unreported error can cause unusable mount in NFS.

An unreported error can cause a mount to seem to succeed but have
completely unusable values for block sizes, maxfilesize, etc.

* Kernel panic in Parallel NFS.

A kernel panic (BUG_ON) can be triggered when releasing file data because
of a broken assumption in the Parallel NFS implementation.

* Use-after-free in audit subsystem.

A reference counting error in the audit subsystem can trigger a
use-after-free causing a kernel crash.

* Kernel panic in SUNRPC over TCP.

A kernel panic can be triggered when closing a SUNRPC TCP socket.

* Race condition in SUNRPC.

A race condition can cause data corruption when closing a SUNRPC socket.

* NULL pointer dereference in USB ACM.

A NULL pointer dereference can be triggered when probing a device that
provides an ACM endpoint.

* NUMA memory policy kernel panic.

A kernel panic can be triggered when querying a task's NUMA memory policy
via procfs.

* SCSI MegaRAID kernel panic.

A kernel panic can be triggered when the MegaRAID driver is loaded but
no adapters are present on the system.

* UDF data corruption fix.

Files stored in ICB (inode) can be partially overwritten with all
zeros.

* Data loss/corruption in ext3 filesystem after crash.

The fdatasync syscall does not flush inode metadata when used on a file where
only the file's size changed. This could lead to data loss/corruption in
applications following a system crash.

* NULL pointer dereference in DCCP sockets.

A NULL pointer dereference can be triggered by querying or setting the
socket options of a DCCP socket that has no associated CCID.

* Kernel panic on SUNRPC initialization failure.

A kernel panic may occur due to a failed SUNRPC initialization due to invalid
return values returned by the initialization function.

* Use-after-free in freed page LRU handling.

A race condition between MMU notifier release and page unmapping may cause
the memory manager to access a page which was already freed.

* Denial of service in hugetlbfs shared page table teardown.

A race condition in hugetlbfs shared page table teardown may cause a corruption
of the pagetables, leading to a kernel BUG.

* NULL pointer dereference in Ralink rt2x00 wireless network driver.

Due to incorrect initialization of a data structure, a NULL pointer
dereference may occur on device wakeup.

* Deadlock in VFS file renaming.

A deadlock can be triggered in the VFS subsystem when multiple processes
attempt to rename the same file.

* Kernel panic in ttyprintk driver.

Writing a specially crafted string to /dev/ttyprintk can cause the to
kernel access memory beyond the end of an allocated buffer and
trigger a kernel panic.

* Kernel panic in Broadcom 43xx wireless driver.

A kernel panic can be triggered when unloading the legacy
Broadcom wireless driver when no firmware is present.

* Kernel panic in coredumping.

An unprivileged user can cause a double-free when constructing a
coredump under low-memory conditions.

* Use-after-free in IP over Infiniband.

A use-after-condition condition can be triggered when processing
multicast IP packets over an Infiniband device.

* Use-after-free in Infiniband RDMA driver.

A use-after-free condition triggered in the Infiniband RDMA driver
when resetting an Infiniband device.

* Kernel panic in packet scheduler.

A missing bounds check in the network packet scheduler can lead to
a kernel panic.

* Kernel panic in packet ring-buffer.

An invalid assumption between the kernel and a userspace process can lead
to a kernel panic when destroying packets in a ring-buffer.

* Information leak in ATM socket options.

The SO_ATMPCV socket option allows malicious users to disclose the
contents of kernel memory.

* Information leak in ATM socket name.

An malicious user can disclose the contents of kernel memory by calling
getsockname() on an ATM socket.

* Information leak in DCCP socket options.

The DCCP_SOCKOPT_CCID_TX_INFO socket option allows malicious users to
disclose the contents of kernel memory.

* Information leak in IP Virtual Server socket options.

A malicious user can disclose the contents of kernel memory by calling
getsockopt() on an IP virtual server socket.

* Information leak in socket compatibility ioctl.

The SIOCGIFCONF socket option allows malicious users to disclose the
contents of kernel memory.

* Netlink spoofing allows privilege elevation.

A local user may be able to elevate privileges by spoofing the source
of a netlink message.

* Kernel crash when removing net namespace.

Invalid ordering of operations can lead to a kernel crash in ipv4
ipmr when removing net namespace.

* Kernel panic in netconsole bridge device.

A reference-counting error can cause a kernel panic when removing a
bridge device which has a netconsole running on it.

* Inode leak in eCryptfs file renaming.

Inodes are not being properly removed when they are the target of
a rename() system call, causing extra disk space to be consumed.

* Kernel panic in Broadcom 5709 driver.

A kernel panic can be triggered when a Broadcom 5709 device is under
heavy load.

* Data corruption in HP Smart Array SCSI driver.

An unhandled protocol error could result in data corruption when
configured in a multipath system.

* Deadlock in cfg80211 wireless subsystem.

Incorrect locking could result in circular locking leading to deadlock
and a system hang.

* Information leak in NFS 'readdir' reply.

The kernel NFS server does not correctly initialise the 'cookieverf' element
in a 'readdir' reply leading to the contents of kernel memory being disclosed
to remote clients.

* Logic error in NFSv4 server.

A logic error in the NFSv4 server implementation can cause malformed NFS
open requests to be considered valid.

* Invalid memory access in xHCI ring queue handling.

An incorrect dequeuing of items from the xHCI ring queue can
cause general protection faults by accessing invalid memory regions.

* Possible denial of service in drop_monitor.

drop_monitor may sleep while holding a spinlock, which could lead
to a possible deadlock situation.

* Kernel panic in exit syscall.

A race condition in the exit syscall can cause a dead process to be
scheduled for execution, causing a kernel panic.

* Use-after-free in USB.

A race condition that occurs when removing host controllers can
cause a use-after-free if a process is reading the
/sys/kernel/debug/usb/devices when the controller is being removed.

* NULL pointer dereferences in xfrm code.

A unexpected return of a NULL pointer in two functions in the xfrm
code could cause a NULL pointer dereference.  This could lead to a
privilege escalation if an attacker has CAP_NET_ADMIN and is able
to map address 0.

* Kernel information leaks in network transformation subsystem.

This fixes several cases where xfrm_user code could lead kernel
memory to user space.

* Guest crash when attaching a netxen NIC to a VM.

If the root bus is null when attaching a netxen NIC to a VM
the guest will crash due to a NULL pointer dereference.

* Denial of service with net sched cbq configuration.

It is possible to setup the net scheduler class based queuing
configuration that leads to an infinite loop in cbq_classify().

* Kernel crash in packet scheduler.

Invalid start times can be assigned to a class in the Quick Fair Queue
(QFQ) scheduler.  This can lead to data structure corruption which may
result in a crash.

* Denial of service in TCP IOAT DMA.

When the receive wait queue is zero and the sk_async_wait_queue is
non-empty, a recv() syscall can cause sk_wait_data() to block
forever.

* Kernel hang in PPP over Ethernet on virtual device removal.

Removing a virtual Ethernet device whilst a zombied PPPOE instance is
running can cause a kernel hang as a result of invalid reference
counting.

* Kernel crash with keepalive on raw TCP sockets.

Its possible to use RAW sockets to get a crash in
tcp_set_keepalive() / sk_reset_timer() when attempting
to set TCP keepalive on a RAW socket.

* Data loss/corruption in ext4 filesystem after crash.

The fdatasync() did not flush inode metadata when the fdatasync() system
call was used on a file where only the file's size changed. This could
lead to data loss/corruption in applications following a system crash.

* Deadlock in page unmapping.

Invalid locking in the memory management subsystem can cause a deadlock
and kernel hang when unmapping pages from a process' address space.

* Out-of-bounds accesses in filesystem export handles.

Incorrect checking of file handle lengths when exporting a filesystem
over NFS could result in an out-of-bounds access and kernel crash.

* Userspace memory corruption and information leak in FireWire core.

The kernel writes too much data to the buffer supplied by the userspace
process calling ioctl() on a FireWire character device. In addition, the
extra data represents an information leak of kernel data.

* NULL pointer dereference in IPVS.

A NULL pointer dereference and kernel panic can be triggered when unloading the
IP Virtual Server kernel module.

* Crash on malformed IPv4 packets in netfilter connection tracking.

The header lengths of IPv4 packets were not validated before the packet
was passed on to TCP options parsing, resulting in an assertion failure
(BUG_ON) in the TCP options parsing code.

* Crash in NAT handling of Real-time Transport Protocol (RTP) packets.

If an RTP packet arrives while the NAT connection tracking data structures
are locked, the kernel may crash while attempting to register the same
expectation callback twice on the same list.

* NULL pointer dereference in NAT handling for bridging/IP Virtual Servers.

Incoming frames on bridge devices can cause a NULL pointer dereference when
IPVS incorrectly causes a NAT reply to reset the frame's bridge pointer to
NULL.

* Kernel panic in lockd server.

The kernel lockd server does not correctly handle stale file handles
leading to a kernel panic. A remote attacker could potentially use this
flaw to cause a remote denial of service.

* Memory corruption in SUNRPC procfs.

A stack buffer overflow can be triggered by reading the contents of the
"flush" procfs file, leading to a kernel panic.

* CVE-2012-0957: Information leak in uname syscall.

A process running under a UNAME26 personality can disclose the contents
of kernel memory via the uname syscall.

* Kernel panic in IPv4 ARP and IPv6 Neighbor Discovery.

An invalid assumption in the IP stack can lead to a kernel panic when
failing to send an IPv4 ARP or IPv6 Neighbor Discovery packet.

* Kernel panic when sending RDS ping responses.

Incorrect locking in the RDS implementation can cause a kernel panic
when responding to RDS ping packets. A remote attacker could potentially
use this flaw to cause a remote denial of service.

* Out-of-bounds read in netfilter bridge.

A fragmented IP header can cause an out-of-bounds read and kernel panic when
filtering bridged ethernet traffic.

* Inaccurate information in /proc/stat.

The /proc/stat procfs file contains inaccurate information about idle and iowait
timings when CPUs enter low power states.

* Denial of service in network block device.

A race condition when a network block device server fails can lead to
memory exhaustion.

* NFS DNS resolver timeout.

An error in how the kernel NFS DNS resolver caches DNS queries can cause
legitimate NFS operations to fail under certain circumstances.

* Memory corruption in xenbus frontend driver.

An integer overflow in the xenbus frontend driver allows a user to cause
memory corruption inside a Xen guest kernel.

* Packet loss in IPv4 networking.

An invalid optimisation in the IPv4 networking stack could cause IPv4
packets to be incorrectly dropped.

* Networking failure in QLogic ISP3XXX driver.

The QLogic networking driver does not correctly initialise hardware
registers causing intermittent networking failures.

* Kernel panic in Xen when adding Virtual CPUs.

A kernel panic can be triggered when adding or removing Virtual CPUs while a
cgroup 'notify_on_release' event is being processed.

* Remove spurious ext4 file-system warning.

The ext4 file-system driver generates spurious warning on asynchronous IO
operations which can fill up system log files.

* Performance improvement in XFS direct I/O.

The XFS filesystem driver incorrectly locks resources when performing
direct I/O leading to performance degradation.

* NULL pointer dereference in PCI hotplug.

A NULL pointer dereference can be triggered when configuring the maximum
payload on a hotplugged PCI device leading to a kernel panic.

* Race condition in epoll subsystem.

A race condition in the epoll subsystem can lead to missing epoll events
when sending a EPOLL_CTL_MOD command.

* CVE-2013-0311: Privilege escalation in vhost descriptor management.

Incorrect handling of vhost descriptors that crossed regions could allow
a privileged guest user to crash the host or possibly escalate
privileges inside the host.

* Memory corruption in OCFS2 distributed lock manager.

Kernel memory corruption can be triggered when the distributed lock manager
attempts to recover from DLM nodes disconnecting.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.