[El-errata] New updates available via Ksplice (ELSA-2014-3070)

[Errata Announcements for Oracle Linux]

Synopsis: ELSA-2014-3070 can now be patched using Ksplice
CVEs: CVE-2013-2930 CVE-2014-1690 CVE-2014-3122

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2014-3070.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Memory leak in ext4 defragmentation during stress.

Due to a combination of a race condition and incorrect error handling,
defragmenting a file while doing direct I/O to it could cause a memory
leak. A local, unprivileged user could use this to cause denial of
service.


* CVE-2013-2930: Incorrect permissions check in perf ftrace feature.

Incorrect permissions checks could allow a local, unprivileged user to
enable ftrace through the perf subsystem.  This could allow the user to
gain information to bypass ASLR or crash the system.


* CVE-2014-1690: Remote information leak in IRC NAT helper.

Due to incorrect initialisation of an on-stack buffer, parts of the
kernel stack would be sent out over the network. A remote attacker
communicating over the Direct Client to Client Protocol (DCCP) over
IRC could use this flaw to obtain senstive information about the
running kernel.


* Deadlock in ext4 when mixing asynchronous and direct IO.

When mixing asynchronous and direct IO to a file, it is possible for
the same kernel thread to attempt to lock the same mutex twice, thus
deadlocking on itself. A local, unprivileged user could use this flaw
to cause denial of service.


* Kernel panic in OCFS2 when creating fragmented extended attributes.

Creating new extended attributes on an OCFS2 filesystem could lead to a
kernel panic when the cluster is fragmented over multiple extent records.
A local, unprivileged user could use this flaw to cause denial of
service.


* Denial-of-service in ext4 when resizing with large inode tables.

A flaw in the ext4 code when resizing a filesystem with large number of
inodes per block group could lead to a kernel BUG. A local, privileged user
could use this flaw to cause a denial-of-service.


* Data corruption in ext4 when resizing with non-standard blocks-per-group number.

A flaw in the ext4 resizing code could lead to data corruptions when the
number of blocks per group is not 8.


* Denial-of-service in net core when allocating sk_buff under memory pressure.

A flaw in the net core subsystem when allocating a sk_buff under memory
pressure could lead to trigger OOM and potentially result in a
denial-of-service.


* Deadlock in PCI DMA subsystem when allocating a DMA buffer.

A logic error in the PCI DMA architecture dependent code could lead to a
deadlock.


* Memory leak in ACPI PCI when enabling IRQ.

A flaw in the ACPI PCI IRQ driver could lead to leak memory. A local,
privileged user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.


* Use-after-free in i7 EDAC driver when iterating PCI devices.

Due to incorrect reference counting in the i7 EDAC driver, a use-after-free
could result in a kernel crash and denial-of-service.


* Deadlock in EHCI USB2 controller driver when handling an interrupt.

Incorrect locking in the EHCI driver code could lead to a deadlock,
resulting in a denial-of-service under specific conditions.


* Use-after-free in workqueue subsystem when destroying a worker.

Incorrect reference counting in the workqueue subsystem could lead to a
use-after-free and kernel crash.


* Denial-of-service in perf subsystem when hotplugging CPU.

Incorrect locking in the perf subsystem could lead to use-after-free and
kernel crash when hotplugging a CPU. A local, privileged user could use
this flaw to cause a denial-of-service.


* Quota file corruption in ocfs2.

Improper caching of quota file structures could result in
corruption of the quota file.


* Data corruption in ocfs2 sync.

The ocfs2 file system was syncing the wrong range.  This could
allow data to not be correctly synced and therefore cause
corruption.


* Denial of service in CFS scheduler.

Under certain specific circumstances, a malicious user could cause their
own task to starve other tasks in the same priority level of CPU time.


* NULL pointer dereference in Ethernet Solarflare driver.

A race condition in the sfc driver could lead to a PTP event
coming in from the NIC without being properly setup.  This
causes a NULL pointer dereference, leading to a kernel panic.


* Information leak in mac80211 QoS-null frames.

Uninitialized memory in QoS-null frames in the mac80211 code
could leak information.


* NULL pointer dereference in drm TTM code.

The TTM code didn't check that a TTM driver had an invalidate_caches()
function and tried to call it, leading to a NULL pointer dereference
and kernel panic.


* Use-after-free in firewire.

An error in a failure path in the firewire code could result in an
use-after-free error and kernel panic.


* NULL pointer dereference in NFS async code.

A NULL pointer check in the NFS delegation code could lead
to a NULL pointer dereference and kernel panic.


* Data corruption in vmxnet3 netpoll driver.

A race condition in the vmxnet3 poll driver can lead to data
corruption and kernel panics.


* Kernel BUG in mm compaction.

Improper error handling in the mm compaction code could lead to
a bad page state and kernel BUG().


* Kernel BUG on SCSI isci hard reset timeout.

The isci code was incorrectly generating a kernel BUG() in the
case of a hard reset timeout.


* Kernel panic in isci host code.

An invalid loop in the isci for_each_isci_host macro could
lead to a NULL pointer dereference and kernel panic.


* Denial-of-service with x86 fpu code and aesni-intel.

A bug in the x86 fpu code could lead to interrupts being improperly
disabled in subsequent calls.  Specifically, this has been seen to
cause a kernel BUG() when a user process dumps code on an ecrypt fs
while aesni-intel is loaded.  In this case, all subsequent accesses
to the ecrypt fs filesystem will hang.  A malicious user could exploit
this to cause a denial-of-service.


* Memory leak in linkat.

A bug in the linkat code could allow a mountpoint reference
leak and a memory link when attempting to retry on ESTALE.


* Denial-of-service in KVM with nested VMs.

A missing check in the KVM MMU code could lead to a kernel crash. A local,
privileged user could use this flaw to cause a denial-of-service.


* Kernel panic in nested KVM MMU management.

The KVM virtual MMU does not correctly handle memory mappings in nested virtual
machines leading to a kernel panic.


* Data corruption of ext4 immutable files when updating inode flags.

A race condition in the ext4 file system when updating the inode flags of
an immutable file could open a small window of time where the immutable
flag is not set. Provided very good timing, a local, unprivileged user
could use this flaw to modify an immutable file.


* NULL pointer dereference in CPU idle driver when getting a reference counter.

A missing check for NULL in the CPU idle driver could lead to a NULL
pointer dereference and kernel panic in case there is no CPU idle driver
registered with the current CPU.


* Memory leak in SCTP stack on COOKIE ECHO error path.

A memory leak in SCTP stack on COOKIE ECHO handling when memory is
constrained could lead to a memory leak. A remote attacker could use this
flaw to exhaust the memory on the system and cause a denial-of-service.


* Denial-of-service in Bridge code on receiving malformed MFD queries.

A lack of input validation in the bridge code when handling MFD queries
could lead to multi-cast ports being shut down. A remote attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service in IPv4 fragmentation code on evicting fragments.

A race condition in the IPv4 fragmentation code could lead to a kernel
crash under specific conditions. A local, privileged user could use this
flaw to cause a denial-of-service.


* Deadlock in TCP stack on software checksum calculation.

A logic error in the TCP stack when the NIC has no support for RX checksum
could lead to a deadlock under specific conditions.


* NULL pointer dereference in VXLAN code when handling ARP requests.

A lack of input validation in the VXLAN code could lead to a NULL pointer
dereference when memory is constrained. A remote attacker could use this
flaw to cause a denial-of-service.


* Memory corruption in ISDN loop driver.

A lack of input validation in various places of the ISDN loop driver could
lead to out of bounds memory accesses. A local, unprivileged user could use
these flaws to cause a denial-of-service or potentially escalate
privileges.


* NULL pointer dereference in PID namespaces.

The kernel does not validate a pointer when looking up a PID namespace for a
given process which leads to a NULL pointer dereference and kernel panic.


* Data corruption in ext4 extents lookup.

The ext4 file-system driver does not validate a return value when mapping
extents based files leading to possible data corruption.


* Memory corruption when creating large files on jffs2 images.

An integer overflow in the jffs2 file-system driver when calculating the size
of a large file can trigger kernel memory corruption and kernel panic.


* Use-after-free in jffs2 garbage collection.

A logic error can cause a use-after-free and kernel panic when reserving space
on a jffs2 file-system.


* Denial-of-service when exiting processes.

A race condition when a process is exiting can lead to a process not releasing
kernel resources. A local unprivileged user could use this flaw to exhaust
kernel resources and cause a kernel panic.


* Kernel panic when inserting function tracer.

Missing synchronization across CPUs can cause a kernel panic when inserting a
function tracer.


* Kernel panic when hotplugging a PCI USB controller card.

A race condition in the USB subsystem can trigger a kernel panic when
hotplugging a PCI USB controller card.


* Memory corruption in NFSv4.1 extended attributes.

Missing bounds checking in the NFSv4.1 server when encoding extended file
attributes could lead to memory corruption and kernel panic.


* Kernel panic when recovering iSCSI target connections.

An invalid pointer is dereferenced when recovering a dropped iSCSI connection,
triggering a kernel panic.


* CVE-2014-3122: Denial-of-service in non-linear memory mappings.

An assertion failure and kernel panic can be triggered when unmapping a
non-linear memory mapping.  This could be exploited by a local,
unprivileged user to crash the system.


* Double-free in OCFS2 block writing.

Under specific conditions, the OCFS2 filesystem could perform a
double-free on a buffer head resulting in a kernel crash.


* Data corruption in ext4 unaligned asynchronous IO.

A race condition between reading the size of an inode and performing an
asynchronous file write can trigger data corruption on an ext4 filesystem.


* Kernel BUG in NFS lockd socket creation.

When socket creation failed during lockd_up, all live sockets
were not getting properly cleaned up, causing a kernel BUG.


* Use after free in e1000 network device driver.

Due to a race condition in the e1000 network device driver, it is possible
for a watchdog timer callback to run after the device has been unregistered
and removed. This could in certain circumstances cause a kernel crash.


* Lost hardware events in Xen guests.

Due to a race condition in the Xen guest IRQ handling code, it would be
possible for certain hardware events to get lost or delayed.


* Memory corruption in Xen hypervisor for x86 PVH guests.

In certain situations, the Xen hypervisor could potentially free a page
belonging to another guest. This could lead to both host and guest memory
corruption.


* NULL pointer dereference in Xen virtual block device frontend.

Due to incorrect error checking, removing an underlying block device
from the Xen hypervisor could lead to a NULL pointer dereference in
the hypervisor when removing the guest's block device interface.


* Memory leak in Xen when assigning new slot on virtual PCI bus.

Due to incorrect error handling, failure to assign a new slot on the
virtual PCI bus would leak the memory allocated for the device. Over
time, this could cause the kernel to run out of memory altogether.


* Kernel crash in Xen backend network device.

Due to insufficient locking in the Xen backend network device, it is
possible for the kernel to crash when sending and receiving packets
at the same time.


* Out-of-bounds write in Xen frontend network device initialization.

Incorrect initialization of TX and RX queues in the Xen frontend network
device could lead to out-of-bounds writes when the queues have different
sizes. This could in certain circumstances cause the kernel to crash.


* Out-of-bounds write when reading SMART attributes from NVM Express block device.

Due to an incorrect calculation of the buffer size, querying the SMART
attribute log of an NVM Express block device could cause writes past the
end of the buffer. In certain circumstances, this could cause memory
corruption and kernel crashes.


* NULL pointer dereference when accessing NVM Express block device.

Due to incorrect error handling in certain low-memory situations, it
would be possible for the NVM Express block device driver to dereference
a NULL pointer when accessing the device. This could crash the kernel.


* Out-of-bounds memory access in QLogic NetXen network device.

Due to an off-by-one error in the ring buffer size calculation, it is
possible for the device driver to read and write to memory outside the
allocated buffer. This could in certain cases lead to memory corruption
and kernel crashes.


* NULL pointer dereference when aborting request in HP Smart Array SAS driver.

Due to incorrect error handling when aborting a SCSI request, the kernel
could in certain low-memory situations cause a NULL pointer dereference.
This could cause the kernel to crash.


* Memory leak when scanning for HP Smart Array SAS devices.

Due to a missing kfree() call, the HP Smart Array SAS device driver would
leak a small amount of memory when scanning for devices. Over time, this
could cause the kernel to run out of memory altogether.


* Memory leak in QLogic 40xx iSCSI host adapter driver even handler.

In very specific circumstances, the QLogic 40xx iSCSI host adapter driver
could leak a small amount of memory when processing interrupts from the
device. Over time, this could cause the kernel to run out of memory
altogether.


* NULL pointer dereference when configuring endpoint parameters in QLogic 40xx iSCSI driver.

Due to an incorrect code sequence, the device driver could attempt to
dereference a pointer before it has been checked against a potential NULL
value. This could lead to a NULL pointer dereference and consequent kernel
crash.


* Kernel hang when initialising QLogic QLCNIC device.

Under certain circumstances, initialising a QLogic QLCNIC device using
MSI-X-type interrupts could cause the driver to enter an infinite loop.
This could cause the kernel to hang.


* Memory leak when sending asynchronous commands to QLogic QLCNIC device.

Due to a missing kfree(), sending asynchronous commands to a QLogic QLCNIC
device would cause a leak of the memory used for the command. Over time,
this could cause the kernel to run out of memory altogether.


* Kernel panic on TX timeout in QLogic QLCNIC device driver.

In certain cases, a missing sanity check during transmission timeout in
the QLogic QLCNIC device driver could cause the kernel to read
uninitialised memory. This could cause a kernel panic.


* Kernel hang when flushing inodes in XFS filesystem.

A missing memory barrier could in rare circumstances cause the thread
responsible for flushing inodes to hang indefinitely. This can cause
unnecessary delays in getting data to disk or in the worst case cause
the filesystem and the kernel to hang.


* Kernel hang when accessing CIFS remote filesystem.

Incorrect error handling during writeback in the CIFS filesystem could
in certain circumstances lead to hung tasks when accessing the filesystem.
In certain cases, this could lead to a full kernel hang.


* Kernel BUG during reflink operation in OCFS2 cluster filesystem.

Due to incorrect locking in the OCFS2 reflink operation, a race condition
could trigger a kernel BUG (assertion failure). An unprivileged user could
use this to cause denial of service.


* Buffer overflow in SCSI megaraid driver when servicing an ioctl.

Lack of input validation in the SCSI megaraid driver could lead to a buffer
overflow and kernel panic. A local, privileged user could use this flaw to
cause a denial-of-service or potentially gain kernel code execution.


* Memory corruption in MegaRAID SAS controller initialisation.

Due to an unintended 64-to-32-bit truncation, it is possible for the
MegaRAID SAS device to access the wrong memory area when communicating
with the driver. This could in certain cases lead to memory corruption
and a kernel crash.


* Denial of service in OCFS2 cluster filesystem.

Due to a logic error in the code responsible for handling incoming
connections in the OCFS2 cluster filesystem, all pending connections
would be cancelled when encountering and rejecting an invalid one.
A malicious remote user could potentially use this to prevent
legitimate connections from forming and thereby carry out a denial
of service attack.


* List corruption when freeing connection in RDS protocol.

Due to missing locking in the Reliable Datagram Socket (RDS) protocol,
it would be possible for two threads to simultaneously access the
connection list. This could lead to list corruption and kernel crashes.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.