[El-errata] New updates available via Ksplice (ELSA-2014-3034)

Fri May 23 09:35:35 PDT 2014

Synopsis: ELSA-2014-3034 can now be patched using Ksplice
CVEs: CVE-2013-1059 CVE-2013-4587 CVE-2013-6378 CVE-2013-6380 
CVE-2013-6382 CVE-2013-6885 CVE-2013-7268 CVE-2014-0038 CVE-2014-0049 
CVE-2014-0196 CVE-2014-1737 CVE-2014-1738 CVE-2014-1874 CVE-2014-2309 
CVE-2014-2580

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2014-3034.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.

The floppy driver would leak internal memory addresses to userspace,
and would allow unprivileged userspace code to overwrite those
addresses, allowing for a local privilege escalation and gaining
of root.

* CVE-2014-0196: Pseudo TTY device write buffer handling race.

A race in how the pseudo ttyp (pty) device handled device writes when
two threads/processes wrote to the same pty, the buffer end could be
overwritten. An attacker could use this to cause a denial-of-service or
gain root privileges.

* NULL pointer dereference during error recovery in Emulex BladeEngine 
driver.

Due to a logic error in the error recovery code of the be2net driver, the
kernel could under certain circumstances dereference a NULL pointer and
crash.

* NULL pointer dereference during packet reception in Emulex BladeEngine 
driver.

A missing error check in the packet reception code of the be2net
driver could lead to a NULL pointer dereference and subsequent
kernel crash.

* Kernel panic in OCFS2 during lock migration.

Due to a logic error and data race during lock migration in the OCFS2
filesystem, it is possible in rare circumstances for the kernel to
dereference invalid data which will trigger a subsequent assertion
failure.

* Buffer overrun in the tracing subsystem.

An incorrect bounds check in the kernel tracing subsystem could lead to
writing past the end of a buffer. A privileged local user can use this
flaw to crash the kernel or potentially gain additional privileges.

* Use of uninitialized memory in USB hub configuration.

In low memory situations, due to incorrect error handling, configuring
a USB hub could lead to use of uninitialized memory and a kernel crash.
A person with physical access to the machine could use this flaw to
cause denial of service.

* CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.

Incorrect validation of user supplied data in the Marvell 8xxx Libertas
WLAN driver could allow a privileged user to trigger an invalid pointer
dereference and crash the system.

* CVE-2013-6380: Denial-of-service in Adaptec RAID driver.

Incorrect memory allocations in the Adaptec RAID driver could result in
dereferencing an invalid pointer allowing a local user with the
CAP_SYS_ADMIN privilege to crash the system.

* Use-after-free in Ralink rt2x00 device removal.

Incorrect checks for device presence could result in a use-after-free
and kernel crash when removing an active WiFi USB dongle from the
system.

* Memory leak in devpts.

Failure to properly free everything when a devpts filesystem
is unmounted causes a memory leak.  This could be seen when
shutting down a Linux container.

* Information leak in procfs and debugfs filesystems.

The kernel incorrectly uses the effective uid instead of the real uid when
displaying pointers in the procfs and debugfs filesystems. This allows local
unprivileged users to use setuid binaries to leak the layout of kernel 
memory.

* Denial-of-service in System V message queue send path.

Incorrect comparison between signed and unsigned integer could lead
msgsnd() to bypass msgmax message queue limit and lead to a kernel crash. A
local, privileged user could use this flaw to cause a denial-of-service.

* Out-of-bounds write in iscsi-target when computing checksums.

Incorrect length checking in iscsi-target code could lead to a one byte
out-of-bounds write. An attacker could use this to cause a
denial-of-service or potentially, escalate privileges.

* Incorrect credentials checking in iscsi-target with CHAP authentication.

A flaw in the username checking in iscsi-target CHAP authentication causes
all usernames with the correct username as prefix to be accepted.

* Denial-of-service in loop block subsystem when unloading the loop module.

A logic error in the error path when allocating a block queue in the loop
module could result in a NULL pointer dereference. A local, privileged user
could use this flaw to cause a denial-of-service.

* Kernel crash in block device subsystem when using unassigned loop device.

Due to incorrect initialisation in the loop block device driver, it was
possible to use a block device before it had been assigned an underlying
file. A malicious local user could under certain circumstances use this
to cause denial of service.

* Memory leak in ext4 filesystem when expanding inode with extended 
attributes.

A flaw in the ext4 inode expanding code could result in a buffer header
memory leak. A local, unprivileged user could use this flaw to cause a
denial-of-service.

* Information leak in audit subsystem when getting status from audit 
netlink.

A missing field assignment in the receive loop of audit causes an
information leak. A local user with CAP_AUDIT_CONTROL could use this flaw
to obtain information on the running kernel.

* Deadlock in selinux/netlabel on connect().

Incorrect locking in the selinux/netlabel glue code could lead to a
deadlock. A local, unprivileged user could use this flaw to cause a
denial-of-service.

* Denial-of-service in cpuset subsystem when changing cpuset.

Incorrect locking when changing cpuset of a running test could result in a
deadlock. A local, privileged user could use this flaw to cause a
denial-of-service.

* Kernel crash in cfg80211 subsystem during network scanning.

Due to incorrect locking in the cfg80211 subsystem, two processes
accessing a scanning request at the same time could cause one of the
processes to see invalid data. A malicious local user could use this to
crash the kernel and cause denial of service.

* Use-after-free in netfilter connection tracking extensions.

A race condition in netfilter connection tracking allows the kernel to free
in-use extensions leading to a use-after-free condition and kernel panic.

* Kernel panic while getting TCP metrics.

The kernel could panic or crash using TCP fast open which an attacker
could use to cause a Denial-of-service.

* Possible buffer overruns in ISDN loop.

The isdnloop code was using strcpy on unvalidated user input which
might not be NUL terminated, leading to a potential buffer overrun.

* Deadlock in UDP stack on connect().

Incorrect locking the UDP connect() code could lead to a deadlock or
memory corruption. A local, unprivileged user could use this flaw to
cause a denial-of-service.

* CVE-2013-7268: Information leak in recvmsg handler.

Missing initialization in the network recvmsg handlers could leak kernel
memory into userspace.

* Information leak in IPv6 UDP stack when dequeuing error messages.

Lack of initialization in the IPv6 UDP stack could lead to leaking
information from the stack. A remote attacker could use this flaw to obtain
information about the running kernel.

* Denial-of-service in network stack on sending UDP/ICMP or connecting 
to TCP socket.

Incorrect locking in various places of the TCP stack could lead to a
deadlock under specific conditions.

* Kyro video driver information leak and memory corruption.

The Kyro framebuffer video driver could copy more data than intended
which could cause memory corruption or leak kernel memory to userspace
which an attacker could use to cause a denial-of-service or read kernel
memory.

* Denial-of-service in virtual function I/O IOMMU_MAP_DMA ioctl.

An incorrect assertion in the VFIO_IOMMU_MAP_DMA ioctl allows local
users with access to the /dev/vfio/vfio device to trigger a kernel
panic.

* Soft lockup in elevator IO scheduler.

A race condition in the block device subsystem could cause a soft lockup
to occur if a dm multipath device is initialised at the same time that the
IO scheduler is changed. This could cause the kernel to hang.

* CVE-2013-4587: Privilege escalation in KVM when creating VCPU.

A lack of input validation in the KVM code when creating a VCPU could lead
to an out-of-bounds memory write. A local user could use this flaw to cause
a kernel crash or potentially escalate privileges.

* CVE-2013-6382: Denial-of-service in XFS filesystem ioctls.

Multiple buffer underflows in the XFS implementation in the Linux kernel
could allow local users with the CAP_SYS_ADMIN capability to cause a
denial of service (memory corruption) or possibly have unspecified other
impact.

* Memory corruption in btrfs IOC_SEND ioctl.

An incorrect access check when processing a BTRFS_IOC_SEND ioctl can 
allow a local
privileged user to trigger kernel memory corruption and cause a kernel 
panic.

* Memory corruption in block device TABLE_LOAD ioctl.

The kernel block device driver does not correctly handle large a large 
number of
targets in the DM_TABLE_LOAD_CMD ioctl leading to memory corruption and 
a kernel
panic.

* Denial-of-service in NFSv4 client session delegation.

An incorrect assumption in the kernel NFSv4 client can cause the kernel 
to stop
processing all server responses when handling delegation responses.

* Use-after-free in ext4 when creating new block.

Incorrect locking in ext4 could lead to a use-after-free and to kernel
crash when creating new block on ext4 filesystem.

* Denial-of-service in ext4 extent validation.

Incorrect handling of overlapping extents could result in failing kernel
assertion and crashing the system. A local, privileged user, could use a
carefully crafted filesystem to cause a denial-of-service.

* Disk corruption on ext4 filesystems due to physical block address 
corruption.

Incorrect calculation of physical block addresses could result in corruption
of the on-disk filesystem.

* Out of bound memory access in Radio tap.

A lack of input validation in the Radio tap iterator code could lead to out
of bound memory access. A local, privileged user, could use this to cause a
denial-of-service, or potentially escalate privileges.

* NULL pointer dereference in Huge TLB subsystem.

A missing check in the Huge TLB subsystem could lead to a NULL pointer 
dereference
and panic. An attacker could use this flaw to cause a denial-of-service.

* NULL pointer dereference in memory management on memory failures.

Incorrect reference counting in the memory management subsystem could lead
to a panic. An attacker could use this to cause a denial-of-service.

* Missing check in selinux for outbound IPSec packets.

A missing check in selinux allowed any outbound IPSec packets to pass
through. This flaw could lead a local, unprivileged user to send
unauthorized traffic.

* NULL pointer dereference in CephFS during metadata parsing.

A missing NULL check in the metadata parsing of the Ceph distributed
filesystem could in low-memory situations lead to a NULL pointer
dereference and subsequent kernel crash.

* NULL pointer dereference in CephFS during client initialisation.

A missing NULL check during client initialisation of the Ceph distributed
filesystem could in low-memory situations lead to a NULL pointer
dereference and subsequent kernel crash.

* Kernel crash in CephFS during mount option parsing.

Due to a missing bounds check, the Ceph mount option parser could attempt
to access memory outside the buffer provided by the user. A malicious
user with mounting privileges could use this flaw to cause denial of
service.

* CVE-2013-1059: NULL pointer dereference in CephFS authentication.

A lack of validation can allow a remote user to trigger a NULL pointer 
dereference
and kernel panic by attempting to authenticate with the "auth_none" Ceph
authentication.

* NULL pointer dereference in libceph.

If nr_maps is set to zero in both places it is used then a NULL pointer
dereference error could occur.

* Use-after-free in virtio device removal.

The recently added multiqueue support for virtio devices introduced a 
use-after-
free vulnerability when removing virtio devices leading to a kernel panic.

* Information leak in socket monitoring interface.

For non-AF_INET6 sockets the kernel does not initialise fields in socket 
monitoring
data causing the contents of kernel memory being leaked to userspace.

* Use-after-free in logical link control stream sockets.

Receiving stream data on a LLC socket can trigger a use-after-free 
condition and
kernel panic if the MSG_PEEK flag is not used.

* Deadlock in bridge multicast 'hash_max' sysfs file.

Incorrect locking when changing the 'hash_max' setting via the sysfs 
interface
can trigger a deadlock and kernel panic.

* Use-after-free in GFS2 filesystem with parallel close/chown.

Incorrect reference counting in the GFS2 chown syscall could lead to a
use-after-free. A local, privileged user, could use this flaw to cause a
denial-of-service.

* NULL pointer dereference in selinux code when checking inode permission.

A race condition in the selinux code could lead to a NULL pointer
dereference and kernel panic. A local, unprivileged user could use this
flaw by opening and closing files in parallel to cause a denial-of-service.

* NULL pointer dereference in Raid10 subsystem during recovery.

Incorrect locking in the Raid10 subsystem could result in a use-after-free
and NULL pointer dereference. A local, privileged user could a specially
crafted block device to cause a denial-of-service.

* Denial-of-service in Raid10 subsystem when handling known bad blocks.

Incorrect calculation of the number of sectors handled in RAID10 could
potentially lead to a kernel crash. A local, privileged user could use a
specially crafted block device to cause a denial of service.

* Use-after-free in EDAC Intel E752X driver.

Incorrect reference counting in the EDAC Intel E752X driver could lead to a
use-after-free and kernel crash. A local, privileged user could use this
flaw to cause a denial-of-service.

* CVE-2014-0038: Privilege escalation in X32 recvmmsg.

Missing pointer validation in the X32 ABI compatible version of the 
recvmmsg(2)
syscall allows users to write arbitrary data to arbitrary kernel memory. 
This allows
an unprivileged user to gain kernel code execution.

* NULL pointer dereference in USB Core driver when removing a hub.

Missing locking in the USB Core driver could lead to a NULL pointer
dereference and kernel oops when unbinding a USB driver. A local,
privileged user could use this flaw to cause a denial-of-service.

* Memory leak in MFD driver on driver removal.

Incorrect initialization of a register map in the MFD driver results in
memory being leaked after driver removal. A local, privileged user could
use this flaw to exhaust the memory on the system and cause a
denial-of-service.

* Memory corruption in ext4 filesystem when truncating small data file.

A missing cast in the ext4 filesystem code could result in memory or data
corruption if truncating an inline file. A local, unprivileged user could
use this flaw to cause a denial-of-service.

* Memory leak in ieee8015.4 driver error path when adding interface.

Incorrect reference counting in ieee8015.4 driver error path results in a
memory leak. A local, privileged user could use this flaw to exhaust memory
on the system and to cause a denial-of-service.

* NULL pointer dereference in the IPv4 forwarding code for small MTU.

Missing check in the IPv4 forwarding code could result in a NULL pointer
dereference when setting a small MTU on non-IP capable netdevices. A local,
privileged user could use this flaw to cause a denial-of-service.

* Memory leaks in TCP early demux.

Incorrect reference counting on a socket when using TCP early demux leads
to memory leaks. A local, unprivileged user could use this flaw to cause a
denial-of-service.

* Information leak in btrfs code when creating a snapshot.

Due to incorrect privilege checks in btrfs code, no restriction was
enforced on subvolumes snapshots. A local, unprivileged user could use this
flaw to have access to parts of the filesystem which were otherwise
protected by Unix permissions.

* CVE-2013-6885: Denial-of-service on AMD processors.

Under a highly specific and detailed set of internal timing conditions, a
locked instruction may trigger a timing sequence whereby the write to a
write combined memory type is not flushed, causing the locked instruction
to stall indefinitely. A local, unprivileged user could use this flaw to
cause a denial-of-service.

* Memory leak in SELinux when loading a policy.

A flaw in SELinux error path policy code loading leads to a memory leak. A
local, privileged user could use this flaw to cause a denial-of-service.

* Denial-of-service in memory-failure on transparent huge page split.

Incorrect locking in the memory-failure code could lead to a kernel crash
under specific conditions. A local, privileged user could use this flaw to
cause a denial-of-service.

* Use-after-free in NFSv4 client code when initializing a new client.

A logic error in the NFSv4 client code could lead to a use-after-free and
kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service.

* Kernel crash in device mapper for thin objects.

Incorrect initialization of device-mapper thinly provisioned storage
devices could cause accesses to invalid memory addresses resulting in
memory corruption or a kernel crash.

* Deadlock between high resolution timers and timekeeping subsystem.

Incorrect locking in the time management subsystem could lead to a
deadlock. An attacker could use this flaw to cause a denial-of-service.

* CVE-2014-1874: Denial-of-service in SELinux on empty security context.

Incorrect input validation in the SELinux subsystem could lead to a NULL
pointer dereference. A local, privileged user could use this flaw to cause
a denial-of-service.

* Deadlock in memory management subsystem when setting page_dirty bit.

Incorrect locking in the memory management could lead to a deadlock when
setting the dirty bit. An attacker could use this flaw to cause a
denial-of-service.

* Information leak in mac80211 when transferring fragmented packet.

A flaw in the mac80211 stack could result in leaking 8 bytes of plain text
in the air. An attacker, physically in the range of the WiFi network, could
use this flaw to obtain sensitive informations.

* Denial-of-service in ftrace subsystem when using function graph caller.

A race condition in the ftrace subsystem could lead to a kernel crash under
specific conditions. A local, privileged user could use this flaw to cause
a denial-of-service.

* NULL pointer dereference in MAX17040 fuel gauge driver on probing.

A missing check in the MAX17040 fuel gauge driver could result in a NULL
pointer dereference. A local, privileged user could use this flaw to cause
a denial-of-service.

* NULL pointer dereference in VIA Rhine driver when resetting the card.

A flaw in the VIA Rhine driver code could result in a NULL pointer
dereference when resetting the ethernet controller. A local, unprivileged
user could potentially use this flaw to cause a denial-of-service.

* Memory leak when reading parameters in BladeEngine 2 iSCSI driver.

Due to incorrect error handling in the be2iscsi driver, it is possible
to leak memory in error situations. In extreme situations, this could
force a reboot when all memory has been exhausted.

* Memory leak in BladeEngine 2 iSCSI driver when losing link.

In certain situations where there was outstanding IO while the link was
closed, the be2iscsi driver would not clean up SCSI commands properly,
leading to a memory leak.

* Memory leak of block orphan block reservation in btrfs.

Due to an error in the btrfs unmounting code, the data structures used
to reserve orphan blocks were not being freed.

* Kernel hang in btrfs COW extent relocation.

Due to incorrect error handling, a failure to allocate a COW extent could
lead to an infinite loop.

* Kernel crash in btrfs during compressed writes.

A race condition in the code handling compressed write buffering could
trigger an assertion failure in the writeback code.

* Use-after-free in btrfs during device replacement.

A race condition in the btrfs device replacement code could lead to a
use-after-free error and subsequent kernel crash.

* Data loss in btrfs during scrubbing.

If the system is suspended while btrfs is scrubbing a replacement device,
data corruption could go unnoticed, leading to data loss.

* Memory leak when failing to commit a btrfs transaction.

Due to insufficient error handling, it is possible to leak kernel memory 
when
failing to commit a btrfs transaction.

* Memory leak in btrfs during buffer replay.

Due to incorrect error handling, replaying a btrfs log buffer can trigger a
memory leak if an inode cannot be read.

* Invalid warning when mounting btrfs filesystems.

Incorrect reference counting can trigger a spurious warning when failing to
mount a btrfs filesystem.

* Memory leak in btrfs device replacement ioctl.

Due to incorrect error handling, requesting a device replacement on a
read-only btrfs filesystem would leak a small amount of kernel memory.

* Duplicate inode allocation in btrfs.

Due to an off-by-one programming error during file creation, an inode that
was already in use would be allocated for the new file. A malicious local
user could use this to prevent other users from creating new files.

* Buffer overflow during btrfs directory traversal.

Due to incorrect bounds checking in the btrfs directory item verification,
a specially crafted filesystem could cause buffer overflows. A malicious
user with mounting privileges could potentially use this to crash the
system.

* Kernel crash when sending incremental btrfs snapshots.

Due to a missing extent type check during extent traversal, the kernel
could try to read past the end of the extent. This could in certain
circumstances lead to a kernel crash.

* Kernel BUG in btrfs extent backrefs handling during defragmentation.

An invalid assumption in the btrfs extent backref handling code could
lead to a kernel crash in certain error situations.

* Potential data loss in multiple btrfs rename operations.

Under certain circumstances, rename a file twice on a btrfs filesystem would
fail to properly record the second rename operation, leading to 
potential data
loss.

* NULL pointer dereference during btrfs copy-on-write compression.

Invalid logic in the btrfs mount option parsing code could cause the
wrong compression type to be set. A malicious local user could use this
to cause a NULL pointer dereference by setting a file's compression type
by hand.

* Kernel oops during btrfs balance relocation.

Incorrect transaction use in the btrfs balance relocation code could
cause a root block to be reused and subsequently crash the kernel.

* Data corruption due to incorrect boundary check in btrfs.

An off-by-one error in the btrfs extent boundary check could lead to 
incorrect
data being returned when a read operation fails.

* Kernel crash in btrfs extent map merging.

Due to a logic error in the btrfs extent map merging code, the extent
map would end up with the wrong length, potentially causing data
corruption or kernel crashes.

* Deadlock in btrfs inode ref iteration.

In certain circumstances, iterating inode refs and running delayed inodes
at the same time could lead to a deadlock. A malicious local user could
use this to cause denial of service.

* Kernel BUG in btrfs during tree block relocation.

Due to incorrect error handling in the tree block relocation code, some
pending nodes were not updated when they should have been. This would
lead to an assertion failure.

* Kernel hang in btrfs subvolume handling when sending snapshots.

A logic error in the search path initialisation of btrfs snapshot sending
could cause the wrong locking scheme to be used, thus exposing a race
condition that could cause the kernel to hang.

* Integer overflow during btrfs defragmentation.

Use of the wrong data type in the btrfs defragmentation code meant that
certain integer variables could overflow, leading to kernel panic.

* Kernel crash due to race condition in btrfs backref walking.

Due to incorrect locking in the btrfs backref walking code, a race
between resolving indirect refs and root deletion could in certain
cases cause the kernel to access inconsistent data structures and
crash.

* Soft lockup in btrfs snapshot quota handling.

Due to long-running uninterruptible code when having many snapshots,
it was possible to cause a denial-of-service by triggering the kernel
soft lockup detection mechanism.

* Potential data loss during btrfs snapshot sending.

Due to incorrect logic in the btrfs slot search code, certain items
could be skipped when sending incremental btrfs snapshots.

* Data corruption when accessing btrfs compressed extents.

Due to incorrect data page initialisation, mixing compressed file extents
and prealloc extents could lead to random kernel data making it into the
data page. This could lead to data corruption and information leaks.

* Data corruption in btrfs clone ioctl.

An incorrect offset calculation in the btrfs clone ioctl could cause the
wrong data to be copied when cloning a subvolume.

* Kernel BUG when cloning btrfs volume with split extents.

A logic error in the way certain inline extents are cloned could trigger
an assertion failure and cause the kernel to crash.

* Kernel hang in OCFS2 during lock migration recovery.

Due to a logic error and a race condition in the OCFS2 filesystem, it is
possible for two nodes to be confused about who is the new master in a
recovery situation. This can cause the whole cluster to hang.

* Division by zero in Intel NVM Express block device driver.

An invalid assumption in SCSI/block device interface of the NVMe driver
about the maximum number of hardware sectors could lead to a division by
zero and a subsequent kernel crash.

* Double free during packet transmission in Emulex BladeEngine driver.

Due to incorrect error handling, the be2net driver could in certain
circumstances attempt to free the same socket buffers twice, potentially
crashing the kernel.

* Deadlock during packet transmission in Emulex BladeEngine driver.

A locking error in the be2net driver could in rare circumstances cause
a deadlock during packet transmission.

* CVE-2014-2580: Denial-of-service in Xen backend network driver.

Invalid locking in the Xen backend network driver can trigger a deadlock and
kernel panic when receiving malformed packets.

* Kernel crash in QLOGIC QLNIC network driver during LRO processing.

Due to off-by-one errors during LRO (large receive offload) processing
in the qlnic driver, the kernel could in very rare circumstances attempt
to read beyond the end of an array. This could lead to kernel crashes.

* Kernel BUG in OCFS2 extended attribute handling.

Due to a logic error, certain buffers were marked as new when in fact
they were reused old buffers. This can cause an assertion failure and
subsequent kernel crash. A malicious local user could use this to cause
denial of service.

* Soft lockup during control block allocation in QLogic QLA2XXX driver.

An incorrect loop termination check in the qla2xxx I/O control block
allocator could cause a soft lockup.

* Use-after-free when unregistering Hyper-V device.

When unregistering a Hyper-V device, a message containing the name of the
device would be printed to the kernel log. However, the name had already
been freed. Dereferencing this buffer could in rare causes cause the
kernel to crash.

* Use of uninitialised memory when reading from Hyper-V channel.

A missing error check could cause clients that are reading a packet from
a Hyper-V channel to succeeded, when in fact it did not. In case of error,
the client would be using the uninitialised buffer, potentially leading
to kernel crashes.

* Deadlock when disconnecting a Hyper-V virtual network device.

When disconnecting a Hyper-V virtual network device, the kernel might
attempt to stop the transmit queue while in interrupt context. This
would lead to a warning in the kernel log, or (at worst) a deadlock
and kernel hang.

* Kernel BUG when receiving packet in Hyper-V network device.

Due to missing initialisation, using virtual LANs with Hyper-V network
devices could trigger an assertion failure and cause the kernel to
crash.

* NULL pointer dereference in Hyper-V storage driver.

Due to a missing error check, failure to initialise a Hyper-V storage
device could cause a NULL pointer dereference when destroying the same
device.

* Memory corruption when starting Cisco VIC network device.

Due to a missing bounds check when starting an enic network device, it
was possible for a buffer to overflow when using very long device names.
This could lead to memory corruption and the kernel crashing.

* Kernel hang/crash in Cisco VIC network device when changing MTU.

Due to incorrect locking in the error paths of the MTU change code of
the enic driver, a lock would be held indefinitely, thus causing other
kernel threads trying to acquire the same lock to hang.

* Kernel hang during packet transmission in Cisco VIC network device.

Incorrect use of the kernel networking API in the enic driver could in
certain circumstances lead to kernel hangs. In particular, large packets
could cause the kernel to deadlock when calling certain functions that
are not safe to call in interrupt context.

* NULL pointer dereference when enabling Virtual eXtensible LAN (VXLAN) 
device.

A certain function was changed to have new calling conventions, but not
all of the callers were changed accordingly. This lead to the wrong
pointer being passed to the networking stack when transmitting frames
over a VXLAN device, thus crashing the kernel.

* CVE-2014-0049: Code execution in KVM mmio emulator.

A logic error in the KVM code could lead to out of bounds memory accesses,
resulting in a kernel crash or potentially allowing a local user to write
in the host memory. A local, privileged user could use this flaw to elevate
privileges and execute arbitrary code in kernel mode.

* CVE-2014-2309: Denial-of-service in ICMPv6 route code.

The ip6_route_add function does not properly count the addition of routes,
which allows remote attackers to cause a denial of service (memory
consumption) via a flood of ICMPv6 Router Advertisement packets.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.