[El-errata] New updates available via Ksplice (ELSA-2015-3064)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Jul 31 12:23:06 PDT 2015


Synopsis: ELSA-2015-3064 can now be patched using Ksplice
CVEs: CVE-2014-6416 CVE-2014-6417 CVE-2014-6418 CVE-2014-8086 CVE-2014-8989 CVE-2014-9731

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2015-3064.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 7 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
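As an added example (not part of the Oracle announcement or the Ksplice tooling), a small POSIX shell helper that applies the two-step procedure above across a fleet: it reads the `autoinstall` setting and only runs the manual `uptrack-upgrade -y` step when autoinstall is off. It assumes /etc/uptrack/uptrack.conf is a plain "key = value" file with `#` comments; the announcement only shows the `autoinstall = yes` line, so that format and the dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle/Ksplice code. Decides whether this host still
# needs a manual "uptrack-upgrade -y" for ELSA-2015-3064 by checking the
# "autoinstall = yes" setting described in the announcement.
# Assumption: uptrack.conf is a "key = value" file with '#' comment lines.

# Return 0 if the config enables autoinstall, 1 otherwise (missing or
# unreadable file counts as "not enabled"). Comment lines are ignored,
# whitespace around '=' is tolerated and the value is compared
# case-insensitively; the last matching line wins (assumption).
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    value=$(sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" | tail -n 1)
    case "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# "auto": Uptrack installs the updates itself; "manual": an operator (or
# this script) must run /usr/sbin/uptrack-upgrade -y.
ksplice_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo auto
    else
        echo manual
    fi
}

# Run the manual step only when needed. DRY_RUN=1 (the default) just
# reports; set DRY_RUN=0 on a real host to actually invoke uptrack-upgrade.
apply_if_needed() {
    if [ "$(ksplice_action "$1")" = manual ]; then
        echo "autoinstall off: running /usr/sbin/uptrack-upgrade -y"
        [ "${DRY_RUN:-1}" = 1 ] || /usr/sbin/uptrack-upgrade -y
    else
        echo "autoinstall on: Uptrack will install ELSA-2015-3064 itself"
    fi
}

# Constructed sample configs so the script runs stand-alone; on a real
# host call apply_if_needed with no argument to use /etc/uptrack/uptrack.conf.
tmp=$(mktemp -d)
printf '# sample config\nautoinstall = yes\n' > "$tmp/on.conf"
printf 'autoinstall = no\n# autoinstall = yes\n' > "$tmp/off.conf"
apply_if_needed "$tmp/on.conf"
apply_if_needed "$tmp/off.conf"
rm -rf "$tmp"
```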


DESCRIPTION

* Kernel hang on UDP flood with wrong checksums.

A flaw in the UDP handling of wrong checksums could lead to a kernel hang
under a UDP flood attack.  A remote attacker could use this flaw to cause a
denial-of-service.


* Data loss in frontswap page invalidation.

If the kernel frontswap subsystem fails to store a newer version of a
swap page then data corruption can occur leading to data loss.


* Denial of service in Xen netfront fragment processing.

An incorrect assertion in the Xen netfront network driver can trigger a
kernel panic (BUG_ON) in the guest when processing fragmented packets
which cross page boundaries.


* Kernel panic in transmission of tunnelled SCTP packets.

The kernel SCTP stack does not correctly allocate memory for SCTP
packets which are sent via a tunnel which can trigger an assertion and
kernel panic.


* Denial-of-service in ext2 when writing quota.

A flaw in ext2 quota management could lead to the use of uninitialized memory. A
local, privileged user could use this to cause a denial-of-service.


* Data corruption in RAID on concurrent writes during unplug.

Lack of synchronization in bitmap_unplug() could lead to data corruption
under certain circumstances.


* Use-after-free in NFSv4 when getting a layout header.

Incorrect reference counting in the NFSv4 when releasing a layout could
cause a use-after-free and kernel panic.  An attacker could use this flaw
to cause a denial-of-service.


* Memory corruption when loading a stale AES key.

A lack of key unregistering when the key size check fails leaves a stale
key in the keys list, causing a memory leak and a kernel panic when
registering a new key.  A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when using force umount() from a namespace.

A force unmount() affects the underlying superblock and not just the mount
namespace so it should be restricted to the global root user.  A privileged
user in a user namespace could force the shutdown of a superblock in a more
privileged mount namespace, leading to a denial-of-service.


* Use-after-free in cryptographic algorithms when handling backlogged requests.

A logic error in the cryptographic algorithms driver could lead to an early
return to userspace while a request is still pending.  A local attacker
could use this flaw by closing its sockets, causing the pending requests to
use freed memory, leading to a use-after-free and kernel panic.


* Memory leak of process namespace on child_reaper concurrent exit.

Incorrect reference counting in the pid namespace code could prevent a
namespace from being released, causing a memory leak.  A local user could
use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Data corruption in Btrfs when un-pinning from the extent cache.

A logic error in the Btrfs driver when un-pinning from the extent cache
causes some checksums not to be re-written on disk, leading to data
corruption under certain circumstances.


* Btrfs filesystem corruption on aborted transactions.

Filesystem corruption may occur when a certain order of transactions
occurs and the underlying device supports discarded transactions.


* Buffer overflow in HID device initialisation.

A missing check may allow a buffer overflow inside the kernel that can
occur when a HID device is inside of an IRQ callback.


* Memory corruption when expanding hard drive partition table.

A missing overflow check may allow a user to read and possibly write
data past the end of a kernel memory buffer causing memory corruption.


* Kernel BUG when using uncore event collection.

During event collection, a missing check may allow uncore to access
foreign events that can cause the kernel to crash.


* TCP segmentation offload transmission queue overflow.

In certain instances, existing queued packets may look to be unacknowledged
and may not be removed from the transmission queue possibly causing a
denial of service.


* Kernel panic in NFSv4 client state recovery.

Attempting state recovery on a partially initialised NFSv4 client can
trigger memory corruption and a kernel panic.


* Resource leak in GPIO during sysfs accesses.

Multiple call sites in the GPIO sysfs handling code failed to put
resources on exit.  This could result in failure to remove devices and
memory leaks.


* CVE-2014-8086: Denial-of-service on ext4 filesystem.

A race condition in the ext4 filesystem when concurrently writing to a file
and changing its status flags to O_DIRECT could lead to a kernel BUG(). A
local attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference during hotplug CPU offline.

A race condition when hotplugging a CPU could result in failure to
initialize a percpu thread, causing a NULL pointer dereference when the
CPU was later offlined.


* Information leak when reading IPv4 and IPv6 error queue.

The error queue mechanism (MSG_ERRQUEUE) in IPv4 and IPv6 sockets does
not correctly initialise kernel data-structures which causes the
contents of kernel memory to be leaked to userspace.


* Kernel panic when receiving compressed PPP data.

The kernel Point-to-Point networking implementation does not correctly
handle decompressing large PPP packets which can trigger an assertion
failure and kernel panic.


* Denial of service when decoding NFSv4.1 sequence operations.

The kernel NFSv4.1 client tries to free invalid memory when decoding NFS
sequence operations which can trigger a kernel panic. This flaw can be
triggered by remote users.


* Security bypass in kernel pseudo terminal subsystem.

The kernel pseudo-terminal (PTY) subsystem does not enforce restrictions
on which users can signal processes, which allows local unprivileged
users to send arbitrary signals to privileged processes.


* Memory corruption when mounting malformed JFFS2 disk images.

The kernel JFFS2 filesystem driver does not validate the eraseblock, which
can trigger an assertion and kernel panic.


* Use-after-free in the extended matches network classifier.

A logic error in the extended matches (ematch) network classifier could
lead to a use-after-free and kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in the Team driver on concurrent device un-registering.

A race condition in the network Team driver could lead to NULL pointer
dereference on concurrent network device un-registering.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Denial-of-service when reading physical memory from user-space.

The routine generic_phys_access(), used by the /dev/mem and userspace IO
drivers, was only re-mapping one page of IO memory when the request could
span a bigger range, causing out of bounds memory accesses and kernel
panic.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Data loss in BTRFS file synchronization.

A race during synchronizing files with the filesystem could result in
data loss under specific conditions.


* Denial-of-service in btrfs when reading extended ref.

Improper pointer arithmetic when calculating the address of the extended
ref could lead to an out of bounds memory read and kernel panic.  A local
attacker could use this flaw to cause a denial-of-service.


* Information leak in the USB stack when sending signals to userspace.

A lack of clearing a struct siginfo sent to user-space leads to leaking
kernel stack content to userspace.  A local, unprivileged user could use
this flaw to gain information about the running kernel, facilitating an
attack.


* Use-after-free in USB serial stack on failure to probe a device.

A logic error in the USB serial stack could lead to a use-after-free and
kernel panic on failure to probe a device.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Use-after-free on removing from debugfs on concurrent symlink traversal.

A race condition in the debugfs filesystem could lead to a use-after-free
when removing inodes from debugfs concurrently with traversing symlinks.  A
local, privileged user could use this flaw to cause a denial-of-service.


* Kernel panic when probing iSCSI BladeEngine devices.

An invalid DMA configuration can trigger an assertion and kernel panic
when probing an iSCSI BladeEngine device.


* Use-after-free in the Multiple devices driver when taking a reference count.

Incorrect locking in the Multiple devices driver (RAID and LVM) could lead
to a use-after-free.  A local, privileged user could use this flaw to cause
a denial-of-service.


* Use-after-free in the Multiple devices driver when taking a snapshot.

An internal structure of the Multiple devices (RAID and LVM) driver was
being accessed after it was released.  An attacker could use this flaw to
cause a denial-of-service.


* Kernel crash in IPv4 socket monitoring interface.

Incorrect allocation could result in a heap overflow and subsequent
kernel crash when receiving diagnostics for an IPv4 socket.


* Kernel crash in SAS driver during expander discovery.

Incorrect handling of expander device discovery could result in a NULL
pointer dereference and kernel crash.


* Resource leak in IP virtual server backup sync protocol.

Missing resource freeing could result in a memory leak and failure to
remove an IP virtual server instance.


* Kernel crash in IP Virtual Server support when re-routing to local clients.

A logic error in the IP Virtual Server support could lead to a kernel crash
when re-routing packets to clients on the local network.  An attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service in pSCSI backend.

A missing NULL pointer check could result in a denial-of-service,
triggerable by a local, unprivileged user for incomplete configurations.


* CVE-2014-6416, CVE-2014-6417, CVE-2014-6418: Buffer overflow in libceph authorization.

An invalid hard-coded buffer size could lead to buffer overflows
and kernel panics during ticket authorization.


* CVE-2014-8989: Group based restrictions bypass in user namespace.

A flaw in the user namespace subsystem could lead to a potential Unix group
privilege escalation when un-sharing parts of a process execution context.
An attacker could use this flaw to gain extra Unix group privileges on a
system.


* Deadlock in NFS when performing direct IO to regular file.

Direct IO is only supported on NFS mounts when writing to a swapfile. An
attempt to perform direct IO on a regular file will trigger a deadlock
and kernel panic.


* Use-after-free when receiving IPv4 and IPv6 ICMP echo replies.

The kernel IPv4 and IPv6 subsystems incorrectly free memory when
receiving ICMP echo replies which can trigger a use-after-free condition
and kernel panic.


* Use-after-free in USB Host Controller Device driver.

Incorrect memory management in the USB Host Controller Driver (HCD) can
trigger a use-after-free condition and kernel panic.


* Memory leak when adding a vlan device to a shut down interface.

A lack of un-registering stacked devices in the error path of rtnl_newlink()
leads to a memory leak.  A local, privileged user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* Multiple data losses on TCM Storage Engine.

Lack of input validation and range checks in the TCM Storage Engine (Target
Core) driver could lead to data loss or data corruption under certain
circumstances.


* Use-after-free when disconnecting CephFS client.

A race condition when closing a connection to a CephFS service can
trigger a use-after-free condition and kernel panic.


* Memory leak in CephFS Object Storage Daemon client.

The Ceph filesystem does not release memory when a read or write operation to an
Object Storage Daemon fails, causing a kernel memory leak.


* NULL pointer dereference in RAM persistent store filesystem.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when reading the RAM oops store.


* Kernel crash when mounting corrupted OCFS2 filesystem.

Incorrect handling of reservation maps for a corrupted filesystem could
result in hitting a kernel assertion and crashing the system.


* Use-after-free in OCFS2 access control lists.

Missing locking could result in a use-after-free condition when setting
an access control list on a file on an OCFS2 filesystem.


* Out-of-bounds memory access in Intel XL710 driver.

Missing range checks in the Intel XL710 driver could result in
out-of-bounds memory accesses leading to a kernel crash.


* Use-after-free in Intel XL710 Ethernet driver on device shutdown.

Incorrect ordering when freeing virtual functions in the XL710 device
could result in a use-after-free and kernel crash.


* NULL pointer dereference in Intel XL710 ethtool operations.

A missing NULL pointer check could result in a kernel crash when getting
the receive flow hash indirection through ethtool.


* Memory leak in Intel XL710 debug command write.

Missing memory frees could result in a memory leak when the driver
failed to copy a command from debugfs.


* NULL pointer dereference in Intel XL710 admin queues.

A missing NULL pointer check could result in a kernel crash when
configuring the device for a UDP tunnel.


* Use-after-free in Intel XL710 driver during shutdown.

Incorrect sequencing of shutdown could result in freeing rings and
buffers before the device had finished operating on them leading to a
kernel panic.


* Memory leak in HyperV virtual storage driver.

The HyperV virtual storage driver does not correctly unmap memory when
handling I/O commands from a guest causing a kernel memory leak in the
host.


* Kernel crash in DTrace process info calculation.

Use of incorrect accessors for reading strings from user-space could
result in a kernel crash when reading process info.


* Denial-of-service in /proc/sgi_uv/ptc_statistics on SGI Ultraviolet.

Missing error handling in the read handler for
/proc/sgi_uv/ptc_statistics could result in a NULL pointer dereference
and kernel crash triggerable by an unprivileged local user.


* Out-of-bounds access in Intel XL710 virtual functions.

A missing range check could result in an out-of-bounds access when using
a virtual function in the XL710 driver.


* Privilege escalation in user namespace destruction.

Destroying nested user namespaces could result in a stack overflow under
specific conditions.  A local user could use this flaw to create nested
user namespaces and crash the system or potentially escalate privileges.


* Kernel crash in kernel keyring with big keys.

Missing initialization of key fields could result in dereferencing an
invalid pointer and a kernel crash under specific conditions.


* NULL pointer dereference in Cisco FNIC command queuing.

Incorrect locking could result in a NULL pointer dereference if the
device finished processing the command before submission was completed.


* NULL pointer dereference in NVMe driver with synchronous commands.

Incorrect handling of timeouts and signals in the NVMe core could result
in memory corruption when commands finished early.


* Memory corruption in Adaptec AACRAID thread creation.

A format string vulnerability in the AACRAID driver could result in
memory corruption or an information leak with a malicious device name.


* NULL pointer dereference in QLogic ISP4XXX firmware initialization.

A missing NULL pointer check could result in a kernel crash when
initializing an ISP4XXX device under low memory conditions.


* NFS hang on OCFS2 cluster during unlock race.

A race condition in the OCFS2 and DLM interaction could result in NFS
accesses hanging under rare conditions.


* Multiple information leaks in QLogic ISP4XXX driver.

Incorrect handling of NULL-terminated strings could result in leaking
the contents of kernel memory to userspace under specific conditions.


* Kernel crash in Emulex LightPulse port removal.

A logic error in driver teardown could result in a use-after-free and a
subsequent kernel crash.


* Kernel crash in VMWare Machine Communication Interface.

Missing validation of user data could result in accessing beyond the
bounds of a buffer and crashing the kernel when sending datagrams over
the VMCI device.


* Integer overflow in VMWare Virtual Machine Communication Interface.

An integer overflow from untrusted user input could allow a local
attacker with access to the VMCI device to cause a denial-of-service or
potentially escalate privileges.


* CVE-2014-9731: Information leak in UDF filesystem symlinks.

Missing validation of symlinks could allow a local attacker with a
maliciously crafted filesystem to leak the contents of kernel memory to
user-space.


* Memory leak in netlink routing interface.

The kernel netlink routing interface does not correctly release
resources when a permissions error is encountered leading to memory
exhaustion.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
