[El-errata] New updates available via Ksplice (ELSA-2015-3012)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Fri Mar 20 10:11:19 PDT 2015
Synopsis: ELSA-2015-3012 can now be patched using Ksplice
CVEs: CVE-2013-7421 CVE-2014-3610 CVE-2014-5206 CVE-2014-5207 CVE-2014-7970 CVE-2014-7975 CVE-2014-8133 CVE-2014-8134 CVE-2014-9644 CVE-2015-2042
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2015-3012.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2014-8133: Information leak in thread area of 32-bit KVM guests.
The espfix implementation which prevents kernel information leaking to
unprivileged guests can be bypassed by creating a custom thread area. A
local unprivileged user could potentially use this flaw to leak stack
addresses.
* CVE-2014-8134: Information leak in 32-bit KVM guests.
A bug in the espfix handling code could result in leaking high bits of
the kernel stack pointer when returning to a userspace with a 16 bit
stack. A local unprivileged user could potentially use this flaw to
leak kernel stack addresses.
* CVE-2014-5206: Read-only mount permission bypass in containers.
A flaw in the mount syscall allows a user with CAP_SYS_ADMIN to remount a
read-only mount as read-write, potentially leading to privilege escalation.
* CVE-2014-7975: Denial-of-service in do_umount.
A missing capability check in do_umount allows unprivileged local users to
remount the root file system read-only, causing a denial-of-service (loss
of writability).
* CVE-2014-7970: Memory corruption when using pivot_root.
A flaw in the pivot_root syscall leads to a corruption of the mount tree
when calling with a directory outside a chroot. A local user could use this
flaw to cause a memory corruption and likely a denial-of-service.
* CVE-2014-3610: Denial-of-service in KVM host from the guest.
A KVM guest could write a non-canonical address to certain MSRs registers,
which the host KVM will write into its own MSRs registers, leading the host
kernel to panic. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2014-5207: Permission bypass in locked mount options in a container.
Various mount options weren't locked from within a container and could
allow a user in container with CAP_SYS_ADMIN to bypass intended
permissions, potentially leading to privilege escalation or container
escape.
* CVE-2013-7421, CVE-2014-9644: Arbitrary module loading by users in crypto API.
The kernel crypto API does not restrict which kernel modules can be
loaded automatically which allows users to load arbitrary kernel
modules. This allows an unprivileged user to increase the attack surface
of the kernel.
* CVE-2015-2042: Information leak in the Reliable Datagram Socket protocol.
A flaw in the handling of userspace tuning for the Reliable Datagram Socket
(RDS) protocol leads to an information leak when reading from the sysctl
files. A local, privileged user could use this flaw to gain knowledge about
the running kernel, potentially facilitating an attack.
* Data corruption on ext4 filesystem when discarding previously allocated blocks.
Incorrect clean up when discarding previously allocated blocks in the ext4
filesystem could lead to data corruption. An attacker could use this flaw
to cause a denial-of-service.
* Kernel panic in ext4 block free.
Improper error handling in the case of a block allocation failure
in ext4 could leads to a BUG_ON and kernel panic.
* Data corruption in btrfs checksums.
A race condition in btrfs could result in the same file extent
range having two versions of a checksum, causing data corruption.
* Denial-of-service in jbd2 on corrupt journal recovery.
When the jbd2 code encounters a corrupt journal block during
journal recovery, it falls into an infinite loop. An attacker
could potentially exploit this flaw to cause a denial-of-service.
* Kernel crash in NFSD startup.
Invalid error handling in the case of a memory allocation failure
during nfsd startup leads to improper accounting, which could cause
a kernel crash on a subsequent nfsd startup retry.
* Possible incorrect permissions in NFSv4 close with delegation.
The check in NFSv4 for read/write, read-only, or write-only share
mode is invalid in the presence of delegations. This could lead to close
being done with the wrong state flags.
* Use-after-free in AMD iommu mass device removal.
Incomplete cleanup during mass device remove in the AMD
iommu could result in a use-after-free.
* Data corruption in trace ring buffer during reads.
A race condition while reading a trace file could cause the
ring buffer iterator to get corrupted, leading to a kernel
panic.
* XFS page cache corruption with O_DIRECT operations.
XFS reads and writes with O_DIRECT can zero out partial ranges in a page in
a cache. This page can stay in the cache, causing normal, buffered reads to
read zeros instead of the actual content.
* Invalid recovery during RAID1 and RAID10 recoveries.
Invalid treatment of a write error during recovery in raid1
and raid10 drivers could result in some sectors not being correctly
recovered.
* Buffer overflows in USB serial probes.
A failure to verify ports and/or endpoints in the USB serial code
could lead to writing off the end of an array, causing heap and/or
stack overflows. A malicious user could exploit this to cause a
denial of service.
* Kernel crash in NFSv3 filesystem mounting.
Incorrect locking in NFSv3 mounting could result in a race condition
between kernel threads and causing a kernel panic.
* NULL pointer dereference in iSCSI target memory allocation failure.
Incorrect error handling on allocation failure when copying a parameter
list could result in a NULL pointer dereference and kernel crash.
* Memory corruption in iSCSI target logout handler.
A logic error in the logout handler could result in memory corruption
when a target was disconnected.
* Privilege escalation in iSCSI PDU sending.
Missing bounds checks could allow a user with privileges to send PDUs to
an iSCSI device to overflow a buffer and potentially escalate
privileges.
* Memory corruption during percpu allocation failures.
Incorrect cleanup during percpu allocation failures could result in
freeing incorrect pages leading to memory corruption and a kernel crash.
* rpcbind crash during lockd startup failure.
Under specific conditions rpcbind could crash the kernel if startup
failed.
* Ext2 filesystem corruption while getting XIP memory.
A bug in the ext2 code could result in an accounting error where ext2
thought 0 blocks had been allocated but 1 had really been allocated.
This could result in a loop whereby all blocks get allocated. A
malicious user could exploit this by causing a denial-of-service where
all ext2 blocks are exhausted.
* Use-after-free in perf subsystem on fork error path.
A flaw in the perf subsystem could lead to releasing a perf event on fork
failure while it is still in use, leading to a use-after-free and kernel
panic. A local attacker could use this flaw to cause a denial-of-service.
* Kernel BUG() in openvswitch driver when using multiple VLAN headers.
A flaw in the openvswitch driver on receive of a frame with multiple VLAN
headers leads to a kernel BUG(). A remote attacker could use this flaw to
cause a denial-of-service.
* NULL pointer dereference in LT2P stack when getting PMTU.
A race condition in the LT2P stack when getting PMTU over PPP could lead to
a NULL pointer dereference and kernel panic. A local attacker could use
this flaw to cause a denial-of-service.
* NULL pointer dereference in generic register map debugfs entries.
Under specific conditions some register maps may not have a Linux device
associated with them which could trigger a NULL pointer dereference when
creating debugfs entries for the register map.
* Privilege escalation in ServerEngines BladeEngine 2 iSCSI driver.
Missing validation of user supplied data could allow a local user with
permissions to access the iSCSI device to overflow a stack buffer and
potentially escalate privileges.
* Denial-of-service in ecryptfs extended attribute setting.
A missing NULL pointer check could result in a kernel crash when setting
an extended attribute on an ecryptfs filesystem. A local, unprivileged
user could use this flaw to trigger a denial-of-service.
* Memory leak in ipv4 unicast reply.
Improper error handling in the ipv4 code could lead to leaked memory
when an error occurs while sending a unicast reply. A malicious user
could use this to cause a denial of service.
* Denial of service in generic filesystem mounting.
The generic filesystem mounting implementation does not correctly
validate filesystem parameters leading to a division by zero and kernel
panic.
* Memory corruption in generic SELinux filesystem support.
The kernel SELinux subsystem does not correctly lock resources when
initializing SELinux for a filesystem leading to possible memory
corruption and a kernel panic.
* Kernel crash in ext4 with extended attributes.
A missing check for an extended attribute entry's value offset
could cause a kernel crash. A malicious user could use this to
cause a denial-of-service by mounting a filesystem with a custom
crafted extended attribute.
* NULL pointer dereference in Ext4 new inode creation.
Improper error handling in ext4 during the creation of a new inode
could lead to a NULL pointer dereference and kernel panic.
* Divide-by-zero with UART baud rate setting.
The serial driver did not deal correctly in some scenarios
with setting the baud rate to 38400. This caused an invalid
baud rate to be returned and a kernel WARNING.
* NFSD4 kernel crash on invalid operation number.
Invalid handling of an invalid operation number in the nfsd4 code
could lead to a kernel crash. A malicious user could exploit this to
cause a denial-of-service.
* Stack information leak in POSIX timers creation.
A failure to properly initialize posix timers could lead
to kernel stack information being leaked to userspace.
* Invalid free in BTRFS lookup code.
In the case of an error during btrfs lookup, the wrong list
was being freed, leading to memory leak and possible use-after-free.
A malicious user could exploit this to cause a denial-of-service.
* Memory leak in SCTP authentication key management.
Incorrect reference counting when setting the SCTP_AUTH_KEY socket option
on an SCTP socket leads to a memory leak of sensitive keying materials.
A local, unprivileged user could use this flaw to exhaust the memory on the
system and cause a denial-of-service. An attacker with memory read access
could also later gain sensitive information about the keys.
* Kernel panic in libceph AES encryption engine on large authentication packets.
A flaw in the libceph AES encryption engine leads to a kernel panic on
large authentication packets. An attacker could use this flaw to cause a
denial-of-service.
* Use-after-free in IEEE80211 stack when defragmenting a packet.
A flaw in the IEEE80211 stack upon receiving a fragmented packet leads to a
use-after-free and kernel panic when updating the network statistics. An
attacker could use this flaw to cause a denial-of-service.
* Information leak in Firewire stack when doing an ioctl.
A uninitialized variable on the stack could be leaked to userspace when
doing an ioctl() on a Firewire char device. An attacker could use this flaw
to gain knowledge about the running kernel in order to facilitate an
attack.
* Memory leak in NFS stack when releasing a direct request.
The routine to release a direct request in the NFS stack was lacking to
release an internal cinfo structure, leading to a memory leak. A local user
could use this flaw to exhaust the memory on the system and cause a
denial-of-service.
* Memory leak in netfilter stack when sending a packet on the netlink socket.
In case of error when appending a DONE message to a netfilter netlink
socket buffer, the socket buffer is never released, causing a memory leak
and blocking further communication on the netlink socket. A local,
privileged user could use this flaw to cause a denial-of-service.
* Kernel crash in macvtap packet reception.
Macvtap could cause host lockups when virtual guests using a macvtap
interface is present.
* Out of bounds memory access in Dell WMI hotkeys driver.
A flaw in the Dell WMI driver leads when notifying of a hot key event could
lead to dereferencing memory above the boundaries of a dynamically
allocated array, potentially causing a kernel panic and/or leaking
information about the running kernel. A local user could use this flaw to
cause a denial-of-service or obtain sensitive information about the
allocator.
* Information leak in point-to-point tunneling protocol.
A lack of on-stack structure initialization in the ppptp_getname() function
leads to leaking 16 bytes of kernel stack to userspace when using
getsockname(). This information could be used to facilitate an attack on
the running kernel.
* Memory leak when unbinding Electronic System Design CAN-USB driver.
Private structures used by the Electronic System Design (ESD) CAN-USB
driver are not properly released when un-binding the driver. A local,
privileged user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.
* Kernel crash Target Core Mod when sending zero-length command.
A missing check to validate that a command contains data could lead to a
kernel crash depending on the transport driver. A local attacker could use
this flaw to cause a denial-of-service.
* Memory corruption in Realtek 2x00 WiFi driver when re-transmitting a frame.
A logic error in the Realtek 2x00 WiFi driver consumes 4 bytes of a socket
buffer at each retransmission, leading to a kernel panic. A remote attacker
could potentially use this flaw to cause a denial-of-service.
* Memory corruption in QLogic NetXtreme II FCoE driver.
A logic error in the BNX2FC driver leads to an early removal of a shared
socket buffer, and corruptions of the other references. An attacker could
use this flaw to cause a denial-of-service.
* Filesystem corruption during block bitmap verification in Ext4 filesystem.
If a filesystem is mounted with the 'errors=continue' option, the code
responsible for doing block bitmap verification will happily accept a
corrupted bitmap. The block allocator may subsequently use the corrupt
bitmap to reuse blocks covered by the bitmap, corrupting the data in
those blocks.
* Kernel crash in OCFS2 during master query.
A race condition in the OCFS2 distributed lock manager could result in
an inconsistent state where different nodes believed they were the
master. This could trigger an assertion and crash the system.
* Deadlock in OCFS2 distributed lock manager during lock mode conversion.
In a multi node cluster where two nodes want to convert lock levels, a
timeout could result in failure to progress. This would result in
deadlock on one of the nodes.
* Memory leak in Xen block backend driver on grant map error.
A failure to correctly handle failures during grant mapping can
lead to a memory leak. A malicious user could use this to cause
a denial of service.
* Multiple use-after-free in HyperV network driver when transmitting.
Multiple flaws in the HyperV network driver could lead to a use-after-free
and kernel panic. A local user could use this flaw to cause a
denial-of-service.
* Data corruption during Hyper-V NetVSC packet send.
An improperly calculated data length in the Hyper-V netvsc send
code could lead to a buffer overrun and subsequent data corruption.
* Divide by zero when reading sched procfs file.
A 64 bits type is truncated to 32 bits after having been tested for
non-zero, which could still leave the resulting 32 bits type as zero and
cause a divide-by-zero in-kernel when reading /proc/<pid>/sched procfs
file. A local, unprivileged user could use this flaw to cause a
denial-of-service.
* Kernel panic when flushing SFF ATA devices.
Incorrect locking when flushing Small Form Factor ATA devices can
trigger a BUG_ON and kernel panic.
* Kernel crash in Infiniband Sockets Direct Protocol packet reception.
Incorrect locking could result in dereferencing a NULL pointer during
packet reception and causing a kernel crash.
* Buffer overflow in raw packet socket receive function.
Lack of bounds checking when receiving a packet in the raw packet driver
could lead to a buffer overflow and overwrite of kernel memory. A remote
attacker could use this flaw to cause a denial-of-service or potentially
escalate privileges.
* Kernel crash during balance failure in btrfs backref building.
Missing error handling in the btrfs backref code could result in hitting
a kernel assertion for a recoverable error. A maliciously crafted
filesystem could crash the host when mounting the filesystem.
* Memory leak in ServerEngines iSCSI driver on unload.
The ServerEngines iSCSI driver was missing to release DMA memory allocated
in the unload path of the module.
* List corruption in fuse filesystem driver.
A flaw in the fuse filesystem driver could lead to a race condition causing
a list corruption and potentially a kernel panic. A local, unprivileged
user could use this flaw to cause a denial-of-service.
* Memory corruption in HP Smart Array SCSI driver when using DMA.
A logic error in the function initializing the DMA chains leads to an
off-by-one error when calculating the size of the chain, potentially
causing a memory corruption.
* NULL pointer dereference in HyperV network driver.
A logic error in the HyperV network driver could lead to a NULL pointer
dereference when adding a network device on low memory conditions. An
attacker could use this flaw to cause a denial-of-service.
* Stack corruption in Xen PCI driver when adding a PCI device.
A flaw in the Xen PCI driver leads to stack corruption when adding a Xen
PCI device. An attacker could use this flaw to cause a denial-of-service.
* Denial-of-service in Xen bus driver on string truncation.
The Xen bus driver was incorrectly using BUG_ON() on string truncation
instead of printing an error to the kernel log. An attacker could use this
flaw to cause a denial-of-service.
* Use-after-free in Xen driver when translating guest pages to memory frames.
A logic error when releasing a page to memory tree node in the Xen driver
leads to a use-after-free and potentially a kernel panic. An attacker
could use this flaw to cause a denial-of-service.
* Memory leak in Xen driver when handling page to memory frame.
A race condition in the Xen driver when deciding if it should allocate a
new page to memory tree node could lead to a memory leak if such a node was
allocated concurrently, leading to a memory leak.
* Use-after-free in ACPI CPU Frequency driver on unloading.
The ACPI CPU Frequency driver was not properly returning an error in its
module initialization routine, leading to unregistering of never registered
structures, potentially causing use-after-free. A local, privileged user
could use this flaw to cause a denial-of-service.
* Use-after-free in the Reliable Datagram Sockets protocol driver.
The Reliable Datagram Sockets protocol driver was not cancelling a deferred
work when removing a device, potentially leading to use-after-free when the
deferred work accesses released resources. A local, privileged user could
use this flaw to cause a denial-of-service.
* Integer overflow in netfilter userspace logging with large payloads.
A flaw in the netlink code when sending large payloads to userspace could
lead to an integer overflow and data corruption.
* NULL pointer dereference in the NFS driver when setting ACL on a file.
A missing check for NULL when setting a file ACL could lead to a NULL
pointer dereference and kernel panic. A local, unprivileged user could use
this flaw to cause a denial-of-service.
* NULL pointer dereference in SunRPC driver on concurrent connect/close.
A race condition in the SunRPC driver could lead to a NULL pointer
dereference on concurrent connect()/close() on the same socket. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* Denial-of-service on KVM writes to shared MSRs from the guest.
The KVM code was not protected against a page fault when writing invalid
data to shared MSRs, leading to a kernel panic. A privileged user within a
KVM guest could use this flaw to cause a denial-of-service in the host KVM.
* Memory leak in Multiple Devices (RAID/LVM) driver when reshaping a RAID10.
A flaw in the RAID10 driver could lead to a memory leak under certain
condition. A local, privileged user could use this flaw to cause a
denial-of-service by exhausting the memory.
* NULL pointer dereferences in Register Map API when reading or writing.
A missing check for NULL before doing a string comparison could lead to a
NULL pointer dereference. An attacker could use this flaw to cause a
denial-of-service.
* Ext4 filesystem corruption during suspend/resume cycles.
Missing locking could result in filesystem corruption during heavy
filesystem accesses and a suspend/resume cycle.
* Denial-of-service in Intel X(L)710 Virtual Functions driver.
A lack of proper releases of resources in the Intel X(L)710 Virtual
Functions driver when the physical driver was removed leads to a kernel
panic. A local, privileged user could use this flaw to cause a
denial-of-service.
* NULL pointer dereferences in Intel X(L)710 Ethernet driver when updating link.
A missing check for NULL when updating some link information in the Intel
X(L)710 Ethernet driver could lead to NULL pointer dereferences. A local,
privileged user could use this flaw to cause a denial-of-service.
* Use-after-free in Intel X(L)710 Ethernet driver on driver removal.
A logic error in the Intel X(L)710 Ethernet driver on removal was leaving
some dangling pointers behind, potentially causing a use-after-free. A
local, privileged user could use this flaw to cause a denial-of-service.
* Information leak in Intel X(L)710 Ethernet driver from virtual devices.
The Intel X(L)710 Ethernet driver did not prevent virtual devices to set
their virtual ethernet device to promiscuous mode, allowing them to snoop
on traffic of other virtual devices.
* Memory leak in Intel X(L)710 Ethernet driver on driver removal.
The Intel X(L)710 Ethernet driver was not releasing queue vectors on driver
removal or device reset, leading to memory leaks. A local, privileged user
could use this flaw to cause a denial-of-service by exhausting the memory
on the system.
* Denial-of-service in guest OS when removing Intel X(L)710 Ethernet driver.
A race condition in the Intel X(L)710 Ethernet driver when removing a
driver while the device is in reset could trigger a panic in a guest OS
under certain conditions. A local, privileged user could use this flaw to
panic a guest OS running on the same host.
* Out of bounds memory read in Intel X(L)710 Ethernet driver when printing debug output.
A logic error in the Intel X(L)710 Ethernet driver lead to printing memory
after an allocated buffer, either leaking kernel memory to userspace or
potentially crashing on the invalid read. A local, privileged attacker
could use this flaw to cause a denial-of-service or gain sensitive
information about the running kernel.
* Data corruption in XFS when extending EOF.
Invalid dirty buffer handling in XFS could result in data
corruption when one process extends the EOF while another
process attempts to write via direct I/O to the same file.
A malicious user could use this to cause a denial-of-service.
* Denial-of-service in XFS directory lookup.
The XFS file-system driver incorrectly hashes directory entries when listing a
directory causing directory entries to be hidden. An local unprivileged user
can use this flaw to force the file-system to be remounted read-only.
* Kernel panic in NVM Express PCI device driver.
The NVM Express PCI device driver does not correctly cancelling pending
IO operations when an error occurs which can lead to memory corruption
and a kernel panic.
* Kernel panic in XFS filesystem when splitting and merging nodes.
A logic error when calculating a hash node entry size could lead to
directory buffer overruns when splitting and merging nodes. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* Kernel BUG() in Cisco Ethernet driver on concurrent soft IRQs.
The Cisco Ethernet driver was not properly disabling interrupts when
holding a lock, potentially leading to a Kernel BUG() if a soft IRQ was
triggered while the lock was held. An attacker could use this flaw to
cause a denial-of-service.
* Use-after-free in Cisco Ethernet driver on receive error.
The Cisco Ethernet driver did not reset a pointer to NULL on receive error,
leading to a use-after-free. An attacker could use this flaw to cause a
denial-of-service.
* Memory leak in Cisco Ethernet driver when queues allocation fail.
The already allocated queues were not being freed in the Cisco Ethernet
driver in the error path of the enic_open() function. A local, privileged
user could use this flaw to exhaust the memory on the system and cause a
denial-of-service.
* Multiple NULL pointers dereference in Emulex LightPulse SCSI driver.
Various pointers were being dereferenced without first checking for NULL,
potentially leading to a kernel crash. A local attacker could use this
flaw to cause a denial-of-service.
* Revert "Memory corruption in generic SELinux filesystem support."
This reverts commit a316b479577c78f14b40d93fdf0d5612bacc8f0e.
There's an update touching security/selinux/hooks.c which was reverted on
some customers machines and not on others, so we can't patch it anymore as
it leads to fail-to-find run-pre errors.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata
mailing list