[El-errata] New updates available via Ksplice (ELSA-2015-3098)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Sat Nov 14 02:01:33 PST 2015
Synopsis: ELSA-2015-3098 can now be patched using Ksplice
CVEs: CVE-2014-7822 CVE-2015-1420 CVE-2015-1805 CVE-2015-2041 CVE-2015-6937 CVE-2015-7990
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2015-3098.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
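A small check, added here as an example and not part of the advisory or of Ksplice itself, that reads the autoinstall setting the way a fleet inventory script might and reports whether a host still needs the manual uptrack-upgrade run. It assumes uptrack.conf consists of `key = value` lines with `#` comments; the sample configs are constructed, and the script only reports, it never runs uptrack-upgrade.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether a host covered by
# ELSA-2015-3098 still needs a manual Ksplice run. Assumes uptrack.conf is
# made of simple "key = value" lines (the advisory names only
# "autoinstall = yes") and that "#" starts a comment.

# Return 0 when the given config file enables autoinstall, 1 otherwise.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Strip comments, keep only "autoinstall = value" lines (whitespace
    # around "=" tolerated), drop trailing whitespace, last setting wins.
    value=$(sed -n -e 's/#.*//' \
                   -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*//p' "$conf" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
    [ "$value" = "yes" ]
}

# Print the action an operator has to take for this host. Reports only;
# it deliberately does not invoke uptrack-upgrade.
uptrack_required_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates install automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs for a stand-alone run (not real hosts).
demo_dir=$(mktemp -d)
printf '# autoinstall = yes\nautoinstall = no\n' > "$demo_dir/manual.conf"
printf 'autoinstall = yes   # set by provisioning\n' > "$demo_dir/auto.conf"
uptrack_required_action "$demo_dir/manual.conf"
uptrack_required_action "$demo_dir/auto.conf"
rm -rf "$demo_dir"
```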
DESCRIPTION
* Use-after-free when sending large frames via Hyper-V network driver.
The Hyper-V virtual network driver does not correctly handle errors when
sending large frames which allows a guest VM to trigger a use-after-free
condition and kernel panic in the host.
* Memory corruption in Multiple Device driver when destroying a device.
Incorrect locking in the Multiple Device driver when destroying a device
could lead to memory corruptions and kernel panic. A local, privileged
user could use this flaw to cause a denial-of-service.
* Kernel crash in SCSI devices during unplug.
Incorrect handling of non-operational links could result in accessing a
device when it should not be possible to do so. This could result in an
invalid pointer dereference and kernel crash.
* Use-after-free in CIFS page writing during intermittent network connectivity.
Incorrect error handling during loss of network connection could result
in a use-after-free when writing pages on a CIFS filesystem.
* Kernel panic in ServerEngines iSCSI BladeEngine 2 initialization failure.
An incorrect call to remove the device in the error handling path could
result in a kernel crash when a BladeEngine 2 device failed to
initialize.
* OCFS2 file corruption for files opened with O_APPEND.
The OCFS2 filesystem was incorrectly synchronizing files opened with
O_APPEND. This could result in data corruption under specific
conditions.
* CVE-2015-2041: Information leak in 802.2 LLC sysctl interface.
The 802.2 Link Layer type 2 subsystem uses an incorrect length when
returning data to userspace from the sysctl interface, allowing
userspace processes to disclose the contents of kernel memory.
* Information leak in /proc/PID/pagemap.
/proc/PID/pagemap includes the virtual-to-physical mappings and could be
accessed by a local, unprivileged user. This could be used in
conjunction with flaws such as Rowhammer to elevate privileges.
* Kernel hang in Realtek 8139 ethernet driver.
The Realtek 8139 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.
* Kernel hang in Realtek 8169 ethernet driver.
The Realtek 8169 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.
* Kernel hang in Intel PRO 10GbE ethernet driver.
The Intel PRO 10GbE ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.
* CVE-2014-7822: Incorrect parameter validation in splice() system call.
An incorrect parameter validation in the splice() system call could allow
a local, unprivileged user to use this flaw to write past the maximum
file size, and thus crash the system.
* Deadlock when sending IPv4 FIN packets.
The kernel IPv4 stack can deadlock causing a kernel panic when
transmitting IPv4 FIN packets under high memory pressure.
* Denial of service in btrfs IOC_CLONE ioctl.
Attempting to clone a zero-length region from one file to another on a
btrfs volume can trigger an infinite loop and kernel panic. A local
user could use this flaw to cause a denial of service.
* Data loss when mounting btrfs volume with the 'discard' option.
When mounting a btrfs volume with '-o discard' the btrfs driver can
possibly overwrite filesystem metadata causing data loss.
* Denial-of-service in Rados Block Device (RBD) driver on end I/O.
Incorrect logic in the RBD driver on end I/O could trigger a kernel
assertion and lead to a denial-of-service under certain conditions.
* Kernel hang in the ocfs2 driver when locking resources.
A race condition in the dlm_get_lock_resource() function in the ocfs2
driver could lead to a kernel hang on concurrent purge. A local attacker
could use this flaw to cause a denial-of-service.
* Memory leak and denial-of-service in the memory-failure subsystem.
A logic error in the memory-failure subsystem when handling a transparent
huge page could result in a memory leak and in a machine check error
that kills the application using the transparent huge page.
* Denial-of-service in userspace string handling.
An incorrect length check could result in accessing beyond a
validated buffer. A local, unprivileged user could use this flaw to
crash the kernel in specific conditions.
* CVE-2015-1420: Buffer overflow in name_to_handle_at() system call.
Due to a race condition in the name_to_handle_at() system call, it is
possible for userspace to change the length of the buffer read by the
kernel after it has been allocated. This could lead to a buffer
overflow. A local user with CAP_DAC_READ_SEARCH privileges could
potentially use this to cause denial of service or possibly escalate
their privileges.
* NULL pointer dereference when handling IPv4 errors.
A missing check for NULL could lead to a NULL pointer dereference when
handling IP errors when the network device is being removed. An attacker
could use this flaw to cause a denial-of-service.
* Kernel crash when attaching a new queue discipline in the network scheduler.
A flaw in the networking scheduler could lead to a use-after-free when
attaching a new queue discipline to a network device. A local, privileged
user could use this flaw to cause a denial-of-service.
* CVE-2015-1805: Memory corruption in handling of userspace pipe I/O vector.
Pipe I/O vector handling functions didn't handle failure of atomic accesses
correctly. This would allow a local unprivileged user to crash the system.
* Use-after-free in network bridging when changing ports.
Incorrect locking when adding or removing bridge ports can trigger a
use-after-free condition. A privileged user could use this flaw to gain
kernel code execution.
* Denial of service in networking packet fanout.
Incorrect locking in the networking subsystem can trigger a
divide-by-zero and kernel panic when a userspace process uses the
PACKET_FANOUT socket option.
* Denial of service when processing OOTB SCTP packets.
A race condition between processing 'out-of-the-blue' OOTB packets and
removing a SCTP route can trigger a NULL pointer dereference and kernel
panic. A remote attacker could use this flaw to trigger a denial of
service.
* NULL pointer dereference in USB XHCI endpoint creation.
Incorrect handling of cached rings during XHCI endpoint creation could
result in a NULL pointer dereference and kernel crash.
* Denial-of-service in BTRFS inode cache during deletion.
Missing locking during inode unpinning could result in memory
corruption. A local user with access to the BTRFS filesystem could use
this flaw to trigger a denial-of-service.
* Out-of-bounds memory access in IP over Infiniband protocol validation.
A logic error in the IP over Infiniband driver protocol version
validation could result in false positives and accessing beyond the end
of a structure, causing a kernel crash.
* Kernel crash during Infiniband port failover test.
Incorrect locking could result in a kernel crash during the Infiniband
port failover test.
* Kernel crash in Infiniband RDS packet reception.
Receiving incorrectly addressed RDS packets over an Infiniband
connection could result in a kernel crash and denial-of-service. A
remote user that could send RDS packets to the host could trigger a
denial-of-service.
* Denial of service when freeing Xen netback driver grants.
A logic error in the Xen netback driver can trigger an assertion failure
and kernel panic when freeing grants used in zerocopy transfers.
* Incorrect resource counting in Mellanox 10Gbit Ethernet.
Resource counters were not updated when freeing PCI-based virtual
function devices on a slave, leaving an incorrect count that only ever
decreased.
* Integer overflow on Intel VF driver MTU changes.
Large MTU values can overflow the MTU field. The overflow is not checked
and results in error messages.
* Unnecessary cap on the maximum amount of block device sectors.
A cap on the max amount of block sectors existed for historical reasons, but
is not needed anymore.
* Memory leak when receiving packet fragments in vmxnet3 network driver.
A fragment could be leaked if a new page had to be allocated to store the
data for the fragment.
* Incorrect error code reporting in HyperV network receive buffer initialization.
A failure to allocate memory during initialization could be reported as
success rather than as an error.
* Race condition in HyperV vmbus per-cpu function handling.
A process could migrate between CPUs where the code assumed it would not,
which can lead to various races.
* Race condition when unregistering a HyperV device.
A kernel crash may occur when unregistering a HyperV device due to a race
between vmbus device unregistration and vmbus offer handling.
* Memory leak in HyperV balloon device when allocating large memory blocks.
Incorrect handling of 2MB blocks can leak memory when an allocation
fails.
* Denial-of-service in OCFS2 file attributes.
Incorrect locking when setting a file attribute on an OCFS2 filesystem
could result in hitting a kernel assertion and crashing the system.
* Memory corruption when resolving symlink target.
A reference counting error when opening a symlink which crosses a
mountpoint can trigger a use-after-free condition and kernel panic.
* Kernel crash in ext4 during truncate and write race.
Incorrect locking could result in a kernel crash when threads raced
between writing a journaled page and truncation.
* NULL pointer dereference in firmware loading events.
Missing NULL pointer checks could result in a NULL pointer dereference
and kernel crash when loading firmware and sending an event to
userspace.
* Delayed inode freeing in directory cache.
A bug in the dcache code when using file handles could cause inodes to
remain on disk (taking up space) indefinitely after deletion. A
malicious local user could use this to fill up a filesystem.
* Use-after-free on IPC race condition.
When IPC_RMID races with other shm operations there is potential for
use-after-free of the shm object associated file.
* Denial-of-service in Reliable Datagram Socket transmission.
Sending a large number of datagrams over an RDS socket could result in
exceeding the send buffer and blocking the device. A local,
unprivileged user could use this flaw to trigger a denial-of-service
attack.
* CVE-2015-6937: NULL pointer dereference in RDS socket creation.
Failure to check for binding to a transport could result in a NULL
pointer dereference when creating an RDS socket. A local, unprivileged
user could use this flaw to crash the system.
* CVE-2015-7990: Race condition when sending a message on unbound RDS socket.
Incorrect locking when checking the state of a socket before sending a
message could lead to a NULL pointer dereference. A local, unprivileged
user could use this flaw to cause a denial-of-service.
* Kernel panic on team interface due to race condition in port removal.
When retrieving the port from a team interface, a NULL reference could be
returned due to a race condition between port removal and the socket
buffer transmit path, leading to a kernel panic.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.