[El-errata] New updates available via Ksplice (ELBA-2016-3548)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Sat Apr 30 00:40:44 PDT 2016


Synopsis: ELBA-2016-3548 can now be patched using Ksplice

CVEs: CVE-2015-7550 CVE-2015-7837 CVE-2015-8374 CVE-2015-8543 CVE-2015-8569
CVE-2015-8575 CVE-2015-8812 CVE-2016-2383 CVE-2016-2384

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle kernel update, ELBA-2016-3548.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
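As an added example (not part of the Oracle announcement), the script below implements the two checks an administrator would make around this procedure: whether `autoinstall = yes` is actually in effect in /etc/uptrack/uptrack.conf (ignoring comments, whitespace and letter case), and which of the CVEs listed in the advisory are still absent from the installed updates reported by `uptrack-show`. The output format of `uptrack-show` is assumed; the config file and update listing used here are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumes uptrack.conf uses the
# "autoinstall = yes" key quoted in the announcement and that uptrack-show
# prints installed updates one per line with the CVE id in the line.

# CVE list copied from the ELBA-2016-3548 announcement.
ADVISORY_CVES="CVE-2015-7550 CVE-2015-7837 CVE-2015-8374 CVE-2015-8543
CVE-2015-8569 CVE-2015-8575 CVE-2015-8812 CVE-2016-2383 CVE-2016-2384"

# autoinstall_enabled FILE: succeed only if an uncommented "autoinstall = yes"
# line is present; comments (# or ;), spacing and case are tolerated.
autoinstall_enabled() {
    sed -e 's/[#;].*$//' "$1" | tr 'A-Z' 'a-z' |
    grep -q '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# missing_cves SHOWFILE: print each advisory CVE not found in the listing.
missing_cves() {
    for cve in $ADVISORY_CVES; do
        grep -q -- "$cve" "$1" || echo "$cve"
    done
}

# Constructed sample inputs (update ids in brackets are made up).
tmp=${TMPDIR:-/tmp}/ksplice-check.$$
mkdir -p "$tmp"
cat > "$tmp/uptrack.conf" <<'EOF'
[Settings]
# autoinstall = yes      <- commented out, so it must not count
Autoinstall = No
EOF
cat > "$tmp/uptrack-show.txt" <<'EOF'
Installed updates:
[sample01] CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
[sample02] CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
EOF

# report CONF SHOWFILE: human-readable summary of both checks.
report() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall on: ELBA-2016-3548 will be applied automatically"
    else
        echo "autoinstall off: run /usr/sbin/uptrack-upgrade -y"
    fi
    missing=$(missing_cves "$2")
    [ -z "$missing" ] && echo "all advisory CVEs installed" ||
        printf 'advisory CVEs still missing:\n%s\n' "$missing"
}
report "$tmp/uptrack.conf" "$tmp/uptrack-show.txt"
```

Point `report` at the real /etc/uptrack/uptrack.conf and a saved `uptrack-show` listing to run the same checks on a live host.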


DESCRIPTION

* Denial-of-service in AMD IOMMU driver with PROT_NONE mappings.

Incorrect handling of file mappings with PROT_NONE protection could
trigger a kernel assertion and crash the system.  A local, unprivileged
user could use this flaw to crash the system under specific conditions.


* Stack corruption in Silicon Labs demodulator driver.

A stack corruption leading to a kernel crash could occur when
initializing certain TV demodulators.


* Denial-of-service in PCI numa_node sysfs attribute.

Missing range checks could result in an out-of-bounds access when
writing to the numa_node override attribute of a PCI device, triggering
a kernel crash or possibly allowing privilege escalation.


* Memory leak in overlayfs mount and unmount.

Missing resource freeing in the mount and unmount paths of overlayfs
could cause a memory leak.


* Memory leak in overlayfs copying to upper filesystem.

Incorrect error handling could result in a memory leak when overlayfs
failed to copy files from the lower to the upper filesystem.


* NULL pointer dereference in Marvell 88SE64XX/88SE94XX task preparation.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when performing tasks on a Marvell 88SE64XX/88SE94XX
device under low memory conditions.


* Memory leak in btrfs file system on issuing a balance ioctl.

Failure to release allocated resources when the argument check fails in
the btrfs balance ioctl leads to a memory leak.  A local, privileged user
could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Use-after-free in Infiniband Connected Mode Service ID Resolution.

Incorrect handling of Service ID Resolution requests could result in a
use-after-free condition and kernel crash.


* Kernel crash in Intel Knights Landing CPU frequency scaling.

A divide by zero error in the CPU frequency scaling driver for the
Knights Landing platform could result in a kernel crash under specific
conditions.


* Kernel hang in NVMe command retry.

A memory leak during NVMe command retry could result in a kernel hang if
an NVMe device was removed when the DMA pool was busy.


* NULL pointer dereference in PPP over Ethernet device releasing.

An incorrect check for disconnected PPP over Ethernet devices could
result in a NULL pointer dereference and kernel crash when closing the
device.


* Information leak in RDS over TCP.

In low memory situations, an incoming RDS datagram may get corrupted and
potentially leak sensitive information to the userspace program receiving
the datagram.


* Memory corruption in Mellanox MLX4 slave events.

Incorrect size arguments to memcpy() calls could result in memory
corruption when handling MLX4 slave events, causing a kernel crash.


* Kernel BUG in IP multicast routing.

Due to a race condition when updating network device statistics for IP
multicast routing, a malicious local user may in rare circumstances be
able to cause a kernel crash.


* Use-after-free in the network destination cache.

A logic error could cause a use-after-free when releasing a network
destination cache object.  A local, unprivileged user could use this flaw
to cause a denial-of-service.


* NULL pointer dereference in 802.11 WiFi stack on channel switch.

A missing NULL check in the mac80211 WiFi stack on channel switch could
lead to a NULL pointer dereference when those events are being traced.
A local user with the capability to trace those events could use this
flaw to crash the kernel.


* Divide by zero in 802.11 WiFi-Direct stack on notification of absence.

A flaw in the mac80211 WiFi-Direct stack could lead to a division by zero
in the kernel upon receipt of a notification of absence with a zero
interval.  A remote user within physical range of the WiFi-Direct radio
could use this flaw to cause a denial-of-service.


* Memory leak when parsing SMPS mode when starting in Access Point mode.

A flaw in the nl80211 stack could leak the ACL policy when parsing of the
SMPS mode failed.  A local user could use this flaw to exhaust the memory
on the system and cause a denial-of-service.


* Information leak in procfs wchan field.

The wchan field in the proc filesystem exposed absolute kernel addresses,
revealing the kernel address space layout randomization (KASLR) offset.
An attacker could use this information to facilitate further attacks.


* Memory corruption in Marvell mwifiex driver when reading the eeprom.

A flaw in the Marvell mwifiex driver could lead to memory corruption when
reading the EEPROM.  A local user could use this flaw to cause a
denial-of-service.


* Memory corruption in CAN driver when filling netlink packet.

A flaw in the CAN driver when writing device information to a netlink
socket could lead to memory corruption and a kernel panic.  A local user
could use this flaw to cause a denial-of-service.


* Information leak when auditing tty copy to user.

When auditing tty data copied to userspace, the kernel source buffer was
confused with the destination buffer supplied by userspace.  An
unprivileged user could use this flaw to cause a denial-of-service by
supplying an unmapped address, or to read kernel memory.


* Out-of-memory condition when sending a TCP message.

A flaw in the TCP stack allows a local, unprivileged user to cause a huge
contiguous memory allocation, potentially leading to an out-of-memory
condition.


* Integer underflow when receiving an odd number of file descriptors through Unix sockets.

Miscalculation of the message size when passing an odd number of file
descriptors through a Unix socket could lead to an integer underflow.  A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak when removing routing table in the IPv4 and IPv6 stacks.

Incorrect reference counting when destroying a routing table in the IPv4
and IPv6 stacks leads to a memory leak.  A local user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Out-of-bounds memory access when updating elements of a Berkeley Packet Filter array.

A logic error when updating elements of a Berkeley Packet Filter array
could lead to an out-of-bounds memory read.  A local, privileged user
could use this flaw to cause a denial-of-service.


* NULL pointer dereference when dumping proxy entries.

A missing NULL check when dumping proxy entries could lead to a NULL
pointer dereference when the proxy entry is device-agnostic.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak when closing an SCTPv6 socket.

The SCTP over IPv6 code failed to release its associated IPv6 socket when
closing the socket, leading to a memory leak.  A local, unprivileged user
could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Btrfs file corruption after cloning inline extents.

Cloning data with the clone ioctl from a file with inline
data to a larger file can cause data loss due to mixed inline
and non-inline data.


* CVE-2015-8374: Information leak when truncating a compressed and inlined extent on Btrfs.

An information leak was found when truncating a file consisting of a
compressed inline extent to a smaller size.  The data between the new
file size and the old file size was not discarded, allowing another user
to read it through the clone ioctl.


* Kernel crash when running delayed allocation in Btrfs.

Due to a race between concurrent link/xattr and delayed allocation
operations in the Btrfs filesystem, it was possible for the kernel
to trigger an assertion failure and crash.


* Use-after-free in Rados block device when queueing work.

Incorrect reference counting in the Rados block device when queueing work
could lead to a use-after-free and kernel panic.  A local attacker could
use this flaw to cause a denial-of-service.


* Use-after-free in the ext4 filesystem when stopping journaling.

A flaw in the ext4 filesystem when stopping journaling leads to a
use-after-free.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Data corruption on ext4 filesystem when recording an error into the super block.

A race condition in the ext4 filesystem when using JBD2 journaling could
cause non-recoverable data corruption under certain circumstances.  A
local, unprivileged user could use this flaw to cause permanent data
corruption.


* Denial-of-service in the NFSv4 client code when allocating an ID.

Incorrect reference counting when allocating an ID in the NFSv4 client code
could lead to a kernel crash under certain circumstances.  A local,
unprivileged user with access to an NFSv4 mount could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when disconnecting a USB 3.0 mass storage in transporting state.

A missing NULL pointer check when disabling the low power mode of a USB
3.0 mass storage device could lead to a NULL pointer dereference when the
device is disconnected while in the transporting state.  A local,
unprivileged user with physical access could use this flaw to cause a
denial-of-service.


* Use-after-free in IPv6 SCTP accept() calls.

Incorrect cloning of IP options during accept() could result in a
use-after-free and kernel crash.  A local, unprivileged user could use
this flaw to crash the system.


* CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.

It was discovered that a local user permitted to create raw sockets could
cause a denial-of-service by specifying an invalid protocol number for the
socket.


* CVE-2015-8569: Information leak in point-to-point protocol.

Missing validation of user input could cause kernel stack memory to be
leaked to userspace in the point-to-point protocol bind() and connect()
functions.  A local, unprivileged user could use this flaw to gain
information about the running kernel.


* Denial-of-service in timestamping with raw sockets.

Type confusion could result in a kernel crash when attempting to enable
timestamping on a raw socket.  A local user with access to raw sockets
could use this flaw to crash the system.


* CVE-2015-8575: Information leak in Bluetooth socket binding.

Lack of input validation when binding a Bluetooth socket could result in
kernel stack memory being leaked to userspace.  A local attacker could use
this flaw to gain information about the running kernel.


* Denial-of-service in hash table walking.

Incorrect locking in the resizable kernel hash table could result in
memory corruption and a kernel crash, or under specific conditions, may
allow arbitrary code execution.


* CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.

A race condition in the cryptographic key management sub-system could lead
to a kernel crash when revoking and reading a key concurrently.  A local,
unprivileged user could use this flaw to cause a denial-of-service.
