[El-errata] New updates available via Ksplice (ELSA-2016-3596)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Sep 1 10:53:52 PDT 2016


Synopsis: ELSA-2016-3596 can now be patched using Ksplice
CVEs: CVE-2015-2085 CVE-2015-7513 CVE-2015-7566 CVE-2015-7799 CVE-2015-7833 CVE-2015-7884 CVE-2015-8785 CVE-2015-8787 CVE-2016-0723 CVE-2016-2069 CVE-2016-2184 CVE-2016-2185 CVE-2016-2186 CVE-2016-2188 CVE-2016-2383 CVE-2016-3136 CVE-2016-3137 CVE-2016-3138 CVE-2016-3689 CVE-2016-4581 CVE-2016-4913 CVE-2016-4951

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2016-3596.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-8785: Infinite loop when submitting invalid io vectors to FUSE filesystem.

Due to a logic error in the io vector handling during FUSE filesystem
write operations, a malicious local user with access to the filesystem
could cause the kernel to enter an infinite loop.


* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.


* CVE-2015-8787: NULL pointer dereference in Netfilter NAT redirection.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when redirecting an IPV4 packet.


* CVE-2016-0723: Denial-of-service in TTY TIOCGETD ioctl().

A use-after-free when getting the line discipline for a TTY could allow
a local user to trigger a kernel crash.


* Stack buffer overflow in the HP Smart Array SCSI driver.

Use of unbound sprintf() on a stack allocated buffer in the HP Smart Array
SCSI driver could lead to a stack overflow and kernel panic.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Denial-of-service in ALSA SNDRV_SEQ_IOCTL_REMOVE_EVENTS ioctl().

A missing NULL pointer check in the SNDRV_SEQ_IOCTL_REMOVE_EVENTS
ioctl() handler could result in a NULL pointer dereference and kernel
crash.  A local user with access to an ALSA device could use this flaw
to crash the system.


* Use-after-free in ALSA sequencer timers.

Multiple flaws could result in a use-after-free when adding and
removing timers in the ALSA sequencer.  A local user with access to the
device could use this flaw to crash the system, or potentially escalate
privileges.


* Privilege escalation in ALSA compatibility ioctl().

Incorrect handling of compatibility data structures could result in a
heap buffer overflow.  A local user with access to the ALSA devices
could use this flaw to trigger a kernel crash or potentially, escalate
privileges.


* Denial-of-service in ALSA timer management.

Incorrect timer reprogramming in the ALSA subsystem could result in
deadlock.  A local user with access to the device could use this flaw to
cause a denial-of-service.


* Denial-of-service in ALSA TLV controls.

Missing validation of user-supplied data could result in kernel warnings
being output to the kernel console.  A local user could use this flaw to
flood the kernel console, causing a denial-of-service.


* Use-after-free in Intel audio device removal.

Missing handling of deferred work during device removal could result in
a use-after-free.  A user with physical access to the device could use
this flaw to crash the system.


* Kernel crash in Wolfson 8974 audio codec probing.

A missing register map cache type could result in triggering a kernel
assertion when probing a Wolfson 8974 codec.


* Use-after-free when taking a reference on an IPv6 label.

A logic error in the IPv6 stack could lead to a use-after-free under
certain circumstances.  A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Denial-of-service in IPv6 stable_secret sysctl writing.

Missing initialization of a stack stored string could result in an
out-of-bounds access and kernel crash when writing to the stable_secret
sysctl.  A privileged user could use this flaw to crash the system under
specific conditions.


* Denial-of-service in SCTP protocol under memory pressure.

Failure to handle low memory conditions could result in a memory leak
and additional memory pressure on the system.  A malicious user could
use this flaw to crash the system under specific conditions.


* Denial-of-service in Connector callback implementation.

A reference counting imbalance of socket buffers could result in a
memory leak when processing Connector callbacks.  Under specific
conditions this could result in memory exhaustion and a system crash.


* Privilege escalation in network bridge startup.

A local, unprivileged user could create a new network namespace which
would call /sbin/bridge-stp in the initial namespace.  Under specific
conditions this could result in networking failure or potentially in
conjunction with other flaws to escalate privileges.


* Use-after-free in network destination cache removal.

A use-after-free when removing a network destination cache entry could
result in a kernel crash and denial-of-service.


* Out-of-bounds access in SCTP cookie_hmac_alg sysctl writing.

Missing initialization of a stack based string could result in an
unterminated read of the buffer.  Under specific conditions this could
trigger an out-of-bounds access and kernel crash.


* Use-after-free in IPv6 SYNACK retransmission.

Missing locking when retransmitting a SYNACK packet could result in a
use-after-free and kernel crash.  Under specific conditions, this could
result in a denial-of-service.


* Denial-of-service in SO_NO_CHECK sockets.

Incorrect handling of checksum offload for SO_NO_CHECK sockets could
result in network device drivers accessing invalid memory addresses and
triggering a kernel crash.  A local, unprivileged user could use this
flaw to crash the system under specific conditions.


* NULL pointer dereference in PhoNet packet reception.

Incorrect handling of shared socket buffers could result in a NULL
pointer dereference and kernel crash when receiving PhoNet packets.


* CVE-2016-2383: Undefined behaviour in Berkeley Packet Filter constant shifts.

Missing validation of constant shifts in a BPF program could result in
undefined behaviour, depending on the system.


* Denial-of-service in ISDN PPP device opening.

Missing allocation failure checks could result in a NULL pointer
dereference when opening an ISDN PPP device.  A local user with access
to the device could use this flaw to crash the system.


* CVE-2015-7799: Denial-of-service in PPP compression slot parameters.

Missing validation of VJ compression slot parameters for a PPP device
could result in a NULL pointer dereference and kernel crash.  A local
user with access to the PPP device could use this flaw to crash the
system.


* Information leak in HID core when connecting device.

In certain circumstances, connecting a HID device could cause an
uninitialised buffer to be printed to the kernel log. A malicious
local user with the ability to connect devices could use this to
obtain sensitive information from the kernel.


* Denial-of-service in Lustre filesystem echo client.

Missing validation of user-supplied pointers could result in the kernel
accessing an invalid address and faulting.  A local user could use this
flaw to crash the system.


* CVE-2015-7884: Information leak in Virtual Video Test Driver ioctl.

Missing initialization of an ioctl() structure field could result in a
leak of 16 bytes of kernel stack contents to user-space.


* Denial of service in Topro USB Camera ioctl.

The Topro USB Camera driver does not correctly handle setting the
framerate to zero which can trigger a divide-by-zero and kernel panic.


* Memory leak in Realtek USB Wireless adapter when receiving malformed frames.

The kernel driver for Realtek USB Wireless adapters does not correctly
free memory when processing frames with incorrect checksums. A remote
attacker could trigger a denial-of-service by intentionally sending
frames with incorrect frames.


* Privilege escalation in overlayfs extended attributes.

A logic error in the overlay filesystem can allow unprivileged users to
set extended attributes on files which they don't have write access to.


* Kernel panic when removing directory from overlay filesystem.

A logic error in the overlay filesystem can trigger a kernel panic when
removing a directory which contains whiteouts from lower layers.


* Memory leak when requeuing priority inversion futex.

A logic error in the kernel futex subsystem can trigger a memory leak
and subsequent kernel panic when failing to acquire a PI futex.


* Denial-of-service when parsing UDF indirect extents.

A UDF disk image can trigger an infinite loop and denial of service
when parsing malformed indirect extents.


* Denial-of-service in block cache driver on device removal.

Lack of testing a kernel thread had been properly started could lead to an
invalid pointer dereference and kernel panic. A local, privileged user
could use this flaw to cause a denial-of-service.


* Memory corruption when processing multibyte unicode filenames on UDF.

The kernel UDF filesystem driver incorrectly manages memory when
converting multibyte unicode filenames on UDF filesystems which can
trigger kernel memory corruption.


* Denial-of-service in BTRFS device array reading.

Missing error handling could result in a kernel crash when reading the
system array.  A maliciously crafted filesystem image could be used to
crash the system.


* Memory corruption in Nouveau driver during connector hotplug.

Missing locking could result in memory corruption and subsequent
undefined behaviour when hotplugging a connector under specific
conditions.


* Use-after-free in virtio balloon driver during compaction.

A race condition in the virtio balloon driver can trigger a use after
free and kernel panic when memory compaction occurs.


* Information leak when reading directory entries on CIFS mount.

Incorrect memory management allows a local user to leak the contents of
kernel memory to debug logs when reading from a directory on a CIFS
mount.


* Use-after-free in OCFS2 distributed lock manager.

Incorrect reference counting in the OCFS2 filesystem driver can trigger
a use-after-free and kernel panic when migrating a lock.


* Kernel panic when soft-offlining memory.

Incorrect memory management when soft-offlining memory via
madvise(MADV_SOFT_OFFLINE) can trigger an assertion failing and kernel
panic.


* Use-after-free when unregistering events in memory control group.

Incorrect locking in the memory control group subsystem (memcg) when
unregistering events can trigger a use-after-free condition and kernel
panic.


* Use-after-free when failing to accept userspace cryptographic sockets.

A logic error in kernel cryptographic subsystem can allow a unprivileged
user to trigger a use after free condition and kernel panic when calling
accept(2) on a cryptographic socket fails.


* Memory corruption when sending data to userspace cryptographic socket.

A logic error in the kernel cryptographic socket subsystem can allow a
local user to trigger kernel memory corruption when sending data to a
cryptographic socket.


* Kernel panic when setting prctl MM values.

Incorrect locking when setting memory management settings via prctl can
trigger an assertion failure and kernel panic. A local user with
CAP_SYS_RESOURCE can trigger this issue.


* Data loss in USB Modem driver during suspend and resume.

Improper cleanup in the USB Modem driver leads to data loss during a
suspend and resume sequence.


* Crash in USB hub driver during device reset.

Improper memory cleanup during USB hub device reset can lead to a NULL
pointer dereference causing a crash.


* Crash in USB serial driver when malicious Treo device is connected.

Improper handling of USB endpoint probing during Treo device initialization
leads to a NULL pointer dereference.


* CVE-2015-7566: Denial-of-service in USB Handspring Visor driver.

Incomplete USB endpoint validation could result in a kernel crash when
probing a USB Handspring Visor device.  A malicious USB device could use
this flaw to crash the system.


* Use-after-free when removing virtio PCI devices.

A logic error in the virtio subsystem can trigger a use-after-free and
kernel panic when removing a virtio PCI device.


* Crash in SCSI driver during power management suspend and resume.

Performing a suspend while the SCSI driver is probing for devices may
crash or cause CD/DVD and hard disk devices to become unusable.


* Deadlock when reading from rfkill sysfs file.

Incorrect locking in the rfkill sysfs interface can cause a kernel panic
when reading events. A privileged local user could use this flaw to
cause a denial of service.


* Kernel crash in userspace interface for hash algorithm when sending a message.

A failure to wait for the completion of crypto_ahash_init() when using
sendpage()/sendmsg() could cause a kernel crash.  A local, unprivileged
user could use this flaw to cause a denial-of-service.


* Kernel log buffer flood in ALSA rawmidi driver.

The ALSA rawmidi driver would dump the kernel stack to the kernel log
buffer every time userspace would pass it a NULL pointer.  A local,
unprivileged user with access to the ALSA device could use this flaw to
flood the kernel logs, potentially causing a denial-of-service or gaining
information about the running kernel if he's able to read the kernel log.


* Multiple kernel deadlocks in ALSA OSS emulation.

Incorrect locking in the ALSA OSS emulation code could lead to AB-BA
deadlocks when accessing read()/write() and mmap() concurrently.  A local
user could use these flaws to cause a denial-of-service.


* Multiple use-after-free in ALSA sequencers when closing the device.

Incorrect locking in the ALSA sequencers sub-system could lead to different
use-after-free under certain conditions.  A local user could use these
flaws to cause a denial-of-service.


* Memory corruption in ALSA rawmidi driver on concurrent read/write.

Incorrect locking in the ALSA rawmidi driver on concurrent read/write
operations could lead to memory corruptions.  A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Use-after-free when unloading xHCI host driver.

A flaw in the xHCI host driver could lead to reading already freed memory
when removing the driver.  A local user with the ability to unload the xHCI
kernel module could use this flaw to cause a denial-of-service.


* Denial-of-service in ALSA timer handling.

Multiple locking flaws in the ALSA timer handling could lead to memory
corruptions and denial-of-service on concurrent operations.  A local user
could use these flaws to cause a denial-of-service.


* Kernel panic when closing Philips SAA7134 devices.

The Philips SAA7134 TV card driver does not correctly free memory when
closing a device which can lead to a NULL pointer dereference and kernel
panic.


* Kernel deadlock when dumping the call stack on multiple CPUs.

Incorrect locking when dumping the kernel stack to the kernel log buffer on
multiple CPUs could lead to a deadlock.  An attacker with the ability to
trigger concurrent dump_stack() calls could use this flaw to cause a
denial-of-service.


* Infinite loop when unmounting an OCFS2 filesystem using the kernel distributed lock manager.

A logic error when releasing the locks of an OCFS2 recovery master dead
node could lead to an infinite loop when later trying to unmount the OCFS2
filesystem.


* Kernel deadlock when validating a memory context.

A race condition in the virtual memory subsystem when validating a memory
context could lead to a deadlock.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Integer underflow when accessing Intel Storage Controller Unit (SCU) registers.

A flaw in the Intel SCU driver could lead to an integer underflow when
accessing the SCU registers.  A local user with CAP_SYS_RAWIO could use
this flaw to cause out of range memory accesses leading to a kernel crash.


* Kernel panic when handling interrupts for SATA devices.

Incorrect locking can trigger an assertion failure and kernel panic when
handling an interrupt for a SATA device.


* Kernel hang in Btrfs filesystem when using the BTRFS_IOC_INO_PATHS ioctl.

Double locking of the same read/write lock in the Btrfs filesystem when
querying the path of an inode could lead to a kernel deadlock.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Information leak in ALSA sound sub-system when parsing the HDMI EDID-Like-Data (ELD).

Lack of proper bounds checking when copying the HDMI ELD structure could
lead to leaking 256 bytes of kernel memory under certain conditions.


* Use-after-free in the crypto sub-system when traversing the list of crypto algorithms.

Incorrect locking when traversing the list of crypto algorithms could lead
to a use-after-free when concurrently unregistering an algorithm.  A local,
unprivileged user could use this flaw to cause a kernel crash.


* Use-after-free in the kernel list library on concurrent hotplug events.

The starting node given to klist_iter_init_node() might not be on the list
anymore in case of concurrent hotplug events, potentially leading to a
user-after-free and crash.


* Kernel panic when parsing VBT in Intel integrated graphics.

The Intel integrated graphics driver does not validate VBT data which
can trigger an out-of-bounds access and kernel panic.


* Integer overflow in ext4 buffer allocation.

An integer overflow in ext4 could cause access to invalid memory regions
not owned by the filesystem, possibly corrupting them.


* Data corruption on ext4 filesystem when moving data to a donor file.

A flaw in the ext4 filesystem when moving data to a donor file could lead
to data corruption.


* CVE-2015-2085: Timing side channel attack in EVM integrity module.

The verification routine of the EVM HMAC was using a regular non-constant
memcmp(), allowing attackers to do timing side channel attacks and reduce
the MAC forgery complexity from 2^128 to 2^12.


* Memory leak in the ALSA audio driver on concurrent writes to the sequencer device.

Incorrect locking in the ALSA audio sequencer could lead to a memory leak
on concurrent writes to the sequencer device.  A local user with write
access to the sequencer device could use this flaw to exhaust the memory on
the system.


* Memory corruption in QXL virtual GPU ioctls.

An integer overflow in the QXL virtual GPU can allow a local user to
cause kernel memory corruption via ioctls.


* Kernel crash when handling vmalloc page faults on large pages.

A wrong assumption in the vmalloc fault handler causes the kernel to crash
when handling vmalloc ranges larger than 512GB.  A local user with the
ability to ioremap() pages could use this flaw to cause a
denial-of-service.


* Kernel deadlock in ALSA sound driver when handling pulse code modulation.

Incorrect locking in the ALSA sound driver when handling non-atomic PCM
streams could lead to a deadlock.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Data loss in ext4 with concurrent direct IO operations.

The ext4 filesystem driver does not correctly handle multiple direct IO
operations on the same file which can lead to data loss.


* Kernel panic when starting fastopen TCP connections.

The kernel TCP stack does not correctly handle starting fastopen
connections which can trigger a NULL pointer deference and kernel panic.


* Memory leak when reading from AF_UNIX socket.

Incorrect reference counting when reading from AF_UNIX can trigger a
memory leak when a signal is delivered to a process.


* Memory leak when sending IPv4 data with ancillary data.

The kernel IPv4 stack does not free ancillary data when failing to send
IPv4 data which causes a kernel memory leak.


* Information leak in the ATA 32 bits compat ioctl.

A logic error in the ATA 32 bits compat ioctl could lead to writing 3 bytes
of uninitialized stack content to userspace.  An attacker could use this
flaw to gain information about the running kernel.


* Memory leak in device mapper when requeuing requests.

Incorrect reference counting in the device mapper subsystem can trigger
a memory leak and subsequent kernel panic when failing to requeue
requests.


* Memory corruption when parsing numbers from NFS requests.

The kernel NFS server does not correctly parse hex strings from
userspace which can trigger kernel memory corruption.


* Kernel deadlock in JFFS2 filesystem when writing.

Incorrect lock ordering when writing to a JFFS2 filesystem could lead to
deadlocks.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Kernel panic when handling signals under Intel MPX.

An out-of-bounds read can be triggered when handling signals under Intel
Memory Protection Extensions which can trigger a kernel panic.


* Kernel panic when failing to open file.

The generic VFS subsystem does not validate the status of filesystem
operations which can trigger a kernel panic.


* Kernel panic when parsing filenames.

A logic error in the generic filesystem subsystem can trigger a NULL
pointer dereference and kernel panic when parsing a filename.


* Out of bounds memory access on reading a file from a SMB server.

Missing input validation when parsing the lease state from a Server Message
Block (SMB) Create response could lead to an out of bounds memory read and
kernel crash.  A local, unprivileged user or a rogue SMB server could use
this flaw to cause a denial-of-service.


* Kernel hang when the function graph tracer is enabled on suspend.

The function graph tracer gets inconsistent call return information in the
low level ACPI suspend code, leading to a kernel hang.


* Heap overflow in the Unsorted Block Images (UBI) on volume update.

A flaw in the UBI code causes a heap structure to be allocated with too few
bytes, leading to a write overflow when updating the volume.  A local,
unprivileged user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* Kernel panic when using receive aggregation on WiFi.

Use of uninitialised values in the WiFi stack when using RX aggregation
could lead to a kernel crash.


* Memory corruption when removing Geschwister Schneider USB/CAN device.

Invalid usage of kfree() on a pointer that is reference counted leads to
use-after-free and memory corruptions when removing a Geschwister Schneider
USB/CAN device.  An attacker with physical access could use this flaw to
cause a denial-of-service.


* Possible frame injection on encrypted WiFi using Galois/Counter Mode Protocol.

A failure to discard a fragment with a packet number not incremented by one
in the GCMP protocol could lead to possible frame injections.  A remote
attacker in the radio range of an encrypted WiFi network could potentially
use this flaw to inject frames.


* NULL pointer dereference in NCP filesystem under memory pressure.

A logic error on failure to allocate a new inode in the NCP filesystem
leads to a NULL pointer dereference and kernel panic.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Denial-of-service in JFFS2 when recovering a halfway failed rename.

A logic error in the JFFS2 journalling driver could lead to a kernel panic
when recovering a halfway failed rename.


* Information leak to KVM guests when the the host is using PEBS tracing.

KVM hosts using Intel Precise Events Based Sampling (PEBS) could have their
PEBS tracing record written to a KVM guest under certain circumstances.  An
attacker with full control of a KVM kernel guest could use this flaw to get
information about the KVM host kernel.


* Denial-of-service when running KVM guest with Extended Page Table disabled.

KVM guests with Extended Page Table (EPT) disabled could trigger a
continuous stream of faults, effectively causing a denial-of-service of the
host.


* Kernel deadlock in the USB HID stack on interrupt.

Incorrect locking in the USB HID stack could lead to recursive deadlocks in
specific conditions, potentially causing the kernel to hang.


* Buffer overflow in Analog Devices inertial measurement device driver.

Incorrect memory offset calculation in the driver for Analog Devices
inertial measurement devices leads to a buffer overflow during transmit.


* Memory leak in btrfs superblock validation.

Incorrect reference counting in the btrfs filesystem can trigger a
memory leak and kernel panic when an invalid checksum is encountered in
a superblock.


* Kernel panic when writing a single page to a btrfs filesystem.

Incorrect reference counting in the btrfs filesystem can trigger a NULL
pointer dereference when writing a single page to a file.


* Kernel panic when accessing symlinks on btrfs volume.

The btrfs filesystem driver does not handle accessing empty symlinks
which can trigger an assertion and kernel panic.


* Memory leak when creating hard link on btrfs volume.

Incorrect reference counting when creating a hard link on a btrfs
volume can cause a memory leak and subsequent kernel panic.


* Use-after-free when tracing a work queueing in Btrfs filesystem.

Incorrect ordering between queueing a work item and tracing it could lead
to a use-after-free and kernel crash.


* CVE-2015-7513: Divide-by-zero in KVM when reloading the programmable interrupt timer.

A missing input sanitization when loading the programmable interrupt timer
counters from userspace could cause KVM to make a division by zero, causing
a kernel crash.  A local user with the capability to run KVM machines could
use this flaw to cause a denial-of-service.


* Denial-of-service when updating a negatively instantiated user cryptographic key.

A lack of checking the key was not negatively instantiated when updating a
user cryptographic key could lead to a BUG assertion to trigger.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* NULL pointer dereference in TTY line discipline reception.

A missing NULL pointer check could result in a NULL pointer dereference
when receiving a buffer under specific conditions.


* Use-after-free in Infra-red terminal opening.

Use of a stale pointer when opening an IrTTY device could result in a
use-after-free condition and subsequent kernel crash.  A local user with
access to the IrTTY device could use this flaw to crash the system.


* Filesystem corruption in EXT4 extent moving.

A missing update of the buffer head could result in filesystem
corruption when moving extent data.


* NULL pointer dereference in Infiniband CSI RDMA Protocol Target.

Missing SRP targets could result in a NULL pointer dereference and
subsequent kernel crash under specific conditions.


* Denial-of-service in NFS server buffer decoding.

Integer overflows in the NFS buffer decoding operations could result in
out-of-bounds accesses and a kernel crash.  A malicious client could use
this flaw to crash the system.


* Kernel crash in disk quota initialization.

Missing array initialization could result in dereferencing an invalid
pointer and a kernel crash when initializing a quota for an inode and
experiencing an error.


* Kernel crash in block cache device initialization.

A race between initializing a block cache device and the writeback
thread could result in triggering a kernel assertion and crashing the
system.


* NULL pointer dereference in block cache registration failure.

Allocation failures whilst creating a block cache device could result in
a NULL pointer dereference and kernel crash when the system was under
memory pressure.


* Journalling filesystem corruption on unmount under memory pressure.

Unmounting a filesystem under memory pressure could result in journal
corruption on a subsequent remount.


* Use-after-free in FUSE filesystems with direct, asynchronous I/O.

Incorrect handling of synchronous files could result in a use-after-free
condition.  A local, unprivileged user could use this flaw to crash the
system, or potentially, escalate privileges.


* CVE-2016-2186: Denial of service in Griffin PowerMate USB descriptor parsing.

A logic error in the Griffin PowerMate USB driver can allow a malformed
USB descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.


* Heap overflow in I2C USB HID reporting.

Missing bounds checks could result in a heap overflow when setting or
sending a report.  A local user with access to the device could use this
flaw to crash the system or potentially, escalate privileges.


* CVE-2016-2184: Denial of service in ALSA USB audio descriptor parsing.

A logic error in the ALSA USB audio driver can allow a malformed USB
descriptor with zero end-points to trigger a NULL pointer dereference
and kernel panic.


* Denial-of-service in NFS secinfo+readdir operations.

Incorrect locking could allow a malicious client to deadlock the system
with unexpected compound operations.


* CVE-2016-3689: Denial of service in IMS PCU USB descriptor parsing.

A logic error in the IMS PCU USB driver can allow a malformed USB
descriptor with missing interfaces to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-2188: Denial of service in IO Warrior USB descriptor parsing.

A logic error in the IO Warrior USB driver can allow a malformed USB
descriptor with zero endpoints to trigger a NULL pointer dereference and
kernel panic.


* Denial of service in generic USB interface management.

A malformed USB descriptor can trigger a NULL pointer dereference and
kernel panic when the generic USB driver claims interfaces.


* CVE-2016-3138: Denial of service in CDC ADM USB descriptor parsing.

A logic error in the CDC ADM USB driver can allow a malformed USB
descriptor with an incorrect number of interfaces to trigger a NULL
pointer dereference and kernel panic.


* Denial-of-service in pipe splicing with no pages.

Splicing from a pipe with no pages could result in a NULL pointer
dereference and kernel crash.  Under specific conditions a local user
could use this flaw to crash the system.


* Denial-of-service in KVM invept instruction emulation.

Incorrect handling of an invalid invept instruction could
result in a kernel hang.  A local user could use this flaw to crash the
system.


* Denial-of-service in KVM VCPU creation.

Incorrect error handling could result in an integer overflow, allowing a
user with permission to create virtual CPUs to trigger a kernel
assertion and crash the system.


* Denial-of-service in coredump writing.

Under specific conditions, the kernel could write corefiles for SUID
processes into a user-controlled directory.  This flaw could be used to
exhaust disk space and trigger a denial-of-service.


* CVE-2016-2185: Denial of service in ATI/Philips USB RF remote descriptor parsing.

A logic error in the ATI/Philips USB RF remote driver can allow a
malformed USB descriptor to trigger a NULL pointer dereference and
kernel panic.


* Kernel hang in OCFS2 Distributed Lock Manager convert and recovery operations.

A race condition between convert and recovery operations could result in
a system hang under specific conditions.


* Kernel crash in OCFS2 Distributed Lock Manager during master loss.

A race condition when the DLM master went down could result in
triggering a kernel assertion and crashing the system under specific
conditions.


* CVE-2016-3136: Denial of service in MCT Serial USB descriptor parsing.

A logic error in the MCT Single Port Serial driver can allow a malformed
USB descriptor with missing ports to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-3137: Denial of service in USB Cypress M8 descriptor parsing.

A logic error in the Cypress M8 device driver can allow a malformed USB
descriptor with missing endpoints to trigger a NULL pointer dereference
and kernel panic.


* Memory corruption when inserting data into associative arrays.

A logic error in the generic associative array module can trigger an
out-of-bounds read when inserting a new member. This can be triggered,
for example, by inserting a new cryptographic key into the kernel's
keyring.


* Use after free when disabling a USB XHCI device.

A logic error in the USB XHCI driver can trigger a use-after-free and
kernel panic when disabling a XHCI device multiple times.


* Kernel crash when remapping file pages of a removed IPC ID.

A race condition in the shared memory subsystem could lead to accessing
invalid pointers when remapping file pages of a removed IPC ID.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Use-after-free when processing switchdev events.

Incorrect locking in the switchdev subsystem can trigger a
use-after-free condition and kernel panic when processing events from a
switchdev device.


* Divide-by-zero in the ALSA RME Hammerfall audio driver.

A lack of data validation in the system sample rate code of the RME
Hammerfall audio driver could lead to a division-by-zero and kernel crash.


* Privilege escalation when chowning files on overlayfs mount.

The overlayfs filesystem driver does not update filesystem metadata when
changing file ownership which could allow a local user to access
privileged files and gain escalated privileges.


* Use-after-free in the perf subsystem on error in the perf_event_open syscall.

A double-free condition can be triggered in the perf_event_open() syscall
on error opening the event file, leading to a use-after-free and kernel
panic.  A local user with CAP_SYS_ADMIN or unprivileged user in case of a
permissive perf_event paranoid setting could use this flaw to cause a
denial-of-service.


* SMAP bypass in 32bit compatibility syscall handler.

The 32bit compatibility syscall does not disable the Access Control flag
when entering kernel-mode which can allow kernel code to incorrectly
access user-mode data.


* BTRFS filesystem xattr data corruption during fast fsync().

Adding xattrs for a file with a large number of xattrs on a BTRFS filesystem
could result in data loss when the log is replayed after an unclean unmount.


* BTRFS filesystem data corruption with no_holes and multiple truncates.

If a file on a BTRFS filesystem is truncated to a smaller size and then
re-truncated to a size between the original and new, the fsync log will
not contain information about the new hole. When the log is replayed the
file will remain in the state it had before both truncate operations.


* BTRFS filesystem data loss during fsync() after rename and inode creation.

Renaming a file on a BTRFS filesystem followed by creation of a new
inode with the same name could result in data loss if the filesystem is
uncleanly mounted.


* Multiple crashes with RDS (Reliable Datagram Sockets) over TCP.

Errors handling out of order send status, scaling, and running RDS-TCP
and RDS-RDMA can lead to a kernel crash or deadlock.


* NULL pointer dereference in RDS over TCP during accept().

A race condition in RDS over TCP protocol can trigger a NULL pointer
dereference and kernel panic.


* Use-after-free in Xen network device teardown.

A logic error in the Xen network device driver could lead to a
use-after-free of a queue when removing a network device.


* Heap buffer overflow in internal Xen reply queue.

An Integer overflow when allocating memory for an internal Xen reply
queue leads to an heap buffer overflow. This flaw can be used to cause a
denial-of-service or potentially escalate privileges.


* Denial of service in BTRFS filesystem driver.

Improper handling of file deletion can result in no free space being
reported when a large file is created and deleted rapidly. A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Multiple data corruption issues in BTRFS filesystem driver.

Improper synchronization between memory log and the on-disk log can
result in a directory that is unable to be deleted upon log replay.


* Kernel crash in HP Smart Array SAS Controller driver.

Multiple memory management flaws in the HP Smart Array SAS Controller
driver can lead to memory corruptions and kernel crashes. A local user
could use these flaws to cause a denial-of-service.


* Kernel infinite loop in SCSI disk driver.

Incorrect string length checking can cause an infinite loop in the SCSI
disk driver when scanning occurs at the same time as a device removal.


* Kernel panic in IPv6 forwarding of timewait sockets.

The kernel IPv6 stack does not correctly handle forwarding data from
timewait sockets which can trigger an assertion failure and kernel
panic.


* Kernel hang with Xen under nested virtualization.

Incorrect handling of event interrupts in Xen can result in a Kernel
hang on platforms with unreliable TSC, such as QEMU.


* Kernel crash in Xen block-device backend driver.

Improper state synchronization between the backend and frontend block
device drivers can result in a kernel crash during initialization.


* Kernel BUG during scrub of BTRFS filesystem.

Improper offset checking can lead to a Kernel BUG while performing a
scrub of a BTRFS filesystem. A local user could use this flaw to cause a
denial of service.


* CVE-2015-7833: Crash in USB vision driver when malicious device is connected.

Improper handling of USB endpoint probing during vision device initialization
leads to a NULL pointer dereference.


* CVE-2016-4913: Information leak in ISO9660 filename parsing.

Incorrect handling of NUL termination bytes could result in reading
excessive data from a kernel buffer into user-space.  A local user with
permissions to mount a maliciously crafted filesystem could use this
flaw to leak the contents of sensitive memory.


* CVE-2016-4951: NULL pointer dereference in TIPC nested attribute parsing.

A missing NULL pointer check could result in a NULL pointer dereference
when parsing nested attributes for a published socket.


* CVE-2016-4581: Denial-of-service in slave mount propagation.

Incorrect handling of mount propagation could result in a NULL pointer
dereference.  A local, unprivileged user could use this flaw to crash
the system.


* Memory leak in virtio balloon driver during inflation and deflation.

Incorrect locking in the virtio balloon driver can leads to a memory leak
after repeated inflation and deflation cycles.


* Kernel deadlock in Emulex 10Gbps iSCSI driver.

Improper locking leads to a kernel deadlock in the Emulex 10Gbps iSCSI
driver causing a denial of service.


* Kernel panic on machine check exception with offline cpu.

A machine check exception is broadcast to all CPUs, but offline CPUs are
cannot participate in the rendezvous process leading to a kernel panic.


* Memory leak in Broadcom QLogic bnx2 driver on initialization failure.

Incorrect error handling leads to a memory leak if the QLogic bnx2
driver fails to initialize a device.


* NULL pointer dereference in Brocade Fiber Channel driver on disconnection.

A missing check for NULL when issuing the task management command can
lead to a NULL pointer dereference if a port was recently disconnected.


* Kernel memory corruption in Btrfs direct IO reads and writes.

Improper reference counting when a direct IO request fails can lead to
kernel memory corruption. A local, unprivileged user could utilize the
bug to cause a denial of service or escalate privileges.


* Denial-of-service when accepting userspace cryptographic sockets.

A logic error in the kernel cryptographic subsystem can allow a
unprivileged user to trigger a denial of service by calling accept(2) on
PF_ALG socket before setting a cryptographic key.


* Permission bypass when checking credentials for filesystem accesses.

A flaw in the ptrace access checks allows a temporarily unprivileged
process to access files that it was not supposed to.  A local, unprivileged
user could potentially use this flaw to escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.





More information about the El-errata mailing list