[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (4.1.12-94.1.8)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Apr 27 05:55:40 PDT 2017


Synopsis: 4.1.12-94.1.8 can now be patched using Ksplice
CVEs: CVE-2016-1237 CVE-2016-2187 CVE-2016-3961 CVE-2016-4486
CVE-2016-4557 CVE-2017-5669

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle kernel update, 4.1.12-94.1.8.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in Xenbus handle validation.

The Xenbus driver incorrectly used an assertion to validate user
handles, allowing a local, privileged user to crash the system.


* CVE-2016-4557: Privilege escalation in Berkeley Packet Filter.

A use-after-free in the Berkeley Packet Filter could allow a local,
unprivileged user to crash the system or escalate privileges with a
carefully crafted BPF program.


* Deadlock when performing direct IO to FUSE device.

Incorrect locking when performing a direct IO operation to a FUSE device
can trigger a deadlock and subsequent kernel panic.


* Kernel panic in OCFS2 when extending size of filesystem.

A logic error in the OCFS2 filesystem driver can trigger an assertion
failure and kernel panic when extending the size of an existing
filesystem. A local user could use this flaw to trigger a
denial-of-service.


* Denial-of-service when converting and migrating concurrently on OCFS2.

A race condition in the OCFS2 filesystem when converting and migrating
concurrently could lead to a kernel BUG assertion to trigger.  A local user
with mount privileges could use this flaw to cause a denial-of-service.


* Trust bypass in PKCS#7 trust validation.

An uninitialized variable could result in trusting a PKCS#7 SignedInfo
block when the verification had actually failed.


* Information leak in cryptographic scatterwalk subsystem.

A logic error when encrypting and decrypting spanning across multiple
pages can cause data to not be processed which may cause an information
leak.


* Kernel crash in crypto daemon when importing hash request.

Incorrect initialization when importing a hash request could cause a
kernel crash in the software asynchronous crypto daemon. A malicious
user could potentially use this to cause denial of service.


* NULL pointer dereference in the crypto block cypher sub-system.

A logic error when walking to the next block in the crypto sub-system could
lead to a NULL pointer dereference when the host is on low memory.


* CVE-2016-2187: Denial of service in GTCO CallComp/InterWrite USB
descriptor parsing.

A logic error in the GTCO CallComp/InterWrite USB driver can allow a
malformed USB descriptor with zero endpoints to trigger a NULL pointer
dereference and kernel panic.


* Denial of service in wireless networking netlink interface.

A logic error when handling netlink notifications for wireless devices
can allow malicious local users to disable networking interfaces.


* Kernel panic when completing SHA1 multibuffer operations.

A logic error in the cryptographic subsystem handling multibuffer
operations can trigger a use-after-free and kernel panic.


* Deadlock in Digigram PCXHR ALSA IRQs.

Incorrect locking the in the PCXHR IRQ can trigger a deadlock and kernel
panic when handling interrupts from a Digigram PCXHR device.


* Memory corruption when mapping buffer objects from userspace.

Missing validation when mapping buffer objects from userspace can allow
a malicious local users to corrupt kernel memory and escalate privileges.


* CVE-2016-3961: Xen PV guest crash when using HugeTLBFS.

HugeTLBFS is not supported on Xen PV guests and leads to a kernel crash
when an application tries to mmap() a Huge TLB.  A local user with the
ability to mmap() Huge TLB pages in a Xen PV guest can cause a
denial-of-service of the guest.


* Denial-of-service in USB device reset.

Memory corruption during device reset could result in a kernel crash
when a USB device was active.  A user with physical access to the system
could use this flaw to crash the system.


* Kernel panic in when handling unvalidated ports in kernel DRM subsystem.

The kernel DRM driver does not validate ports which are passed from
userspace which can trigger a use-after-free and kernel panic when
handling DRM ioctls.


* Kernel panic when using madvise on a hugepage mapping.

The kernel hugepage subsystem does not correctly handle calling madvise
on certain hugepage mapping which can trigger a bogus BUG_ON and kernel
panic.


* Use after free in Bluetooth VHCI device opening.

The kernel Bluetooth driver does not correctly handle opening VHCI
devices, used for emulating HCI devices, which can trigger a use after
free and kernel panic.


* Memory leak in Bluetooth VHCI device opening.

The kernel Bluetooth driver does not handle closing a VHCI device before
packets are delivered to userspace which leads to a kernel memory leak
and subsequent denial of service.


* Kernel panic when setting baud-rate on generic PCI serial devices.

Setting the baud-rate of a generic PCI serial device can trigger a
divide-by-zero error and subsequent kernel panic. A local user could
use this flaw to trigger a denial of service.


* Denial of service with corrupt orphan list on ext4 filesystem.

The kernel ext4 filesystem driver does not correctly corrupt orphan
inode lists which can trigger an infinite loop and kernel deadlock.


* Kernel panic when adding orphaned inodes on ext4 filesystem.

A logic error when adding orphaned inodes on ext4 filesystems can
trigger memory corruption and kernel panic.


* Privilege escalation when probing Keyspan USB Serial devices.

A logic error when failing to probe a Keyspan USB Serial device can
trigger a use-after-free and possible privilege escalation.


* Privilege escalation when probing Quatech USB Serial devices.

A logic error when failing to probe a Quatech USB Serial device can
trigger a use-after-free and possible privilege escalation.


* Use after free in when failing xfs inode writeback.

Incorrect locking when flushing inodes on an xfs filesystem can trigger
a use after free and kernel panic.


* Use after free in 802.11 mesh networking station cleanup.

A race condition when destroying 802.11 mesh network station information
can trigger a use after free and kernel panic.


* Kernel panic in KVM emulated IRQ chip.

A privileged guest can trigger a NULL pointer dereference and kernel
panic in the host when a non-existent IRQ route is modified.


* Kernel panic when setting KVM emulated debug registers.

The KVM subsystem does not validate the value of emulated debug
registers which can trigger a kernel panic when resuming a guest. A
privileged guest can use this flaw to crash the host.


* Use after free when closing dummy soundcard.

Incorrect reference counting when closing a dummy soundcard with a
high-resolution timer backend can trigger a use after free condition and
kernel panic.


* Memory leak in NFS atomic file opening.

Incorrect reference counting in the kernel NFS client when an error is
encountered opening a file atomically can trigger a memory leak and
kernel panic.


* Use after free when removing USB-3 host controller.

A race condition when removing a shared USB-3 host controller can
trigger a use after free condition and kernel panic.


* Use-after-free in mount namespace detaching.

Incorrect handling of an event counter during mount detaching could
result in a use-after-free and kernel crash.


* Denial-of-service in POSIX file locking on overlayfs.

A use-after-free when releasing a lease on a file on an overlayfs
filesystem could result in a kernel crash.  A local, unprivileged user
could use this flaw to crash the system.


* Denial-of-service in device mapper snapshot devices.

Creating a device mapper snapshot device where the copy-on-write and
origin devices used the same device would result in a NULL pointer
dereference and kernel crash.


* Kernel crash in ALSA timer arming.

Incorrect use of the timer API could result in triggering a kernel
assertion when rearming the ALSA system timer.


* Kernel crash in NUMA page migration.

Incorrect handling of NUMA nodes could result in a kernel crash when
allocating memory during page isolation.


* Infinite loop when calculating the IP checksum on destination link
failure.

Lack of proper memory zeroing in case of destination link failure could
lead to an infinite loop when calculating IP checksums.


* Use-after-free in PPP ioctl() handling.

Incorrect locking in the PPP ioctl handler could result in dereferencing
an invalid pointer and a kernel crash.  A local user with access to the
PPP device could use this flaw to crash the system.


* Use-after-free when decrypting a packet after the netdevice was
unregistered.

Asynchronous decryptions of packets on the netdevice receive queue were not
properly taking a reference on the netdevice, potentially leading to a
use-after-free if the netdevice is unregistered after queueing such packets
for decryption.


* Denial-of-service in 802.11 interface stopping.

Missing locking could result in memory corruption and dereferencing an
invalid pointer.  A local, privileged user could use this flaw to crash
the system.


* Kernel panic when marking dirty inodes on ext4 filesystems.

A logic error when marking dirty inodes on ext4 filesystems can trigger
a NULL pointer dereference and kernel panic.


* Denial-of-service in SUNRPC cache management.

Incorrect error handling could result in a reference count imbalance of
the SUNRPC cache object, triggering either a resource leak, or
potentially, a use-after-free.


* Information leak in 'environ' procfs file.

A race condition when forking a process can allow another process to
access the 'environ' file before it is initialized which can leak the
contents of kernel memory.


* Kernel panic when processing VLAN traffic over a BATMAN interface.

The BATMAN mesh networking driver does not correctly account for VLAN
headers when processing ethernet traffic which can lead to an
out-of-bounds read and kernel panic.


* Use after free when updating BATMAN routing information.

A logic error when updating the routing information of a BATMAN mesh
network can lead to a reference count imbalance and use after free and
kernel panic.


* Information leak in mclist netlink attribute.

The netlink interface for querying the mclist attribute does not
initialize memory which leaks the contents of kernel memory to
userspace. A local user could use this flaw to infer the layout of
kernel memory.


* CVE-2016-4486: Information leak in routing netlink interface.

The netlink interface for querying network routing information does not
initialize memory which leaks the contents of kernel memory to userspace.
A local user could use this flaw to infer the layout of kernel memory.


* Use-after-free in network bridge ioctl().

Missing locking in the bridge ioctl handler for receiving network
interface indices could result in a use-after-free and kernel crash
under specific conditions.


* Memory corruption when removing Echoaudio ALSA devices.

A logic error when allocating memory for Echoaudio ALSA devices can
trigger kernel memory corruption and kernel panic.


* Denial-of-service in ioprio_get() syscall.

Incorrect locking in the ioprio_get() syscall could result in a
use-after-free and kernel crash.  A local, unprivileged user could use
this flaw to crash the system.


* Permission bypass when setting attributes on overlayfs files.

A logic error when updating attributes on an overlayfs file can allow a
local user to write to a setuid or setgid file. This could be used by a
malicious user to gain elevated privileges.


* Permission bypass when updating attributes on overlayfs files.

A logic error when updating attributes on an overlayfs file can allow a
local user to write to a setuid or setgid file. This could be used by a
malicious user to gain elevated privileges.


* Use after free when closing ALSA digital audio stream.

A logic error when closing an ALSA digital audio stream with channel
mapping controls can trigger a use after free and kernel panic.


* Information leak in virtual terminal key mapping.

A logic error when mapping raw scan codes to keys in the virtual
terminal driver can trigger an out-of-bounds read which can leak the
contents of kernel memory to userspace.


* NULL pointer dereference in Pulse Per Second parallel port registration.

Failure to claim the parallel port could result in a NULL pointer
dereference when attempting to register the Pulse Per Second module.


* Denial of service in ext4 extent validation.

A logic error in the kernel ext4 driver can allow malformed extents to
be processed which can trigger a kernel panic when mounting a malformed
disk image.


* Deadlock during ext4 page writeback.

Incorrect locking when writing a transaction to disk and performing a
page writeback can trigger a deadlock and kernel panic.


* Kernel panic in ext4 inode eviction.

A malformed superblock encountered when mounting an ext4 filesystem can
trigger a kernel panic because of an uninitialized superblock flag.


* Memory corruption in ext4 with large GDT blocks.

A ext4 filesystem with a large number of reserved GDT blocks can trigger
kernel memory corruption when mounting the filesystem.


* Kernel panic when opening a file on a CIFS mount.

Failure to check if a file being opened on a CIFS mount with the O_CREAT
flag is a directory could lead to a kernel panic.  A local unprivileged
user could use this flaw to cause a denial-of-service.


* Infinite loop in ext4 orphan cleanup.

A logic error when a malformed orphan list is encountered on an ext4
filesystem can trigger an infinite loop and denial of service.


* NULL pointer dereference in CIFS filesystem when handling checksums.

A race condition due to incorrect locking in the CIFS filesystem code when
handling a hash message authentication code could lead to a NULL pointer
dereference on concurrent mounts.  A local, privileged user could use this
flaw to cause a denial-of-service.


* Denial of service in filesystem directory cache.

A logic error when multiple CPUs are accessing a file can trigger a soft
lockup. A local unprivileged user could use this flaw to trigger a
denial of service.


* Kernel panic when following a symlink on CIFS.

Lack of input validation when following a symlink in a CIFS mount could
lead to invalid memory access and kernel panic.


* Out-of-bounds memory access when setting key in crypto gcm.

An error in array declaration while setting gcm key could lead to
out-of-bounds memory access. A local user with ability to set gcm key
could use this flaw to cause a denial-of-service.


* Kernel panic when encrypting zero-length data.

The kernel crypto subsystem does not correctly handle encrypting
zero-length data which can lead to a kernel panic. A local, unprivileged
user could use this flaw to cause a denial of service.


* Denial-of-service when hot-removing memory on missing sections.

A logic error in the routine checking the pages in a memory zone could lead
to a kernel crash when offlining memory.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Kernel BUG due to incorrect abort handling in lpfc driver.

An incorrect change to the lpfc driver can cause a kernel BUG to be
incorrectly asserted during error handling.


* Buffer memory leaks in Multiple Devices (MD) persistent data driver.

In certain circumstances involving invalid metadata, a missing error
check could cause the MD persistent data driver to leak memory. A
malicious local user could possibly use this to cause denial of service.


* Data loss when passing command to megaraid controller.

A bug in the way SYNCHRONIZE_CACHE command was handled resulted in
cached data not being flushed to disk properly in JBOD mode. This
results in data integrity failure.


* Kernel crash in LSI MTP Fusion SAS 3.0 WarpDrive resume.

A logic error in the resume path for WarpDrive devices could result in
accessing a stale pointer and kernel crash on resume from suspend.


* Denial of service in vmxnet3 driver.

An incorrect assertion in vmxnet3 driver could cause kernel panic on
receiving valid packet when Large Receive Offload (LRO) is enabled.


* NULL pointer dereference in Intel XL710 ethernet driver.

A flaw in pci error handling of XL170 ethernet driver could lead to NULL
pointer dereference. A local user with capability to load a module and
to trigger pci errors could cause a denial of service.


* Kernel hang when removing a SCSI target.

A flaw in the SCSI sysfs subsystem could cause the kernel to hang when
removing a SCSI target.  A local user with the ability to remove a SCSI
target could use this flaw to cause a denial-of-service.


* NULL pointer dereference in Intel Ethernet Controller XL710 family.

An error in condition checks during configuration of Receive Side
Scaling (RSS) of the controller could lead to NULL pointer dereference.
A local user with capability to set RSS could use this flaw to cause a
denial-of-service.


* Permission bypass when mounting filesystem in user namespace.

A logic error when mounting a filesystem can allow a read-only
filesystem to be mounted read-write in a user namespace allowing an
unprivileged user to write data outside their namespace.


* Information leak in Xen pci backend.

A flaw in the reporting of PCI memory configuration information can
result in disclosure of information about the address space of the
system. An attacker in a guest VM could use this flaw to gain
information about the host system.


* Denial-of-service in fsync on BTRFS filesystems.

A flaw in the handling of fsync requests to a BTRFS filesystem can
result in data corruption. A local attacker could use this flaw to
corrupt the filesystem leading to a denial-of-service.


* Denial-of-service in RDS when freeing connection.

Due to a flaw in the memory handling of RDS TCP connections a local
attacker could cause a NULL pointer dereference and trigger a kernel
crash.


* Use-after-free in RDS TCP termination.

Due to incorrect locking in the RDS driver a use-after-free can occur
when an TCP connection is terminated. A local attacker could use this
flaw to escalate privileges.


* Denial-of-service in swap activation.

A flaw in the handling of swap activation can lead to an incorrect
assertion triggering, resulting in a kernel panic. A local attacker with
the ability to enable swap could use this flaw to cause a
denial-of-service.


* Denial-of-service during XFS mmap write whilst freezing.

A failure to protect against freezing can result in a deadlock in the
XFS mmap handler.


* Memory leak in Xen blkback hotplug error handling.

A failure to free memory in the error path of the xen block device
backend can result in a memory leak during a hotplug event.


* Denial-of-service in XFS file size manipulation.

Failure to handle an error case during a file size update could allow a
local
attacker to prevent a filesystem umount, causing a denial-of-service.


* NULL pointer dereference in OCFS2 transaction abort handling.

A logic error in the OCFS2 abort trigger can result in a NULL pointer
dereference causing a kernel crash.


* Filesystem corruption during rename operation in OCFS2.

A failure to handle out-of-memory conditions in OCFS2 can result in
filesystem corruption when renaming a file.


* Denial-of-service in hugepage error reporting.

A logic error in an error handler of the hugetlb driver could allow a
local attacker to fill the kernel print buffer with messages, leading to
a denial-of-service.


* Denial-of-service in block device teardown.

A race condition in the block device teardown code could allow an
attacker to cause a NULL pointer dereference, resulting in a
denial-of-service.


* Denial-of-service in bnx2fc connection recovery.

A race condition the bnx2fc driver can lead to a NULL pointer
dereference when a timer expires during connection recovery. An attacker
with access to the local network could use this flaw to cause a
denial-of-service.


* Denial-of-service in x86 MCE handler.

A logic flaw in the MCE handler can incorrectly trigger a kernel panic
when panic_on_oops is set. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service in dtrace additions to ptrace.

Incorrect locking in the ptrace subsystem can result in an oops if a
process under dtrace discards its address space after an exec. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in dtrace file descriptor handling.

A logic error in dtrace can result in undefined behaviour when a process
has run out of file descriptors. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service in xve driver proc handler.

Failure to correctly handle an error can result in a NULL pointer
dereference. A local attacker with read access to
/proc/driver/xve/devices/ could use this flaw to cause a
denial-of-service.


* Denial-of-service in hugepage truncation.

Due to a flaw in handling truncations and hole punches for huge pages
undefined behaviour can occur. A local attacker could use this flaw to
crash the kernel.


* Denial-of-service in radix tree iteration.

Incomplete initialization of the radix tree iterator could result in an
invalid memory dereference and kernel crash.


* Memory corruption in CIFS NTLM authentication.

Incorrect memory management in the kernel SMB server can allow a remote
user to cause kernel memory corruption by providing an over-sized
NTMLSSP message.


* Kernel panic with multiple commits to NFS files.

A race condition in the kernel NFS client when multiple requests attempt
to commit the same inode can trigger a NULL pointer dereference and
kernel panic.


* Memory corruption in nvme PCI reads.

A race condition in the nvme PCI interface could result in memory
corruption leading to undefined behaviour.


* Denial-of-service in qla2xxx IO read/write.

A race condition in the qla2xxx scsi driver can result in memory
corruption leading to a kernel crash.


* Kernel crash in timer manipulation on SMP systems.

A race condition in timer handling on SMP systems can result in a kernel
crash.


* Denial-of-service during fsync with overlayfs and BTRFS.

A logic error when BTRFS is used as the upper or lower directory of an
overlayfs mount can result in BTRFS accessing an invalid inode causing a
kernel crash. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2016-1237: Permission bypass in NFS filesystem when setting ACLs.

Missing permission checks when setting the ACLs on a file from a NFS mount
could allow unprivileged users to grant themselves access to an otherwise
not allowed file.  This could potentially be used to escalate privileges.


* Denial-of-service in qlogic netxen driver error handling.

Multiple logic errors in the netxen driver result in usage of
uninitialised memory which could result in a kernel crash.


* Memory corruption in gfs2 mount implementation.

A logic flaw in the gfs2 mount and umount code can result in slab
corruption. A local attacker could use this flaw to crash the kernel.


* Information leak in overlayfs.

Due to a flaw in overlayfs, an attacker could obtain confidential
information stored on the filesystem.


* CVE-2017-5669: Privilege bypass when using shmat() syscall to map page
zero.

A logic error when mapping a page using shmat() syscall could allow a
user to map page zero and consequently bypass a protection mechanism
that exists for the mmap() system call.


* Denial-of-service in xen-netfront out-of-memory handling.

A flaw in the retry logic of the xen-netfront driver in a low memory
situation can result in stalling the Rx path of the driver.


* NULL pointer dereference in ixgbe initialisation.

A failure to correctly initialise a structure in the ixgbe driver can
result in a NULL pointer dereference causing a kernel crash.


* Kernel crash when using macvlan and l2-fwd-offload in ixgbe driver.

A failure to check the status of the ixgbe driver when bringing up a
macvlan interface can result in a kernel crash.


* Kernel crash in lpfc reset logic.

Failure to correctly handle a reset of the driver can result in a kernel
crash.


* Memory corruption in crypto subsystem test manager.

A logic flaws in the tests for the crypto subsystem can result in
out-of-bounds memory access. A local attacker could use these flaws to
crash the kernel.


* Denial-of-service in crypto scatterwalk implementation.

An incorrect assertion can trigger a kernel BUG during normal operation.
A local attacker could use this flaw to flood the kernel print buffer,
resulting in a denial-of-service.


* Memory corruption in crypt asynchronous hash operations.

A logic flaw when calculating the size of a hash can result in
out-of-bounds memory access. A local attacker could use this flaw to
crash the kernel.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.






More information about the El-errata mailing list