[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2017-3609)

[Errata Announcements for Oracle Linux]

Synopsis: ELSA-2017-3609 can now be patched using Ksplice
CVEs: CVE-2017-1000365 CVE-2017-12134 CVE-2017-2671 CVE-2017-7477 CVE-2017-8797 CVE-2017-9074

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2017-3609.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-1000365: Privilege escalation when performing exec.

A logic error allows an unprivileged local user to bypass argument and
environmental string size limits when performing an exec syscall. A
local user could use this flaw to bypass guard pages between the stack
and another mapping, leading to potential privilege escalation.


* Reference leak when using Reliable Datagram Sockets.

A logic error when establishing a TCP Connection using Reliable Datagram
Sockets could lead to a reference leak. An attacker could use this flaw
to cause a denial-of-service.


* CIFS Distributed Filesystem mounting failure.

Missing path comparisons during CIFS Distributed Filesystem mounting could
result in failure to mount a volume.


* CVE-2017-8797: DoS when receiving pNFS LAYOUTGET and GETDEVICEINFO.

When receiving a pNFS LAYOUTGET or GETDEVICEINFO operation on a UDP
packet, the layout type offset is computed without being checked for
correctness, potentially dereferencing out-of-bounds memory and causing
a kernel crash. A remote attacker could exploit this to cause a
denial-of-service or soft lockup.


* CVE-2017-2671: Use-after-free in ping implementation.

A race condition in the kernel ping implementation can result in a
use-after-free. A local attacker with access to ping sockets could use
this flaw to cause a kernel crash or escalate privileges.


* Denial of guest service when shutting down Xen guest with inflight I/O.

When disconnecting a guest from a xen-blkback device, inflight I/O
threads would not be properly terminated, potentially preventing the
device from ever being unmounted.


* Information leak via ipv6 fragment header.

The header size of an ipv6 fragment is not properly checked, potentially
allowing an attacker to read out-of-bounds memory when attempting to
parse it, leaking information.


* Use-after-free on failed allocation in vma_adjust().

When expanding a virtual memory mapping, the vma_adjust function could
erroneously use a pointer to a virtual memory area it had just freed,
causing a kernel crash and denial-of-service.


* Memory leak in QLogic ethernet driver when receiving LL2 packet.

When receiving a Light L2 packet, the QLogic QED ethernet driver fails
to deallocate the previous buffer, potentially allowing an attacker to
starve the system of resources and cause a denial-of-service.


* Potential buffer overrun in Broadcom bnx2x driver multicast.

The Broadcom bnx2x network driver does not properly check the number of
multicast addresses it broadcasts to, potentially allowing a buffer
overflow and corruption of associated memory.


* NULL pointer dereference in Broadcom bnx2x PTP device time counter.

Accessing a PTP device with its associated bnx2x interface down causes
an invalid access of the device's time counter structure, causing a
kernel crash and denial-of-service.


* NULL pointer dereference in LPFC Emulex Fiber Channel devices.

Failing to sanitize the log level control could cause a NULL pointer
dereference and kernel crash in the LPFC Emulex driver.


* Race condition in xen-blkfront causes I/O hang.

A race condition in the Xen virtual block device driver could cause
queued IO to become deadlocked, hanging processes and causing a
denial-of-service.


* Information leak in Intel e1000e statistics reporting.

Uninitialized values in the Inteo e1000e driver statistics reporting
could potentially expose kernel memory to an unprivileged user.


* NULL pointer dereference in Intel e1000 ethernet driver setup.

Failing to initialize the driver for an Intel e1000 ethernet adapter
will cause the code to attempt to cleanup unallocated resources, causing
a NULL pointer dereference and crash.


* Race between close and suspend in Intel ethernet drivers.

A race condition between close and suspend in the Intel ixgbe 10-gigabit
and ixgbevf virtual ethernet drivers could cause a double free or kernel
BUG in rare cases, resulting in a denial-of-service.


* Deadlock in Intel gigabit ethernet driver resume path.

When resuming from a suspended state, the Intel gigabit ethernet driver
could fail to allocate its interrupts, leaking a lock and potentially
deadlocking the system.


* Memory leak when probing Intel gigabit ethernet driver.

A missing kfree() call causes the ibg_probe() function to leak memory,
degrading performance and potentially eventually causing a
denial-of-service.


* Deadlock between btrfs extent and page locking.

An order reversal of the locks governing the btrfs extent ranges and
pages could deadlock, potentially causing a denial-of-service.


* Array overrun in Infiniband CMA callback table.

Incorrect bounds checking in the Infiniband Connection Manager
Abstraction callback table would allow an array overrun if an Infiniband
server provided callback operations the client was not aware of.


* Race conditions in Sun Logical Domain vSwitch driver registration.

Race conditions in the Sun Logcical Domain vSwitch driver could cause a
denial-of-service when the device was being enabled or disabled.


* Memory corruption when sending messages over tcp socket.

An incorrect check on max_skb_frags sysctl value when sending tcp
messages could lead to a memory corruption. An attacker could use this
flaw to cause a denial-of-service.


* Memory leak when using InfiniBand userspace driver.

A missing free of Queue Pairs during cleanup when userspace release
the driver could lead to a memory leak. An attacker could use this
flaw to cause a denial-of-service.


* Information leak via ext4 direct IO failure.

Failed direct IO reads on the ext4 filesystem could, in rare cases,
return uninitialized data from the kernel instead of failing,
potentially granting an attacker information about the running system.


* Reusing pointers in multi-queue block IO deletion causes denial-of-service.

Failing to sanitize a list pointer in the multi-queue block IO request
queue deletion logic could lead to the list pointer being reused by
subsequent request queues. This could lead to a kernel panic and
denial-of-service when using drivers that utiize the multi-queue block
IO system, such as hotpluggable CPUs.


* Permissions bypass in XenStore via invalid transaction id.

XenXtore transaction ids are not correctly validated on every request.
This could potentially allow one XenStore user to intercept data from
another.


* Deadlock when cloning duplicate extents on btrfs volume.

Incorrect locking in the btrfs filesystem driver can cause a deadlock
and kernel panic when cloning file-extents which are not unique.


* Denial-of-service when handling PCIe errors in Intel ethernet drivers.

When handling PCI Express errors in the Intel ixgbevf and ixgbe drivers,
the driver interrupts lists are not freed, leading to a kernel BUG()
assertion.


* CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.

A missing check when using Generic Segmentation Offload on IPV6 socket
could lead to a memory leak. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.

Incorrect merging of block IO vectors could result in corruption of data
accesses to/from a block device.  A malicious guest could use this flaw
to crash the host, or potentially, gain privileges in the host.


* Updated fix for CVE-2017-7477: Remote Denial-of-service in 802.1AE.

An incorrect backport of the fix for CVE-2017-7477 could cause a similar
buffer overrun, resulting in a kernel panic and denial-of-service.


* Kernel panic in xve_create_arp due to mishandled vlan header.

When generating an ARP on an Xsigo Virtual Ethernet device, the vlan
offset was incorrectly computed from an uninitialized offset,
potentially causing a kernel panic and denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.