[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (DSA-3426-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Dec 22 12:12:27 PST 2015


Synopsis: DSA-3426-1 can now be patched using Ksplice
CVEs: CVE-2013-7446 CVE-2015-7799 CVE-2015-7833 CVE-2015-8104

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-3426-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Use-after-free in SMACK security module.

Incorrect locking in the SMACK security module can trigger a
use-after-free and kernel panic when looking up the credentials of a
userspace process. This flaw can be used by a local unprivileged user to
trigger a kernel panic or elevate privileges.


* Use-after-free in USB Host Controller Device driver.

Incorrect memory management in the USB Host Controller Driver (HCD) can
trigger a use-after-free condition and kernel panic.


* Security bypass in kernel pseudo terminal subsystem.

The kernel pseudo-terminal (PTY) subsystem does not enforce restrictions
on which users can signal processes, which allows local unprivileged
users to send arbitrary signals to privileged processes.


* Memory corruption when configuring a virtual interface link through netlink.

A minimum length was mistakenly interpreted as a maximum length when
configuring a virtual interface link through netlink, leading to memory
corruption and potentially a kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Denial of service when decoding NFSv4.1 sequence operations.

The kernel NFSv4.1 client tries to free invalid memory when decoding NFS
sequence operations, which can trigger a kernel panic. This flaw can be
triggered by remote users.


* Kernel bug when handling a huge page fault.

A race condition in the huge page fault handler could cause a BUG()
assertion to be hit, causing a denial-of-service.


* Denial-of-service when changing permissions of a huge page.

A race condition when changing the permissions of a huge page during
concurrent migration could lead to a kernel panic.  An attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service in the mmap() system call.

An integer overflow in the routine checking whether there is enough memory
to satisfy an allocation request causes all future allocations to fail.  A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Denial-of-service when reading physical memory from user-space.

The routine generic_phys_access(), used by the /dev/mem and userspace IO
drivers, was only re-mapping one page of IO memory when the request could
span a bigger range, causing out of bounds memory accesses and kernel
panic.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory corruption when mounting malformed JFFS2 disk images.

The kernel JFFS2 filesystem driver does not validate the eraseblock, which
can trigger an assertion and kernel panic.


* Kernel panic when probing iSCSI BladeEngine devices.

An invalid DMA configuration can trigger an assertion and kernel panic
when probing an iSCSI BladeEngine device.


* Kernel crash in netfilter socket matching.

Incorrect use of stack-allocated variables could result in accessing
stale data.  This could potentially be used by a local, privileged user
to cause a denial-of-service or potentially escalate privileges.


* Use-after-free in the Multiple devices driver when taking a reference count.

Incorrect locking in the Multiple devices driver (RAID and LVM) could lead
to a use-after-free.  A local, privileged user could use this flaw to cause
a denial-of-service.


* Use-after-free in the Multiple devices driver when taking a snapshot.

An internal structure of the Multiple devices (RAID and LVM) driver was
being accessed after it was released.  An attacker could use this flaw to
cause a denial-of-service.


* Use-after-free when disconnecting CephFS client.

A race condition when closing a connection to a CephFS service can
trigger a use-after-free condition and kernel panic.


* Out of bounds memory access in autofs4 filesystem ioctl.

A time-of-check to time-of-use vulnerability when validating the size of
the ioctl input buffer in the autofs4 filesystem could lead to out of
bounds memory access.  A local, unprivileged user could use this flaw to
cause a denial-of-service or potentially escalate their privileges.


* XFS filesystem corruption during truncation.

Failure to write zeroed blocks to disk during truncation on an XFS
filesystem could result in failure to zero those blocks during a crash.
This could leave sensitive information on the disk.


* Information leak in the USB stack when sending signals to userspace.

Failure to clear a struct siginfo sent to user-space leaks kernel stack
content to userspace.  A local, unprivileged user could use this flaw to
gain information about the running kernel, facilitating an attack.


* Use-after-free in USB serial stack on failure to probe a device.

A logic error in the USB serial stack could lead to a use-after-free and
kernel panic on failure to probe a device.  A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in Radeon DRM_IOCTL_RADEON_CS ioctl().

Incorrect initialization could result in a NULL pointer dereference when
performing a DRM_IOCTL_RADEON_CS ioctl().  A local user with access to
the DRM device could use this flaw to trigger a denial-of-service
attack.


* Resource leak in IP virtual server backup sync protocol.

Missing resource freeing could result in a memory leak and failure to
remove an IP virtual server instance.


* Memory corruption in Multiple Device driver when destroying a device.

Incorrect locking in the Multiple Device driver when destroying a device
could lead to memory corruptions and kernel panic.  A local, privileged
user could use this flaw to cause a denial-of-service.


* Frames filtering bypass in mesh forwarding in mac80211 stack.

A flaw in mac80211 mesh forwarding allows unencrypted frames to pass
through.  A remote attacker could use this flaw to inject unencrypted
frames into an otherwise encrypted network.


* Kernel crash in SAS driver during expander discovery.

Incorrect handling of expander device discovery could result in a NULL
pointer dereference and kernel crash.


* Kernel crash in controller area network (CAN) sockets.

Incorrect initialization of CAN sockets could result in a kernel crash
when using AF_PACKET sockets.


* Denial-of-service in Intel Memory Protection Extensions.

Incorrect checking for user mode tasks could result in a
denial-of-service when handling bounds faults on a system with MPX
available.


* Deadlock during NILFS2 filesystem recovery.

Mounting a NILFS2 filesystem could cause deadlock if roll-forward
recovery was required.  This could happen after a crash during a
datasync write.


* Information leak in /proc/PID/pagemap.

/proc/PID/pagemap includes the virtual to physical mappings and could be
accessed by a local, unprivileged user.  This could be used in
conjunction with flaws such as Rowhammer to elevate privileges.


* Denial-of-service in pSCSI backend.

A missing NULL pointer check could result in a denial-of-service,
triggerable by a local, unprivileged user for incomplete configurations.


* Use-after-free in Industrial I/O core error handling.

Incorrect error handling in the Industrial I/O device registration
function could result in a double-free and kernel crash.


* Kernel crash in compat sendmsg/recvmsg calls.

Incorrect validation of user supplied data could result in memory
corruption when sending or receiving messages on a datagram socket while
the audit subsystem was enabled.


* Use-after-free in CIFS page writing during intermittent network connectivity.

Incorrect error handling during loss of network connection could result
in a use-after-free when writing pages on a CIFS filesystem.


* Use-after-free in network namespace device moving.

Incorrect linked list manipulation could result in a use-after-free and
kernel crash when moving devices between namespaces.


* Kernel crash in physical to virtual reverse mapping lookup.

Incorrect error handling when adjusting a virtual memory area could
result in integer underflow and a crash in the address reverse mapping
code.


* Data corruption on hfsplus filesystem when inserting node at position zero.

A logic error in the hfsplus filesystem driver leads to on-disk data
corruption when inserting a node at position zero.


* Kernel panic in ServerEngines iSCSI BladeEngine 2 initialization failure.

An incorrect call to remove the device in the error handling path could
result in a kernel crash when a BladeEngine 2 device failed to
initialize.


* Kernel crash in SCSI devices during unplug.

Incorrect handling of non-operational links could result in accessing a
device when it should not be possible to do so.  This could result in an
invalid pointer dereference and kernel crash.


* Information leak when reading IPv4 and IPv6 error queue.

The error queue mechanism (MSG_ERRQUEUE) in IPv4 and IPv6 sockets does
not correctly initialise kernel data structures, which causes the
contents of kernel memory to be leaked to userspace.


* Denial of service when routing IPv6 atomic fragments.

The kernel IPv6 implementation processes atomic fragments according to
the IPv6 RFC. However, remote attackers can leverage a feature of
atomic fragments to stop the routing of IPv6 traffic, causing a denial
of service.


* Kernel panic when receiving compressed PPP data.

The kernel Point-to-Point networking implementation does not correctly
handle decompressing large PPP packets which can trigger an assertion
failure and kernel panic.


* Memory leak when adding a vlan device to a shut down interface.

Failure to unregister stacked devices in the error path of rtnl_newlink()
leads to a memory leak.  A local, privileged user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* Use-after-free in the extended matches network classifier.

A logic error in the extended matches (ematch) network classifier could
lead to a use-after-free and kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Denial-of-service when binding an ICMP socket on IPv6.

A logic error in the IPv6 stack could lead to a kernel panic when
user-space binds an IPv4 ICMP socket.  A local, privileged user could use
this flaw to cause a denial-of-service.


* Kernel hang in Realtek 8169 ethernet driver.

The Realtek 8169 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.


* Kernel hang in Broadcom Tigon3 ethernet driver.

The Broadcom Tigon3 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.


* Kernel hang in Intel PRO 10GbE ethernet driver.

The Intel PRO 10GbE ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.


* Deadlock during packet transmission in Emulex BladeEngine driver.

A locking error in the be2net driver could in rare circumstances cause
a deadlock during packet transmission.


* Kernel panic in IPv4 forwarding of timewait sockets.

The kernel IPv4 stack does not correctly handle forwarding data from
timewait sockets which can trigger an assertion failure and kernel
panic.


* Memory corruption in SPI device ioctl.

An integer overflow in the kernel SPI driver can allow malformed ioctls
to trigger kernel memory corruption and allow a local user to gain
elevated privileges.


* Information leak in Infiniband Userspace events.

The Infiniband uverbs driver did not clear the events structure
resulting in leaking 4-8 bytes of kernel stack contents to userspace.


* Kernel crash in IP Virtual Server support when re-routing to local clients.

A logic error in the IP Virtual Server support could lead to a kernel crash
when re-routing packets to clients on the local network.  An attacker could
use this flaw to cause a denial-of-service.


* Data loss when mounting btrfs volume with the 'discard' option.

When mounting a btrfs volume with '-o discard' the btrfs driver can
possibly overwrite filesystem metadata causing data loss.


* Denial of service in btrfs IOC_CLONE ioctl.

Attempting to clone a zero-length region from one file to another on a
btrfs volume can trigger an infinite loop and kernel panic. A local
user could use this flaw to cause a denial of service.


* Denial of service in KVM host when handling machine check in guest VM.

The KVM host incorrectly handles machine check exceptions in guest VMs
which allows a malicious user in a guest VM to trigger a denial of
service in the host.


* Multiple divide-by-zero in the page write-back code.

Multiple logic errors in the page write-back code could lead to
divide-by-zero and denial-of-service under certain conditions.


* Multiple deadlocks in ALSA emux driver.

Incorrect locking in the ALSA emux driver could lead to AB-BA deadlocks in
the kernel under various conditions.


* Filesystem corruption in ext4 fallocate().

A race condition in the fallocate() implementation on an ext4 filesystem
could result in filesystem corruption under specific conditions.


* Kernel hang in the ocfs2 driver when locking resources.

A race condition in the dlm_get_lock_resource() function in the ocfs2
driver could lead to a kernel hang on concurrent purge.  A local attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service in JBD2 journal recovery.

An integer overflow in the JBD2 journal could result in an out-of-bounds
memory access and kernel crash.  A local user could use a maliciously
crafted filesystem to crash the system.


* Denial-of-service in SonicBlue Optimized MPEG File System mounting.

Missing mount option termination could allow a user with permission to
mount filesystems to trigger a denial-of-service by passing an
unrecognized mount option.


* Infinite loop when bridging IGMP traffic.

Incorrect reference counting in the network bridge subsystem can trigger
an infinite loop when processing IGMP traffic causing further bridged
network traffic to be dropped.


* NULL pointer dereference in CAIF and Unix sockets when receiving.

A missing check that the socket has been destroyed in the recvmsg()
handlers for CAIF and Unix sockets could lead to a NULL pointer
dereference.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in network bridging when changing ports.

Incorrect locking when adding or removing bridge ports can trigger a
use-after-free condition. A privileged user could use this flaw to gain
kernel code execution.


* Denial of service in networking packet fanout.

Incorrect locking in the networking subsystem can trigger a
divide-by-zero and kernel panic when a userspace process uses the
PACKET_FANOUT socket option.


* Kernel panic in networking round-robin packet fanout.

Incorrect synchronization can trigger an out-of-bound read and kernel
panic when a userspace process uses the PACKET_FANOUT_LB socket option.


* Use-after-free when updating networking neighbors.

Incorrect locking in the generic networking subsystem can trigger a
use-after-free condition when updating stale network neighbor
information. This flaw can trigger kernel memory corruption.


* Denial of service when processing OOTB SCTP packets.

A race condition between processing 'out-of-the-blue' (OOTB) packets and
removing an SCTP route can trigger a NULL pointer dereference and kernel
panic. A remote attacker could use this flaw to trigger a denial of
service.


* Multiple privilege escalations in DVB frontends.

Missing user input validation could allow a local user with access to
the device to trigger buffer overflows when reading or writing data.
This out-of-bounds access could result in a kernel crash or potentially
escalate privileges.


* Use-after-free in MTD block device.

Missing locking could result in a use-after-free when accessing an MTD
block device.  A local user with access to the MTD device could use this
flaw to crash the system.


* Remote privilege escalation in Realtek RTL8712U USB driver.

Incorrect buffer sizing could result in a heap buffer overflow when
receiving a fragmented packet.  A remote user could use this flaw to
crash the system or potentially escalate privileges in rare conditions.


* NULL pointer dereference in VIA VT6655 packet reception.

A race condition between receiving a packet and interrupt processing
could result in a NULL pointer dereference and kernel crash.


* Stack buffer overflow in regulator device registration.

Insufficient buffer sizing could result in a stack buffer overflow when
registering a regulator device.


* Kernel crash in ext4 during truncate + write race.

Incorrect locking could result in a kernel crash when threads raced
between writing a journalled page and truncation.


* NULL pointer dereference in Amateur Radio ROSE protocol.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when killing a ROSE device.


* Privilege escalation when writing to setuid files.

A logic error in the file I/O subsystem can cause the setuid bit to be
set on world-writable files when root modifies a file. This could allow
unprivileged users to elevate privileges by modifying a setuid file.


* Memory leak when filtering transmitted bridge traffic.

A malformed IP packet transmitted via a bridge with a netfilter hook
can trigger a kernel memory leak and cause a denial of service.


* Filesystem corruption on Plan 9 9p filesystem during abort.

Aborted transactions were incorrectly handled resulting in corruption of
future requests.  This could corrupt the filesystem or provide incorrect
data to applications.


* BTRFS filesystem corruption on inline extent cloning.

Incorrect copying of inline extents could result in corruption of the
BTRFS filesystem or a kernel crash.  A local, unprivileged user could
use this flaw to crash the system.


* NULL pointer dereference in USB XHCI endpoint creation.

Incorrect handling of cached rings during XHCI endpoint creation could
result in a NULL pointer dereference and kernel crash.


* Out of bounds memory write in macvtap driver with IPv6.

A logic error in the macvtap driver when allocating room in the socket
buffer for the ethernet header potentially leads to a two-byte memory
overwrite.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Denial-of-service in BTRFS inode cache during deletion.

Missing locking during inode unpinning could result in memory
corruption.  A local user with access to the BTRFS filesystem could use
this flaw to trigger a denial-of-service.


* Infinite loop in iSCSI library code during connection teardown.

Incorrect locking in the iSCSI library code could cause the kernel to
enter an infinite loop.


* Kernel BUG in FibreChannel library code during SCSI device reset.

Incorrect locking in FibreChannel library code could cause a reschedule
while a spinlock was held, thus potentially causing either a kernel
assertion failure or a deadlock. A malicious local user with access to
the SCSI device could use this to cause denial of service.


* Use-after-free in IPC semaphores during task exit.

Due to incorrect locking, two tasks with shared IPC semaphore references
could exit and simultaneously try to free the semaphores. This could lead
to a use-after-free and memory corruption, allowing a malicious local user
to cause denial of service.


* Kernel crash in 80211 mesh network transmission.

Incorrect handling of peering state could result in a kernel crash when
transmitting frames on a network with fixed mesh paths where not all
stations had yet completed peering.


* Invalid memory free in device resource management.

A logic error in the device resource management code could cause the
wrong pointer to be freed, possibly crashing the kernel. A malicious
local user with device configuration privileges could use this to cause
denial of service.


* Invalid memory accesses in accelerated GHASH crypto algorithm.

Due to an incorrectly specified context size, the kernel would allocate
too little memory for the GHASH context and possibly access invalid
memory. A local user could potentially use this to cause denial of
service or escalate privileges.


* Use-after-free in HFS B-tree node handling.

Incorrect releasing of pages for HFS B-tree nodes could result in a
use-after-free and kernel crash.  On a heavily loaded system, a local
attacker could use this flaw to crash the system.


* Denial-of-service in IP datagram socket connection.

Missing locking when creating an IP datagram socket could result in list
corruption.  A local, unprivileged user could use this flaw to trigger a
denial-of-service.


* Kernel hang in IPv6 multicast router addition.

Incorrect handling of IPv6 multicast router iteration could result in
failure to acquire a lock and a kernel deadlock.


* Out of bounds memory access in the UBI driver.

A lack of input validation when parsing a UBI image could cause out of
bounds memory accesses and lead to a kernel crash.  A local user able to
mount a specially handcrafted image could use this flaw to cause a
denial-of-service.


* Out of bounds memory access in get_wchan().

A logic error when checking bounds of the current stack pointer in
get_wchan() could lead to out of bounds memory accesses.  A local,
unprivileged user could use this flaw to cause a kernel panic.


* Kernel BUG when unmapping a hugetlbfs page.

A logic error in hugetlbfs when unmapping a page that is mapped both
with MAP_SHARED and MAP_PRIVATE could trigger a BUG() assertion.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* NULL pointer dereference in the Point to point over ethernet protocol.

A flaw in the Point to point over ethernet driver could lead to a NULL
pointer dereference and kernel panic when flushing the device.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Kernel crash when using ahash driver without import/export callback.

Ahash drivers must provide import/export callbacks when registering with
the ahash crypto sub-system; a driver that does not could cause a kernel
crash under certain circumstances.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Use-after-free in Infiniband Connected Mode Service ID Resolution.

Incorrect handling of Service ID Resolution requests could result in a
use-after-free condition and kernel crash.


* NULL pointer dereference in Marvell 88SE64XX/88SE94XX task preparation.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when performing tasks on a Marvell 88SE64XX/88SE94XX
device under low memory conditions.


* Information leak when getting strings from the ethtool device.

Failure to clear an allocated buffer that is copied to user space on
ETHTOOL_GSTRINGS requests could leak information about the running kernel.
This could help an attacker to elevate privileges.


* Denial-of-service in ISDN PPP device opening.

Missing allocation failure checks could result in a NULL pointer
dereference when opening an ISDN PPP device.  A local user with access
to the device could use this flaw to crash the system.


* CVE-2015-7799: Denial-of-service in PPP compression slot parameters.

Missing validation of VJ compression slot parameters for a PPP device
could result in a NULL pointer dereference and kernel crash.  A local
user with access to the PPP device could use this flaw to crash the
system.


* Kernel panic when reshaping a RAID5 to RAID0.

A flaw in the RAID sub-system could lead to device errors and trigger a
kernel BUG() assertion when reshaping a RAID5 to a RAID0 in certain
circumstances.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Permission bypass in the tty driver.

A flaw in the tty code would allow someone with a file descriptor opened
write-only to re-open the tty with different flags, allowing them to
control the terminal when this should require both read and write access
to the tty.


* CVE-2015-8104: KVM host denial-of-service in debug exception.

A guest could trigger a debug exception while an existing debug exception
is being handled, trapping the KVM host in an infinite loop and causing a
denial-of-service.  A privileged user in a guest could use this flaw to
crash the host.


* NULL pointer dereference in PPP over Ethernet device releasing.

An incorrect check for disconnected PPP over Ethernet devices could
result in a NULL pointer dereference and kernel crash when closing the
device.


* Disable modification of LDT by userspace processes.

The seldom-used modify_ldt syscall allowing processes to modify their local
descriptor table has several vulnerabilities allowing local unprivileged
users to elevate privileges.

This update disables the modify_ldt syscall by default and introduces a new
sysctl 'ksplice_modify_ldt' to allow administrators to re-enable it.
Re-enabling the syscall will make the machine vulnerable.

To re-enable modify_ldt, run the following command as root:

  sysctl ksplice_modify_ldt=1

To disable, run:

  sysctl ksplice_modify_ldt=0

This mitigates CVE-2015-3290, CVE-2015-3291 and CVE-2015-5157.
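The following audit helper is an added example, not part of this advisory or of the Uptrack tooling. It reports whether Uptrack is set to autoinstall and whether modify_ldt has been re-enabled through the ksplice_modify_ldt sysctl; the config path, the "autoinstall = yes" key and the sysctl name are taken from the advisory, while the key/value parsing rules are assumed.

```shell
#!/bin/sh
# Added audit helper (not from the Ksplice advisory). Answers two questions an
# administrator has after this update:
#   1. Is Uptrack set to autoinstall, so fixes arrive without manual action?
#   2. Has modify_ldt been re-enabled via the ksplice_modify_ldt sysctl?
# Assumed: uptrack.conf uses simple "key = value" lines with '#' comments.

# Read an uptrack.conf body on stdin and print "yes" or "no" for autoinstall.
# Comment lines are skipped, whitespace around '=' is ignored, the last
# occurrence wins, and any value other than "yes" (any case) counts as "no".
uptrack_autoinstall() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*autoinstall[ \t]*$/ {
            v = tolower($2); gsub(/[ \t]/, "", v); last = v
        }
        END { if (last == "yes") print "yes"; else print "no" }'
}

# Map a ksplice_modify_ldt value to a state: 0 is the safe default installed
# by this update, 1 means CVE-2015-3290/3291/5157 are reachable again, and
# anything else (including a missing sysctl) is reported as unknown.
ldt_state() {
    case "$1" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# Live check on a host; the sysctl only exists once the Ksplice update is
# loaded, so "unknown" on an unpatched machine is expected.
ldt_live_state() {
    v=$(sysctl -n ksplice_modify_ldt 2>/dev/null) || v=absent
    ldt_state "$v"
}

# Usage on a host:  sh audit.sh /etc/uptrack/uptrack.conf
if [ $# -eq 1 ] && [ -r "$1" ]; then
    echo "uptrack autoinstall: $(uptrack_autoinstall < "$1")"
    echo "modify_ldt syscall:  $(ldt_live_state)"
fi
```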


* CVE-2013-7446: Use-after-free in Unix sockets.

Invalid reference counting in the kernel Unix socket subsystem can
trigger a use-after-free condition. A local unprivileged user could use
this flaw to bypass permission checks on Unix sockets or potentially
escalate privileges.


* Memory leaks in USBVision device driver.

Under multiple different circumstances, the USBVision device driver could
leak memory. A malicious local user could potentially use this to cause
denial of service.


* Improved fix for CVE-2015-7833: Denial-of-service when probing USBvision device.

Incorrect input validation when probing a USBvision device could lead to
out of bounds memory accesses and kernel panic.  A local attacker with
physical access could use a fake USB device with a handcrafted USB
descriptor to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
