[Ksplice][Fedora-17-updates] Updates available via Ksplice (kernel-3.4.6-2.fc17)

Michael Ploujnikov michael.ploujnikov at oracle.com
Fri Aug 3 14:06:36 PDT 2012


Synopsis: kernel-3.4.6-2.fc17 can now be patched using Ksplice
CVEs: CVE-2012-2119 CVE-2012-2136 CVE-2012-2373

Systems running Fedora 17 can now use Ksplice to patch against the
latest Fedora kernel update, kernel-3.4.6-2.fc17.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 17 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial of service in hugepage walking.

A missing validation of the value returned by find_vma() could cause a
NULL pointer dereference when walking the page table.


* Integer overflow in ext4 buffer allocation.

An integer overflow in ext4 could cause access to invalid memory regions
not owned by the filesystem, possibly corrupting them.


* Kernel oops in unbound L2TP IP sockets.

Missing checks for unbound sockets in the connect() path when using the
AF_UNSPEC address family could result in a kernel oops.


* Race condition in IPv4 forwarding table.

A race condition in the IPv4 forwarding table code could result in a
kernel oops and denial of service.


* Out-of-bounds memory access in VMWare DRM driver.

An incorrect check for the command word size could result in corrupted
addresses being passed to the emulated device and memory corruption.


* Memory leak in usb-audio PCM driver.

A missing free() in the hardware unplug code resulted in a memory leak.


* Kernel oops in CIFS open file list traversal.

The modification of a list whilst traversing it looking for open file
handles could result in accessing an invalid list element and a kernel
oops.


* Integer overflow in mmap copying on clone().

An integer overflow meant that a fork/clone of a process could succeed
even when the caller did not have enough memory to copy all mmaps,
resulting in a denial of service.


* Use-after-free in ath9k driver.

Failing to set up a transmit buffer could result in a use-after-free
condition when transmitting other buffers.


* Memory corruption in B+Tree iterators.

Incorrect handling of B+Tree iterator internals could result in memory
corruption of the tree even on read-only operations leading to undefined
behaviour.


* Kernel crash in AESNI decryption for CBC mode.

The AESNI driver did not ensure the correct alignment of memory when
performing AES decryption in CBC mode, leading to a kernel crash.


* Memory leak in DRM GPU memory management.

The TTM memory allocator incorrectly performed multiple allocations for
metadata when creating a buffer object leading to a memory leak.


* Kernel panic in mac80211 station management.

A race condition in the station info list could result in a kernel
panic.


* Denial of service accessing CAN devices.

A race condition when opening CAN devices may lead to interrupts
being disabled on devices, preventing them from working properly.


* Denial of service in NFS back-channel request handling.

A memory leak on the failure path of processing back-channel requests
can lead to a local denial of service.


* Denial of service in NFSd on uniprocessor hosts.

Incorrect handling of spinlock semantics on uniprocessor hosts can lead
to a denial of service when closing an NFS session.


* Memory corruption in 9p virtio transport implementation.

A wrong condition used to protect against memory corruption could allow
a corruption to happen anyway.


* Denial of service in memory mappings when closing processes.

Incorrect release order of resources in the memory manager can lead to a
kernel panic when closing processes.


* Denial of service processing corrupted descriptors in ATH9K driver.

A failure to properly handle corrupt descriptors could lead to a kernel
panic when such a descriptor was encountered.


* CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.

The length of packet fragments to be sent wasn't validated before use,
leading to a heap overflow. A user with access to a TUN/TAP virtual
device could use this flaw to crash the system or to potentially
escalate their privileges.


* Use-after-free in l2tp_eth driver.

Incorrect module reference counts could result in the module being
unloaded whilst it was still in use and a use-after-free condition could
result in a kernel crash.


* Use-after-free in l2tp_ip module.

Incorrect use of RCU could result in a use-after-free condition and
kernel crash in the l2tp_ip module.


* Use-after-free in benet driver.

The benet driver could attempt to access a socket buffer after
transmission, resulting in a use-after-free condition.


* Kernel panic in bnx2x network driver.

An off-by-one error in the bnx2x network driver could result in a kernel
crash under high traffic volumes.


* NULL pointer dereference in NFC raw socket closing.

Closing an NFC raw socket could result in a NULL pointer dereference and
kernel crash under specific conditions.


* Buffer overflow in NFC NCI interface.

Incorrect bounds checking in the NCI module could result in a stack
buffer overflow and remote code execution.


* Kernel crash in Xen block backend driver.

The Xen block backend driver didn't correctly set the response ID on a
discard operation, triggering a crash in the frontend.


* Kernel crash in IGBVF network driver ethtool handling.

A divide-by-zero in the IGBVF network driver could result in a kernel
crash.


* Use-after-free in device-mapper persistent data management.

Incorrect error handling on allocation in the persistent data management
could result in a use-after-free condition and kernel crash.


* Kernel crash in eCryptfs on handling inherited files.

eCryptfs would fail with assertions and a kernel crash rather than
returning error codes under specific circumstances when handling
files that had been inherited on a fork() or passed by IPC.


* Lockup in eCryptfs message context handling.

Circular locking in eCryptfs could result in a lockup when accessing
files.


* NULL pointer dereference in e1000e network driver.

The e1000e driver could unconditionally access optional function
pointers resulting in a NULL pointer dereference and kernel crash.


* CVE-2012-2373: denial-of-service in PAE page tables.

On a PAE system, a non-atomic load could be corrupted by a page fault
resulting in a kernel crash, triggerable by an unprivileged user.


* Improved fix to CVE-2012-2119.

The previous upstream kernels did not contain all fixes for
CVE-2012-2119.

The vector length of pages passed to the host from the guest through
macvtap is not validated before the pages are pinned. A privileged guest
user could use this flaw to induce stack overflow on the host with
attacker non-controlled data but with attacker controlled length.


* Denial-of-service in pipe buffer management.

A race condition in the pipe buffer management could result in a kernel
crash when resizing buffers, allowing an unprivileged user to crash the
system.


* Denial-of-service in file advisory locking.

The virtual filesystem layer did not gracefully handle an unexpected
file lease type resulting in a kernel BUG() and system crash,
triggerable by an unprivileged user.


* Use-after-free in device mapper RAID1 data-check.

Under specific hardware configurations, the device mapper code could
attempt to read requests after they had been freed, resulting in a
possible kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
