[Ksplice][Fedora-17-updates] New updates available via Ksplice (FEDORA-2013-1965)

Samson Yeung samson.yeung at oracle.com
Mon Feb 18 18:07:05 PST 2013


Synopsis: FEDORA-2013-1965 can now be patched using Ksplice
CVEs: CVE-2013-0268

Systems running Fedora 17 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-1965.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 17 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
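
The two installation paths above can be told apart per host with a small script. This is an added example, not part of the original advisory or of Ksplice's tooling; the function names uptrack_autoinstall and uptrack_action are hypothetical. It assumes that uptrack.conf uses INI-style "key = value" lines, that '#' or ';' starts a comment, that the last autoinstall line wins, and that only the value "yes" enables autoinstall.

```shell
#!/bin/sh
# Added example: decide whether a host needs a manual uptrack-upgrade run.
# Assumptions: INI-style "key = value" lines, '#' or ';' starts a comment,
# the last autoinstall line wins, and only "yes" enables autoinstall.

# Print the effective autoinstall setting: yes, no, or unreadable.
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo unreadable; return 0; }
    # Strip comments first, then print only the value of an autoinstall line.
    val=$(sed -n \
        -e 's/[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' \
        "$conf" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ "$val" = yes ]; then echo yes; else echo no; fi
}

# Print the action the advisory prescribes for this host.
uptrack_action() {
    case "$(uptrack_autoinstall "$1")" in
        yes) echo "none: updates install automatically" ;;
        no)  echo "run: /usr/sbin/uptrack-upgrade -y" ;;
        *)   echo "check: cannot read config" ;;
    esac
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
install_on_reboot = yes
autoinstall = no   ; disabled for change control
EOF

# The commented-out "yes" is ignored, so this host needs the manual command.
uptrack_action "$sample"
rm -f "$sample"
```

Called with no argument, both functions read /etc/uptrack/uptrack.conf.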


DESCRIPTION

* Use-after-free on LUN RESET in target driver IO handling.

A LUN RESET command during a long backend IO can trigger a use-after-free
on IO completion.


* NULL pointer dereference in Radeon CS parser in UMS mode.

When running in UMS mode the parser might try to dereference the
device pointer, which is NULL in that mode.


* Invalid memory free in Radeon CS parser in UMS mode.

In UMS mode, the CS parser in the Radeon driver may attempt to free
memory that was never dynamically allocated in the first place.


* NULL pointer dereference in USB Inside Out Edgeport serial driver.

A NULL pointer dereference may occur during disconnection of the driver
due to a missing check.


* Denial-of-service in Extended Verification Module.

A missing NULL pointer check could lead to a NULL pointer dereference
and a kernel oops when removing an extended attribute from a file that
does not implement extended attributes.  This could allow an
unprivileged user to crash the system.


* User buffer overflow in VFIO.

The VFIO PCI driver could overflow the user buffer with certain read
operations.


* Race condition in USB UHCI during initialization.

A race condition exists in the USB UHCI code that could cause the
interrupt handler to be called before all data structures are set up,
leading to potential invalid memory accesses.


* NULL pointer dereference in ACPI with cpuidle disabled.

The ACPI code does not correctly handle all cases where cpuidle is
disabled, leading to a kernel NULL pointer dereference.


* Use-after-free in XFS AIO handling.

An inode reference was released before all operations on it were complete.
This might lead to a use-after-free if the inode was freed.


* Memory leak in ATH9K HTC layer skb allocation.

All SKBs which were allocated by the ATH9K HTC layer were not freed,
causing a memory leak.


* Memory corruption in ATH9K handling of flush command.

DMA activity wasn't stopped when handling a flush command, leading
to memory corruption.


* Double free on ATH9K beacon generate failure.

An incorrect re-use of objects between beacon generation attempts would
lead to a system crash.


* CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.

Access to /dev/cpu/*/msr was protected only using filesystem
checks. A local uid 0 (root) user with all capabilities dropped
could use this flaw to execute arbitrary code in kernel mode.


* Invalid memory access in KVM IRQFD assignment.

KVM didn't iterate existing irqfd lists correctly, causing access to invalid
areas of the memory and system crashes.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
