[Ksplice-Fedora-19-updates] New updates available via Ksplice (FEDORA-2014-8487)

Oracle Ksplice ksplice-support_ww at oracle.com
Sun Jul 27 10:03:35 PDT 2014


Synopsis: FEDORA-2014-8487 can now be patched using Ksplice
CVEs: CVE-2014-0206 CVE-2014-4508 CVE-2014-4608 CVE-2014-4611 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-4667 CVE-2014-4699 CVE-2014-4715 CVE-2014-4943

Systems running Fedora 19 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-8487.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 19 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-4699: Privilege escalation in ptrace() RIP modification.

Missing validation of the RIP value could allow an unprivileged user to
cause the CPU to fetch instructions from a non-canonical address.  On
some CPUs this could result in a denial-of-service or potentially allow
escalation of privileges.


* CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.

PPP over L2TP sockets incorrectly used UDP's getsockopt and setsockopt
as a fallback handler. Since UDP's implementation expects different
data structures, a local attacker could corrupt kernel memory and gain
root privileges.


* Double-free in PHY core driver when releasing a PHY.

A flaw in the PHY driver could lead to a double free of a PHY device if the
PHY creation failed. A local, privileged user could use this flaw to cause
a denial-of-service.


* Memory leak in crypto CAAM Job Rings driver at module unloading.

Incorrect logic in the crypto CAAM Job Rings driver probe function leads to
a memory leak when unloading the module. A local, privileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Kernel panic in thermal hardware monitoring driver when unloading module.

A flaw in the thermal hardware monitoring driver could lead to
dereferencing an invalid address on module removal. A local, privileged
user could use this flaw to cause a denial-of-service.


* Use-after-free in mbind vma merge.

A bug in the mm code could result in a use-after-free when doing
a vma merge, leading to a kernel crash.


* Denial-of-service in NUMA memory management code.

A flaw in the NUMA memory management code could lead to a kernel oops if a
PMD is turned into a NUMA PMD while handling a page fault.


* Invalid memory reference in NFSv4 symlink decoding.

A bug in how the nfsd decoded the data for a symlink operation
could lead to the nfsd code writing to an invalid memory location.


* Data loss in ext4 block preallocation.

Incorrect computation on the number of blocks that needed
to be cleared with preallocation leads to extra blocks being
cleared out, causing possible data loss.


* Double free in ext4 branch allocation.

A bug in the ext4 error recovery during branch allocation could
lead to a double free.


* Kernel oops in Allwinner Sun4i driver probe.

A failure to properly clean up after a failure in the mdio probe function
means that an interrupt is not properly freed, leading to a kernel oops if
that interface gets set up again.


* Denial-of-service on mac80211 station rate selection.

If the rate control algorithm uses a selection table, the
table gets leaked when the station is destroyed.  A malicious
privileged user could exploit this to cause a denial-of-service.


* Kernel oops in mac80211 debugfs access.

An invalid check of the netdev state during a debugfs read
or write for mac80211 can cause a kernel oops.


* Data corruption in rbd block driver.

A bug in the rbd object request code could cause data corruption
when freeing an object request.


* Divide-by-zero in i915 driver with pixel_multiplier of zero.

When processing the config for SDVO, a missing zero check
could lead to a divide-by-zero error.


* Denial-of-service with TKIP on Ralink USB devices.

The rt2x00 driver cannot atomically get a TKIP key, which could lead to a
kernel BUG(), so TKIP support is disabled.  A malicious user could exploit
this to cause a denial-of-service.


* NULL pointer dereference in USB gadget with empty string descriptors.

A NULL pointer dereference can occur if user space sends in an empty set
of strings to the USB gadget string descriptors.  This could cause a
kernel crash.


* NULL pointer dereference when probing non-FTDI devices.

If a user forces a non-FTDI device to be probed by the USB
serial FTDI code, it causes a NULL pointer dereference.  This can
lead to a kernel crash.


* Kernel crash in virtio scsi aborted requests.

A race condition in virtio scsi causes task management requests to be
completed more than once, leading to kernel BUGs or oopses.


* Kernel crash in virtio scsi workqueue.

A bug in the virtio scsi code allowed uninitialized work queue
items to be processed.  This could lead to an invalid memory
reference and kernel crash.


* Use-after-free in ALSA card driver when closing PCM.

A race condition in the ALSA driver could lead to a use-after-free when
disconnecting from the device and closing the PCM concurrently. A local,
privileged user could use this flaw to cause a denial-of-service.


* CVE-2014-4715: Integer overflow in LZ4 library when uncompressing large blocks.

Integer overflow in the LZ4 algorithm implementation on 32-bit kernels
might allow attackers to cause a denial of service (memory corruption) or
possibly have unspecified other impact via crafted compressed data.


* Improved fix to CVE-2014-4699: Privilege escalation in ptrace() RIP modification.

The original fix to CVE-2014-4699 was superseded by a more complete fix
that covers all cases.


* Kernel BUG in reiserfs when NFS changes file attributes.

Incorrect locking in the reiserfs code could lead to a race condition when
NFS changes a file attribute concurrently with the file being released,
leading to a kernel BUG and denial-of-service. A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Data corruption on NFS when updating inode due to cache misusage.

Incorrect use of the internal validity cache for an inode could result in
data corruption when there are multiple concurrent accesses to a file. A
local, unprivileged user could use this flaw to cause data corruption.


* Memory leak in NFS filesystem when releasing a lock stateid.

A flaw in the NFS filesystem code when releasing a lock stateid results in
the lock owner not being freed, resulting in a memory leak. A local,
unprivileged user could use this flaw to exhaust the memory on the system
and cause a denial-of-service.


* Invalid pointer dereference in NFS filesystem after allocating a file layout.

Missing check for NULL after allocating memory for a file layout in the NFS
filesystem could lead to an invalid pointer dereference and kernel panic
under memory pressure.


* Use-after-free in InfiniBand SCSI RDMA Protocol when unplugging a cable.

As a result of unplugging a cable, a SCSI command could be freed while still
in use, resulting in a use-after-free and kernel panic. An attacker with
physical access could use this flaw to cause a denial-of-service.


* Denial-of-service when updating the watchdog threshold from procfs.

Incorrect locking when updating the watchdog timers on all CPUs could
trigger a kernel BUG. A local, privileged user could use this flaw to cause
a denial-of-service by changing the watchdog threshold in procfs.


* Use-after-free in Micro PCIe SSDs block driver when unloading the module.

Wrong ordering of the de-allocation routines called at module exit could cause
a use-after-free and kernel panic. A local, privileged user could use this
flaw to cause a denial-of-service.


* List corruption in iSCSI Target driver when checking output data header.

A list corruption could be triggered under specific conditions in the iSCSI
Target driver when rejecting an output payload, potentially causing a
denial-of-service.


* Use-after-free in Target Core Module (TCM) when accessing sysfs.

A pointer is not cleared after being freed when removing a device
symlink, leading to a use-after-free later when reading the ALUA attributes
from the sysfs. A local, privileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in epoll file descriptor closing.

Incorrect locking when closing an epoll file descriptor could result in
a use-after-free condition.  A local, unprivileged user could use this
flaw to crash the system or possibly escalate privileges.


* CVE-2014-4508: Denial-of-service in syscall audit code when using wrong syscall number.

A flaw in the error path of the entry point of a syscall leads to a kernel
panic if syscall auditing is enabled and the syscall number is larger than
the number of syscalls. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* CVE-2014-4611: Integer overflow in LZ4 library when uncompressing large blocks.

Lack of input validation in the LZ4 library could cause an integer overflow
when uncompressing blocks larger than 16MB, potentially leading to kernel
code execution. A local attacker could use this flaw to elevate privileges.


* NULL pointer dereference in BTRFS device removal.

A missing loop escape could result in a NULL pointer dereference when
removing a device from a BTRFS filesystem under specific conditions.


* Kernel bug on BTRFS unmounting during active work.

Under rare conditions a BTRFS filesystem could continue to perform
asynchronous work on unmounting which could trigger a kernel assertion
and crash the system.


* Use-after-free in BTRFS extent writing.

A double-free in BTRFS extent writing could result in a use-after-free
under specific conditions, resulting in memory corruption.


* Denial-of-service in CIFS SMB2 file opening.

Missing memory freeing could result in memory exhaustion in the kernel.
A local, unprivileged user could use this flaw to trigger a
denial-of-service.


* CVE-2014-0206: Information leak in asynchronous I/O ring buffer.

It was found that the aio_read_events_ring() function of the Linux
kernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the
AIO ring head received from user space. A local, unprivileged user could
use this flaw to disclose random parts of the (physical) memory
belonging to the kernel and/or other processes.


* Information leak in mcp ram disk.

A failure to clear out mcp ramdisk pages could allow sensitive
information to be leaked via reads from a ramdisk_mcp.


* Use-after-free in Infiniband iSCSI extension unload.

Missing synchronization could allow asynchronous work to run after
unloading the iser module causing a kernel crash.


* Kernel crash in ACPI core string printing.

Missing length validation could result in accessing past the end of a
buffer resulting in a kernel crash in rare conditions.


* Memory leaks in Sierra wireless serial driver on disconnect and resume.

Missing resource freeing could result in a memory leak on repeated
device closing or system resume, eventually resulting in a system crash.
A local user with access to the device could use this flaw to trigger a
denial-of-service.


* NULL pointer dereference in Sierra wireless driver on suspend/resume.

Missing NULL checks could result in a NULL pointer dereference when
suspending or resuming a system with a Sierra wireless serial device.


* Denial-of-service in EXT4 block allocation.

Incorrect validation of request sizes could result in hitting a kernel
assertion and crashing the system.  A local, privileged user could use
this flaw to crash the system with a carefully crafted filesystem image.


* Data corruption in EXT4 filesystems in ordered mode.

Incorrect synchronization between the EXT4 filesystem and page cache
could result in data corruption when the filesystem is in ordered mode
and a sync operation is followed by truncation.


* Integer overflow in ID radix tree.

An integer overflow in the ID to pointer radix tree could result in
incorrect IDs being returned.  This could result in undefined behaviour
in kernel subsystems using the IDR tree.


* NULL pointer dereference in Applicom Intelligent Fieldbus device probe failure.

Incorrect error handling in the Applicom Intelligent Fieldbus driver
initialization could result in a NULL pointer dereference, crashing the
system.


* Remote privilege escalation in Realtek RTL8188EU wireless driver.

Missing validation of network supplied information could result in
memory corruption.  A remote user could use this flaw to crash the
system or possibly escalate privileges.


* NULL pointer dereference in Maxim MAX77693 MUIC probing.

Missing platform data validation could result in a NULL pointer
dereference when probing a MAX77693 device.


* NULL pointer dereference in Maxim MAX8997 MUIC probing.

Missing platform data validation could result in a NULL pointer
dereference when probing a MAX8997 device.


* CVE-2014-4656: ALSA Control ID overflow.

Missing range checks in ALSA control IDs could lead to an integer overflow.


* CVE-2014-4653: Use after free in ALSA card controls.

Missing synchronization in ALSA card controls could lead to a control
being freed while being in use.


* CVE-2014-4654, CVE-2014-4655: Missing validity checks in ALSA user controls.

Missing validity checks when replacing user controls could lead to an attempt
to free something that is not a user control or a control that is not owned
by the process. Userspace was also allowed to bypass the user control count
by overflowing it.


* CVE-2014-4652: Arbitrary memory disclosure in ALSA user controls.

Lack of synchronization between reads and writes to ALSA user controls
could lead to a kernel memory disclosure.


* CVE-2014-4608: Integer overflow in LZO when uncompressing blocks larger than 16MB.

Lack of input validation in the LZO library could cause an integer overflow
when uncompressing blocks larger than 16MB, potentially leading to kernel
code execution. A local attacker could use this flaw to elevate privileges.


* Use-after-free in HyperV guest driver when connecting to the host.

A logic error in the HyperV driver code when there is an error connecting to
the host leads to freeing a page that was never allocated,
potentially leading to use-after-free or double-free errors.


* Memory leak in USB Modem class support when transmitting URBs.

A missing check to ensure that the suspend path is not running concurrently
when transmitting URBs to the USB modem can lead to a memory leak and
reference counters imbalance. A local, privileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.

Incorrect reference counting in the error path of sctp_unpack_cookie()
could corrupt the backlog reference counter, preventing any future SCTP
association. A remote attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in UDP stack in the fast transmit path.

Incorrect locking in the UDP stack when using the lockless transmit path
can lead to a race condition causing a use-after-free and kernel panic. An
attacker could use this flaw to cause a denial-of-service.


* Information leak in QLogic Data Center Bridging (DCB).

A lack of structure initialization in the QLogic DCB driver discloses 2
bytes of kernel stack to userspace. This could be used by an attacker to
gather information about the running kernel and help in a potential attack.


* NULL pointer dereference in Target Core Mod (TCM) when releasing a session.

A missing check for NULL before dereferencing a pointer in the TCM driver
when releasing a session could lead to a kernel panic.


* Multiple journal corruptions in the ext4 filesystem.

Multiple flaws in the ext4 filesystem could lead to incorrect checksums
being computed in the journal under specific conditions. These flaws could
cause the filesystem to be re-mounted read-only or cause data corruption
and denial-of-service.


* Multiple denial-of-service problems in bluetooth code.

Multiple race conditions in the bluetooth code could cause deadlocks.


* Kernel panic in IP virtual server netfilter.

The kernel does not correctly handle the case of a non-linear ICMP
packet being received in response to an IPIP packet, leading to an
out-of-bounds read and kernel panic.


* Kernel panic when unloading netfilter NAT module.

The netfilter NAT module does not correctly release resources when
unloading which can trigger a kernel panic. A local, privileged user
could use this flaw to cause a denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
