[Ksplice-Fedora-19-updates] New updates available via Ksplice (FEDORA-2014-7320)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jun 18 08:12:28 PDT 2014


Synopsis: FEDORA-2014-7320 can now be patched using Ksplice
CVEs: CVE-2014-1739 CVE-2014-3917 CVE-2014-3940

Systems running Fedora 19 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-7320.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 19 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Buffer overflow in SCSI megaraid driver when servicing an ioctl.

Lack of input validation in the SCSI megaraid driver could lead to a buffer
overflow and kernel panic. A local, privileged user could use this flaw to
cause a denial-of-service or potentially gain kernel code execution.


* Audit bypass in process namespaces with PPID-based filters.

The audit logging used the PPID from inside the namespace rather than
the ID from the initial namespace. This could allow malicious processes
to bypass audit rules.


* Use-after-free in netfilter xtables when copying counters to userspace.

A logic error in the netfilter ebtables, ARP tables and IPv4/IPv6 tables
may lead to a use-after-free if there is an error when copying counters to
userspace, as this will result in freeing the tables when they have already
been exposed to userspace. Any subsequent packet processing will lead to a
use-after-free and kernel panic.


* Memory leak in RAID1 buffer allocation failure.

Incorrect handling of memory allocation failure could result in failure
to free existing allocations.  This memory leak could result in an
eventual out-of-memory condition and kernel crash.


* Memory leak in userspace probes when disabling a probe.

A missing de-allocation routine when disabling a userspace probe causes a
memory leak. A local, un-privileged user could use this flaw to exhaust the
memory on the system and cause a denial-of-service.


* Kernel BUG() in transparent huge page code between split and zap.

A missing lock could lead to a race condition in the transparent huge page
code between splitting and zapping a transparent huge page, leading to a
kernel BUG().


* Soft lockup in huge page code when releasing huge TLB pool.

A missing call to the scheduler when releasing a huge TLB pool could lead
to a soft lockup. A local, privileged user could use this flaw to cause a
denial-of-service.


* Deadlock in USB serial driver when unloading the module.

Incorrect locking between module removal and sysfs callbacks in the USB
serial driver could lead to a deadlock. A local, privileged user could use
this flaw to cause a denial-of-service.


* Deadlock in VMware graphics card driver when destroying a hardware context.

Incorrect locking in the VMware graphics card driver when destroying a
hardware context could lead to a deadlock. A local user could potentially
use this flaw to cause a denial-of-service.


* Memory corruption in VMware graphics driver when doing a DMA transfer.

A missing bounds check in the VMware graphics driver code could lead to
memory corruption. A local user could use this flaw to cause a
denial-of-service.


* Kernel crash in QXL virtual graphics adapter object reference counting.

Incorrect handling of unreferenced objects could result in hitting a
kernel assertion and crashing the system.


* Remote denial-of-service in bridge driver when filtering packets.

A logic error in the bridge driver when filtering packets could lead to a
double-free of the dropped socket buffer, potentially leading to a kernel
panic. A remote user could use this flaw to cause a denial-of-service.


* Use-after-free in IPv6 generic routing encapsulation driver on device removal.

Lack of reference counting between the IPv6 generic routing encapsulation
driver and its use of a tunnel net device could lead to a use-after-free and
kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service or potentially escalate privileges.


* Divide-by-zero in TCP cubic congestion algorithm when computing delayed ack.

A logic error in the TCP cubic congestion algorithm could lead to a
divide-by-zero and kernel panic. A remote attacker could potentially use
this flaw to cause a denial-of-service.


* Denial-of-service in Heavy-hitter filter packet scheduling algorithm.

Incorrect locking in the Heavy-hitter filter packet scheduling driver in
the error path of changing the queue discipline could lead to a deadlock. A
local, privileged user could use this flaw to cause a denial-of-service.


* Out-of-bounds memory write in USB network control model class driver.

A logic error in the code checking boundaries before sending a USB packet
in the network control model class driver could lead to an off-by-one
memory write under specific conditions, potentially leading to a kernel
panic.


* NULL pointer dereference in IPv6 netlink validation callback.

A missing check for NULL in the IPv6 netlink validation callback leads to a
NULL pointer dereference. A local, privileged user could use this flaw to
cause a kernel panic and denial-of-service.


* Memory leak in BATMAN routing protocol on processing an originator message.

A missing call to a de-allocation routine in the BATMAN routing protocol on
processing an originator message for an outgoing interface can lead to a
memory leak. An attacker could potentially use this flaw to exhaust the
memory on the system and cause a denial-of-service.


* Memory leak in BATMAN routing protocol when removing an interface.

A missing call to a de-allocation routine when removing an interface in the
BATMAN routing protocol could lead to a memory leak. A local, privileged
user could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Memory corruption when computing the size of IPv6 headers.

A logic error when calculating the size of the IPv6 header when IPv6
extensions are used could lead to a memory corruption and kernel panic.


* Use-after-free in the PHY network driver on HW initialization failure.

A logic error in the PHY network driver on HW initialization failure could
lead to a use-after-free and kernel panic. A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in BATMAN when printing information to debugfs.

A missing check for NULL in the debugfs callback for the "originators"
debugfs file could lead to a NULL pointer dereference and kernel panic. A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak in BATMAN routing protocol code when sending fragmented packets.

Incorrect reference counting in the BATMAN routing code when sending a
fragmented packet leads to a memory leak. An attacker could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Deadlock in Broadcom IEEE802.11n PCIe SoftMAC WLAN driver firmware loading.

Incorrect firmware loading could result in deadlock when activating a
network device with no firmware installed.


* CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.

A Linux kernel built with system-call auditing support is vulnerable to a
kernel crash or information disclosure flaw caused by an out-of-bounds memory
access. When system call audit rules are present on a system, an
unprivileged user could use this flaw to leak kernel memory or cause a
denial-of-service.


* NULL pointer dereference in cfg80211 when changing regulatory domain.

A missing check for NULL could lead to a NULL pointer dereference and
kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* Deadlock in wireless stack when reconfiguring a network interface.

Incorrect locking in the wireless stack could lead to a deadlock when
reconfiguring a wireless interface. A local, privileged user could use this
flaw to cause a denial-of-service.


* Kernel panic when moving a transparent huge page concurrently with splitting it.

A race condition in the code moving page tables if a transparent huge page
is concurrently being split can lead to a kernel panic under specific
conditions.


* Memory corruption when accessing a huge TLB of a copy-on-write page.

A missing flush of the huge translation lookaside buffer for a page copied
after a write could lead to memory corruption, as it can cause a parent
process to access the child's copied version of the page rather than the
original page. A local, unprivileged user could use this flaw to cause
memory corruption or potentially elevate privileges.


* Memory leak in asynchronous IO subsystem when running a callback.

A missing de-allocation routine in the error path of the function calling
an asynchronous IO callback leads to a memory leak. An attacker could use
this flaw to exhaust the memory and cause a denial-of-service.


* NULL pointer dereference in the filesystem stack when checking ACL.

A missing check for NULL when checking whether a filesystem ACL can be
represented using traditional UNIX permissions could lead to a kernel
panic. A remote attacker controlling an NFS server or a local unprivileged
user could use this flaw to cause a denial-of-service.


* Double free in AFFS filesystem when mounting a filesystem.

If an error happens when mounting an AFFS filesystem, some objects will be
freed twice, leading to a kernel panic. A local, privileged user could use
this flaw to cause a denial-of-service.


* NULL pointer dereference in Intel gigabit Ethernet driver when resetting interrupt vector.

A missing check for NULL in the Intel gigabit Ethernet driver when resetting its
interrupt vector could lead to a NULL pointer dereference and kernel panic.


* Deadlock in Nouveau driver when updating fan speed.

Incorrect locking in the Nouveau driver when updating the fan speed could
lead to a deadlock and denial-of-service under specific conditions.


* CVE-2014-1739: Information leak in the media stack when enumerating media devices.

The ioctl() to enumerate media devices can copy to userspace 200 bytes of
kernel stack. A local user with write access to /dev/mediaX could use this
flaw to gather information about the running kernel.


* Use-after-free in autofs when accessing private data of a removed dentry.

A logic error when checking a dentry is still allocated could lead to a
use-after-free and kernel panic. A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Kernel panic in filesystem stack when walking inode dcache.

Race conditions in the filesystem stack when checking dentry flags could
lead to a kernel panic. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Kernel BUG() in NFS daemon when setting an ACL with no entries.

A logic error in the NFS daemon code could trigger a kernel BUG() when
setting an ACL with no entries.


* Incorrect permission checking in cgroup subsystem.

Incorrect permission checking in the cgroup subsystem could allow a local
unprivileged user to bypass cgroup exceptions.


* Deadlock in Intel WiFi driver when setting channel in monitor mode.

Incorrect locking in the Intel WiFi driver could lead to a deadlock when
setting any channel but 1 to monitor mode. A local, privileged user could
use this flaw to cause a denial-of-service.


* Information leak in sysfs when the read callback uses seq_file.

A structure allocated on the stack is not zeroed before being copied to
userspace, so its uninitialized bytes can leak important information about
the running kernel. A local, unprivileged user could use this flaw to
gain information, potentially helping in an attack.
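The pattern behind this entry is a struct whose named fields are all assigned but whose ABI padding is never written, so a copy of the whole object carries stale stack bytes. The following is an added userspace illustration, not code from the advisory or the kernel: the struct layout, the 0xAA "stale stack" marker and the simulated copy-out are all constructed here. A scratch slot is pre-filled with the marker to stand in for a dirty stack, the buggy and the hardened filler are run on it, and the padding bytes that survive into the "userspace" copy are counted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical reply record chosen to contain ABI padding: a 1-byte kind,
 * an 8-byte value that must be aligned, then a 2-byte flags field. */
struct seq_reply {
    uint8_t  kind;
    uint64_t value;
    uint16_t flags;
};

/* Bytes actually occupied by named fields; the rest of sizeof() is padding. */
#define FIELD_BYTES (sizeof(uint8_t) + sizeof(uint64_t) + sizeof(uint16_t))

/* Buggy pattern: only the named fields are written, so the padding keeps
 * whatever the stack slot held before the call. */
void fill_reply_unsafe(struct seq_reply *r)
{
    r->kind  = 7;
    r->value = 0x1122334455667788ULL;
    r->flags = 0x0102;
}

/* Hardened pattern: clear the whole object first, then set the fields,
 * so every byte that reaches userspace is either a field or zero. */
void fill_reply_safe(struct seq_reply *r)
{
    memset(r, 0, sizeof(*r));
    r->kind  = 7;
    r->value = 0x1122334455667788ULL;
    r->flags = 0x0102;
}

/* True if byte offset 'off' of struct seq_reply belongs to a named field. */
static int is_field_byte(size_t off)
{
    return (off >= offsetof(struct seq_reply, kind)  && off < offsetof(struct seq_reply, kind)  + sizeof(uint8_t))
        || (off >= offsetof(struct seq_reply, value) && off < offsetof(struct seq_reply, value) + sizeof(uint64_t))
        || (off >= offsetof(struct seq_reply, flags) && off < offsetof(struct seq_reply, flags) + sizeof(uint16_t));
}

/* Simulate a dirty stack slot: pre-fill the storage with the constructed
 * marker 0xAA, run the filler, copy the object out as copy_to_user() would,
 * and count padding bytes in the copy that still carry the marker. */
size_t leaked_padding_bytes(void (*fill)(struct seq_reply *))
{
    union { struct seq_reply r; unsigned char raw[sizeof(struct seq_reply)]; } slot;
    unsigned char user_copy[sizeof(struct seq_reply)];
    size_t off, leaked = 0;

    memset(slot.raw, 0xAA, sizeof slot.raw);
    fill(&slot.r);
    memcpy(user_copy, slot.raw, sizeof user_copy);   /* stands in for copy_to_user() */

    for (off = 0; off < sizeof user_copy; off++)
        if (!is_field_byte(off) && user_copy[off] == 0xAA)
            leaked++;
    return leaked;
}

/* Number of padding bytes the compiler inserted into struct seq_reply. */
size_t padding_bytes(void)
{
    return sizeof(struct seq_reply) - FIELD_BYTES;
}

int main(void)
{
    printf("struct size %zu, padding %zu bytes\n", sizeof(struct seq_reply), padding_bytes());
    printf("unsafe filler leaks %zu stale bytes\n", leaked_padding_bytes(fill_reply_unsafe));
    printf("safe filler leaks   %zu stale bytes\n", leaked_padding_bytes(fill_reply_safe));
    return 0;
}
```

The count for the unsafe filler equals the padding size on any ABI that aligns uint64_t, while the memset variant leaks nothing; the same check, run over a real copy-out path with a known stack marker, is how such leaks are usually confirmed during review.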


* Memory leak in Target core mod storage engine on every xcopy.

Missing initialization of a reference counter leads to 1Kb of kernel memory
being leaked for every xcopy operation. A local, unprivileged user could
use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Race conditions in the workqueue subsystem.

Incorrect locking in various places in the workqueue subsystem could lead
to a kernel panic.


* Use-after-free in Target core mod when releasing a command.

Improper ordering of de-allocation routines could lead to a use-after-free and
kernel panic.


* Kernel panic in libata after detaching a port.

Lack of resources cleanup when detaching an ATA port can lead to a kernel
panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in CAAM crypto driver.

A missing check for NULL after allocating a buffer could lead to a NULL
pointer dereference when the system is under memory pressure. An attacker
could use this flaw to cause a denial-of-service.


* Memory corruption when unregistering a clock driver.

A list is iterated over with an unsafe iterator when the elements are being
removed from the list, which causes memory corruption and could lead to a
kernel panic. A local, privileged user could use this to cause a
denial-of-service.
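The defect in this entry is the classic "iterate and delete" mistake on an intrusive list: the loop fetches the next pointer from an element that has just been unlinked. The block below is an added example, not the advisory's or the kernel's code; it carries a toy intrusive list in the style of the kernel's struct list_head with the same poisoning idea as its list_del(), and a constructed registry of three entries. The unsafe walk is stopped as soon as it reads a poisoned link, so the demonstration stays deterministic; in the kernel the unlinked element is also freed, so that same stale read is the use-after-free the advisory describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy intrusive doubly-linked list (own implementation, kernel-style API). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Like the kernel's LIST_POISON1/2: links of a deleted node point here, so a
 * stale read is recognisable instead of silently walking garbage. */
static struct list_head poison_next, poison_prev;

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->next = head; n->prev = head->prev;
    head->prev->next = n; head->prev = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = &poison_next;
    n->prev = &poison_prev;
}

/* Unsafe iterator: reads pos->member.next AFTER the body ran. */
#define list_for_each_entry(pos, head, member)                               \
    for (pos = container_of((head)->next, __typeof__(*pos), member);         \
         &pos->member != (head);                                             \
         pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Safe iterator: caches the successor in 'n' BEFORE the body may unlink pos. */
#define list_for_each_entry_safe(pos, n, head, member)                       \
    for (pos = container_of((head)->next, __typeof__(*pos), member),         \
         n = container_of(pos->member.next, __typeof__(*pos), member);       \
         &pos->member != (head);                                             \
         pos = n, n = container_of(n->member.next, __typeof__(*pos), member))

/* Hypothetical driver entry kept in a registry list. */
struct clk_entry { int id; struct list_head node; };

/* Buggy pattern: after list_del() the loop would read the poisoned link.
 * Returns how many entries were removed before the stale read was caught. */
int unregister_all_unsafe(struct list_head *head)
{
    struct clk_entry *pos;
    int removed = 0;
    list_for_each_entry(pos, head, node) {
        list_del(&pos->node);
        removed++;
        if (pos->node.next == &poison_next)   /* next hop comes from a removed node */
            return removed;
    }
    return removed;
}

/* Fixed pattern: the successor is saved before the current node is unlinked. */
int unregister_all_safe(struct list_head *head)
{
    struct clk_entry *pos, *n;
    int removed = 0;
    list_for_each_entry_safe(pos, n, head, node) {
        list_del(&pos->node);
        removed++;
    }
    return removed;
}

static int list_count(const struct list_head *head)
{
    int c = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next) c++;
    return c;
}

/* Build a constructed registry of three entries and unregister with either walk. */
static int run_scenario(int use_safe, int *remaining)
{
    struct list_head head = { &head, &head };
    struct clk_entry pool[3];
    for (int i = 0; i < 3; i++) { pool[i].id = i; list_add_tail(&pool[i].node, &head); }
    int removed = use_safe ? unregister_all_safe(&head) : unregister_all_unsafe(&head);
    *remaining = list_count(&head);
    return removed;
}

int scenario_removed(int use_safe)   { int r; return run_scenario(use_safe, &r); }
int scenario_remaining(int use_safe) { int r; run_scenario(use_safe, &r); return r; }

int main(void)
{
    printf("unsafe walk: removed %d, left %d\n", scenario_removed(0), scenario_remaining(0));
    printf("safe walk:   removed %d, left %d\n", scenario_removed(1), scenario_remaining(1));
    return 0;
}
```

The unsafe walk unlinks one entry and then finds its next hop in a poisoned node, leaving two entries registered; the `_safe` variant removes all three. Reviewing removal loops for exactly this cached-successor property is the cheapest check for the class of bug this entry fixes.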


* Use-after-free in libceph when sending pages over TCP.

RADOS block devices do not properly handle sending pages with page_count 0
over TCP, which results in incorrectly freeing the page while it is still in
use, leading to memory corruption and a kernel panic. A local, privileged
user could use this flaw to cause a denial-of-service.


* Out of bounds memory access in V4L2 OmniVision driver.

Incorrect use of an untrusted index coming from userspace leads to an out
of bounds memory access. A local, privileged user could use this flaw to
cause a kernel panic or potentially escalate privileges.


* CVE-2014-3940: Memory corruption during huge page migration.

A missing check to verify the page table entry is present when gathering
stats about huge pages could lead to a memory corruption if the huge pages
are being migrated concurrently. A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Divide-by-zero in mm page writeback.

When computing limits in page-writeback, some values were not
checked for zero, leading to a divide-by-zero error.


* Use-after-free in NFSv4 daemon kernel implementation when releasing a state ID.

A lack of clean-up of a lock owner attached to a state ID when releasing
the state ID could lead to a use-after-free and kernel panic in the NFSv4
daemon implementation.


* Improved fix for CVE-2014-3153: Local privilege escalation in futex requeueing.

Invalid parameters to the futex() syscall may break assumptions made in
the kernel and would leave dangling pointers that could be exploited
to gain root privileges.


* Invalid memory access in dynamic debug entry listing.

Modules may attempt to register dynamic debug entries even when they have no
valid entries. This may cause an invalid memory dereference
when listing dynamic debug entries.


* Memory leak in CPU deadline scheduler when releasing scheduler domain.

A missing de-allocation routine when releasing a scheduler domain with the
deadline scheduler can lead to a memory leak. A local, privileged user
could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Memory corruption in CPU frequency driver when accessing the current policy.

A lack of locking when accessing the current policy in the CPU frequency
driver could lead to data corruption and kernel panic. A local, privileged
user could use this flaw to cause a denial-of-service.


* Memory corruption in deadline scheduler when the timer thread is moved across CPUs.

A race condition in the timer thread of the deadline scheduler could lead
to a memory corruption if the task affinity changes while it is running. A
local, privileged user could use this flaw to cause kernel panic and
denial-of-service.


* NULL pointer dereference in Radeon graphics drivers.

The Radeon graphics driver fails to verify that VM command submission is
available which can lead to a kernel crash. A local, privileged user could
use this flaw to cause a denial-of-service.


* Information leak in Intel i915 graphics driver when copying execbuffer.

When copying an execbuffer to userspace, the Intel i915 graphics driver
also exports an internal structure that should be hidden from userspace.


* Data corruption in multiple devices driver (MD) when reshaping a read only device.

A logic error in the MD driver could lead to data corruption when reshaping
a read only device. A local, privileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in USB host xHCI driver when releasing the device.

Incorrect ordering of de-allocation routines when releasing a xHCI device
could lead to a use-after-free and kernel panic. A local, privileged user
could use this flaw to cause a denial-of-service.


* Use-after-free in memory management subsystem when releasing a VMA.

Incorrect ordering of de-allocation routines when releasing a VMA could
lead to a use-after-free and kernel panic. A local, unprivileged user could
use this flaw to cause a denial-of-service.


* Memory leak in Infiniband SCSI driver when SCSI WRITE command fails.

A missing reference put in the Infiniband SCSI driver when a SCSI WRITE
command with ImmediateData=Yes fails causes a memory leak. An attacker
could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* NULL pointer dereference in Target Core Mod when reading from sysfs.

A missing check to verify that the backend device has been configured leads
to a NULL pointer dereference when writing to sysfs file
alua_access_state. A local, privileged user could use this to cause a
denial-of-service.


* Multiple use-after-free in netfilter for IPv6 and Netlink sockets.

Incorrect ordering of de-allocation routines in the netfilter
ip6_route_me_harder() and nfnetlink_rcv_batch() error paths leads to a
use-after-free and kernel panic. An attacker could use these flaws to cause
a denial-of-service.


* NULL pointer dereference when remounting NFS filesystem mounted over IPv6.

A missing initialization of the networking namespace field of the
nfs_parsed_mount_data structure leads to a NULL pointer dereference and
kernel panic when remounting an NFS filesystem mounted over IPv6. A local,
privileged user could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


