[Ksplice-Fedora-19-updates] New updates available via Ksplice (FEDORA-2014-13020)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Oct 20 17:19:21 PDT 2014


Synopsis: FEDORA-2014-13020 can now be patched using Ksplice
CVEs: CVE-2014-7970 CVE-2014-7975

Systems running Fedora 19 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-13020.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 19 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
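The two steps above (check whether autoinstall is on, otherwise run uptrack-upgrade) and the verification a practitioner normally adds afterwards, written as one idempotent script. This is an added example, not part of the advisory and not Oracle's own tooling. It assumes that /etc/uptrack/uptrack.conf uses "key = value" lines as the advisory shows, that uptrack-show lists each installed update on one line with the CVE identifier in its description, and that the config path may be overridden through the UPTRACK_CONF variable; it does nothing on a host where /usr/sbin/uptrack-show is not installed.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): apply this advisory's Ksplice updates
# only when Uptrack will not do it itself, then confirm the advisory's CVEs
# are covered.  Assumed: "key = value" lines in uptrack.conf, and uptrack-show
# printing one installed update per line with its CVE ID in the description.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
ADVISORY_CVES="CVE-2014-7970 CVE-2014-7975"

# autoinstall_enabled CONF: returns 0 if the file sets "autoinstall = yes"
# (case and spacing ignored, comments stripped, last setting wins), else 1.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*//' "$conf" \
      | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
      | tail -n 1 \
      | sed -e 's/.*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | tr 'A-Z' 'a-z' \
      | grep -qx 'yes'
}

# missing_cves SHOW_OUTPUT CVE...: prints the CVEs (space separated) that do
# not occur in SHOW_OUTPUT; returns 0 only when every CVE is present.
missing_cves() {
    show_output="$1"; shift
    missing=""
    for cve in "$@"; do
        printf '%s\n' "$show_output" | grep -q -- "$cve" || missing="$missing $cve"
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

main() {
    if autoinstall_enabled "$UPTRACK_CONF"; then
        echo "autoinstall = yes: Uptrack will apply the updates on its own"
    else
        echo "autoinstall not enabled: applying updates now"
        /usr/sbin/uptrack-upgrade -y || exit 1
    fi
    # Whatever path was taken, verify coverage against the installed list.
    if ! not_covered=$(missing_cves "$(/usr/sbin/uptrack-show)" $ADVISORY_CVES); then
        echo "WARNING: not yet covered: $not_covered" >&2
        exit 1
    fi
    echo "all advisory CVEs present in installed Ksplice updates"
}

# Only act on a host that actually has Ksplice Uptrack installed.
if [ -x /usr/sbin/uptrack-show ]; then
    main
else
    echo "uptrack tools not found; nothing to do" >&2
fi
```

Run it as root; a non-zero exit means either the upgrade failed or one of the advisory's CVEs is still absent from uptrack-show, which is the condition worth alerting on.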


DESCRIPTION

* Memory corruption during percpu allocation failures.

Incorrect cleanup during percpu allocation failures could result in
freeing incorrect pages leading to memory corruption and a kernel crash.


* Division by zero in DRM Translation Table Manager (TTM) driver.

A flaw in the DRM TTM driver could lead to a division by zero in the
kernel, causing a kernel panic and denial-of-service.


* Memory corruption in Intel iSMT I2C driver.

An off-by-one error in the Intel iSMT I2C driver could result in memory
corruption when performing a transfer.


* Buffer overflow in ALSA line accessor.

An off-by-one error in the ALSA subsystem could result in accessing
beyond the end of a buffer and corrupting memory.


* Divide-by-zero in CFQ group IO scheduling.

A race condition in group weight handling could result in a
divide-by-zero when updating the group weight calculation.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Buffer overflows in USB serial probes.

A failure to verify ports and/or endpoints in the USB serial code
could lead to writing off the end of an array, causing heap and/or
stack overflows.  A malicious user could exploit this to cause a
denial of service.


* Kernel crash in Ultra Wideband device registration.

Use of uninitialized data could result in a kernel crash when registering
an ultra wideband device.


* NULL pointer dereference in XHCI initialization failure.

Incorrect cleanup during XHCI initialization failure could result in a
NULL pointer dereference and kernel crash.


* Kernel crash in NFSv3 filesystem mounting.

Incorrect locking in NFSv3 mounting could result in a race condition
between kernel threads, causing a kernel panic.


* NULL pointer dereference in Synopsys DesignWare SPI PCI driver.

Missing mapping of I/O registers during PCI initialization could result
in a NULL pointer dereference when accessing the device.


* Kernel crash in symlink creation on SMB2 or SMB3 filesystems.

Incorrect checking for symlink support could result in a kernel panic
when creating a symlink if the server does not support the operation.


* Use-after-free in Industrial I/O trigger assignment.

Missing reference counting could result in a use-after-free with
Industrial I/O devices when allocating triggers.


* NULL pointer dereference in iSCSI target memory allocation failure.

Incorrect error handling on allocation failure when copying a parameter
list could result in a NULL pointer dereference and kernel crash.


* Memory corruption in iSCSI target logout handler.

A logic error in the logout handler could result in memory corruption
when a target was disconnected.


* Buffer overflow in NFC microread driver.

Missing validation of untrusted input data could result in a buffer
overflow when discovering a new target.  A malicious device could use
this flaw to trigger a denial-of-service or potentially gain code
execution.


* Privilege escalation in iSCSI PDU sending.

Missing bounds checks could allow a user with privileges to send PDUs to
an iSCSI device to overflow a buffer and potentially escalate
privileges.


* Kernel hang in PI futex requeueing.

A missing queue unlock operation could result in returning to userspace
with preemption disabled.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Data corruption in DM cache devices during writes.

A race condition in the DM cache driver could result in failing to mark
blocks as dirty causing data corruption on disk.


* Buffer overflow in dm-crypt crypto handling.

Incorrect buffer allocation in the dm-crypt subsystem could result in
accessing beyond the end of an allocation resulting in memory corruption
and a kernel crash.


* Kernel information leak in IEEE80211 regulatory rules.

Incorrect string termination could result in a leak of kernel memory
contents to userspace.


* rpcbind crash during lockd startup failure.

Under specific conditions, rpcbind handling could crash the kernel if
lockd startup failed.


* Data corruption in NILFS with files during mmap().

Incorrect handling of dirty pages with NILFS mmapped files could result
in failure to write to disk correctly.  This could result in data
corruption when remounting the filesystem or after eviction from the
page cache.


* NULL pointer dereference in CPU hotplug cache management.

Incorrect handling of hotplug removal could result in a NULL pointer
dereference and kernel crash.


* Inode corruption in GFS2 files.

Incorrect inode management could result in a reference count imbalance.
Under specific conditions this could cause memory exhaustion or
filesystem corruption.


* NULL pointer dereference in Mellanox MLX4 Infiniband driver.

Failure to handle ports where a network device was not present could
result in a NULL pointer dereference and kernel crash when performing
network device scanning.


* Kernel hang in block device buffer with large disks.

On 32-bit systems, accessing block devices larger than 4TB could trigger
an integer overflow in the block device buffer code.  This could cause an
infinite loop and kernel hang.


* Deadlock in CPU frequency scaling error handling.

Failure to release a mutex during error handling when adding a CPU
frequency scaling device could result in deadlock and subsequent
registration failure.


* Kernel crash in Conexant CX23418 MPEG encoder probing.

Incorrect data structure initialization could result in dereferencing an
invalid pointer and crashing the kernel.


* RAID1 data corruption during array resync.

Incorrect handling of read-balancing during array resync could result in
reading data from a device that was not fully synchronized.  This could
return corrupted data to the system.


* Off-by-one error in AIX partition table parsing.

Incorrect bounds checking could result in an out-of-bounds array access
and kernel crash.  A specially crafted disk image could be used to crash
the system.


* List corruption during peripheral clock rate change.

Incorrect list traversal could result in list corruption when changing
the rate of a peripheral clock.


* Use-after-free in perf subsystem on fork error path.

A flaw in the perf subsystem could lead to releasing a perf event on fork
failure while it is still in use, leading to a use-after-free and kernel
panic. A local attacker could use this flaw to cause a denial-of-service.


* Buffer overflow in raw packet socket receive function.

Lack of bounds checking when receiving a packet in the raw packet driver
could lead to a buffer overflow and overwrite of kernel memory. A remote
attacker could use this flaw to cause a denial-of-service or potentially
escalate privileges.


* Kernel BUG() in openvswitch driver when using multiple VLAN headers.

A flaw in the openvswitch driver on receive of a frame with multiple VLAN
headers leads to a kernel BUG(). A remote attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference in L2TP stack when getting PMTU.

A race condition in the L2TP stack when getting the PMTU over PPP could
lead to a NULL pointer dereference and kernel panic. A local attacker
could use this flaw to cause a denial-of-service.


* Divide by zero in bonding driver when enslaving and transmitting.

A flaw in the bonding driver could lead to a division by zero in the
kernel when enslaving and transmitting in round robin or XOR mode. An
attacker could use this flaw to cause a denial-of-service.


* Memory corruption in macvtap driver on concurrent delete and open.

Incorrect locking in the macvtap driver could lead to a list corruption and
kernel panic when deleting and opening macvtap devices concurrently. A
local, privileged user could use this flaw to cause a denial-of-service.


* Out of bounds memory access in crypto CAAM driver when computing hash.

A flaw in the crypto CAAM driver leads to out of bounds memory access when
computing a hash, potentially leading to a kernel crash. A local attacker
could use this flaw to cause a denial-of-service or potentially escalate
privileges.


* CVE-2014-7970: Memory corruption when using pivot_root.

A flaw in the pivot_root syscall leads to corruption of the mount tree
when it is called with a directory outside the caller's chroot. A local
user could use this flaw to cause memory corruption and likely a
denial-of-service.


* CVE-2014-7975: Denial-of-service in do_umount.

A missing capability check in do_umount allows unprivileged local users to
remount the root file system read-only, causing a denial-of-service (loss
of writability).


* Use-after-free in HyperV network driver when transmitting.

A flaw in the HyperV network driver could lead to a use-after-free and
kernel panic. A local user could use this flaw to cause a
denial-of-service.


* Kernel stack information leak in filesystem notify.

Missing error handling could result in leaking kernel stack data to
userspace when showing a handle in the inotify operations.


* Kernel crash in perf subsystem when initializing the power management unit.

Reading the Running Average Power Limits (RAPL) from the Model Specific
Register (MSR) could trigger a page fault and kernel crash when running
inside a KVM guest. An attacker could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

