[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-4317)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Apr 2 19:35:07 PDT 2014


Synopsis: FEDORA-2014-4317 can now be patched using Ksplice
CVEs: CVE-2014-0131 CVE-2014-2309 CVE-2014-2523

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-4317.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
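As an added example (not part of this advisory), a small POSIX shell helper that reads the "autoinstall" setting from an uptrack.conf-style file so an administrator can tell which hosts will pick the updates up on their own and which need the manual uptrack-upgrade run; the function names and the optional config-path argument are assumptions, the key name and default path are the ones the advisory gives.

```shell
#!/bin/sh
# Added example, not Ksplice's own code: decide whether a host needs a manual
# "uptrack-upgrade -y" by reading the autoinstall setting from uptrack.conf.

# Print the value of "autoinstall" from an uptrack.conf-style file (default:
# /etc/uptrack/uptrack.conf). Comment lines (# or ;) are ignored, surrounding
# whitespace and trailing comments are stripped, the value is lower-cased, the
# last occurrence wins, and "unset" is printed when the key is absent.
uptrack_autoinstall_value() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "unreadable"; return 1; }
    val=$(sed -n \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:];#]*\).*/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    if [ -n "$val" ]; then echo "$val"; else echo "unset"; fi
}

# Exit status 0 when the host will install Ksplice updates automatically.
uptrack_autoinstall_enabled() {
    [ "$(uptrack_autoinstall_value "$1")" = "yes" ]
}

# Wrapper (assumed name): run the manual upgrade only where autoinstall is off.
apply_ksplice_updates_if_needed() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled; Ksplice will apply the updates automatically"
    else
        echo "autoinstall not enabled; applying the updates now"
        /usr/sbin/uptrack-upgrade -y
    fi
}
```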


DESCRIPTION

* NULL pointer dereference in compressed RAM device.

A failure to check that an allocation succeeded could result
in a NULL pointer dereference and system hang.


* Kernel panic when unlocking memory.

Invalid flags on VM pages can cause the kernel to incorrectly
identify the type of page it is unlocking, leading to an invalid
memory access and kernel panic.


* Quota file corruption in ocfs2.

Improper caching of quota file structures could result in
corruption of the quota file.


* Data corruption in ocfs2 sync.

The ocfs2 file system was syncing the wrong range.  As a result,
data might not be synced correctly, causing corruption.


* Denial-of-service in memcfg cgroup.

A race condition can cause memcfg to endlessly loop while
iterating in __mem_cgroup_iter_next().  This could be used to
cause a denial-of-service.


* Invalid fragmentation IDs on IPv6 UFO segmentation.

The fragment ids generated on UFO segmentation were either
unreliable or very predictable.  This could allow a malicious user
to guess the fragment ids.


* NULL pointer dereference in Ethernet Solarflare driver.

A race condition in the sfc driver could lead to a PTP event
arriving from the NIC before PTP support was properly set up.  This
causes a NULL pointer dereference, leading to a kernel panic.


* Memory leak in schedule tbf.

In certain error conditions, an allocated child qdisc is not freed
in tbf_change(), leading to a memory leak.


* Kernel panic in ip_tunnel multicast.

A bug in the ip_tunnel code could lead to a NULL pointer dereference when
trying to process multicast packets, causing a kernel panic.


* Information leak in mac80211 QoS-null frames.

Uninitialized memory in QoS-null frames in the mac80211 code
could leak information.


* Kernel panic in ath9k transmit.

A race condition in the ath9k transmit (xmit) driver code could lead
to multiple frees of the same object, causing an invalid memory
access and a kernel panic.


* Kernel panic in mwifiex wireless driver during cleanup.

The mwifiex driver code was attempting to clean the PCIe buffer
without the device being present, leading to an invalid memory
access and kernel panic.


* NULL pointer dereference in mwifiex wireless driver during receive.

A failure to check the outcome of an skb allocation could
result in a NULL pointer dereference and kernel panic.


* NULL pointer dereference in drm TTM code.

The TTM code did not check that a TTM driver had an invalidate_caches()
function before calling it, leading to a NULL pointer dereference
and kernel panic.


* Use-after-free in firewire.

An error in a failure path in the firewire code could result in a
use-after-free error and kernel panic.


* On-disk data corruption with Crucial M500 SSDs.

The libata code wasn't properly blacklisting the Crucial M500
SSDs as not supporting queued TRIM commands.  This could lead to
an improper TRIM command being sent and causing on-disk data
corruption.


* NULL pointer dereference in NFS async code.

A NULL pointer check in the NFS delegation code could lead
to a NULL pointer dereference and kernel panic.


* General protection fault in proc filesystem.

A race condition in the proc filesystem could lead to a general
protection fault (GPF) when accessing /proc/$PID/map_files.  A local
unprivileged user could use this to cause a denial-of-service.


* Use-after-free in i915 PCI device enumeration.

Invalid reference counting in the i915 PCI device enumeration
can lead to a use-after-free condition and kernel panic.


* Data corruption in vmxnet3 netpoll driver.

A race condition in the vmxnet3 poll driver can lead to data
corruption and kernel panics.


* Kernel BUG in mm compaction.

Improper error handling in the mm compaction code could lead to
a bad page state and kernel BUG().


* Kernel BUG on SCSI isci hard reset timeout.

The isci code was incorrectly generating a kernel BUG() in the
case of a hard reset timeout.


* Kernel panic in isci host code.

An invalid loop in the isci for_each_isci_host macro could
lead to a NULL pointer dereference and kernel panic.


* Denial-of-service with x86 fpu code and aesni-intel.

A bug in the x86 fpu code could leave interrupts improperly
disabled in subsequent calls.  Specifically, this has been seen to
cause a kernel BUG() when a user process dumps core on an eCryptfs
filesystem while aesni-intel is loaded.  In this case, all subsequent
accesses to the eCryptfs filesystem will hang.  A malicious user could
exploit this to cause a denial-of-service.


* Memory leak in linkat.

A bug in the linkat code could allow a mountpoint reference
leak and a memory leak when attempting to retry on ESTALE.


* CVE-2014-2309: Denial-of-service in ICMPv6 route code.

The ip6_route_add function does not properly count the addition of routes,
which allows remote attackers to cause a denial of service (memory
consumption) via a flood of ICMPv6 Router Advertisement packets.


* CVE-2014-2523: Remote crash via DCCP conntrack.

A flaw in the DCCP connection tracking code could allow a remote user
to cause a crash, resulting in a denial-of-service.


* CVE-2014-0131: Information leak in skb_segment function.

Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c
allows attackers to obtain sensitive information from kernel memory by
leveraging the absence of a certain orphaning operation.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

