[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-16632)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Dec 17 07:42:08 PST 2014


Synopsis: FEDORA-2014-16632 can now be patched using Ksplice
CVEs: CVE-2014-9090

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-16632.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Incorrect executable permission on kernel memory.

A logic error in the mark_rodata_ro() function leaves some kernel memory
with the executable bit set when it isn't supposed to be executable. This
flaw could facilitate an attack by allowing an attacker to run code in
this memory area.


* Kernel panic in emulated low-rate wireless personal area network.

A flaw in the fake LR-WPAN driver leads to unregistering a network device
before its registration in certain circumstances. This could lead to a
kernel panic and denial-of-service.


* Information leak in point-to-point tunneling protocol.

A lack of on-stack structure initialization in the pptp_getname() function
leads to leaking 16 bytes of kernel stack to userspace when using
getsockname(). This information could be used to facilitate an attack on
the running kernel.


* Deadlock in Novell networking protocol when using recvmsg.

Incorrect locking in the Novell networking protocol (IPX) recvmsg function
causes a deadlock when waiting for new data.


* Memory leak when unbinding Electronic System Design CAN-USB driver.

Private structures used by the Electronic System Design (ESD) CAN-USB
driver are not properly released when un-binding the driver. A local,
privileged user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.


* Kernel crash in Target Core Mod when sending zero-length command.

A missing check to validate that a command contains data could lead to a
kernel crash depending on the transport driver. A local attacker could use
this flaw to cause a denial-of-service.


* Kernel BUG in mac80211 when decrypting empty packets.

A failure to validate that a packet is not empty before trying to decrypt
it causes a kernel BUG assertion to be triggered. A remote attacker could
use this flaw to cause a denial-of-service.


* Memory corruption in Realtek 2x00 WiFi driver when re-transmitting a frame.

A logic error in the Realtek 2x00 WiFi driver consumes 4 bytes of a socket
buffer at each retransmission, leading to a kernel panic. A remote attacker
could potentially use this flaw to cause a denial-of-service.


* Memory corruption in QLogic NetXtreme II FCoE driver.

A logic error in the BNX2FC driver leads to an early removal of a shared
socket buffer, and corruption of the other references. An attacker could
use this flaw to cause a denial-of-service.


* Memory corruption in Radeon graphic driver on error path.

Pointers that are not initialized to NULL in various places in the Radeon
graphic driver lead to garbage data from the stack being freed under
certain conditions. An attacker could use this flaw to cause a
denial-of-service.


* Deadlock in Intel WiFi driver when sending ROC commands.

Incorrect locking in the Intel WiFi driver when sending ROC commands could
lead to a kernel deadlock. A local, privileged user could use this flaw to
cause a denial-of-service.


* Use-after-free in WM Audio DSP driver when loading coefficients to the DSP.

A logic error in the WM Audio DSP driver leads to releasing resources
while they are still being used, potentially causing a kernel panic. A
local user could use this flaw to cause a denial-of-service.


* Integer overflow when generating a mask in bitops header file.

A flaw in the way the macros GENMASK() and GENMASK_ULL() were implemented
could lead to an integer overflow, potentially causing memory corruption
and a kernel panic.


* CVE-2014-9090: Denial-of-service in double-fault handling on bad stack segment.

A flaw when handling double faults associated with the stack segment
register could lead to a kernel panic. A local, unprivileged user could
use this flaw via the modify_ldt() system call to cause a
denial-of-service.
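
Added example (not part of the Ksplice advisory or the kernel source): the
PPTP getsockname() information leak described above follows a common
pattern, sketched here in user-space C with the unpatched and patched forms
side by side. The struct layout, field values and the 0xAA stale-stack
marker are constructed for illustration; the layout is sized so that 16
bytes go unwritten, matching the count the advisory gives.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for leftover stack data */

/* Constructed layout, not the kernel's: the handler fills the first three
 * fields, while 'other' is room reserved for address variants it never uses. */
struct demo_addr {
    uint16_t family;
    uint16_t call_id;
    uint32_t peer_ip;
    unsigned char other[16];
};

/* Fill only the fields this protocol uses, then copy the whole object out,
 * as a getsockname() handler does when it copies the address to userspace. */
static size_t getname(unsigned char *user, int zero_first)
{
    struct demo_addr sa;
    memset(&sa, STALE, sizeof sa);      /* simulate a dirty stack frame */
    if (zero_first)
        memset(&sa, 0, sizeof sa);      /* the fix: initialise before use */
    sa.family = 24;                     /* constructed sample values */
    sa.call_id = 7;
    sa.peer_ip = 0x0100007f;
    memcpy(user, &sa, sizeof sa);       /* copies 'other' exactly as found */
    return sizeof sa;
}

/* Number of stale bytes that reached the caller's buffer. */
size_t leaked_bytes(int zero_first)
{
    unsigned char user[sizeof(struct demo_addr)];
    size_t n = getname(user, zero_first), leaked = 0;
    for (size_t i = 0; i < n; i++)
        leaked += (user[i] == STALE);
    return leaked;
}

int main(void)
{
    printf("unpatched: %zu stale bytes\n", leaked_bytes(0));
    printf("patched:   %zu stale bytes\n", leaked_bytes(1));
    return 0;
}
```

The same check applies to any handler that copies a stack structure to
userspace: every byte of the object, including unused members and padding,
must be written before the copy.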

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

