[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-8171)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jul 11 14:24:03 PDT 2014


Synopsis: FEDORA-2014-8171 can now be patched using Ksplice
CVEs: CVE-2014-4699 CVE-2014-4715

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-8171.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-4699: Privilege escalation in ptrace() RIP modification.

Missing validation of the RIP value could allow an unprivileged user to
cause the CPU to fetch instructions from a non-canonical address.  On
some CPUs this could result in a denial-of-service or potentially allow
escalation of privileges.
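
The check described above, written out as an added illustration (not Ksplice's or the kernel's own code): on x86-64 an address is canonical only when its upper bits are all copies of bit 47, and a register write that does not verify this lets a non-canonical RIP reach the CPU. The 48-bit virtual address width is an assumption here; the kernel derives it from the CPU.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 48-bit virtual address width (4-level paging). */
#define VA_BITS 48

/* An x86-64 address is canonical when bits 63..(VA_BITS-1) are either all
 * zero or all one, i.e. the top 17 bits are a sign extension of bit 47. */
bool is_canonical_addr(uint64_t addr)
{
    uint64_t high = addr >> (VA_BITS - 1);                          /* bits 63..47 */
    uint64_t all_ones = (UINT64_C(1) << (64 - VA_BITS + 1)) - 1;    /* 0x1ffff */
    return high == 0 || high == all_ones;
}

/* Hypothetical validator for a ptrace-style RIP write: refuse the value
 * before it is stored in the tracee's registers, instead of letting the
 * CPU fault on an instruction fetch from a non-canonical address.
 * Returns 0 on success, -1 when the value is rejected. */
int validate_rip_write(uint64_t new_rip, uint64_t *rip_slot)
{
    if (!is_canonical_addr(new_rip))
        return -1;
    *rip_slot = new_rip;
    return 0;
}

int main(void)
{
    /* Constructed sample values around the canonical boundary. */
    const uint64_t samples[] = {
        0x00007fffffffffffULL, /* highest user-space canonical address */
        0x0000800000000000ULL, /* first non-canonical address */
        0xffff800000000000ULL, /* lowest kernel-space canonical address */
        0xffff7fffffffffffULL, /* non-canonical, just below the kernel half */
    };
    uint64_t rip = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = validate_rip_write(samples[i], &rip);
        printf("0x%016llx -> %s\n", (unsigned long long)samples[i],
               rc == 0 ? "accepted" : "rejected (non-canonical)");
    }
    return 0;
}
```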


* Use-after-free in Target Core Module (TCM) when accessing sysfs.

A pointer is not cleared after being freed when removing a device
symlink, leading to a use-after-free later when reading the ALUA attributes
from sysfs. A local, privileged user could use this flaw to cause a
denial-of-service.


* List corruption in iSCSI Target driver when checking output data header.

A list corruption could be triggered under specific conditions in the iSCSI
Target driver when rejecting an output payload, potentially causing a
denial-of-service.


* Use-after-free in Micro PCIe SSDs block driver when unloading the module.

Calling the de-allocation routines in the wrong order at module exit could
cause a use-after-free and kernel panic. A local, privileged user could use
this flaw to cause a denial-of-service.


* Memory leak in Chelsio T4/T5 driver after allocating private data.

The Chelsio T4/T5 driver doesn't release private data in the error path of
c4iw_alloc(), causing a memory leak. A local, privileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Denial-of-service when updating the watchdog threshold from procfs.

Incorrect locking when updating the watchdog timers on all CPUs could
trigger a kernel BUG. A local, privileged user could use this flaw to cause
a denial-of-service by changing the watchdog threshold in procfs.


* Use-after-free in InfiniBand SCSI RDMA Protocol when unplugging a cable.

As a result of unplugging a cable, a SCSI command could be freed while still
in use, resulting in a use-after-free and kernel panic. An attacker with
physical access could use this flaw to cause a denial-of-service.


* Invalid pointer dereference in NFS filesystem after allocating a file layout.

Missing check for NULL after allocating memory for a file layout in the NFS
filesystem could lead to an invalid pointer dereference and kernel panic
under memory pressure.


* Memory leak in NFS filesystem when releasing a lock stateid.

A flaw in the NFS filesystem code when releasing a lock stateid results in
the lock owner not being freed, resulting in a memory leak. A local,
unprivileged user could use this flaw to exhaust the memory on the system
and cause a denial-of-service.


* Data corruption on NFS when updating inode due to cache misusage.

Incorrect use of the internal validity cache for an inode could result in
data corruption when there are multiple concurrent accesses to a file. A
local, unprivileged user could use this flaw to cause data corruption.


* Kernel BUG in reiserfs when NFS changes file attributes.

Incorrect locking in the reiserfs code could lead to a race condition when
NFS changes a file attribute concurrently with the file being released,
leading to a kernel BUG and denial-of-service. A local, unprivileged user
could use this flaw to cause a denial-of-service.


* CVE-2014-4715: Integer overflow in LZ4 library when uncompressing large blocks.

An integer overflow in the LZ4 algorithm implementation on 32-bit kernels
might allow attackers to cause a denial of service (memory corruption) or
possibly have unspecified other impact via crafted compressed data.


* Use-after-free in ALSA card driver when closing PCM.

A race condition in the ALSA driver could lead to a use-after-free when
disconnecting from the device and closing the PCM concurrently. A local,
privileged user could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.