[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-8396)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jul 18 16:11:02 PDT 2014


Synopsis: FEDORA-2014-8396 can now be patched using Ksplice
CVEs: CVE-2014-4943

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-8396.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
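As an added example (not part of the Ksplice announcement), the following POSIX shell helper reads the autoinstall setting from uptrack.conf and reports whether a manual uptrack-upgrade is still needed; it assumes the file uses "key = value" lines with "#" comments, and the conf path is a parameter so the check can run against a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the Ksplice announcement: decide whether a
# Fedora 20 host still needs a manual "uptrack-upgrade -y", based on the
# autoinstall setting in /etc/uptrack/uptrack.conf. The conf path is a
# parameter (default: the real file) so the check can run on a sample.

# Print the effective autoinstall value ("yes"/"no"), or nothing if unset.
# "#" comments and surrounding whitespace are stripped, the key is matched
# case-insensitively, and the last occurrence in the file wins.
uptrack_autoinstall_value() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*//' "$conf" \
      | awk -F= '
          tolower($1) ~ /^[ \t]*autoinstall[ \t]*$/ {
              v = tolower($2)
              gsub(/^[ \t]+|[ \t]+$/, "", v)
              last = v
          }
          END { print last }'
}

# Return 0 when autoinstall is enabled (updates are applied automatically).
uptrack_autoinstall_enabled() {
    [ "$(uptrack_autoinstall_value "$1")" = "yes" ]
}

# Print the action an operator should take on this host.
uptrack_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: no action needed"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}
```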


DESCRIPTION

* CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.

PPP over L2TP sockets incorrectly used UDP's getsockopt and setsockopt
as a fallback handler. Since UDP's implementation expects different
data structures, a local attacker could corrupt kernel memory and gain
root privileges.


* Denial-of-service in NUMA memory management code.

A flaw in the NUMA memory management code could lead to a kernel oops if a
PMD is turned into a NUMA PMD while a page fault is being handled.


* Use-after-free in mbind vma merge.

A bug in the mm code could result in a use-after-free when doing
a vma merge, leading to a kernel crash.


* Kernel crash in virtio scsi workqueue.

A bug in the virtio scsi code allowed uninitialized work queue
items to be processed.  This could lead to an invalid memory
reference and kernel crash.


* Kernel crash in virtio scsi aborted requests.

A race condition in virtio scsi could cause task management requests to be
completed more than once, leading to kernel BUGs or oopses.


* NULL pointer dereference when probing non-FTDI devices.

If a user forces a non-FTDI device to be probed by the USB
serial FTDI code, it causes a NULL pointer dereference.  This can
lead to a kernel crash.


* NULL pointer dereference in USB gadget with empty string descriptors.

A NULL pointer dereference can occur if user space sends in an empty set
of strings to the USB gadget string descriptors.  This could cause a
kernel crash.


* Denial-of-service with TKIP on Ralink USB devices.

The rt2x00 driver cannot atomically get a TKIP key, so TKIP
support is disabled.  Otherwise, it can lead to a kernel BUG().  A malicious user
could exploit this to cause a denial-of-service.


* Divide-by-zero in i915 driver with pixel_multiplier of zero.

When processing the config for SDVO, a missing zero check
could lead to a divide-by-zero error.


* Invalid memory dereference in i915 debugfs file traverse.

A race condition while iterating through the i915 debugfs file list
could cause an invalid memory dereference, leading to a kernel panic.


* Denial-of-service in gpu drm ioctl.

Invalid argument checking in the gpu drm driver code allows a NULL
pointer dereference to occur when a specially crafted invalid ioctl
command is sent.  A malicious, privileged user could exploit this
to cause a denial-of-service.


* Use-after-free in TDA998x I2C encoder destruction.

A misplaced drm_i2c_encoder_destroy call could result in
a use-after-free when destroying the encoder.  This could
cause a kernel panic.


* Multiple denial-of-service problems in bluetooth code.

Multiple race conditions in the bluetooth code could cause deadlocks.


* NULL pointer dereference in dm era destroy.

A missing NULL pointer check in era_destroy() can lead to a
NULL pointer dereference and possible kernel crash.


* Data corruption in rbd block driver.

A bug in the rbd object request code could cause data corruption
when freeing an object request.


* Denial-of-service on mac80211 station rate selection.

If the rate control algorithm uses a selection table, the
table gets leaked when the station is destroyed.  A malicious
privileged user could exploit this to cause a denial-of-service.


* Kernel oops in Allwinner Sun4i driver probe.

The mdio probe function does not clean up properly when it fails, so an
interrupt is not freed, leading to a kernel oops if that interface is set
up again.


* Double free in ext4 branch allocation.

A bug in the ext4 error recovery during branch allocation could
lead to a double free.


* Data loss in ext4 block preallocation.

An incorrect computation of the number of blocks that needed
to be cleared with preallocation leads to extra blocks being
cleared out, causing possible data loss.


* Invalid memory reference in NFSv4 symlink decoding.

A bug in how the nfsd decoded the data for a symlink operation
could lead to the nfsd code writing to an invalid memory location.


* Kernel BUG in btrfs locking.

An invalid unlock in btrfs parent verification can cause a kernel BUG().


* Kernel oops in mac80211 debugfs access.

An invalid check of the netdev state during a debugfs read
or write for mac80211 can cause a kernel oops.


* Memory leak in netfilter ctnetlink list dumper.

Invalid reference counting in the dying/unconfirmed list dumper for ctnetlink
could leak a reference count.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
