[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-7128)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jun 13 10:43:28 PDT 2014


Synopsis: FEDORA-2014-7128 can now be patched using Ksplice
CVEs: CVE-2014-1739 CVE-2014-3153 CVE-2014-3940

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-7128.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
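
The following shell script is an added example, not part of the Ksplice advisory or of Oracle's tooling. It automates the decision described above: read /etc/uptrack/uptrack.conf, and if "autoinstall = yes" is not set, run the manual upgrade command. It assumes the file uses "key = value" lines with "#" comments (the advisory only shows the single line "autoinstall = yes"); the DRY_RUN variable and the function names are inventions of this example.

```sh
#!/bin/sh
# Added example (not from the advisory): check whether a Fedora 20 host still
# needs a manual Ksplice upgrade for FEDORA-2014-7128.
# Assumption: uptrack.conf is "key = value" per line, "#" starts a comment.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
# DRY_RUN=1 (default) only prints the command; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"

# autoinstall_enabled CONF -> exit 0 when the file sets autoinstall to yes.
# Comments are stripped first so "# autoinstall = yes" does not count.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed 's/#.*//' "$conf" \
      | tr 'A-Z' 'a-z' \
      | grep -Eq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# plan_action CONF -> prints "auto" (Uptrack handles it) or "manual".
# A missing or unreadable config is treated as "manual": fail safe.
plan_action() {
    if autoinstall_enabled "$1"; then
        echo auto
    else
        echo manual
    fi
}

# apply_updates CONF -> runs the advisory's command only when needed.
apply_updates() {
    case "$(plan_action "$1")" in
        auto)
            echo "autoinstall = yes: Uptrack installs the FEDORA-2014-7128 patches itself"
            ;;
        manual)
            if [ "$DRY_RUN" = 1 ]; then
                echo "would run: /usr/sbin/uptrack-upgrade -y"
            else
                /usr/sbin/uptrack-upgrade -y
            fi
            ;;
    esac
}

apply_updates "$UPTRACK_CONF"
```

Run it as-is to see the decision, then with DRY_RUN=0 to actually invoke uptrack-upgrade. Treating an absent or unreadable config as "manual" is deliberate: a host whose Uptrack configuration cannot be read should not be assumed to patch itself.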


DESCRIPTION

* NULL pointer dereference in cfg80211 when changing regulatory domain.

A missing check for NULL could lead to a NULL pointer dereference and
kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* Deadlock in wireless stack when reconfiguring a network interface.

Incorrect locking in the wireless stack could lead to a deadlock when
reconfiguring a wireless interface. A local, privileged user could use this
flaw to cause a denial-of-service.


* Kernel panic when moving a transparent huge page concurrently with splitting it.

A race condition in the page-table moving code, when a transparent huge page
is concurrently being split, can lead to a kernel panic under specific
conditions.


* Memory corruption when accessing a huge TLB of a copy-on-write page.

A missing flush of the huge translation lookaside buffer for a page copied
after a write could lead to memory corruption, as the parent process can be
left accessing the child's copy of the page rather than the original page. A
local, unprivileged user could use this flaw to cause memory corruption or
potentially elevate privileges.


* Memory leak in asynchronous IO subsystem when running a callback.

A missing de-allocation routine in the error path of the function calling
an asynchronous IO callback leads to a memory leak. An attacker could use
this flaw to exhaust the memory and cause a denial-of-service.


* NULL pointer dereference in the filesystem stack when checking an ACL.

A missing check for NULL when checking if a filesystem ACL can be
represented using traditional UNIX permissions could lead to a kernel
panic. A remote attacker controlling an NFS server or a local unprivileged
user could use this flaw to cause a denial-of-service.


* Double free in AFFS filesystem when mounting a filesystem.

If an error happens when mounting an AFFS filesystem, some objects will be
freed twice, leading to a kernel panic. A local, privileged user could use
this flaw to cause a denial-of-service.


* NULL pointer dereference in Intel gigabit ethernet driver when resetting interrupt vector.

A missing check for NULL in the Intel gigabit ethernet driver when resetting
its interrupt vector could lead to a NULL pointer dereference and kernel panic.


* Deadlock in Nouveau driver when updating fan speed.

Incorrect locking in the Nouveau driver when updating the fan speed could
lead to a deadlock and denial-of-service under specific conditions.


* CVE-2014-1739: Information leak in the media stack when enumerating media devices.

The ioctl() to enumerate media devices can copy to userspace 200 bytes of
kernel stack. A local user with write access to /dev/mediaX could use this
flaw to gather information about the running kernel.


* Use-after-free in autofs when accessing private data of a removed dentry.

A logic error when checking whether a dentry is still allocated could lead to
a use-after-free and kernel panic. A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Kernel panic in filesystem stack when walking inode dcache.

Race conditions in the filesystem stack when checking dentry flags could
lead to a kernel panic. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Kernel BUG() in NFS daemon when setting an ACL with no entries.

A logic error in the NFS daemon code could trigger a kernel BUG() when
setting an ACL with no entries.


* Incorrect permission checking in cgroup subsystem.

Incorrect permission checking in the cgroup subsystem could allow a local
unprivileged user to bypass cgroup exceptions.


* Deadlock in Intel WiFi driver when setting channel in monitor mode.

Incorrect locking in the Intel WiFi driver could lead to a deadlock when
setting any channel other than 1 in monitor mode. A local, privileged user
could use this flaw to cause a denial-of-service.


* Information leak in sysfs when the read callback uses seq_file.

A structure allocated on the stack is not zeroed before being copied to
userspace, potentially leaking important information about the running
kernel. A local, unprivileged user could use this flaw to gain information,
potentially helping in an attack.


* Memory leak in Target core mod storage engine on every xcopy.

Missing initialization of a reference counter leads to 1Kb of kernel memory
being leaked for every xcopy operation. A local, unprivileged user could
use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Race conditions in the workqueue subsystem.

Incorrect locking in various places in the workqueue subsystem could lead
to a kernel panic.


* Use-after-free in Target core mod when releasing a command.

Improper ordering of de-allocation routines could lead to a use-after-free and
kernel panic.


* Kernel panic in libata after detaching a port.

A lack of resource cleanup when detaching an ATA port can lead to a kernel
panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in CAAM crypto driver.

A missing check for NULL after allocating a buffer could lead to a NULL
pointer dereference when the system is under memory pressure. An attacker
could use this flaw to cause a denial-of-service.


* Memory corruption when unregistering a clock driver.

A list is iterated over with an unsafe iterator while its elements are being
removed from the list, which causes memory corruption and could lead to a
kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in libceph when sending pages over TCP.

RADOS block devices do not properly handle sending pages with a page_count of
0 over TCP, which results in the page being freed while still in use, leading
to memory corruption and a kernel panic. A local, privileged user could use
this flaw to cause a denial-of-service.


* Out of bounds memory access in V4L2 OmniVision driver.

Incorrect use of an untrusted index coming from userspace leads to an out
of bounds memory access. A local, privileged user could use this flaw to
cause a kernel panic or potentially escalate privileges.


* CVE-2014-3940: Memory corruption during huge page migration.

A missing check to verify the page table entry is present when gathering
stats about huge pages could lead to a memory corruption if the huge pages
are being migrated concurrently. A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Divide-by-zero in mm page writeback.

When computing limits in page-writeback, some values were not
checked for zero, leading to a divide-by-zero error.


* Use-after-free in NFSv4 daemon kernel implementation when releasing a state ID.

A lack of clean-up of a lock owner attached to a state ID when releasing
the state ID could lead to a use-after-free and kernel panic in the NFSv4
daemon implementation.


* Improved fix for CVE-2014-3153: Local privilege escalation in futex requeueing.

Invalid parameters to the futex() syscall may break assumptions made in
the kernel and would leave dangling pointers that could be exploited
to gain root privileges.


* Deadlock in Broadcom IEEE802.11n PCIe SoftMAC WLAN driver firmware loading.

Incorrect firmware loading could result in deadlock when activating a
network device with no firmware installed.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
