[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-15200)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Nov 26 16:19:37 PST 2014


Synopsis: FEDORA-2014-15200 can now be patched using Ksplice
CVEs: CVE-2014-3647 CVE-2014-7207 CVE-2014-7825 CVE-2014-7826

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-15200.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
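The two paths above (automatic install when "autoinstall = yes" is set, otherwise a manual uptrack-upgrade) can be turned into a small check that an administrator can run on a fleet before assuming a host will pick the update up on its own. The script below is an added example, not part of Ksplice or of this advisory: the config path /etc/uptrack/uptrack.conf and the autoinstall key come from the text above, while the sample configuration it builds for offline demonstration is constructed, and the assumption that the key may be commented out with "#" or ";" and that a later assignment overrides an earlier one is the example's own.

```shell
#!/bin/sh
# Added example: decide whether a Fedora 20 host will install the Ksplice
# updates itself or needs "/usr/sbin/uptrack-upgrade -y" run by hand.
# Not Ksplice's own tooling. Config path and key name are from the
# advisory; the sample config below is constructed for the demo.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# Print "yes" if the given uptrack.conf enables autoinstall, else "no".
# Comment lines ("#" or ";") are ignored; the last assignment wins
# (assumption made by this example, not documented behaviour).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 0; }
    value=$(sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    if [ "$value" = "yes" ]; then echo yes; else echo no; fi
}

# Print the action the advisory prescribes for this configuration.
recommended_action() {
    if [ "$(uptrack_autoinstall_enabled "$1")" = "yes" ]; then
        echo "none: updates install automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample config: the commented-out "yes" must be ignored,
# so this host is expected to need a manual upgrade.
make_sample_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF
    echo "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_conf)
    recommended_action "$f"
    rm -f "$f"
else
    recommended_action "$UPTRACK_CONF"
fi
```

Run it with --demo to see the decision on the constructed config, or without arguments on a real host to check its own /etc/uptrack/uptrack.conf (an unreadable or missing file is treated as "not autoinstall", so the safe answer is always to run the upgrade manually).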


DESCRIPTION

* CVE-2014-7825, CVE-2014-7826: Perf DoS and local privilege escalation.

Missing validation of the syscall id range in the perf subsystem allows a
local attacker to trigger a kernel panic, or to gain root privileges if
root was doing perf tracing at that time.


* Denial of service in generic filesystem mounting.

The generic filesystem mounting implementation does not correctly
validate filesystem parameters, leading to a division by zero and a
kernel panic.


* Use after free in netlink socket and PPP ioctl.

Incorrect reference counting in netlink sendmsg and the PPPIOCDETACH
ioctl can trigger a use-after-free condition and cause kernel memory
corruption.


* Memory leak in Unsorted Block Image flash filesystem.

The kernel does not correctly handle orphaned volumes on an Unsorted
Block Image flash filesystem, leading to a kernel memory leak.


* Memory corruption in generic SELinux filesystem support.

The kernel SELinux subsystem does not correctly lock resources when
initializing SELinux for a filesystem, leading to possible memory
corruption and a kernel panic.


* Use after free in ALSA Dynamic Power Management.

A use-after-free condition can be triggered in the ALSA SoC Dynamic
Audio Power Management module when creating a new mixer, leading to
possible kernel memory corruption.


* CVE-2014-3647: Denial-of-service in guest KVM when changing RIP to non-canonical address.

A flaw in the KVM emulator mishandles non-canonical addresses when
emulating instructions which change the instruction pointer, potentially
causing a failed VM-entry. A privileged guest user could use this flaw to
cause a denial-of-service in the guest.


* Use-after-free in VXLAN encapsulation bypass.

A bug in the vxlan code could cause an skb structure to be used
after it is freed in the vxlan encapsulation bypass code.  This
could cause a kernel panic.


* Use after free during VXLAN transmit.

A bug in the vxlan code could result in a use after free condition
during transmit, leading to a kernel panic.


* Memory leak in ipv4 unicast reply.

Improper error handling in the ipv4 code could lead to leaked memory
when an error occurs while sending a unicast reply.  A malicious user
could use this to cause a denial of service.


* Use-after-free with ipv4 tunnel headers.

A bug in the ipv4 tunneling code could lead to a use-after-free
within the skb structure.  This could cause a kernel panic.


* Data corruption during Hyper-V NetVSC packet send.

An improperly calculated data length in the Hyper-V netvsc send
code could lead to a buffer overrun and subsequent data corruption.


* Memory leak during MAC VLAN port dismantling.

A race condition in the macvlan code while dismantling a port
could lead to leaking skb data structures.  This could be used
by a malicious user to cause a denial-of-service.


* Use-after-free in ALSA platform removal.

A bug in the platform removal code in ALSA could result in a
use-after-free condition.  This could cause a kernel panic.


* Memory corruption in VFS mmapped data.

When the block size is less than the page size, a bug in the VFS code
can lead to data corruption during writes.


* CVE-2014-7207: Denial-of-service in UFO with virtual networking.

A flaw in the virtio and associated network virtualization subsystems
could result in a NULL pointer dereference or incorrect IPv6
fragmentation IDs.  A local user with access to tun or macvtap devices,
or a virtual machine connected to such a device, can cause a
denial-of-service.


* Kernel oops while setting xattr in EVM and IMA security.

A failure to check the xattr value length could result in a kernel oops
while doing a setfattr with security.evm or security.ima.  A malicious
user could exploit this to cause a denial-of-service.


* Memory leak in Xen block backend driver on grant map error.

A failure to correctly handle failures during grant mapping can
lead to a memory leak.  A malicious user could use this to cause
a denial of service.


* NULL pointer dereference with i915 user pointer registration.

The i915 driver was incorrectly storing an error pointer if a user pointer
registration failed.  This caused repeated registration attempts to fail
as well, leading to a NULL pointer dereference and kernel panic.


* Memory leak in i915 driver when freeing user pointer objects.

Incomplete freeing of data when freeing user pointer objects in the
i915 driver could result in a memory leak.  This could be exploited
to cause a denial-of-service.


* Kernel crash in ext4 with extended attributes.

A missing check for an extended attribute entry's value offset
could cause a kernel crash.  A malicious user could use this to
cause a denial-of-service by mounting a filesystem with a custom
crafted extended attribute.


* Kernel panic in ext4 in cases of filesystem corruption.

It is possible in the case of a corrupted ext4 filesystem for the
boot loader inode to become visible.  Ext4 did not correctly deal
with this case, leading to corruption of an in-memory orphan list
and subsequent kernel panic.  A malicious user could exploit this
by mounting a carefully constructed ext4 filesystem to cause a denial
of service.


* NULL pointer dereference in Ext4 new inode creation.

Improper error handling in ext4 during the creation of a new inode
could lead to a NULL pointer dereference and kernel panic.


* Kernel BUG in ext4 during simultaneous writes and fcntl.

A race condition in ext4 between fcntl(F_SETFL) and write can
result in a BUG_ON.  A malicious user could exploit this to cause
a denial-of-service.


* Use-after-free in futex during requeue pi.

A race condition in the futex code between REQUEUE_PI and task
death could result in a use-after-free condition and possible
kernel panic.


* Inode leaks during dcache inode processing.

Improper error handling in the dcache during d_splice_alias
could result in a leaked inode.  A malicious user could use this
to cause a denial-of-service.


* Divide-by-zero with UART baud rate setting.

The serial driver did not deal correctly in some scenarios
with setting the baud rate to 38400.  This caused an invalid
baud rate to be returned and a kernel WARNING.


* Kernel panic using sysfs soft-connect on USB gadget controller.

The USB gadget controller code did not verify that the gadget driver
was correctly loaded with the soft connect interface.  This caused
a NULL pointer dereference and kernel panic.


* Memory leak with compound pages in mm code.

Invalid freeing of compound pages could lead to some tail pages
being leaked.


* NFSD4 kernel crash on invalid operation number.

Invalid handling of an invalid operation number in the nfsd4 code
could lead to a kernel crash.  A malicious user could exploit this to
cause a denial-of-service.


* NULL pointer dereference in comedi ioctl code.

A bug in the comedi ioctl call could lead to a NULL pointer dereference
and kernel panic.


* Stack information leak in POSIX timers creation.

A failure to properly initialize POSIX timers could lead
to kernel stack information being leaked to userspace.


* Kernel panic during MM CMA allocation.

Improper error handling in the mm code when a CMA area cannot be
activated could lead to an uninitialized mutex being used during
CMA allocation, leading to a kernel panic.


* Kernel panic in rbd block driver during read.

Improper error handling when a memory allocation fails during
a read in the rbd driver could result in an invalid memory access
and kernel panic.


* Denial-of-service in xfs bulkstat code.

Several bugs in the XFS bulkstat code could result in bulkstat
hanging forever.  A malicious user could exploit this to cause
a denial-of-service.


* NULL pointer dereference with SCTP server during ASCONF.

A problem with how the SCTP code verifies input can lead to a NULL pointer
dereference and kernel panic.  A malicious user could exploit this using
a specially crafted packet to cause a denial-of-service.


* Invalid free in BTRFS lookup code.

In the case of an error during btrfs lookup, the wrong list
was being freed, leading to memory leak and possible use-after-free.
A malicious user could exploit this to cause a denial-of-service.


* Memory leak in scatterlist with SCSI mq.

A bug in the scatterlist code could cause a memory leak during
commands with a large data transfer length.  A malicious user could
exploit this to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
