[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-12366)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Oct 15 11:25:14 PDT 2014


Synopsis: FEDORA-2014-12366 can now be patched using Ksplice

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-12366.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
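As an added example (not Ksplice code and not part of the original advisory), the POSIX shell helper below reads /etc/uptrack/uptrack.conf and reports whether a host will pick these updates up on its own or needs a manual `uptrack-upgrade -y`. It assumes uptrack.conf is a plain INI-style file in which the advisory's `autoinstall = yes` appears as a `key = value` line; the `[Settings]` section name, the sample files it writes, and the `UPTRACK_UPGRADE`/`DO_UPGRADE` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether a Ksplice Uptrack host needs a manual
# "uptrack-upgrade -y" by inspecting its uptrack.conf.  Illustrative code,
# not shipped with Ksplice; only the "autoinstall = yes" setting and the
# /usr/sbin/uptrack-upgrade -y command come from the advisory.

# Return 0 if CONF enables autoinstall, 1 otherwise (including unreadable).
# Comment lines (# or ;) and commented-out settings are ignored, as are
# surrounding whitespace and letter case in the value.  The last
# uncommented "autoinstall" line wins.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -e 's/[#;].*$//' "$conf" \
        | sed -n -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        | tail -n 1 | tr 'A-Z' 'a-z')
    case "$value" in
        yes|true|1|on) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print "autoinstall" when no action is needed, "manual" otherwise.
# The upgrade itself only runs when DO_UPGRADE=1, so the function is safe
# to call on a host without Ksplice.  UPTRACK_UPGRADE (assumed variable)
# lets a test point at a stub instead of the real binary.
uptrack_plan() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    upgrade="${UPTRACK_UPGRADE:-/usr/sbin/uptrack-upgrade}"
    if uptrack_autoinstall_enabled "$conf"; then
        echo "autoinstall"
        return 0
    fi
    echo "manual"
    if [ "${DO_UPGRADE:-0}" = 1 ]; then
        "$upgrade" -y
    fi
}

# Write a constructed sample config to PATH.  MODE is "enabled" (a live
# "autoinstall = Yes" line after a commented-out "no") or "disabled"
# (only a commented-out "yes").  The [Settings] header is assumed.
write_sample_conf() {
    path="$1"
    mode="$2"
    {
        echo "# constructed sample uptrack.conf ($mode)"
        echo "[Settings]"
        if [ "$mode" = enabled ]; then
            echo "# autoinstall = no"
            echo "autoinstall = Yes   ; trailing comment"
        else
            echo "# autoinstall = yes"
        fi
    } > "$path"
}

# Usage on a real host:
#   . ./uptrack_plan.sh; uptrack_plan            # prints autoinstall|manual
#   DO_UPGRADE=1 uptrack_plan                    # also runs uptrack-upgrade -y
```

Running `uptrack_plan` without `DO_UPGRADE=1` only reports the decision, which is the safe default for a fleet-wide audit; the actual upgrade is still the single command the advisory gives.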


DESCRIPTION

* Kernel crash in module registration failure.

Incorrect error handling in module registration failure could result in
leaving some mappings as read-only and non-executable.  This could
result in a kernel crash when subsequently writing to the mapping.


* Memory corruption during percpu allocation failures.

Incorrect cleanup during percpu allocation failures could result in
freeing incorrect pages leading to memory corruption and a kernel crash.


* Division by zero in DRM Translation Table Manager (TTM) driver.

A flaw in the DRM TTM driver could lead to a division by zero in the
kernel, causing a kernel panic and denial-of-service.


* Buffer overflows in USB serial probes.

A failure to verify ports and/or endpoints in the USB serial code
could lead to writing off the end of an array, causing heap and/or
stack overflows.  A malicious user could exploit this to cause a
denial of service.


* Kernel crash in Intel framebuffer initialization.

Access to stale pointers during MIPI VBT parsing could cause a kernel
hang when initializing the framebuffer with an Intel graphics adapter.


* Memory corruption in Intel iSMT I2C driver.

An off-by-one error in the Intel iSMT I2C driver could result in memory
corruption when performing a transfer.


* Buffer overflow in ALSA line accessor.

An off-by-one error in the ALSA subsystem could result in accessing
beyond the end of a buffer and corrupting memory.


* Divide-by-zero in CFQ group IO scheduling.

A race condition in group weight handling could result in a
divide-by-zero when updating group weight calculation.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Memory corruption in file lease list.

Incorrect list management could result in memory corruption when adding
a file lease.


* Deadlock in Unix filesystem inode management.

Incorrect locking could result in deadlock when adding or removing an
inode on a Unix filesystem.


* Kernel crash in Ultra Wideband device registration.

Use of uninitialized data could result in a kernel crash when registering
an ultra wideband device.


* NULL pointer dereference in XHCI initialization failure.

Incorrect cleanup during XHCI initialization failure could result in a
NULL pointer dereference and kernel crash.


* Use-after-free in XHCI on S2/S3 resume.

The XHCI driver could dereference a stale pointer on resuming from the
S2/S3 idle state, causing a kernel crash.


* Kernel crash in NFSv3 filesystem mounting.

Incorrect locking in NFSv3 mounting could result in a race condition
between kernel threads, causing a kernel panic.


* Data corruption on NFSv4 splice() reads.

Incorrect address calculation for buffers not aligned to a page boundary
could result in corruption of read data when performing a splice()
operation.


* NULL pointer dereference in Synopsys DesignWare SPI transfer completion.

The Synopsys DesignWare SPI driver could dereference a stale pointer
when completing a transfer, resulting in a NULL pointer dereference and
kernel crash.


* NULL pointer dereference in Synopsys DesignWare SPI PCI driver.

Missing mapping of I/O registers during PCI initialization could result
in a NULL pointer dereference when accessing the device.


* Kernel crash in symlink creation on SMB2 or SMB3 filesystems.

Incorrect checking for symlink support could result in a kernel panic
when creating a symlink if the server does not support the operation.


* Use-after-free in Industrial I/O trigger assignment.

Missing reference counting could result in a use-after-free with
Industrial I/O devices when allocating triggers.


* NULL pointer dereference in iSCSI target memory allocation failure.

Incorrect error handling on allocation failure when copying a parameter
list could result in a NULL pointer dereference and kernel crash.


* Memory corruption in iSCSI target logout handler.

A logic error in the logout handler could result in memory corruption
when a target was disconnected.


* Buffer overflow in NFC microread driver.

Missing validation of untrusted input data could result in a buffer
overflow when discovering a new target.  A malicious device could use
this flaw to trigger a denial-of-service or potentially gain code
execution.


* Privilege escalation in iSCSI PDU sending.

Missing bounds checks could allow a user with privileges to send PDUs to
an iSCSI device to overflow a buffer and potentially escalate
privileges.


* Kernel hang in PI futex requeueing.

A missing queue unlock operation could result in returning to userspace
with preemption disabled.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Data corruption in DM cache devices during writes.

A race condition in the DM cache driver could result in failing to mark
blocks as dirty causing data corruption on disk.


* Buffer overflow in dm-crypt crypto handling.

Incorrect buffer allocation in the dm-crypt subsystem could result in
accessing beyond the end of an allocation resulting in memory corruption
and a kernel crash.


* NULL pointer dereference in GPIO IRQ handlers.

Incorrect initialization could result in a GPIO IRQ firing before all
data structures were allocated.  This could trigger a NULL-pointer
dereference and kernel crash.


* Kernel information leak in IEEE 802.11 regulatory rules.

Incorrect string termination could result in a leak of kernel memory
contents to userspace.


* rpcbind crash during lockd startup failure.

Under specific conditions, a lockd startup failure could crash the
kernel.


* Data corruption in NILFS mmap()ed files.

Incorrect handling of dirty pages with NILFS mmapped files could result
in failure to write to disk correctly.  This could result in data
corruption when remounting the filesystem or after eviction from the
page cache.


* NULL pointer dereference in CPU hotplug cache management.

Incorrect handling of hotplug removal could result in a NULL pointer
dereference and kernel crash.


* Inode corruption in GFS2 files.

Incorrect inode management could result in a reference count imbalance.
Under specific conditions this could cause memory exhaustion or
filesystem corruption.


* NULL pointer dereference in Mellanox MLX4 Infiniband driver.

Failure to handle ports where a network device was not present could
result in a NULL pointer dereference and kernel crash when performing
network device scanning.


* Deadlock in DMA pool creation failure.

Failure to unlock a mutex when DMA pool creation fails could result in
deadlock and a kernel hang.


* Kernel hang in block device buffer with large disks.

On 32-bit systems, disks larger than 4TB could trigger an integer
overflow when accessing block devices.  This could cause an infinite
loop and kernel hang.


* Deadlock in CPU frequency scaling error handling.

Failure to release a mutex during error handling when adding a CPU
frequency scaling device could result in deadlock and subsequent
registration failure.


* Kernel crash in Conexant CX23418 MPEG encoder probing.

Incorrect data structure initialization could result in dereferencing an
invalid pointer and crashing the kernel.


* Out-of-bounds memory access in Video4Linux2 plane cookie handling.

Incorrect bounds checks when getting a plane cookie could result in an
out-of-bounds memory access and kernel crash.


* RAID1 data corruption during array resync.

Incorrect handling of read-balancing during array resync could result in
reading data from a device that was not fully synchronized.  This could
return corrupted data to the system.


* Off-by-one error in AIX partition table parsing.

Incorrect bounds checking could result in an out-of-bounds array access
and kernel crash.  A specially crafted disk image could be used to crash
the system.


* List corruption during peripheral clock rate change.

Incorrect list traversal could result in list corruption when changing
the rate of a peripheral clock.


* Kernel stack information leak in filesystem notify.

Missing error handling could result in leaking kernel stack data to
userspace when showing a handle in the inotify operations.


* Kernel crash in ext4 rename error handling.

Incorrect error handling in the ext4 rename function could result in
attempting to free an invalid pointer.  This could cause a kernel crash
under specific conditions.


* Use-after-free in control group directory removal.

A race condition in control group directory removal could result in a
use-after-free and kernel crash.  A local, unprivileged user could use
this flaw to trigger a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

