[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-11040)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Sep 25 08:26:27 PDT 2014


Synopsis: FEDORA-2014-11040 can now be patched using Ksplice
CVEs: CVE-2014-6416 CVE-2014-6417 CVE-2014-6418 CVE-2014-7145

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-11040.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
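
The check described above, as an added example (not Oracle's code): a shell helper that reports whether a host will pick up these updates automatically or needs the manual command. It assumes uptrack.conf uses "key = value" lines with "#" comments; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumption: uptrack.conf holds
# "key = value" lines and "#" comment lines; the last assignment wins.

# Print the effective autoinstall value, "unset", or "unreadable".
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 0; }
    awk -F= '
        /^[ \t]*#/ { next }                 # ignore commented-out settings
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)
            gsub(/[ \t\r]/, "", val)
            if (key == "autoinstall") v = val
        }
        END { print (v == "" ? "unset" : v) }
    ' "$conf"
}

# Decide what the operator must do. Only an exact "yes" counts as
# automatic; anything else falls back to the manual command, so a
# misparsed or unusual config never leaves a host silently unpatched.
uptrack_action() {
    case "$(uptrack_autoinstall "$1")" in
        yes) echo "automatic" ;;
        *)   echo "manual: /usr/sbin/uptrack-upgrade -y" ;;
    esac
}

# Constructed sample config, used only to demonstrate the functions.
sample=$(mktemp)
printf '%s\n' '[Settings]' '# autoinstall = yes' 'autoinstall = no' > "$sample"
uptrack_action "$sample"
rm -f "$sample"
```

Called without an argument, uptrack_action reads /etc/uptrack/uptrack.conf on the local host.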


DESCRIPTION

* Use-after-free in AMD iommu mass device removal.

Incomplete cleanup during mass device remove in the AMD
iommu could result in a use-after-free.


* Data corruption in trace ring buffer during reads.

A race condition while reading a trace file could cause the
ring buffer iterator to get corrupted, leading to a kernel
panic.


* Denial-of-service in Bluetooth sockets during task exit.

Incorrect handling of the close of a Bluetooth socket (BTPROTO_L2CAP,
BTPROTO_SCO, or BTPROTO_RFCOMM) could result in an unkillable process.  A
malicious user could exploit this to cause a denial-of-service.


* Invalid recovery during RAID1 and RAID10 recoveries.

Invalid treatment of a write error during recovery in raid1
and raid10 drivers could result in some sectors not being correctly
recovered.


* Data corruption in XFS when extending EOF.

Invalid dirty buffer handling in XFS could result in data
corruption when one process extends the EOF while another
process attempts to write via direct I/O to the same file.
A malicious user could use this to cause a denial-of-service.


* XFS page cache corruption with O_DIRECT operations.

XFS reads and writes with O_DIRECT can zero out partial ranges in a page in
a cache. This page can stay in the cache, causing normal, buffered reads to
read zeros instead of the actual content.


* Denial-of-service in libceph TCP send and receive page.

A miscalculation in the libceph code could cause an invalid message
length to be passed in ceph_tcp_{send,recv}page, which causes various
assertions to fire.  This could be used by a malicious user to cause
a denial-of-service attack.


* Invalid memory access in libceph with large replies.

A failure to correctly allocate new messages with large replies
from the monitor in libceph could result in a buffer overrun.


* CVE-2014-7145: NULL pointer dereference in CIFS SMB2 error handling.

Invalid error handling in the cifs smb2 code could result in
a NULL pointer dereference and kernel panic.


* Use-after-free in keyring associative array garbage collection.

The keyring garbage collection was incorrectly using a data
structure after it had potentially been freed, leading to a
use-after-free and potential kernel panic.


* Memory corruption when balancing Reiser filesystems.

The Reiser filesystem uses an incorrect offset when balancing a
filesystem, leading to memory corruption and kernel panic.


* Memory corruption in fanotify permission events.

The fanotify subsystem incorrectly frees pending permission events
leading to a double free and kernel memory corruption. A local
unprivileged user could use this flaw to cause a denial of service or
elevate privileges.


* CVE-2014-6416, CVE-2014-6417, CVE-2014-6418: Buffer overflow in libceph authorization.

An invalid hard-coded buffer size could lead to buffer overflows
and kernel panics during ticket authorization.


* Information leak in OCFS2_IOC_INFO ioctl.

The OCFS2_IOC_INFO ioctl in the OCFS2 filesystem does not initialise
memory before returning to userspace, causing 31 bits of kernel memory
to be disclosed to userspace.


* Memory leak in ALSA SOC pcm update.

A missing release in dpcm runtime updates could result in a memory
leak.  A malicious user could exploit this to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


