[Ksplice-Fedora-21-updates] New updates available via Ksplice (FEDORA-2015-4887)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Apr 1 16:35:51 PDT 2015
Synopsis: FEDORA-2015-4887 can now be patched using Ksplice
Systems running Fedora 21 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-4887.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Fedora 21 install
these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
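The check below is an added example, not part of Oracle's advisory or the Ksplice tooling: it reads an uptrack.conf-style file and reports whether the host relies on autoinstall or needs the manual command above. It assumes that only an uncommented "autoinstall = yes" (case-insensitive) enables autoinstall and that a missing key means "no"; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a host needs a manual uptrack-upgrade run.

# Print the effective autoinstall value ("yes" or "no") for the given file.
# Comment lines are skipped so "# autoinstall = yes" does not count, and the
# last assignment in the file wins. Missing file or key => "no" (assumption).
autoinstall_value() {
    [ -r "$1" ] || { echo no; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)
            gsub(/[ \t\r]/, "", val)
            if (tolower(key) == "autoinstall") last = tolower(val)
        }
        END { if (last == "yes") print "yes"; else print "no" }
    ' "$1"
}

# Return 0 when the administrator has to run uptrack-upgrade by hand.
needs_manual_upgrade() {
    [ "$(autoinstall_value "$1")" != "yes" ]
}

# One-line status for a host; defaults to the path named in the advisory.
report() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    if needs_manual_upgrade "$conf"; then
        echo "$conf: autoinstall off -> run: /usr/sbin/uptrack-upgrade -y"
    else
        echo "$conf: autoinstall on -> updates install automatically"
    fi
}

# Constructed sample config: the only "yes" is commented out, so a plain
# grep for "autoinstall = yes" would wrongly report the host as covered.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF
report "$sample"
rm -f "$sample"
```

On a real host, call report with no argument to check /etc/uptrack/uptrack.conf.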
DESCRIPTION
* Denial-of-service in network packet transmission and reception.
Missing validation of the net.core.rmem_default and
net.core.wmem_default controls could allow a local, privileged user to
trigger a denial-of-service by setting low values for these parameters
and sending or receiving large packets.
* Use-after-free in virtio-net module unloading.
Missing cleanup on module unload could allow asynchronous work to
continue after the module had unloaded, causing a kernel crash.
* Kernel crash in IPv4 socket monitoring interface.
Incorrect allocation could result in a heap overflow and subsequent
kernel crash when receiving diagnostics for an IPv4 socket.
* Kernel crash during IPv6 UDP offloading fragmentation.
Under specific conditions, the kernel could crash when performing
fragmentation when UDP offloading was enabled for an IPv6 connection.
* Kernel crash in compat sendmsg/recvmsg calls.
Incorrect validation of user supplied data could result in memory
corruption when sending or receiving messages to a datagram socket and
the audit subsystem was enabled.
* NULL pointer dereference in Radeon DRM_IOCTL_RADEON_CS ioctl().
Incorrect initialization could result in a NULL pointer dereference when
performing a DRM_IOCTL_RADEON_CS ioctl(). A local user with access to
the DRM device could use this flaw to trigger a denial-of-service
attack.
* Kernel crash in LZ4 decompression.
Incorrect handling of invalid LZ4 data could result in accessing invalid
memory and a page fault.
* Kernel crash in kernel function graph tracer during enabling.
The kernel function graph tracer did not correctly handle changing the
tracer when ftrace was disabled. A local, privileged user could use
this flaw to crash the system.
* Kernel crash in controller area network (CAN) sockets.
Incorrect initialization of CAN sockets could result in a kernel crash
when using AF_PACKET sockets.
* NULL pointer dereference in Synopsys DesignWare SPI DMA allocation failure.
The Synopsys DesignWare SPI driver did not correctly handle DMA
allocation failures, resulting in a NULL pointer dereference when under
memory pressure.
* Deadlock during NILFS2 filesystem recovery.
Mounting a NILFS2 filesystem could cause deadlock if roll-forward
recovery was required. This could happen after a crash during a
datasync write.
* NULL pointer dereference in Xen event channel on large systems.
Large systems could fail to allocate a port IRQ for a Xen event channel
under specific conditions. This could result in a NULL pointer
dereference and kernel crash.
* Kernel crash in SAS driver during expander discovery.
Incorrect handling of expander device discovery could result in a NULL
pointer dereference and kernel crash.
* Denial-of-service in PCI device sysfs "driver_override" attribute.
Missing length validation of the "driver_override" attribute in a PCI
device sysfs entry could result in accessing invalid memory and
triggering a kernel crash. A local, unprivileged user could use this
flaw to trigger a denial-of-service under specific conditions.
* Information leak in /proc/PID/pagemap.
/proc/PID/pagemap includes the virtual to physical mappings and could be
accessed by a local, unprivileged user. This could be used in
conjunction with flaws such as ROWHAMMER to elevate privileges.
* Denial-of-service in Intel AES RFC4106 decryption.
Incorrect mapping of buffers in the Intel AES RFC4106 implementation
could result in a kernel crash. A local, unprivileged user with access
to AF_ALG(aead) sockets could use this flaw to trigger a
denial-of-service.
* Denial-of-service in Intel Memory Protection Extensions.
Incorrect checking for user mode tasks could result in a
denial-of-service when handling bounds faults on a system with MPX
available.
* Resource leak in IP virtual server backup sync protocol.
Missing resource freeing could result in a memory leak and failure to
remove an IP virtual server instance.
* Kernel crash in netfilter socket matching.
Incorrect use of stack-allocated variables could result in accessing
stale data. This could potentially be used by a local, privileged user
to cause a denial-of-service or, potentially, escalate privileges.
* Use-after-free in netfilter nf_tables table commit/abort.
A number of flaws in netfilter nf_tables commit/abort handling could
result in a use-after-free condition and kernel crash.
* NULL pointer dereference during Target device initialization failure.
Failure to create a workqueue when initializing a target device could
result in a NULL pointer dereference and kernel crash under specific
conditions.
* Use-after-free in ISCSI target connection closing.
A race condition in the ISCSI target connection closing procedure could
result in a use-after-free condition and subsequent kernel crash.
* Denial-of-service in pSCSI backend.
A missing NULL pointer check could result in a denial-of-service,
triggerable by a local, unprivileged user for incomplete configurations.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.