[Ksplice-Fedora-21-updates] New updates available via Ksplice (3.18.5-201.fc21)

Oracle Ksplice ksplice-support_ww at oracle.com
Sat Feb 7 16:04:22 PST 2015


Synopsis: 3.18.5-201.fc21 can now be patched using Ksplice
CVEs: CVE-2014-8480 CVE-2015-0239 CVE-2015-1465

Systems running Fedora 21 can now use Ksplice to patch against the
latest Fedora kernel update, 3.18.5-201.fc21.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 21 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* NULL pointer dereference in nl80211 when parsing invalid sched scan request.

Lack of proper input validation in the nl80211 stack could lead to a NULL
pointer dereference when parsing an invalid sched scan request.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Memory leak in cfg80211 when processing an already set driver hint.

Lack of verification that a driver hint is already set in the cfg80211
stack leads to a memory leak. A local, privileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Use-after-free when reading from /proc/interrupts.

A lack of synchronization between the generic IRQ subsystem releasing an
interrupt descriptor and a reader of /proc/interrupts accessing that same
descriptor could lead to a use-after-free and potentially a kernel crash.


* Memory corruption in SCSI library when clearing scatter gather segment.

A missing bounds check on the index used into a scatter-gather segment array
could lead to memory corruption and a kernel panic.


* Possible deadlock when registering a debug clock.

Incorrect locking when registering a debug clock could lead to a kernel
deadlock and denial-of-service under certain circumstances.


* Use-after-free when releasing a clock.

A logic error in the clock driver when releasing a clock leads to a
use-after-free and possible kernel panic.


* Use-after-free in USB Video Class driver when removing a device.

Incorrect ordering when removing the sysfs device on webcam disconnect leads
to a use-after-free and potentially a kernel panic.


* NULL pointer dereference in file locking support when removing a lease.

A logic error in the virtual filesystem locking support could lead to a
NULL pointer dereference under certain circumstances.  A local user could
use this flaw to cause a denial-of-service.


* Deadlock when unregistering GPIO chip.

Incorrect locking in the kernel GPIO driver when unregistering a GPIO chip
can trigger a deadlock and kernel panic.


* NULL pointer dereference in Keyspan USB serial driver.

A race condition when initializing a Keyspan USB serial device can
trigger a NULL pointer dereference and kernel panic.


* Deadlock when configuring line discipline of USB console device.

A kernel lock is not correctly initialized when a USB console device is
initialized. This can later trigger a deadlock when a user attempts to
configure a line discipline for the console device.


* Off-by-one in kernel bunzip2 decompressor.

The kernel bunzip2 decompressor does not correctly validate offsets when
decompressing data, which can lead to an out-of-bounds read and possible
kernel panic.


* Deadlock when unregistering pin control devices.

Incorrect locking when the kernel pin control (pinctrl) driver attempts
to unregister a device can trigger a deadlock and kernel panic.


* Deadlock when suspending Realtek USB card readers.

The kernel driver for Realtek USB card reader devices incorrectly holds
a lock which can trigger a deadlock and kernel panic.


* Kernel panic when flushing SFF ATA devices.

Incorrect locking when flushing Small Form Factor ATA devices can
trigger a BUG_ON and kernel panic.


* Integer overflow in adjtimex syscall.

The adjtimex syscall does not validate the 'freq' argument before multiplying
it by the kernel's ppm scaling factor, so a local user with CAP_SYS_TIME can
overflow the result and set the clock frequency to an invalid value.
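As an added illustration (not Ksplice's or the kernel's own code), the
following C shows the scaling step that makes an unvalidated 'freq'
dangerous, and a range check in the style of the upstream fix that rejects
the request before multiplying.  PPM_SCALE, ADJ_FREQUENCY and the argument
struct are simplified stand-ins that approximate the kernel's definitions;
the constants are assumptions, not copied from the kernel.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: these approximate the kernel's NTP scaling constants; the
 * real kernel derives PPM_SCALE from NSEC_PER_USEC and NTP_SCALE_SHIFT. */
#define NTP_SCALE_SHIFT 32
#define SHIFT_USEC      16
#define NSEC_PER_USEC   1000L
#define PPM_SCALE       (NSEC_PER_USEC << (NTP_SCALE_SHIFT - SHIFT_USEC))
#define ADJ_FREQUENCY   0x0002   /* same value as in <sys/timex.h> */

/* Simplified stand-in for the two fields of struct timex that matter here. */
struct timex_args {
    unsigned int modes;
    long freq;
};

/* The unvalidated path: the kernel computes time_freq = freq * PPM_SCALE.
 * Report whether that multiplication would overflow a long rather than
 * performing it, since signed overflow is undefined behaviour in C. */
static bool freq_scale_overflows(long freq)
{
    long scaled;
    return __builtin_mul_overflow(freq, PPM_SCALE, &scaled);
}

/* Range check in the style of the fix: bound freq by LONG_MIN/PPM_SCALE and
 * LONG_MAX/PPM_SCALE so that the later multiplication cannot overflow. */
static int validate_freq(const struct timex_args *txc)
{
    if (txc->modes & ADJ_FREQUENCY) {
        if (txc->freq < LONG_MIN / PPM_SCALE)
            return -EINVAL;
        if (txc->freq > LONG_MAX / PPM_SCALE)
            return -EINVAL;
    }
    return 0;
}

/* Validate, then scale: returns 0 and writes *time_freq, or -EINVAL. */
static int apply_freq(const struct timex_args *txc, long *time_freq)
{
    int err = validate_freq(txc);
    if (err)
        return err;
    if (txc->modes & ADJ_FREQUENCY)
        *time_freq = txc->freq * PPM_SCALE;   /* bounded above, cannot overflow */
    return 0;
}

int main(void)
{
    struct timex_args sane = { ADJ_FREQUENCY, 10 };        /* constructed input */
    struct timex_args hostile = { ADJ_FREQUENCY, LONG_MAX }; /* constructed input */
    long tf = 0;

    printf("freq=%ld overflows unchecked: %s\n", sane.freq,
           freq_scale_overflows(sane.freq) ? "yes" : "no");
    printf("freq=LONG_MAX overflows unchecked: %s\n",
           freq_scale_overflows(hostile.freq) ? "yes" : "no");
    printf("validated sane request: %d (time_freq=%ld)\n",
           apply_freq(&sane, &tf), tf);
    printf("validated hostile request: %d\n", apply_freq(&hostile, &tf));
    return 0;
}
```

The check divides LONG_MAX by the scale rather than multiplying 'freq' by
it, so the comparison itself can never overflow; that is the pattern to look
for when reviewing any syscall argument that is scaled before use.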


* Deadlock in CIFS COPYCHUNK_FILE ioctl.

The CIFS filesystem COPYCHUNK_FILE ioctl does not validate that the file
descriptor arguments are regular files which can trigger a deadlock and
kernel panic.


* CVE-2015-0239: Privilege escalation in KVM sysenter emulation.

The KVM emulation of the sysenter instruction does not validate 16-bit
code segments which can allow a local attacker to potentially elevate
privileges.


* Improved fix for CVE-2014-8480: Guest triggerable kernel panic in KVM instruction decoder.

An incomplete fix was applied for CVE-2014-8480 which can allow a
malicious KVM guest to trigger a kernel panic in the host when decoding
SLDT and STR instructions.


* Kernel panic when filtering netlink packets.

The kernel netlink netfilter implementation does not correctly validate
the length of received netlink packets which can trigger an out-of-
bounds read and possible kernel panic.


* Use-after-free when flushing netfilter rules.

The kernel netfilter implementation frees kernel resources in an
incorrect order which can trigger a use-after-free condition and
possible kernel panic when flushing a netfilter table.


* Kernel panic in netfilter connection tracking.

A race condition when establishing a new connection and flushing
netfilter connection tracking information can trigger a kernel panic.


* CVE-2015-1465: Denial of service in IPv4 packet forwarding.

A remote attacker can cause a denial-of-service by sending a large number
of packets that require redirection, which triggers high CPU load in the
forwarding path.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

