[Ksplice-Fedora-21-updates] New updates available via Ksplice (FEDORA-2015-4457)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Mar 31 14:01:20 PDT 2015


Synopsis: FEDORA-2015-4457 can now be patched using Ksplice
CVEs: CVE-2015-2666 CVE-2015-2672 CVE-2015-2686

Systems running Fedora 21 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-4457.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 21 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-2672: Denial-of-service when saving or restoring the FPU.

A flaw in the code that saves and restores the FPU state leads to
unprotected calls to instructions which might cause a general protection
fault in the kernel.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* CVE-2015-2666: Privilege escalation in the Intel early microcode loader.

A lack of bounds checking when writing to an on-stack array while parsing
the microcode headers in the Intel early loader could cause a kernel panic
or potentially lead to code execution in the kernel.  A local, privileged
user could use this flaw to escalate their privileges.


* CVE-2015-2686: Privilege escalation in sendto() and recvfrom() syscalls.

Lack of input validation in the sendto() and recvfrom() syscalls allows
user-space to overwrite kernel memory.  A local, unprivileged user could
use this flaw to escalate their privileges.


* Kernel panic when garbage collecting the IPv4 and IPv6 flow caches.

A miscalculation of a field offset when garbage collecting flow caches
leads to invalid memory access and kernel panic.


* Memory corruption when configuring a virtual interface link through netlink.

A minimum length was mistakenly interpreted as a maximum length when
configuring a virtual interface link through netlink, leading to memory
corruption and potentially a kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Use-after-free in IPv6 stack on TCP fast open.

TCP fast open could release a socket buffer which is still in use by the
IPv6 stack, leading to a use-after-free and kernel panic.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Use-after-free in the extended matches network classifier.

A logic error in the extended matches (ematch) network classifier could
lead to a use-after-free and kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Memory corruption in the socket sub-system when dequeuing a socket buffer.

Dequeuing a socket buffer was not properly disabling hard IRQs during the
operation, which could lead to memory corruptions and kernel panic.


* NULL pointer dereference in the Team driver on concurrent device un-registering.

A race condition in the network Team driver could lead to NULL pointer
dereference on concurrent network device un-registering.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Out of bounds memory write in macvtap driver with IPv6.

A logic error in the macvtap driver when reserving room in the socket
buffer for the Ethernet header potentially leads to a two-byte memory
overwrite.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Denial-of-service when binding an ICMP socket on IPv6.

A logic error in the IPv6 stack could lead to a kernel panic when
user-space binds an IPv4 ICMP socket.  A local, privileged user could use
this flaw to cause a denial-of-service.


* Memory leak when adding a VLAN device to a shut down interface.

A lack of un-registering stacked devices in the error path of rtnl_newlink()
leads to a memory leak.  A local, privileged user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* Memory corruption when using burst transmit on a virtual device.

Burst transmit is not supported on virtual devices and would cause various
memory corruptions.  An attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in Intel i915 video driver when invalidating a memory range.

A race condition in the Intel i915 video driver could lead to a
use-after-free when invalidating a memory range.  A local, privileged user
could use this flaw to cause a denial-of-service.


* Kernel bug when handling a huge page fault.

A race condition in the huge page fault handler could cause a BUG()
assertion to be hit, resulting in a denial-of-service.


* Denial-of-service when changing permissions of a huge page.

A race condition when changing the permissions of a huge page on concurrent
migration could lead to kernel panic and denial-of-service.  An attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service in the mmap() system call.

An integer overflow in the routine checking if there is enough memory to
satisfy an allocation request leads all future allocations to fail.  A
local, unprivileged user could use this flaw to cause a denial-of-service.
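The entry above describes an integer overflow in an accounting check that makes every later request fail. The following is an added, constructed user-space model of that bug class and its fix; it is not the kernel's code, and the names (enough_memory_buggy, enough_memory_fixed) and the overcommit-ratio style of the check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: an overcommit-style check. 'allowed' is a fraction
 * (ratio percent) of total RAM pages; a request succeeds when
 * committed + request <= allowed. */

/* Bug pattern: total_pages * ratio is computed in 32 bits and the wrapped
 * result is then read as signed. On a large machine 'allowed' becomes
 * bogus (here negative), so every request from then on is refused. */
static int enough_memory_buggy(uint32_t total_pages, uint32_t ratio,
                               uint32_t committed, uint32_t request)
{
    uint32_t product = total_pages * ratio;      /* wraps modulo 2^32 */
    int32_t allowed = (int32_t)product / 100;    /* wrapped value read as signed */
    return (int64_t)committed + request <= allowed;
}

/* Fix pattern: widen the operands before multiplying, so the arithmetic
 * cannot wrap for any realistic page count. */
static int enough_memory_fixed(uint32_t total_pages, uint32_t ratio,
                               uint32_t committed, uint32_t request)
{
    int64_t allowed = (int64_t)total_pages * ratio / 100;
    return (int64_t)committed + request <= allowed;
}

int main(void)
{
    uint32_t pages_1tib = 1u << 28;   /* 1 TiB worth of 4 KiB pages (constructed) */
    uint32_t pages_16gib = 1u << 22;  /* 16 GiB worth of 4 KiB pages (constructed) */

    /* Small machine: both checks agree and admit a modest request. */
    printf("16 GiB  buggy=%d fixed=%d\n",
           enough_memory_buggy(pages_16gib, 50, 1000, 1000),
           enough_memory_fixed(pages_16gib, 50, 1000, 1000));
    /* Large machine: the 32-bit product wraps and the buggy check refuses
     * a request that the widened check correctly admits. */
    printf("1 TiB   buggy=%d fixed=%d\n",
           enough_memory_buggy(pages_1tib, 60, 1000, 1000),
           enough_memory_fixed(pages_1tib, 60, 1000, 1000));
    return 0;
}
```

The failure mode matches the advisory's description: nothing crashes, the check simply answers "no" to everything once the machine is large enough for the product to wrap, which is why it surfaces as a denial-of-service rather than a panic.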


* Denial-of-service when reading physical memory from user-space.

The routine generic_phys_access(), used by the /dev/mem and user-space I/O
drivers, was only re-mapping one page of I/O memory when the request could
span a larger range, causing out of bounds memory accesses and kernel
panic.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Denial-of-service when soft-offlining a page on concurrent migration.

A race condition in the memory subsystem when soft-offlining a page being
migrated could cause a BUG_ON() assertion to trigger.  An attacker
could use this flaw to cause a denial-of-service.


* Multiple data losses on TCM Storage Engine.

Lack of input validation and range checks in the TCM Storage Engine (Target
Core) driver could lead to data loss or data corruption under certain
circumstances.


* Memory leak in btrfs filesystem on concurrent fsync calls.

A race condition in the btrfs filesystem on concurrent fsync could lead to
both memory leaks and inode leaks.  A local, unprivileged user could use
this flaw to exhaust the memory on the system and cause a denial-of-service.


* Denial-of-service in btrfs when reading extended ref.

Improper pointer arithmetic when calculating the address of the extended
ref could lead to an out of bounds memory read and kernel panic.  A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference in USB serial mxuport driver.

A missing check for NULL in the USB serial mxuport driver leads to a NULL
pointer dereference when it is used as a console.  A local, privileged user
could use this flaw to cause a denial-of-service.


* Information leak in the USB stack when sending signals to userspace.

A failure to clear a struct siginfo before sending it to user-space leads to
leaking kernel stack content to user-space.  A local, unprivileged user could
use this flaw to gain information about the running kernel, facilitating an
attack.
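The entry above is the classic uninitialised-structure information leak: fields the handler does not assign, and the padding between fields, carry whatever the stack held before. The following is an added, constructed user-space model of the bug and of the fix (zeroing the whole structure before filling it); it is not the kernel's code, and the structure layout, the marker byte 0xAA and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a signal-info structure. The 'short' field and
 * the odd-sized tail leave padding bytes, and 'spare' is a region the
 * handler never assigns for this particular signal. */
struct fake_siginfo {
    int signo;
    short code;
    void *addr;
    unsigned char spare[3];
};

/* A stack slot viewed both as the structure and as raw bytes. */
union slot {
    struct fake_siginfo si;
    unsigned char raw[sizeof(struct fake_siginfo)];
};

#define STALE_BYTE 0xAA   /* marker emulating leftover kernel-stack content */

static void fill_fields(struct fake_siginfo *si)
{
    si->signo = 11;           /* constructed values, not real signal data */
    si->code  = 1;
    si->addr  = (void *)0x1000;
}

/* Bug pattern: only the fields this path needs are assigned; padding and
 * unassigned fields keep whatever the stack held. */
static void build_unsafe(union slot *s)
{
    fill_fields(&s->si);
}

/* Fix pattern: clear the whole structure first, then assign fields. */
static void build_safe(union slot *s)
{
    memset(s, 0, sizeof *s);
    fill_fields(&s->si);
}

/* Returns how many bytes of the structure that would be copied to user
 * space still carry the stale marker, i.e. how many bytes would leak. */
static size_t leaked_bytes(int cleared)
{
    union slot s;
    memset(s.raw, STALE_BYTE, sizeof s.raw);   /* emulate stale stack contents */
    if (cleared)
        build_safe(&s);
    else
        build_unsafe(&s);

    size_t n = 0;
    for (size_t i = 0; i < sizeof s.raw; i++)
        if (s.raw[i] == STALE_BYTE)
            n++;
    return n;
}

int main(void)
{
    printf("leaked without clearing: %zu bytes of %zu\n",
           leaked_bytes(0), sizeof(struct fake_siginfo));
    printf("leaked after memset:     %zu bytes\n", leaked_bytes(1));
    return 0;
}
```

The exact count without clearing depends on the ABI's padding, but it is never below the three bytes of the unassigned 'spare' field; with the memset it is zero regardless of layout, which is the property a reviewer should look for in any structure that crosses the kernel/user boundary.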


* Use-after-free in USB serial stack on failure to probe a device.

A logic error in the USB serial stack could lead to a use-after-free and
kernel panic on failure to probe a device.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Out of bounds memory access in autofs4 filesystem ioctl.

A time-of-check to time-of-use vulnerability when validating the size of
the ioctl input buffer in the autofs4 filesystem could lead to out of bounds
memory access.  A local, unprivileged user could use this flaw to cause a
denial-of-service or potentially escalate their privileges.
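The entry above is a double-fetch bug: a length is validated from one read of user memory and then read again for the actual copy, so a concurrent writer can change it in between. The following is an added, constructed user-space model of that pattern and of the fix (fetch the header once into kernel memory and derive every later length from that copy); it is not the autofs4 code, and the buffer sizes, the header layout and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 64u   /* kernel-side buffer the ioctl copies into (constructed) */
#define HDR_SIZE  4u    /* header is a single 32-bit total length */

/* Constructed 'user memory': a length header followed by payload bytes. */
static unsigned char user_mem[4096];

static void set_user_size(uint32_t n) { memcpy(user_mem, &n, sizeof n); }

/* Stand-in for a racing thread: enlarges the header between two fetches. */
static void racer_grow_size(void) { set_user_size(sizeof user_mem); }

/* Stand-in for copy_from_user(); fault handling is not modelled. */
static void copy_from_user_sim(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Bug pattern (double fetch): the length is validated from one read of user
 * memory and re-read for the real copy. Returns the length the copy would
 * use, or -1 if rejected. A real handler would write that many bytes into
 * a KBUF_SIZE buffer, which is the out-of-bounds access. */
static long handle_buggy(void (*race)(void))
{
    uint32_t size;
    copy_from_user_sim(&size, user_mem, sizeof size);   /* fetch #1: check */
    if (size < HDR_SIZE || size > KBUF_SIZE)
        return -1;
    if (race)
        race();                                          /* user memory changes here */
    copy_from_user_sim(&size, user_mem, sizeof size);   /* fetch #2: use */
    return (long)size;
}

/* Fix pattern: copy the header once, validate the kernel copy, and never
 * consult user memory for the length again. Returns the validated length. */
static long handle_fixed(void (*race)(void))
{
    unsigned char kbuf[KBUF_SIZE];
    uint32_t size;
    copy_from_user_sim(&size, user_mem, sizeof size);   /* the only header fetch */
    if (size < HDR_SIZE || size > KBUF_SIZE)
        return -1;
    if (race)
        race();                                          /* no longer matters */
    memcpy(kbuf, &size, sizeof size);
    copy_from_user_sim(kbuf + HDR_SIZE, user_mem + HDR_SIZE, size - HDR_SIZE);
    return (long)size;
}

/* Scenario driver: initial header value, whether a racer runs, which handler. */
static long run(int use_fix, uint32_t initial_size, int raced)
{
    set_user_size(initial_size);
    void (*race)(void) = raced ? racer_grow_size : NULL;
    return use_fix ? handle_fixed(race) : handle_buggy(race);
}

int main(void)
{
    printf("buggy, header raced 32 -> 4096: uses %ld bytes\n", run(0, 32, 1));
    printf("fixed, header raced 32 -> 4096: uses %ld bytes\n", run(1, 32, 1));
    printf("oversized header rejected: buggy=%ld fixed=%ld\n",
           run(0, 4096, 0), run(1, 4096, 0));
    return 0;
}
```

The rejection path is identical in both handlers; the difference is only that the fixed version's later copy is bounded by the value it already checked, so the race window no longer changes what gets written.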


* Information leak in the autofs4 filesystem when opening a directory.

The wrong format string was used to output information to the kernel log
buffer in the autofs4 filesystem.  A local user could use this flaw to gain
information about the running kernel and potentially facilitate an attack.


* Use-after-free on removing from debugfs on concurrent symlink traversal.

A race condition in the debugfs filesystem could lead to a use-after-free
when removing inodes from debugfs concurrently with traversing symlinks.  A
local, privileged user could use this flaw to cause a denial-of-service.


* Use-after-free on removing from procfs on concurrent symlink traversal.

A race condition in the procfs filesystem could lead to a use-after-free
when removing inodes from procfs concurrently with traversing symlinks.  A
local, privileged user could use this flaw to cause a denial-of-service.


* List corruption in the SUNRPC stack on back-channel request completion.

Improper locking in the routine handling a back-channel completion could
lead to list corruption and kernel panic.  An attacker could use this flaw
to cause a denial-of-service.


* NULL pointer dereference in real time mutex when handling a deadlock.

A missing check for waiters on a mutex when removing it could lead to a
NULL pointer dereference.  A local, unprivileged user could use this flaw
to cause a denial-of-service.


* Memory leak in Infiniband driver when modifying the queue port.

A failure to properly release resources in the Infiniband driver when
modifying the queue port leads to a memory leak.  A local, privileged user
could use this flaw to cause a denial-of-service by exhausting the memory
on the system.


* Use-after-free in the Multiple devices driver when taking a reference count.

Incorrect locking in the Multiple devices driver (RAID and LVM) could lead
to a use-after-free.  A local, privileged user could use this flaw to cause
a denial-of-service.


* Use-after-free in the Multiple devices driver when taking a snapshot.

An internal structure of the Multiple devices (RAID and LVM) driver was
being accessed after it was released.  An attacker could use this flaw to
cause a denial-of-service.


* Memory corruption in the Intel i915 video driver when setting the tiling.

Incorrect locking in the Intel i915 video driver when setting the tiling
could lead to list corruptions and kernel panic.  A local, privileged user
could use this flaw to cause a denial-of-service.


* NULL pointer dereference in GFS2 filesystem when deleting ACL.

A lack of NULL pointer check when deleting ACLs on a GFS2 filesystem could
lead to a NULL pointer dereference.  A local, privileged user could use
this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
