[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (2.6.32-45.99)

Sonja Tideman sonja.tideman at oracle.com
Fri Nov 9 04:57:45 PST 2012


Synopsis: 2.6.32-45.99 can now be patched using Ksplice
CVEs: CVE-2011-1083

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu kernel update, 2.6.32-45.99.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* IRQ stack overflow in apparmor.

A profile replacement can lead to an IRQ stack overflow in apparmor.  This
can result in memory corruption and a kernel crash.


* Denial of service in futexes located in special memory regions.

When using a futex located in a specially mapped memory region, such as the
gate area for example, the kernel thread trying to retrieve the page
mapping would be stuck in an infinite loop trying to acquire the mapping.


* Use-after-free in USB networking.

The USB networking driver had an internal race condition that could
cause a use-after-free when unlinking requests resulting in memory
corruption.


* Kernel crash in oprofile NMI.

A race condition in the oprofile NMI can cause kernel crashes
if the KM_USER0 slot is in use when the oprofile NMI hits.


* Resource leak in USB networking driver.

The usbnet core incorrectly cleared a pointer to the underlying device
resulting in a resource leak when unlinking requests.


* Denial-of-service in TCP retransmission timer.

Invalid socket locking could allow the kernel to modify a socket whilst
owned by the user resulting in a kernel crash and denial-of-service.


* Memory corruption in IPsec frame handling.

The IPsec subsystem does not correctly handle frames with missing
MAC headers leading to memory corruption and a kernel crash.


* NULL pointer dereference with misconfigured USB FTDI devices.

A USB FTDI device without a manufacturer string would trigger a NULL
pointer dereference and kernel crash when the device was plugged in.


* Denial of service with SUNRPC wait queues.

A race condition associated with adding new tasks onto the SUNRPC work
queue could cause some functions waiting on priority wait queues to
never be woken up, leading to system hangs.


* Avoid bug caused by corrupted Ext4 filesystem.

When mounting an ext4 filesystem, the kernel was not checking for zero
length extents. This would cause a BUG_ON assertion failure in the log.


* Kernel crash in SUNRPC cache management.

Many SUNRPC cache implementations would not handle a zero-length
string resulting in a kernel panic.


* Arithmetic overflow in clock source calculations on 32 bit kernels.

An insufficiently designed calculation in the CPU accelerator in the
previous kernel caused an arithmetic overflow in the sched_clock()
function when system uptime exceeded 208.5 days. This overflow led to
a kernel panic on systems using the Time Stamp Counter (TSC) or
Virtual Machine Interface (VMI) clock source. This update corrects the
calculation so that the arithmetic overflow and kernel panic can no
longer occur under these circumstances.
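The overflow above in miniature, as an added example (not Ksplice's or the kernel's own code). It assumes the x86 convention that the cycles-to-nanoseconds scale is nanoseconds per cycle times 2^10, and a 1 GHz TSC so that one cycle is one nanosecond; under those assumptions the single 64-bit product wraps exactly when uptime reaches 2^54 ns, which is the 208.5 days quoted above. The split multiplication is one constructed way to avoid the wrap.

```c
#include <stdint.h>
#include <stdio.h>

/* Scale is ns-per-cycle * 2^10 (assumed x86 sched_clock convention). */
#define CYC2NS_SCALE_FACTOR 10

/* Pre-fix form, constructed from the description: one 64-bit product.
 * cyc * scale wraps once cyc reaches 2^54 with scale == 1024. */
static uint64_t cycles_to_ns_overflowing(uint64_t cyc, uint64_t scale)
{
    return (cyc * scale) >> CYC2NS_SCALE_FACTOR;
}

/* Split form: shift the high part before multiplying and only multiply the
 * low 10 bits at full width, so neither partial product can wrap here. */
static uint64_t cycles_to_ns_split(uint64_t cyc, uint64_t scale)
{
    uint64_t mask = (1ULL << CYC2NS_SCALE_FACTOR) - 1;
    return (cyc >> CYC2NS_SCALE_FACTOR) * scale +
           (((cyc & mask) * scale) >> CYC2NS_SCALE_FACTOR);
}

/* Uptime in days represented by a nanosecond count. */
static double ns_to_days(uint64_t ns)
{
    return (double)ns / 1e9 / 86400.0;
}

int main(void)
{
    uint64_t scale = 1024;           /* 1 GHz: 1 ns per cycle, times 2^10 */
    uint64_t cyc = 1ULL << 54;       /* 2^54 cycles, i.e. 208.5 days at 1 GHz */

    printf("uptime at overflow point: %.1f days\n", ns_to_days(cyc));
    printf("single multiply : %llu ns\n",
           (unsigned long long)cycles_to_ns_overflowing(cyc, scale));
    printf("split multiply  : %llu ns\n",
           (unsigned long long)cycles_to_ns_split(cyc, scale));
    return 0;
}
```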


* NULL pointer dereferences in Bluetooth driver.

Fix two NULL pointer dereferences in hci_uart_tty_close.  The first
occurs if the driver doesn't find a device pointer associated with
the close and the second occurs due to a race condition between
closing the protocol driver and unregistering the device when a device
is disconnected.


* NULL pointer dereference in USB serial driver.

A race condition between probing and opening a USB serial device
could result in a NULL pointer dereference.


* Byte counter overflow in SHA-512.

An incorrect check in sha512_update prevented the upper 64 bits of the
SHA-512 byte counter from being incremented when the lower 64 bits
overflowed.
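The counter bug described above, as an added example constructed from that description (not the kernel's own sha512_update source). SHA-512 records the message length as a 128-bit value that is appended in the final padding block, so a lost carry into the upper word changes the digest of any message longer than 2^64 bytes.

```c
#include <stdint.h>
#include <stdio.h>

/* SHA-512 keeps the 128-bit byte count as two 64-bit words:
 * count[0] is the low 64 bits, count[1] the high 64 bits. */
struct sha512_len {
    uint64_t count[2];
};

/* Pre-fix form, constructed to match the bug description: the high word is
 * bumped only when the low word wraps to exactly zero, so a wrap that lands
 * on any other value (e.g. 0xFFFF...FFFE + 3 = 1) silently loses the carry. */
static void len_add_buggy(struct sha512_len *l, uint64_t len)
{
    if (!(l->count[0] += len))
        l->count[1]++;
}

/* Fixed form: a sum smaller than the addend means the low word wrapped,
 * whatever value it wrapped to. */
static void len_add_fixed(struct sha512_len *l, uint64_t len)
{
    if ((l->count[0] += len) < len)
        l->count[1]++;
}

/* Run one update from a given low word and return the resulting high word,
 * so the two versions can be compared on the same input. */
static uint64_t high_word_after(void (*add)(struct sha512_len *, uint64_t),
                                uint64_t start_low, uint64_t len)
{
    struct sha512_len l = { { start_low, 0 } };
    add(&l, len);
    return l.count[1];
}

int main(void)
{
    uint64_t start = UINT64_MAX - 1;   /* two bytes short of a wrap */
    printf("buggy high word after +3: %llu\n",
           (unsigned long long)high_word_after(len_add_buggy, start, 3));
    printf("fixed high word after +3: %llu\n",
           (unsigned long long)high_word_after(len_add_fixed, start, 3));
    return 0;
}
```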


* Denial of service in PHONET message sending.

The PHONET driver would attempt to allocate any packet size requested
from userspace. This could lead to memory exhaustion and OOM kills.


* Use-after-free in netlink receive queue.

A race between threads on consuming a buffer from the receive queue in
netlink_sendskb could result in a use-after-free.


* Use-after-free in socket error queue.

A race between threads on consuming a buffer from the socket error
queue in sock_queue_err_skb could result in a use-after-free.


* Buffer overflow in KS8851 network driver.

Insufficient buffer space when processing pending frames in ks_rcv
could result in a buffer overflow.


* Denial of service in the network GRED scheduler.

A kernel OOPS may occur in the GRED (Generic Random Early Detection)
network scheduler due to incorrect usage of the internal qdisc API.


* Kernel crash in UDF filesystem.

A possible overflow in the partition table length can cause an invalid
length to not be detected, later leading to a read beyond the end of a
buffer and a kernel crash.


* Use-after-free in SCSI request handling.

A use-after-free may occur if a SCSI request has no more references,
but is still rescheduled for completion.


* Information leak via incomplete copies in USB.

Copies of non-contiguous isochronous buffers in the USB subsystem may
leak kernel memory to a potential attacker.


* Out-of-bound values allowed by fcntl_setlease.

A missing bounds check in fcntl_setlease may allow out-of-bounds values
due to an incorrect cast from a long to an integer.


* Fix ACPI oops when it is unable to initialize a power supply.

When the ACPI driver failed to initialize a power supply, the
failure wasn't returned, causing the driver to mistakenly
believe the device was initialized.  This could lead to a kernel
oops.


* Data loss in ext4 filesystems.

An integer underflow in metadata block management could result in
allocation failure and data loss.


* Use-after-free in sctp.

In some circumstances, an SCTP association could be used after it was
freed, leading to memory corruption and possibly a kernel oops.


* NULL pointer dereference in CIPSO socket options.

Adding a CIPSO option to a socket could result in a NULL pointer
dereference and kernel crash under specific conditions.


* Kernel crash in kaweth USB Ethernet driver.

Invalid memory allocation could cause the kernel to sleep in an atomic
state resulting in a kernel crash.


* Indefinite hang in recvmsg when TCP offload is enabled.




* Kernel stack information leak in tun ioctls.

Incorrect initialisation of ioctl structures could result in leaking
stack bytes to a userspace process.


* NULL pointer dereference in futex requeuing.

A missing NULL pointer check could result in a kernel crash when
attempting to requeue a futex.


* NULL pointer dereference in non-pi futexes.

Incorrect configuration of futex addresses could lead to a NULL pointer
dereference and kernel crash.


* Use-after-free in freed page LRU handling.

A race condition between MMU notifier release and page unmapping may cause
the memory manager to access a page which was already freed.


* Memory corruption in FUSE handling of vectored responses.

An incorrect check of the size of the response vector could lead to an
overflow and corruption of memory after the vector.


* Race condition in VFS file operations.

A race condition when performing scatter-gather IO on a file can lead
to data corruption.


* Unreported error can cause unusable mount in NFS.

An unreported error can cause a mount to seem to succeed but have
completely unusable values for block sizes, maxfilesize, etc.


* Race condition in SUNRPC.

A race condition can cause data corruption when closing a SUNRPC socket.


* NULL pointer dereference in USB ACM.

A NULL pointer dereference can be triggered when probing a device that
provides an ACM endpoint.


* NUMA memory policy kernel panic.

A kernel panic can be triggered when querying a task's NUMA memory policy
via procfs.


* UDF data corruption fix.

Files stored in ICB (inode) can be partially overwritten with all
zeros.


* NULL pointer dereference in DCCP sockets.

A NULL pointer dereference can be triggered by querying or setting the
socket options of a DCCP socket that has no associated CCID.


* Denial of service in TCP sockets.

Splicing data to a TCP socket in out-of-memory conditions could result
in stalls and a denial of service.


* Denial of service in TCP SYN+FIN messages.

SYN+FIN attacks can cause a denial of service with machines trying
to respond to the invalid messages.  This update will drop TCP
messages with both SYN and FIN set instead of trying to process
them.


* Kernel information leak in X86 ptrace TLS regset.

The TLS lookup could run off the end of the descriptor list reading from
kernel memory.


* Use-after-free in epoll.

Insufficient cleanup in the epoll driver could use previously released
memory which an attacker could use to corrupt kernel memory.


* CVE-2011-1083: Algorithmic denial of service in epoll.

A flaw was found in the way the Linux kernel's Event Poll (epoll)
subsystem handled large, nested epoll structures. A local,
unprivileged user could use this flaw to cause a denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
