[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (2.6.35-32.64)

[Tim Abbott]

Synopsis: 2.6.35-32.64 can now be patched using Ksplice
CVEs: CVE-2011-1017 CVE-2011-1162 CVE-2011-2203 CVE-2011-2707 
CVE-2011-2898 CVE-2011-4110

Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch
against the latest Ubuntu kernel update, 2.6.35-32.64.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.10
Maverick install these updates.  You can install these updates by
running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Null kernel dereference in the USB subsystem.

tty_port_tty_get could return NULL, which was dereferenced in
usb_wwan_indat_callback, causing a kernel OOPS.


* Require CAP_SYS_ADMIN to rebalance btrfs filesystems.


* Kernel panic in network bonding on ARP receipt.

When receiving an ARP packet, the kernel's network interface bonding 
code could
fail to manage shared buffers correctly, resulting in failure to establish
bonding, or a kernel panic.


* Buffer underflow in CIFS session setup.

When decoding the string area in a SESSION_SETUP response, the
ssetup_ntlmssp_authenticate function in the CIFS subsystems did not
check whether for bytes_remaining having reached 0, resulting in a
buffer underflow.


* Buffer overflow in CIFS password processing.

When processing passwords, the cifs_parse_mount_options function in
the CIFS subsystem did not properly bounds-check the options array,
resulting in a buffer overflow.


* Missing validation of user-supplied data in the megaraid_sas driver.

The user-supplied ioc->sgl[i].iov_len was not validated before being
passed to dma_alloc_coherent, allowing a kernel OOPS.


* Information leak in kernel memory leak detector.

In kmemleak_seq_next, failure to get the last object during list
traversal leaked a pointer when it should have returned NULL.


* ext3 filesystem corruption when no space is left on the device.

When make_indexed_dir failed because there was no space left on the
device, not all changed buffers were being marked as dirty and thus
being written to disk, corrupting the directory.


* Denial of service in JBD fsync transaction handling.

Certain workloads involving fdatasync() and fsync() on filesystems
using the JBD layer could cause denial of service (BUG assertion
failure).


* Additional fix for CVE-2011-1017.

Ubuntu provided an additional fix for CVE-2011-1017 (Missing boundary
checks in LDM partition table parsing).


* Kernel crash in suspend/resume system memory snapshotting.

If a failure occurred in the callback chain when opening
/dev/snapshot, snapshot_release was never called, triggering a BUG_ON
create_basic_memory_bitmaps on subsequent attempts to open
/dev/snapshot.


* Denial of service in uvcvideo video driver.

The uvcvideo driver did not correctly remove certain buffers from a
queue before freeing them, resulting in a possible denial of service
(kernel oops) or memory corruption.


* Denial of service in CFQ disk scheduler.

Incorrect locking in the __cfq_exit_single_io_context function could
lead to denial of service via kernel oops.


* CVE-2011-2707: Arbitrary read vulnerability in ptrace.

A missing access control check in the ptrace_setxregs() function in
the xtensa architecture allowed an unprivileged user to read arbitrary
kernel memory.


* Kernel crash in semtimedop.

If a semaphore array was removed while a sleeping task was woken up,
the woken up task would not wait until wake_up_sem_queue_do
completed. wake_up_sem_queue_do would then read from a stale pointer,
causing a kernel crash.


* System freeze in JMicron driver.

A missing dma_unmap in the JMicron ethernet device driver caused
system freezes under heavy loads.


* Memory corruption on nfsd shutdown.

A logic error in the svc_delete_xprt function could result in a
use-after-free condition on nfsd shutdown, resulting in a potential
denial-of-service or privilege escalation.


* Threading bugs caused by incorrect declaration in rpcbind client.

struct rpcbind_args *map was declared static, allowing the values
assigned to map to be sent two two different tasks if two threads
entered this method at the same time, causing use-after-free and
double-free memory bugs.


* TKIP replay vulnerability in the mac80211 driver.

Missing protections against a TKIP replay vulnerability allowed an
attacker to take a QoS packet with TID 0 and replay it as a non-QoS
packet.


* CVE-2011-1162: Information leak in TPM driver.

A buffer in tpm_read was not initialized before being returned to
userspace, leading to a leak of potentially sensitive kernel memory.


* CVE-2011-2203: Null pointer dereference mounting HFS filesystems.

A NULL pointer dereference flaw was found in the Linux kernel's HFS
file system implementation. A local attacker could use this flaw to
cause a denial of service by mounting a disk that contains a
specially-crafted HFS file system with a corrupted MDB extent
record.


* CVE-2011-4110: Null pointer dereference in key subsystem.

A NULL pointer dereference flaw was found in the way the Linux
kernel's key management facility handled user-defined key types. A
local, unprivileged user could use the keyctl utility to cause a
denial of service. (CVE-2011-4110, Moderate)


* Kernel OOPS in Phonet driver.


* Heap corruption bug in pmcraid driver.

The pmcraid driver had a bug that allowed a privileged user to cause
heap corruption and other issues.


* CVE-2011-2898: Information leak in packet subsystem.

Uninitialized struct padding in the packet subsystem led to an
information leak of two bytes of kernel memory to userspace.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.