[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (USN-1431-1)

Christine Spang christine.spang at oracle.com
Thu May 3 14:18:42 PDT 2012


Synopsis: USN-1431-1 can now be patched using Ksplice
CVEs: CVE-2011-4086 CVE-2011-4347 CVE-2012-0045 CVE-2012-1090 CVE-2012-1097 CVE-2012-1146 CVE-2012-1179

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1431-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
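To tell which of the two paths above applies on a given machine, here is an added shell example (not part of the Ksplice announcement) that reads uptrack.conf for the autoinstall setting quoted above. It treats only the literal value "yes" from the announcement as enabled, assumes the key = value layout that quote shows, and the configuration it writes for the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not from the Ksplice announcement. Decides whether the
# USN-1431-1 Ksplice updates install themselves (autoinstall = yes) or
# need a manual /usr/sbin/uptrack-upgrade -y. Only the literal value
# "yes" quoted in the announcement is treated as enabled; the key/value
# layout is assumed from that quote.

# Print "yes" if the given uptrack.conf enables autoinstall, else "no".
# Comment lines (# or ;) are ignored; if the key appears more than once
# the last assignment wins; an unreadable file counts as "no".
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "no"; return 0; }
    val=$(sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" | tail -n 1)
    if [ "$val" = "yes" ]; then echo "yes"; else echo "no"; fi
}

# Print the action the announcement prescribes for the given config file.
uptrack_advice() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "autoinstall is on: the updates will be applied automatically"
    else
        echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Demonstration on a constructed config (not a real /etc/uptrack/uptrack.conf).
demo_conf=$(mktemp)
printf '# constructed sample\nautoinstall = no\nautoinstall = yes\n' > "$demo_conf"
uptrack_advice "$demo_conf"
rm -f "$demo_conf"
```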


DESCRIPTION

* CVE-2012-1097: NULL pointer dereference in the ptrace subsystem.

Under certain circumstances, ptrace-ing a process could lead to a NULL
pointer dereference and kernel panic.


* CVE-2012-1146: Denial of service in the cgroup eventfd handling.

The cgroup event handler didn't check whether there were any events
registered for a specific memory cgroup before trying to unregister
them. This would lead to a kernel OOPS if there weren't any events to be
unregistered.


* Improved fix to CVE-2011-4347.

The vendor's original fix did not prevent devices from being assigned
without IOMMU protection, which could allow a virtual machine to access
arbitrary host memory through a device.


* NULL pointer dereference in network emulator.

When reordering packets in netem_enqueue, qdisc could be NULL in some
cases, leading to a NULL pointer dereference and kernel OOPS.


* Kernel OOPS when USB2 ports outnumber USB3 ports.

An incorrect array index in xhci_usb2_hub_descriptor would cause a
kernel OOPS on machines with more USB 2.0 ports than USB 3.0 ports.


* Memory corruption in ath9k wireless driver.

Insufficient checks on negative transmission rates in
ath_debug_stat_rc resulted in memory corruption.


* Use-after-free in epoll.

Insufficient cleanup in the epoll code could leave a reference to
previously released memory, which an attacker could use to corrupt
kernel memory.


* Kernel crash in 802.11 drivers.

The 802.11 subsystem was initializing device drivers with incorrect
rate control values, leading to kernel crashes.


* Denial of service in transparent hugepage memory subsystem.

It is possible to trigger a BUG() when exiting a process or freeing a
large block of memory that was mapped using transparent hugepages.


* Kernel OOPS in discard support for MD RAID driver.

dm_mirror could send REQ_DISCARD on discard-enabled devices without
corresponding support in dm_io, causing a kernel OOPS.


* CVE-2012-0045: Denial of service in KVM system call emulation.

A bug in the system call emulation for the syscall instruction allowed
local users on a 32-bit KVM guest system to cause the guest system to
panic.


* Use-after-free in Async IO creation and deletion.

A race condition in the Async IO context creation and destruction code
could result in a use-after-free.


* Use-after-free due to a race between Async IO and memory mapping.

A race between the destruction of an Async IO context and an munmap call
may result in a use-after-free.


* Invalid reference counting on complete walks in the VFS subsystem.

A complete walk of a VFS descriptor would lead to a double put of that
descriptor. This would cause a kernel OOPS, since the second put may
access invalid memory.


* Kernel OOPS when handling IPsec frames without a MAC header.

Multiple XFRM modes failed to check whether or not a MAC header
existed before copying it, resulting in a kernel OOPS.


* Kernel OOPS on AFS remote abort.

Failure to free all skbs in call->rx_queue before calling
afs_free_call resulted in a failed ASSERT and kernel OOPS.


* NULL pointer dereference in iwl3945 driver.

Race conditions in iwl3945_bg_reg_txpower_periodic and
iwl3945_bg_alive_start between releasing a mutex and cancelling
delayed work could result in a NULL pointer dereference and kernel
OOPS.


* NULL pointer dereference with misconfigured USB FTDI devices.

A USB FTDI device without a manufacturer string would result in a NULL
pointer dereference and kernel crash when the device was plugged in.


* Missing device memory allocation failure checks in rtlwifi.

The rtlwifi driver was missing device memory allocation failure checks
when freeing resources, resulting in a NULL pointer dereference and
kernel panic.


* Divide-by-zero in NTP.

Integer overflow in NTP when setting the time could result in a
divide-by-zero and kernel panic.


* Inode corruption in XFS inode lookup.

The XFS inode cache did not correctly initialize the inode before
insertion into the cache which could result in corruption when racing
with an inode lookup.


* Faulty error handling in UBI device scanning.

Incorrect error handling in the UBI device scanning code meant that a
NULL pointer dereference or double-free could be triggered on releasing
a kernel cache.


* Resource leak in USB networking driver.

The usbnet core incorrectly cleared a pointer to the underlying device,
resulting in a resource leak when unlinking requests.


* Kernel crash in EXT4 filesystem with zero-length extents.

Mounting an EXT4 filesystem with a zero-length extent would trigger a
kernel BUG() and system crash.


* Unbalanced locking in VFS non-local alias search.

A code path responsible for finding aliases on a non-local filesystem
did not correctly release a lock, resulting in a system hang.


* Kernel information leak in X86 ptrace TLS regset.

The TLS lookup could run off the end of the descriptor list, reading
kernel memory beyond it.


* Kernel crash in SUNRPC cache management.

Many SUNRPC cache implementations would not handle a zero-length
string, resulting in a kernel panic.


* Incorrect code generation in Berkeley Packet Filter JIT.

The Berkeley Packet Filter JIT for X86 could generate incorrect code
when handling a negative offset in certain instructions.


* CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem.

In some cases, the hugepage subsystem would allocate new PMDs when not
expected by the memory management subsystem. A privileged user in a KVM
guest could use this flaw to crash the host, and an unprivileged local
user could use this flaw to crash the system.


* Missing length constraint in Virtual Ethernet attribute validation policy.

A missing minimum length on VETH_INFO_PEER in struct veth_policy
allowed access beyond the limits of the netlink message.


* CVE-2012-1090: Denial of service in the CIFS filesystem reference counting.

Under certain circumstances, the CIFS filesystem would open files on
lookup. If the file was later determined to be a FIFO or any other
special file, the file handle would be leaked, leading to a reference
counting mismatch and a kernel OOPS on unmount.

An unprivileged local user could use this flaw to crash the system.


* CVE-2011-4086: Denial of service in journaling block device.

The journaling block device assumed that a buffer marked as unwritten
or delayed could be live, without checking whether the buffer was mapped.

An unprivileged local user could use this flaw to crash the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
