[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (USN-1452-1)
Jessica McKellar
jessica.mckellar at oracle.com
Sat May 26 11:44:39 PDT 2012
Synopsis: USN-1452-1 can now be patched using Ksplice
CVEs: CVE-2012-1601 CVE-2012-2123
Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1452-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Use after free in the 802.11 RX reorder timer.
The RX reorder timer could still be armed after the session had been
stopped, because the session is only torn down after an RCU grace period.
This can lead to a use after free when the timer tries to access a session
that no longer exists.
* Memory corruption in DRM framebuffer allocation.
A userspace application could request a framebuffer size bigger than the
maximum size allocated in the kernel; this would lead to memory
corruption and system hangs.
* Bad access control permissions to dmesg_restrict sysctl.
The root user without the CAP_SYS_ADMIN capability was able to reset the
contents of the "/proc/sys/kernel/dmesg_restrict" configuration file to
0. Consequently, the unprivileged root user could bypass the protection
of the "dmesg_restrict" file and read the kernel ring buffer.
* Use after free when copying credentials for a newly-forked process.
The child process could inherit an invalid replacement_session_keyring
in copy_creds, resulting in a use after free.
* NULL pointer dereference when closing a Bluetooth TTY.
A NULL pointer dereference would occur when closing a Bluetooth TTY
because the driver would attempt to close the protocol driver before
the device had unregistered.
* Kernel OOPS in HugeTLB page fault management for multi-threaded tasks.
A reference counting error in hugetlb_fault could result in the
use-after-free of a struct page on a failed fork().
* Data corruption and kernel OOPS in HMC5843 magnetometer driver.
Client data was incorrectly extracted and initialized in
hmc5843_init_client, causing data corruption and an eventual kernel
panic.
* NULL pointer dereference in Altera UART driver.
A missing check on platp in altera_uart_probe allowed a NULL pointer
dereference and kernel OOPS.
* NULL pointer dereference in USB serial driver.
A race condition between probing and opening a USB serial device
could result in a NULL pointer dereference.
* NULL pointer dereference in USB scatter-gather library.
In a race between the unlinking and completion logic, sg_complete
could set urb->dev to NULL when it was still in use, causing a NULL
pointer dereference and kernel OOPS.
* CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
If a process increased its permissions using fcaps, the dangerous
personality flags that are cleared for suid applications were not cleared.
This allowed programs that gained elevated permissions using fcaps to
disable the address space randomization of other processes.
* NULL pointer dereference during Bluetooth HCI unregistration.
A race between hci_dev_open and hci_dev_unregister could result in a
NULL pointer dereference and kernel OOPS.
* Information disclosure in futex robust list handling.
An unprivileged user may acquire the address of a robust list
head from a setuid process, allowing an ASLR info leak.
* CVE-2012-1601: Denial of service in KVM VCPU creation.
Inconsistent state in the creation of KVM virtual CPUs could
lead to NULL pointer dereferences. An unprivileged local user
could use this flaw to crash the system.
* Byte counter overflow in SHA-512.
An incorrect check in sha512_update prevented the upper 64 bits of the
SHA-512 byte counter from being incremented when the lower 64 bits
overflowed.
* NULL pointer dereference in USB gadget FunctionFS ioctl.
A missing check in ffs_ep0_ioctl on whether or not the FunctionFS was
bound allowed a NULL pointer dereference and kernel OOPS.
* Denial of service in PHONET message sending.
The PHONET driver would attempt to allocate any packet size requested
from userspace. This could lead to memory exhaustion and OOM kills.
* NULL pointer dereference when firmware name of i2400 driver is not set.
If the firmware name of the i2400 network driver was not set, a
strncpy of a NULL pointer in i2400m_get_drvinfo would result in a NULL
pointer dereference and kernel OOPS.
* Use-after-free in netlink receive queue.
A race between threads on consuming a buffer from the receive queue in
netlink_sendskb could result in a use-after-free.
* Use-after-free in socket error queue.
A race between threads on consuming a buffer from the socket error
queue in sock_queue_err_skb could result in a use-after-free.
* Buffer overflow in KS8851 network driver.
Insufficient buffer space when processing pending frames in ks_rcv
could result in a buffer overflow.
* Denial of service in the network GRED scheduler.
A kernel OOPS may occur in the GRED (Generic Random Early Detection)
network scheduler due to incorrect usage of the internal qdisc API.
* Denial of service in network namespace initialization.
The network namespace initialization routine would leak its internal
network generic structure if the initialization of one of the network
subsystems failed, leading to a possible denial of service.
* Device reference leak when removing PCI root bus.
When removing a PCI root bus, several references were not released
during PNP matching. This would cause the references to get leaked
when the matching completed.
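The SHA-512 byte counter item above is easy to misread without seeing the arithmetic. The following C program is an added illustration written for this page, not Ksplice or Linux kernel code: it models the 128-bit byte counter as two 64-bit words, contrasts a defective carry check (a reconstruction of the kind of check described above, presented as an assumption rather than the exact kernel line) with a correct one, and shows how the counter feeds the 128-bit bit length that SHA-512 hashes in its final padding block, which is why a lost carry changes the digest for very long inputs.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/*
 * SHA-512 keeps the number of bytes hashed in a 128-bit counter split into
 * two 64-bit words. The final padding block encodes the message length in
 * bits as a 128-bit big-endian value, so the high word must receive a carry
 * whenever the low word wraps around.
 */
struct sha512_count {
    uint64_t lo;   /* low 64 bits of the byte count  */
    uint64_t hi;   /* high 64 bits of the byte count */
};

/*
 * Reconstructed defective check (an assumption about the pre-fix shape, not
 * the verbatim kernel code): the high word is incremented only when the low
 * word wraps to exactly zero, so a wrap that lands on any non-zero value,
 * which is the common case, silently loses the carry.
 */
static void sha512_count_add_buggy(struct sha512_count *c, uint64_t len)
{
    if (!(c->lo += len))
        c->hi++;
}

/*
 * Correct carry detection: with modular 64-bit addition the sum is smaller
 * than the addend if and only if the addition wrapped.
 */
static void sha512_count_add_fixed(struct sha512_count *c, uint64_t len)
{
    c->lo += len;
    if (c->lo < len)
        c->hi++;
}

/*
 * Bit length that goes into the final SHA-512 padding block: byte count * 8
 * as a 128-bit value. The top three bits of the low byte-count word shift
 * into the high word, so an undercounted high word produces a wrong length
 * and therefore a wrong digest.
 */
static void sha512_bit_length(const struct sha512_count *c,
                              uint64_t *bits_hi, uint64_t *bits_lo)
{
    *bits_hi = (c->hi << 3) | (c->lo >> 61);
    *bits_lo = c->lo << 3;
}

int main(void)
{
    /* Constructed input: the low word is 10 bytes short of wrapping. */
    struct sha512_count buggy = { UINT64_MAX - 10, 0 };
    struct sha512_count fixed = { UINT64_MAX - 10, 0 };
    uint64_t bh, bl;

    sha512_count_add_buggy(&buggy, 20);
    sha512_count_add_fixed(&fixed, 20);

    printf("buggy check: lo=%" PRIu64 " hi=%" PRIu64 " (carry lost)\n",
           buggy.lo, buggy.hi);
    printf("fixed check: lo=%" PRIu64 " hi=%" PRIu64 " (carry kept)\n",
           fixed.lo, fixed.hi);

    sha512_bit_length(&fixed, &bh, &bl);
    printf("bit length hashed in padding: hi=%" PRIu64 " lo=%" PRIu64 "\n",
           bh, bl);
    return 0;
}
```

The `!(c->lo += len)` form only notices a wrap that lands exactly on zero; any update that crosses the 2^64 boundary and ends on a non-zero value is miscounted, which is what the "sum smaller than addend" test catches.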
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.