[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (3.2.0-33.52)

Sonja Tideman sonja.tideman at oracle.com
Wed Nov 14 16:41:08 PST 2012


Synopsis: 3.2.0-33.52 can now be patched using Ksplice

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.2.0-33.52.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
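
A host-side check for the two cases above, as an added example that is not part of the original announcement or of Ksplice Uptrack: it reads the autoinstall setting and reports whether the update arrives automatically or needs a manual uptrack-upgrade run. The function names conf_value and update_mode, the INI parsing rules and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Oracle/Ksplice code.

# Print the effective (lower-cased) value of KEY in an INI-style file.
# Comment lines and section headers are skipped, blanks around "=" are
# ignored, and the last assignment wins (assumption about the client's parser).
conf_value() {  # usage: conf_value KEY FILE
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) != key) next
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            val = tolower(v)
        }
        END { print val }
    ' "$2"
}

# Echo "auto", "manual" or "unknown" (config missing or unreadable).
update_mode() {  # usage: update_mode [FILE]
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo unknown; return 0; }
    if [ "$(conf_value autoinstall "$conf")" = "yes" ]; then
        echo auto
    else
        echo manual
    fi
}

# Constructed sample config: the only active setting turns autoinstall off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF

case "$(update_mode "$sample")" in
    auto)   echo "autoinstall = yes: the update installs automatically" ;;
    manual) echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y as root" ;;
    *)      echo "uptrack.conf not readable" ;;
esac
rm -f "$sample"
```

Called with no argument, update_mode reads /etc/uptrack/uptrack.conf, the path given above.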


DESCRIPTION

* Kernel hang when unregistering sysctl entry.

A reference counting error in procfs can cause a kernel hang when
unregistering a sysctl entry.


* Denial of service in network block device.

A race condition when a network block device server fails can lead to
memory exhaustion.


* Kernel panic in Broadcom 5709 driver.

A kernel panic can be triggered when a Broadcom 5709 device is under
heavy load.


* Data corruption in HP Smart Array SCSI driver.

An unhandled protocol error could result in data corruption when
configured in a multipath system.


* CIFS pathname memory corruption.

A heap buffer overflow can be triggered remotely when processing UTF-16
pathnames.


* Deadlock in cfg80211 wireless subsystem.

Incorrect locking could result in circular locking leading to deadlock
and a system hang.


* Use-after-free in TI High End CAN controller.

On module unload, the TI High End CAN controller driver freed I/O
memory before it had finished using it, resulting in a use-after-free
condition and kernel crash.


* Use-after-free in USB.

A race condition when removing host controllers can cause a
use-after-free if a process is reading /sys/kernel/debug/usb/devices
while the controller is being removed.


* Kernel hang in device probing.

The kernel can hang when probing devices in parallel on a single-CPU
machine.


* System lock up in USB gadget.

Invalid memory accesses can occur when a USB2 host controller probes
fine but USB3 does not.  This causes the USB HUB code to lock up the
system trying to enumerate the USB2 controller using memory that is
no longer available.


* Memory leak in HID hidraw.

Fixes two sources of memory leaks in the HID hidraw code.  The first
occurs when the hidraw device is not read fast enough:
hidraw_report_event will cycle and leak list->buffer.  The second is
that list->buffer was not freed upon release.


* Use-after-free in HID hidraw.

When a device is unplugged, the memory associated with the device was
being freed without waiting for all processes that have opened the
device to close, causing a potential use-after-free.  Fixed so that it
waits until all processes that have opened the device close it before
freeing the memory.


* NULL pointer dereferences in xfrm code.

An unexpected return of a NULL pointer in two functions in the xfrm
code could cause a NULL pointer dereference.  This could lead to a
privilege escalation if an attacker has CAP_NET_ADMIN and is able
to map address 0.


* Kernel information leaks in network transformation subsystem.

This fixes several cases where xfrm_user code could leak kernel
memory to user space.


* Guest crash when attaching a netxen NIC to a VM.

If the root bus is null when attaching a netxen NIC to a VM
the guest will crash due to a NULL pointer dereference.


* Denial of service with net sched cbq configuration.

It is possible to set up a net scheduler class based queueing (cbq)
configuration that leads to an infinite loop in cbq_classify().


* Kernel crash in packet scheduler.

Invalid start times can be assigned to a class in the Quick Fair Queue
(QFQ) scheduler.  This can lead to data structure corruption which may
result in a crash.


* Denial of service in TCP IOAT DMA.

When the receive wait queue is zero and the sk_async_wait_queue is
non-empty, a recv() syscall can cause sk_wait_data() to block
forever.


* Kernel crash with keepalive on raw TCP sockets.

It is possible to use RAW sockets to trigger a crash in
tcp_set_keepalive() / sk_reset_timer() when attempting
to set TCP keepalive on a RAW socket.


* Deadlock in VFS file renaming.

A deadlock can be triggered in the VFS subsystem when renaming files.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




