[Ksplice][Ubuntu-13.10-Updates] New updates available via Ksplice (USN-2117-1)

Samson Yeung samson.yeung at oracle.com
Fri Feb 21 18:19:13 PST 2014


Synopsis: USN-2117-1 can now be patched using Ksplice
CVEs: CVE-2013-1059 CVE-2013-4563 CVE-2013-4587 CVE-2013-6382 CVE-2013-6432 CVE-2014-1446

Systems running Ubuntu 13.10 Saucy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2117-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 13.10 Saucy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
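
A small check, added here as an example and not part of the Ksplice notice, that tells an administrator which of the two paths above applies to a host: it reads the autoinstall setting from uptrack.conf (assumed to use "key = value" lines with "#" comments, as the "autoinstall = yes" form above suggests) and reports whether the updates will arrive on their own or whether uptrack-upgrade must be run by hand.

```shell
#!/bin/sh
# Added example, not code from the Ksplice advisory or the uptrack package.
# Assumption: /etc/uptrack/uptrack.conf is "key = value" per line, "#" comments.

# Returns 0 when the given config enables autoinstall, 1 otherwise.
# A default path is used when no argument is given.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    # Drop comments first so "# autoinstall = yes" does not count, then
    # accept only an uncommented "autoinstall = yes" (value case-insensitive).
    sed 's/#.*//' "$conf" \
        | grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# Prints the action the advisory asks for, given a config path.
uptrack_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall: updates for USN-2117-1 will be applied automatically"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Demo on a constructed config (not a real host's file): the only
# "autoinstall = yes" is commented out, so manual action is reported.
demo_conf=$(mktemp)
printf '# autoinstall = yes\nautoinstall = no\n' > "$demo_conf"
uptrack_action "$demo_conf"
rm -f "$demo_conf"
```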


DESCRIPTION

* Deadlock in SELinux/netlabel on connect().

Incorrect locking in the SELinux/netlabel glue code could lead to a
deadlock. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Out-of-bounds write in iscsi-target when computing checksums.

Incorrect length checking in iscsi-target code could lead to a one byte
out-of-bounds write. An attacker could use this to cause a
denial-of-service or potentially escalate privileges.


* Incorrect credentials checking in iscsi-target with CHAP authentication.

A flaw in the username checking in iscsi-target CHAP authentication causes
any username that has the correct username as a prefix to be accepted.


* Denial-of-service in cpuset subsystem when changing cpuset.

Incorrect locking when changing the cpuset of a running task could result in a
deadlock. A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory leak in QXL DRM driver releases.

Releases were incorrectly freed in the QXL DRM driver resulting in a
memory leak and eventual kernel crash on memory exhaustion.


* Memory leak in pseudo terminal filesystem.

The pseudo terminal filesystem, /dev/pts, does not free memory when it is
unmounted, leading to a kernel memory leak and possible kernel panic.


* Denial-of-service in System V message queue send path.

An incorrect comparison between signed and unsigned integers could allow
msgsnd() to bypass the msgmax message queue limit and crash the kernel. A
local, privileged user could use this flaw to cause a denial-of-service.


* Denial-of-service in loop block subsystem when unloading the loop module.

A logic error in the error path when allocating a block queue in the loop
module could result in a NULL pointer dereference. A local, privileged user
could use this flaw to cause a denial-of-service.


* NULL pointer dereference in GPMI NAND controller while DMA operations are ongoing.

A race condition in the GPMI NAND controller driver could result in a NULL
pointer dereference and kernel crash. A local, privileged user could use
this flaw to cause a denial-of-service.


* Memory leak in ext4 filesystem when expanding inode with extended attributes.

A flaw in the ext4 inode expanding code could result in a buffer head
memory leak. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Resource leak in Xen blkback block driver during discard.

Incorrect reference counting could result in a failure to free the block
interface.  This could cause device hotplug to fail.


* Memory corruption in block core on control group queue initialization failure.

Incorrect error handling could result in memory corruption and a kernel
crash when queue initialization fails.


* Use-after-free in netfilter connection tracking extensions.

A race condition in netfilter connection tracking allows the kernel to free
in-use extensions, leading to a use-after-free condition and kernel panic.


* Use-after-free in NFS client file locking.

If a file locking operation is denied by an NFS server, the kernel NFS
client does not correctly free memory, leading to a use-after-free condition
and kernel panic when retrying the file lock operation.


* Denial-of-service in NFSv4 open recovery.

Incorrect handling of open recoveries on an NFSv4 filesystem with
delegations enabled could result in a NULL pointer dereference.  A
local, unprivileged user could use this flaw to crash the system.


* Kernel crash in bonding device updelay/downdelay setting.

Missing locking in the updelay/downdelay setting functions could result
in the kernel using a user-supplied value before validation.  A
privileged, local user could use this to cause a divide-by-zero error,
crashing the kernel.


* Denial-of-service in ISDN Loop driver when starting a card.

A lack of input validation in the ISDN Loop driver could lead to a buffer
overflow. Using a specially crafted ioctl, a local attacker could use this
flaw to cause a kernel crash or potentially execute arbitrary code in
kernel mode.


* Deadlock in UDP stack on connect().

Incorrect locking in the UDP connect() code could lead to a deadlock or
memory corruption. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Information leak in IPv6 UDP stack when dequeuing error messages.

Lack of initialization in the IPv6 UDP stack could lead to leaking
information from the stack. A remote attacker could use this flaw to obtain
information about the running kernel.


* Memory leak in ATM driver after device initialization.

Incorrect reference counting in the ATM driver causes a memory leak. A
local, privileged user could use this flaw to exhaust the memory on the
system and potentially lead to a denial-of-service.


* Filesystem corruption via preallocated file truncation.

Missing permission checks in a preallocated XFS file could allow an
unprivileged local user to corrupt files that they did not own.


* Denial-of-service in NFSv4 client session delegation.

An incorrect assumption in the kernel NFSv4 client can cause the kernel to
stop processing all server responses when handling delegation responses.


* Memory leak in Marvell WiFi-Ex driver.

When re-connecting to an ad-hoc network, the Marvell WiFi driver does not
free memory, leading to a kernel memory leak and subsequent kernel panic.


* Memory corruption in Intel WiFi driver debugfs.

The debugfs interface to the Intel WiFi driver does not validate station
IDs when writing to the 'sta_drain' file, leading to an out-of-bounds read
and possible memory corruption.


* Memory corruption in XFS filesystem resizing.

The kernel XFS filesystem driver uses an incorrect offset when resizing V4
filesystem images leading to memory corruption and a kernel panic.


* Memory corruption in block device TABLE_LOAD ioctl.

The kernel block device driver does not correctly handle a large number of
targets in the DM_TABLE_LOAD_CMD ioctl, leading to memory corruption and a
kernel panic.


* Memory corruption in block device persistent meta-data storage.

A missing error check when allocating meta-data for an on-disk persistent
data structure can trigger memory corruption and a kernel panic.


* Use-after-free in NFS duplicate request cache.

Under certain circumstances the kernel NFS server will incorrectly reuse a
Duplicate Request Cache entry, leading to a use-after-free condition and
kernel panic.


* Denial-of-service when deleting btrfs subvolumes.

A reference count is not correctly updated if a process is killed while
deleting a subvolume on a btrfs filesystem. This makes it impossible to
unmount the filesystem and leaks kernel resources.


* Memory corruption in btrfs IOC_SEND ioctl.

An incorrect access check when processing a BTRFS_IOC_SEND ioctl can allow a
local privileged user to trigger kernel memory corruption and cause a kernel
panic.


* CVE-2013-4587: Privilege escalation in KVM when creating VCPU.

A lack of input validation in the KVM code when creating a VCPU could lead
to an out-of-bounds memory write. A local user could use this flaw to cause
a kernel crash or potentially escalate privileges.


* Use-after-free in block device persistent storage.

A reference counting error in the implementation of on-disk persistent data
structures on block devices can trigger a use-after-free condition and cause
a kernel panic.


* CVE-2013-6382: Denial-of-service in XFS filesystem ioctls.

Multiple buffer underflows in the XFS implementation in the Linux kernel
could allow local users with the CAP_SYS_ADMIN capability to cause a
denial of service (memory corruption) or possibly have unspecified other
impact.


* Memory leak when reading btrfs extent map.

If an invalid extent map is found when mounting a btrfs filesystem, the
extent map is not freed, causing a kernel memory leak and subsequent kernel
panic.


* Incorrect default ACLs on btrfs directories.

When creating a directory on a btrfs filesystem which inherits default ACLs
from its parent, an incorrect error check causes the ACLs to be discarded
from the newly created directory.


* NULL pointer dereference in Huge TLB subsystem.

A missing check in the Huge TLB subsystem could lead to a NULL pointer
dereference and panic. An attacker could use this flaw to cause a
denial-of-service.


* Missing check in selinux for outbound IPSec packets.

A missing check in selinux allowed any outbound IPSec packets to pass
through. This flaw could allow a local, unprivileged user to send
unauthorized traffic.


* Data loss using ext4 with journaling.

Incorrect handling of errors from the journal layer could result in
deadlock between ext4 and jbd2, eventually resulting in data loss.


* Use-after-free in ext4 when creating new block.

Incorrect locking in ext4 could lead to a use-after-free and a kernel
crash when creating a new block on an ext4 filesystem.


* Denial-of-service in ext2 when writing quota.

A flaw in ext2 quota management could lead to the use of uninitialized
memory. A local, privileged user could use this to cause a denial-of-service.


* Denial-of-service in ext4 filesystem unmounting.

A race condition in ext4 could result in a use-after-free and kernel
crash. A local, privileged user could use this flaw to cause a
denial-of-service, or potentially escalate privileges.


* Out-of-bounds memory access in radiotap iterator.

A lack of input validation in the radiotap iterator code could lead to an
out-of-bounds memory access. A local, privileged user could use this to cause
a denial-of-service, or potentially escalate privileges.


* Denial-of-service in ext4 when partition is full.

Incorrect locking in ext4 could lead to a use-after-free. An attacker could
use this to cause a denial-of-service.


* Disk corruption on ext4 filesystems due to physical block address corruption.

Incorrect calculation of physical block addresses could result in corruption
of the on-disk filesystem.


* Logic error in selinux when checking permissions on recv socket.

A logic error in selinux permission checking could allow data that should
have been forbidden to be received.


* Memory leak in CIFS symlink management code.

Incorrect reference counting in the CIFS code leads to a memory leak. A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Use-after-free in memory management subsystem when remapping files.

A flaw in the memory management subsystem could lead to a use-after-free
and panic. An attacker could use this to cause a denial-of-service.


* NULL pointer dereference in memory management on memory failures.

Incorrect reference counting in the memory management subsystem could lead
to a panic. An attacker could use this to cause a denial-of-service.


* Denial-of-service in GFS2 filesystem when mounting.

Incorrect locking in the GFS2 filesystem could lead to a deadlock when
mounting a partition more than once. A local, privileged user could use
this flaw to cause a denial-of-service.


* CVE-2013-1059: NULL pointer dereference in CephFS authentication.

A lack of validation can allow a remote user to trigger a NULL pointer
dereference and kernel panic by attempting to authenticate with the
"auth_none" Ceph authentication.


* Denial-of-service in ext4 created with bigalloc.

A logic error in the ext4 filesystem with the bigalloc feature enabled could
cause unexpected journaling errors, potentially leaving the filesystem in a
read-only state. A local, unprivileged user could use this to cause a
denial-of-service.


* Use-after-free in virtio device removal.

The recently added multiqueue support for virtio devices introduced a
use-after-free vulnerability when removing virtio devices, leading to a
kernel panic.


* CVE-2013-4563: Memory corruption in UDPv6 fragment offloading.

An integer overflow can occur when preparing fragmented UDPv6 packets
leading to memory corruption and kernel panic.


* Information leak in socket monitoring interface.

For non-AF_INET6 sockets the kernel does not initialize fields in socket
monitoring data, causing the contents of kernel memory to be leaked to
userspace.


* CVE-2014-1446: Information leak in YAM radio modem ioctl.

The YAM radio modem driver does not initialize kernel memory when processing
the SIOCYAMGCFG ioctl, leading to the contents of kernel memory being leaked
to userspace.


* NULL pointer dereference in RDS socket binding.

A missing pointer validation can trigger a NULL pointer dereference and
kernel panic when binding an RDS socket.


* Memory leak in virtio mergeable buffers.

If an error is encountered when receiving mergeable packets on a virtio
device, any remaining packets are leaked, leading to a loss of networking.


* Use-after-free in logical link control stream sockets.

Receiving stream data on an LLC socket can trigger a use-after-free
condition and kernel panic if the MSG_PEEK flag is not used.


* NULL pointer dereference in netpoll packet transmission.

When an error is encountered adding a VLAN tag to a packet, the error path
attempts to dereference a NULL pointer leading to a kernel panic.


* Deadlock in bridge multicast 'hash_max' sysfs file.

Incorrect locking when changing the 'hash_max' setting via the sysfs
interface can trigger a deadlock and kernel panic.


* NULL pointer dereference in selinux code when checking inode permission.

A race condition in the selinux code could lead to a NULL pointer
dereference and kernel panic. A local, unprivileged user could use this
flaw by opening and closing files in parallel to cause a denial-of-service.


* Information leak in audit subsystem when getting status from audit netlink.

A missing field assignment in the receive loop of audit causes an
information leak. A local user with CAP_AUDIT_CONTROL could use this flaw
to obtain information on the running kernel.



* Denial-of-service in network stack on sending UDP/ICMP or connecting to TCP socket.

Incorrect locking in various places of the TCP stack could lead to a
deadlock under specific conditions.


* Incorrect SELinux security label marking of TCP SYN-ACK packets.

SELinux could mishandle TCP SYN-ACK packets in selinux_ip_postroute and
store an incorrect security label.


* Missing check in selinux for IPSec TCP SYN-ACK packets.

Due to a flaw in the selinux code, IPSec TCP SYN-ACK packets could pass
through without permission checking. An attacker could use this to send or
receive unauthorized traffic.


* Denial-of-service in ext4 extent validation.

Incorrect handling of overlapping extents could result in a failed kernel
assertion and a system crash. A local, privileged user could use a
carefully crafted filesystem to cause a denial-of-service.


* Use-after-free in Intel graphic card driver when releasing file descriptor.

Incorrect locking in the Intel graphic card driver could lead to a
use-after-free and panic.


* Use-after-free in Intel graphic card driver under high memory pressure.

Heavy memory pressure could lead to a use-after-free and to a panic in
the Intel graphic card driver.


* Denial-of-service in XFS quota management.

Turning off group quota on a mounted XFS filesystem with user quota enabled
causes xfs_quota to hang.


* Deadlock in QIB QLogic driver during SDMA transfer.

Incorrect locking in the QIB QLogic driver could lead to a deadlock in
specific conditions. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* NULL pointer dereference in Renesas GPIO driver.

An incorrect error path could lead to a NULL pointer dereference and
kernel panic in the Renesas R-Car GPIO driver.


* Information leak in HID subsystem due to 64/32 bit mismatch.

The 64/32 bit compat handler failed to zero out unused fields, which could
leak information to user space that an attacker could use to obtain
privileged information about the running kernel.


* Use-after-free in Infiniband SCSI RDMA protocol.

Incorrect target removal could result in a use-after-free and subsequent
kernel crash.


* Kernel crash in NFS SELinux label setting.

NFS could cause a kernel oops when trying to set the SELinux label due
to incorrect setup.


* Kernel panic while getting TCP metrics.

The kernel could panic or crash when using TCP Fast Open, which an attacker
could use to cause a denial-of-service.


* CVE-2013-6432: Denial-of-service in ICMP sockets.

A missing NULL pointer check could result in a kernel crash and
denial-of-service, triggerable by a local user with permissions to
create ICMP sockets.


* Use-after-free in pipe_inode_info.

A race condition between the pipe_release and fifo_open syscalls could
result in a kernel crash, which an attacker could use to cause a
denial-of-service.


* NULL pointer dereference in cpuidle device unregistration.

A missing NULL check could result in a NULL pointer dereference and kernel
crash when a system has cpuidle disabled, including Xen guests.


* Denial-of-service in virtual function I/O IOMMU_MAP_DMA ioctl.

An incorrect assertion in the VFIO_IOMMU_MAP_DMA ioctl allows local
users with access to the /dev/vfio/vfio device to trigger a kernel
panic.


* Kyro video driver information leak and memory corruption.

The Kyro framebuffer video driver could copy more data than intended, which
could cause memory corruption or leak kernel memory to userspace. An attacker
could use this to cause a denial-of-service or read kernel memory.


* Use-after-free in ipv6 tunnel driver.

The ipv6 tunnel driver had a bug which could cause a use-after-free when
unloading the ipv6_tunnel driver.


* NULL pointer dereference in Rados block device.

The Ceph distributed object store block device, Rados, could dereference
a NULL pointer which could cause a kernel oops.


* Use-after-free in IPv6 flow label allocation checks.

Incorrect locking could result in a use-after-free condition when
performing allocations and lead to a kernel crash.


* NULL pointer dereference in libceph.

If nr_maps is zero in both places where it is used, a NULL pointer
dereference could occur.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
