[Ksplice][Ubuntu-13.10-Updates] New updates available via Ksplice (USN-2239-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jun 10 11:20:51 PDT 2014


Synopsis: USN-2239-1 can now be patched using Ksplice
CVEs: CVE-2014-0155 CVE-2014-2568 CVE-2014-3122 CVE-2014-3153

Systems running Ubuntu 13.10 Saucy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2239-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 13.10 Saucy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
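As an added example (not part of the Ksplice notice), a small POSIX shell helper that reads the autoinstall setting from an uptrack.conf-style file and reports whether the updates above will arrive automatically or whether uptrack-upgrade still has to be run by hand; the sample config it parses is constructed inline, and the real file lives at /etc/uptrack/uptrack.conf.

```shell
#!/bin/sh
# Added example, not Oracle's code: decide whether a host still needs a
# manual "uptrack-upgrade -y" by reading "autoinstall" from a config file
# in the /etc/uptrack/uptrack.conf format (ini-style "key = value" lines).

# Print the normalised autoinstall value ("yes", "no", ...) or "unset"
# from the file given as $1. Comment lines are ignored, whitespace around
# "=" is tolerated, case is folded, and the last assignment wins.
uptrack_autoinstall() {
    awk -F '=' '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        $1 ~ /^[ \t]*autoinstall[ \t]*$/ {
            v = tolower($2); gsub(/[ \t]/, "", v); val = v
        }
        END { if (val == "") print "unset"; else print val }
    ' "$1"
}

# Map the setting to the action this notice asks for: "auto" when Ksplice
# Uptrack installs the updates itself, "manual" when the admin must run
# /usr/sbin/uptrack-upgrade -y.
uptrack_action() {
    case "$(uptrack_autoinstall "$1")" in
        yes) echo auto ;;
        *)   echo manual ;;
    esac
}

# Constructed sample config for demonstration only.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[Settings]
# install updates automatically
autoinstall = yes
EOF
echo "sample config: $(uptrack_action "$SAMPLE")"   # prints "sample config: auto"
rm -f "$SAMPLE"
```

On a real host, pass /etc/uptrack/uptrack.conf and run the upgrade command only when the result is "manual".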


DESCRIPTION

* CVE-2014-3153: Local privilege escalation in futex requeueing.

Invalid parameters to the futex() syscall may break assumptions made in
the kernel and would leave dangling pointers that could be exploited
to gain root privileges.


* Data corruption in ext4 extents lookup.

The ext4 file-system driver does not validate a return value when mapping
extent-based files, leading to possible data corruption.


* Use-after-free in jffs2 garbage collection.

A logic error can cause a use-after-free and kernel panic when reserving space
on a jffs2 file-system.


* Memory corruption when creating large files on jffs2 images.

An integer overflow in the jffs2 file-system driver when calculating the size
of a large file can trigger kernel memory corruption and kernel panic.


* Data corruption in ext4 when handling partial clusters.

Data corruption can be triggered on ext4 bigalloc filesystems by punching holes
in files with partial clusters.


* Memory corruption when sending Infiniband QLogic HTX diagnostic packets.

An integer overflow when sending diagnostic packets over an Infiniband QLogic
HTX device can trigger memory corruption and a kernel panic.


* NULL pointer dereference when creating Infiniband NetEffect queue pairs.

A NULL pointer is dereferenced when creating a queue pair for an Infiniband
NetEffect RNIC device, causing a kernel panic.


* Use-after-free in mac80211 BSS.

The mac80211 code was incorrectly using the bss struct after
it may have been freed in ieee80211_rx_bss_put, leading to a
kernel panic.


* Deadlock in nested btrfs transactions.

Invalid reference counting when handling nested btrfs transactions can lead to
a deadlock and kernel panic.


* Memory corruption in NFSv4.1 extended attributes.

Missing bounds checking in the NFSv4.1 server when encoding extended file
attributes could lead to memory corruption and kernel panic.


* Kernel BUG in NFS lockd socket creation.

When socket creation failed during lockd_up, all live sockets
were not getting properly cleaned up, causing a kernel BUG.


* Data corruption when deleting sparse files on ext4 filesystem.

The ext4 file-system driver does not correctly handle deleting sparse files on
ext4 bigalloc file-systems leading to data corruption.


* NULL pointer dereference in PID namespaces.

The kernel does not validate a pointer when looking up the PID namespace of a
given process, which leads to a NULL pointer dereference and kernel panic.


* Denial-of-service in XFS directory lookup.

The XFS file-system driver incorrectly hashes directory entries when listing a
directory, causing directory entries to be hidden. A local unprivileged user
can use this flaw to force the file-system to be remounted read-only.


* Kernel panic when recovering iSCSI target connections.

An invalid pointer is dereferenced when recovering a dropped iSCSI connection,
triggering a kernel panic.


* CVE-2014-3122: Denial-of-service in non-linear memory mappings.

An assertion failure and kernel panic can be triggered when unmapping a
non-linear memory mapping.  This could be exploited by a local,
unprivileged user to crash the system.


* NULL pointer dereference when exiting a process.

Kernel networking resources are released in the incorrect order when exiting a
process, leading to a possible NULL pointer dereference and kernel panic.


* Denial-of-service when exiting processes.

A race condition when a process is exiting can lead to a process not releasing
kernel resources. A local unprivileged user could use this flaw to exhaust
kernel resources and cause a kernel panic.


* Machine check exception in b43 wireless driver.

An improper access to a register in the b43 wireless driver can
lead to a CPU exception and kernel panic.


* Kernel panic in Infiniband SRP DMA.

A kernel panic can be triggered when transferring data over DMA to a device
supporting Infiniband SCSI RDMA.


* Kernel panic when hotplugging a PCI USB controller card.

A race condition in the USB subsystem can trigger a kernel panic when
hotplugging a PCI USB controller card.


* Kernel crash in AHCI with dummy port.

The system may crash in ahci_hw_interrupt() or ahci_thread_fn() when
accessing the interrupt status in a port's private_data if the port is
actually a DUMMY port.


* Kernel panic when inserting function tracer.

Missing synchronization across CPUs can cause a kernel panic when inserting a
function tracer.


* Kernel oops in mpt2sas suspend.

A duplicate disable when suspending in mpt2sas can lead
to a kernel oops.  A malicious user could use this to
cause a denial of service.


* NULL pointer dereference in virtio-scsi.

A missing pointer check in set_affinity can lead to a NULL
pointer dereference and kernel crash.


* Kernel crash in QXL virtual graphics adapter object reference counting.

Incorrect handling of unreferenced objects could result in hitting a
kernel assertion and crashing the system.


* Kernel crash in OCFS2 distributed lock manager migration.

When recovering from a lock migration, the OCFS2 filesystem could
incorrectly dereference a wild pointer resulting in a kernel crash.


* Kernel crash in VMWare Virtual GPU DMA.

Incorrect DMA boundary checks could allow userspace to perform DMA to
invalid addresses resulting in memory corruption, or possibly escalating
privileges.


* CVE-2014-0155: Denial-of-service on KVM host when handling end of interrupts.

A lack of input validation in KVM hosts when handling the redirection table of
an emulated interrupt controller could lead to a crash of the host. A
local, privileged user of a guest could use this flaw to cause a
denial-of-service via a specifically crafted redirection table entry.


* CVE-2014-2568: Information leak in netlink packet copying.

A reference counting error in the netlink net-filter subsystem can cause the
contents of kernel memory to be leaked to unprivileged users in netlink packets.


* Memory leak in Radeon buffer object reservation failure.

Incorrect failure handling could result in a memory leak when an
allocation failed resulting in an eventual kernel crash.


* Deadlock in Broadcom IEEE802.11n PCIe SoftMAC WLAN driver firmware loading.

Incorrect firmware loading could result in deadlock when activating a
network device with no firmware installed.


* NULL pointer dereference in POSIX access control lists.

Incorrect error checking could result in a NULL pointer dereference when
converting from a POSIX access control list to an extended access
control list on some filesystem types including GFS2.


* Audit bypass with process namespaces with PPID based filters.

The audit logging used the PPID from inside the namespace rather than
the ID from the initial namespace.  This could allow malicious processes
to bypass audit rules.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

