[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (3.13.0-35.62)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Aug 29 09:12:46 PDT 2014


Synopsis: 3.13.0-35.62 can now be patched using Ksplice
CVEs: CVE-2014-0155 CVE-2014-0181 CVE-2014-0206 CVE-2014-4014 CVE-2014-4171 CVE-2014-4508 CVE-2014-4611 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-4667 CVE-2014-4715 CVE-2014-5045 CVE-2014-5077

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-35.62.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
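
As an added check (not part of the Ksplice announcement), the following POSIX shell script reports whether a uptrack.conf enables autoinstall, so the update will arrive without action, and whether a `uname -r` style release corresponds to the 3.13.0-35.62 package this announcement targets. It assumes Ubuntu's convention that package version 3.13.0-35.62 boots as kernel release 3.13.0-35-<flavour>; the sample configuration in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from Oracle or the Ksplice project: reads an
# uptrack.conf and a kernel release string and reports whether this
# announcement applies and whether the update installs automatically.

TARGET_KERNEL="3.13.0-35.62"   # Ubuntu package version named in the announcement

# Return 0 if the config enables autoinstall ("autoinstall = yes"),
# tolerating case, surrounding whitespace and commented-out lines;
# the last assignment in the file wins. Return 1 otherwise.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -e 's/[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# Return 0 if a release string such as "3.13.0-35-generic" carries the same
# upstream version (3.13.0) and ABI number (35) as the package version
# 3.13.0-35.62. Assumption: Ubuntu's <version>-<abi>.<upload> package naming
# maps to a <version>-<abi>-<flavour> uname -r.
kernel_matches_target() {
    release="$1"
    pkg_version=${TARGET_KERNEL%%-*}            # 3.13.0
    pkg_abi=${TARGET_KERNEL#*-}
    pkg_abi=${pkg_abi%%.*}                      # 35
    rel_version=${release%%-*}                  # 3.13.0
    rel_rest=${release#*-}
    rel_abi=${rel_rest%%-*}                     # 35
    [ "$pkg_version" = "$rel_version" ] && [ "$pkg_abi" = "$rel_abi" ]
}

# Stand-alone run: report on this host using the live kernel and config path.
if kernel_matches_target "$(uname -r)"; then
    echo "running kernel matches $TARGET_KERNEL: this announcement applies"
else
    echo "running kernel is not $TARGET_KERNEL: this announcement may not apply"
fi
if uptrack_autoinstall_enabled /etc/uptrack/uptrack.conf; then
    echo "autoinstall = yes: Ksplice updates install automatically"
else
    echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y"
fi
```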


DESCRIPTION

* CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.

A Linux kernel built with support for the Stream Control Transmission
Protocol is vulnerable to a NULL pointer dereference flaw. It could occur
when simultaneous new connections are initiated between the same pair of
hosts. A remote user/program could use this flaw to crash the system kernel,
resulting in denial-of-service.


* Kernel crash in ACPI core string printing.

Missing length validation could result in accessing past the end of a
buffer resulting in a kernel crash in rare conditions.


* Use-after-free in Micro PCIe SSDs block driver when unloading the module.

Calling de-allocation routines in the wrong order at module exit could cause
a use-after-free and kernel panic. A local, privileged user could use this
flaw to cause a denial-of-service.


* NULL pointer dereference in Maxim MAX77693 MUIC probing.

Missing platform data validation could result in a NULL pointer
dereference when probing a MAX77693 device.


* NULL pointer dereference in Maxim MAX8997 MUIC probing.

Missing platform data validation could result in a NULL pointer
dereference when probing a MAX8997 device.


* Data corruption in EXT4 filesystems in ordered mode.

Incorrect synchronization between the EXT4 filesystem and page cache
could result in data corruption when the filesystem is in ordered mode
and a sync operation is followed by truncation.


* Use-after-free in InfiniBand SCSI RDMA Protocol when unplugging a cable.

As a result of unplugging a cable, a SCSI command could be freed while still
in use, resulting in a use-after-free and kernel panic. An attacker with
physical access could use this flaw to cause a denial-of-service.


* Use-after-free in InfiniBand iSCSI extension unload.

Missing synchronization could allow asynchronous work to run after
unloading the iser module, causing a kernel crash.


* Kernel BUG in reiserfs when NFS changes file attributes.

Incorrect locking in the reiserfs code could lead to a race condition when
NFS changes a file attribute concurrently with the file being released,
leading to a kernel BUG and denial-of-service. A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Denial-of-service in CIFS SMB2 file opening.

Missing memory freeing could result in memory exhaustion in the kernel.
A local, unprivileged user could use this flaw to trigger a
denial-of-service.


* Denial-of-service in EXT4 block allocation.

Incorrect validation of request sizes could result in hitting a kernel
assertion and crashing the system.  A local, privileged user could use
this flaw to crash the system with a carefully crafted filesystem image.


* Denial-of-service on mac80211 station rate selection.

If the rate control algorithm uses a selection table, the
table gets leaked when the station is destroyed.  A malicious
privileged user could exploit this to cause a denial-of-service.


* Kernel oops in mac80211 debugfs access.

An invalid check of the netdev state during a debugfs read
or write for mac80211 can cause a kernel oops.


* Use-after-free in HyperV guest driver when connecting to the host.

A logic error in the HyperV driver code when there is an error connecting to
the host leads to freeing a page that was never allocated, potentially
leading to use-after-free or double-free errors.


* Task hang in memory control group under out-of-memory conditions.

Incorrect handling of exiting tasks could result in a hang in the memory
control group controller when the control group was out of memory.


* Integer overflow in ID radix tree.

An integer overflow in the ID to pointer radix tree could result in
incorrect IDs being returned. This could result in undefined behaviour
in kernel subsystems using the IDR tree.


* Memory leak in NFS filesystem when releasing a lock stateid.

A flaw in the NFS filesystem code when releasing a lock stateid results in
the lock owner not being freed, resulting in a memory leak. A local,
unprivileged user could use this flaw to exhaust the memory on the system
and cause a denial-of-service.


* Use-after-free in BTRFS extent writing.

A double-free in BTRFS extent writing could result in a use-after-free
under specific conditions, resulting in memory corruption.


* NULL pointer dereference when remounting NFS filesystem mounted over IPv6.

A missing initialization of the networking namespace field of the
nfs_parsed_mount_data structure leads to a NULL pointer dereference and
kernel panic when remounting an NFS filesystem mounted over IPv6. A local,
privileged user could use this flaw to cause a denial-of-service.


* CVE-2014-4014: Privilege escalation in user namespace.

Incorrect use of the inode_capable() function to check permissions in a
user namespace allows unprivileged users to change the GID bit of files for
which they are not the group owner. A local, unprivileged user could use
this flaw to escalate privileges.


* Divide-by-zero in i915 driver with pixel_multiplier of zero.

When processing the config for SDVO, a missing zero check
could lead to a divide-by-zero error.


* Use-after-free in epoll file descriptor closing.

Incorrect locking when closing an epoll file descriptor could result in
a use-after-free condition.  A local, unprivileged user could use this
flaw to crash the system or possibly escalate privileges.


* CVE-2014-4652: Arbitrary memory disclosure in ALSA user controls.

Lack of synchronization between reads and writes to ALSA user controls
could lead to a kernel memory disclosure.


* CVE-2014-4654, CVE-2014-4655: Missing validity checks in ALSA user controls.

Missing validity checks when replacing user controls could lead to an attempt
to free something that is not a user control or a control that is not owned
by the process. Userspace was also allowed to bypass the user control count
by overflowing it.


* CVE-2014-4653: Use after free in ALSA card controls.

Missing synchronization in ALSA card controls could lead to a control
being freed while being in use.


* CVE-2014-4656: ALSA Control ID overflow.

Missing range checks in ALSA control IDs could lead to an integer overflow.


* Multiple denial-of-service problems in bluetooth code.

Multiple race conditions in the bluetooth code could cause deadlocks
in the bluetooth code.


* Denial-of-service with TKIP on Ralink USB devices.

The rt2x00 driver cannot atomically get a TKIP key, so TKIP support is
disabled; otherwise a kernel BUG() could be triggered. A malicious user
could exploit this to cause a denial-of-service.


* Data corruption in rbd block driver.

A bug in the rbd object request code could cause data corruption
when freeing an object request.


* CVE-2014-4508: Denial-of-service in syscall audit code when using wrong syscall number.

A flaw in the error path of the entry point of a syscall leads to a kernel
panic if syscall auditing is enabled and the syscall number is larger than
the number of syscalls. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Denial-of-service when updating the watchdog threshold from procfs.

Incorrect locking when updating the watchdog timers on all CPUs could
trigger a kernel BUG. A local, privileged user could use this flaw to cause
a denial-of-service by changing the watchdog threshold in procfs.


* Use-after-free in mbind vma merge.

A bug in the mm code could result in a use-after-free when doing
a vma merge, leading to a kernel crash.


* Invalid memory dereference in i915 debugfs file traverse.

A race condition while iterating through the i915 debugfs file list
could cause an invalid memory dereference, leading to a kernel panic.


* CVE-2014-0206: Information leak in asynchronous I/O ring buffer.

It was found that the aio_read_events_ring() function of the Linux
kernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the
AIO ring head received from user space. A local, unprivileged user could
use this flaw to disclose random parts of the (physical) memory
belonging to the kernel and/or other processes.


* Kernel oops in Allwinner Sun4i driver probe.

A failure to properly clean up after a failure in the mdio probe function
means that an interrupt is not properly freed, leading to a kernel oops if
that interface gets set up again.


* Use-after-free in ALSA card driver when closing PCM.

A race condition in the ALSA driver could lead to a use-after-free when
disconnecting from the device and closing the PCM concurrently. A local,
privileged user could use this flaw to cause a denial-of-service.


* Use-after-free in Target Core Module (TCM) when accessing sysfs.

A pointer is not cleared after being freed when removing a device
symlink, leading to a use-after-free later when reading the ALUA attributes
from sysfs. A local, privileged user could use this flaw to cause a
denial-of-service.


* List corruption in iSCSI Target driver when checking output data header.

A list corruption could be triggered under specific conditions in the iSCSI
Target driver when rejecting an output payload, potentially causing a
denial-of-service.


* CVE-2014-0155: Denial-of-service on KVM host when handling end of interrupts.

A lack of input validation in KVM hosts when handling redirection table of
an emulated interrupt controller could lead to a crash of the host. A
local, privileged user of a guest could use this flaw to cause a
denial-of-service via a specifically crafted redirection table entry.


* Information leak in mcp ram disk.

A failure to clear out mcp ramdisk pages could allow sensitive
information to be leaked via reads from a ramdisk_mcp.


* CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.

Incorrect reference counting in the error path of sctp_unpack_cookie()
could corrupt the backlog reference counter, preventing any future SCTP
association. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2014-4171: Denial-of-service in shared memory when faulting into a hole while it's punched.

A flaw in the shared memory fault implementation could lead to a kernel
hang if the fault happens to be in a hole which is being punched or
sliced. A local, privileged user could use this flaw to cause a
denial-of-service.


* Kernel panic in IP virtual server netfilter.

The kernel does not correctly handle the case of a non-linear ICMP
packet being received in response to an IPIP packet, leading to an
out-of-bounds read and kernel panic.


* NULL pointer dereference in USB gadget with empty string descriptors.

A NULL pointer dereference can occur if user space sends in an empty set
of strings to the USB gadget string descriptors.  This could cause a
kernel crash.


* NULL pointer dereference when probing non-FTDI devices.

If a user forces a non-FTDI device to be probed by the USB
serial FTDI code, it causes a NULL pointer dereference. This can
lead to a kernel crash.


* Kernel crash in virtio scsi workqueue.

A bug in the virtio scsi code allowed uninitialized work queue
items to be processed. This could lead to an invalid memory
reference and kernel crash.


* Kernel crash in virtio scsi aborted requests.

A race condition in virtio scsi could cause task management requests to be
completed more than once, leading to kernel BUGs or oopses.


* Data loss in ext4 block preallocation.

Incorrect computation of the number of blocks that need to be cleared
during preallocation leads to extra blocks being cleared out, causing
possible data loss.


* Invalid memory reference in NFSv4 symlink decoding.

A bug in how the nfsd decoded the data for a symlink operation
could lead to the nfsd code writing to an invalid memory location.


* CVE-2014-4715: Integer overflow in LZ4 library when uncompressing large blocks.

An integer overflow in the LZ4 algorithm implementation on 32-bit kernels
might allow attackers to cause a denial of service (memory corruption) or
possibly have unspecified other impact via crafted compressed data.


* Kernel panic in thermal hardware monitoring driver when unloading module.

A flaw in the thermal hardware monitoring driver could lead to
dereferencing an invalid address on module removal. A local, privileged
user could use this flaw to cause a denial-of-service.


* Multiple journal corruptions in the ext4 filesystem.

Multiple flaws in the ext4 filesystem could lead to incorrect checksums
being computed in the journal under specific conditions. These flaws could
cause the filesystem to be re-mounted read-only or cause data corruption
and denial-of-service.


* Memory leak in crypto CAAM Job Rings driver at module unloading.

Incorrect logic in the crypto CAAM Job Rings driver probe function leads to
a memory leak when unloading the module. A local, privileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Double-free in PHY core driver when releasing a PHY.

A flaw in the PHY driver could lead to a double free of a PHY device if the
PHY creation failed. A local, privileged user could use this flaw to cause
a denial-of-service.


* NULL pointer dereference in three-wire uart protocol support.

A flaw in the three-wire uart protocol (Bluetooth H5) leads to a NULL
pointer dereference when a non-link packet is found in the receive queue. A
remote attacker could inject specially crafted packets in the air to cause
a denial-of-service.


* Deadlock in the time stamp counter driver on CPU removal.

A logic error in the time stamp counter driver leads to a deadlock on CPU
removal. A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory corruption in asynchronous IO driver under heavy load.

Incorrect locking in the asynchronous IO driver could lead to memory
corruptions. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Denial-of-service in Intel high definition audio driver on suspend resume path.

A flaw in the Intel high definition audio driver leads the power management
stack to dereference invalid pointers if the Intel high definition audio
driver fails to load because of missing symbols. A local, privileged user
could use this flaw to cause a kernel panic and denial-of-service.


* Memory corruption in quota subsystem when shrinking its cache.

Missing locks when iterating over the free dquot list could lead to memory
corruptions and kernel panic. A local user could use this flaw to cause a
denial-of-service.


* Divide by zero when reading sched procfs file.

A 64-bit value is truncated to 32 bits after being tested for non-zero; the
truncated 32-bit value can still be zero, causing an in-kernel
divide-by-zero when reading the /proc/<pid>/sched procfs file. A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak in the Radeon display driver when retrieving the display modes.

The EDID of a display device could be allocated multiple times under
specific conditions, leading the first one allocated to be unreachable and
leaked. A local, privileged user could use this flaw to exhaust the memory
on the system and cause a denial-of-service.


* NULL pointer dereference in block control group queue draining.

A race between draining and destruction of a block control group queue
could result in a NULL pointer dereference and kernel crash.


* CVE-2014-5045: Denial-of-service in virtual filesystem core when trying to unmount a symlink.

Trying to unmount a symlink file on a mounted filesystem would increase the
reference counter for the mount point, preventing any further unmounting. A
local, privileged user could use this flaw to prevent any mount point from
being unmounted.


* NULL pointer dereference in 802.11 event tracing.

A missing NULL pointer check could result in a NULL pointer dereference
when tracing the 802.11 wireless subsystem.


* Denial-of-service in network sendmsg() calls.

Missing validation of msg_namelen on a sendmsg call could result in a
NULL pointer dereference.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Divide-by-zero during page writeback under memory pressure.

Missing validation could result in a divide-by-zero when performing
writeback on a system under memory pressure.


* NULL pointer dereference in IDT Tsi721 PCI Express SRIO Controller.

Missing error handling could result in a NULL pointer dereference when
managing descriptors in a Tsi721 device.


* Use-after-free in low-memory conditions in memory control groups.

Missing locking could result in a use-after-free condition after
removing a notification eventfd from a memory control group under low
memory conditions.


* Incorrect SELinux label in cryptographic sockets.

The kernel does not correctly apply an SELinux label to cryptographic
control sockets. This can allow local users to bypass SELinux policies.


* Information leak in QLogic Data Center Bridging (DCB).

A lack of structure initialization in the QLogic DCB driver discloses 2
bytes of kernel stack to userspace. This could be used by an attacker to
gather information about the running kernel and help in a potential attack.


* Use-after-free in UDP stack in the fast transmit path.

Incorrect locking in the UDP stack when using the lockless transmit path
can lead to a race-condition causing a use-after-free and kernel panic. An
attacker could use this flaw to cause a denial-of-service.


* Information leak in the Stream Control Transmission protocol.

Failing to check the error code from proc_dointvec() when handling a write
on the sysfs auth_enable could lead to leaking 4 bytes of kernel memory to
userspace. A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory leak in 802.1Q VLAN error handling.

Incorrect error handling when untagging an 802.1Q frame could result in
a memory leak and eventual kernel crash.


* NULL pointer dereference in Broadcom BN2X ethernet driver under memory pressure.

Under memory pressure, an allocation in the Broadcom BN2X driver could fail
and, because the return value is not checked, lead to a NULL pointer
dereference. An attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in TCP stack when pushing during TCP repair.

A flaw in the TCP stack when pushing during a TCP repair could trigger a
divide-by-zero fault. A local, privileged user could use this flaw to cause
a denial-of-service.


* Memory corruption in transparent inter-process communication protocol.

A missing initialization to NULL of a pointer to the next packet in the
TIPC stack could lead to an invalid memory access and packet corruption
when re-assembling the packet. A remote user could use this flaw to cause a
denial-of-service.


* Information leak in the stream control transmission protocol stack.

Some structures exchanged between user space and kernel space in the stream
control transmission protocol stack contain holes which may be left
uninitialized. A local, unprivileged user could use this flaw to obtain
information about the running kernel.


* Memory leak in sunvnet ethernet driver when removing the module.

The vnet ethernet driver wasn't releasing the resources it had allocated at
creation time, leading to memory leaks. A local, privileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Out of bounds memory access in the DNS resolver when querying.

A logic error in the DNS resolver could lead to an out-of-bounds read of one
byte, possibly causing a kernel panic. A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Deadlock in clockevent delta modification.

Circular locking when printing a kernel log message during the
modification of a clockevent timer could result in deadlock and a kernel
hang.


* Deadlock in Xen console driver on resume path.

Incorrect locking in the Xen console driver on suspend could lead to a
deadlock. A local, privileged user could use this flaw to cause a
denial-of-service.


* Improved fix for CVE-2014-4611: Integer overflow in LZ4 library.

The original upstream fix did not cover all possible overflows.


* Data corruption on NFS when updating inode due to cache misusage.

Incorrect use of the internal validity cache for an inode could result in
data corruption when there are multiple concurrent accesses to a file. A
local, unprivileged user could use this flaw to cause data corruption.


* Missing permission check in netlink socket connecting to a PID.

A missing permission check in the netlink socket connection code could
incorrectly allow an unprivileged user to connect to an arbitrary PID
which could potentially be used to escalate privileges.


* Improved fix to CVE-2014-0181: Incorrect namespace permission check in netlink sockets.

The original vendor fix for CVE-2014-0181 did not include all patches
and was still vulnerable under certain conditions.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

