[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2290-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jul 21 18:30:08 PDT 2014


Synopsis: USN-2290-1 can now be patched using Ksplice
CVEs: CVE-2014-0181 CVE-2014-1739 CVE-2014-3144 CVE-2014-4608 CVE-2014-4611 CVE-2014-4943

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2290-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
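As an added example (not part of the Ksplice announcement), the following POSIX shell script reads the autoinstall setting from an uptrack.conf-style file and reports whether a host will pick up USN-2290-1 on its own or needs a manual uptrack-upgrade run; the parser ignores comment lines and is case-insensitive on the value. The /etc/uptrack/uptrack.conf path is the one named above; the sample configuration files and the PLACEHOLDER_KEY value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original announcement. Checks whether
# "autoinstall = yes" is set in an uptrack.conf-style file and maps it
# to the action described in the announcement.

# Print the effective "autoinstall" value: comment lines (# or ;) are
# skipped, whitespace around "=" is tolerated, the value is lowercased
# and the last occurrence wins. Prints "unset" when the key is absent.
uptrack_autoinstall() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable"; return 1; }
    val=$(sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    if [ -z "$val" ]; then echo "unset"; else echo "$val"; fi
}

# "automatic": Uptrack applies the updates itself.
# "manual": an administrator must run /usr/sbin/uptrack-upgrade -y.
uptrack_action() {
    case "$(uptrack_autoinstall "$1")" in
        yes) echo "automatic" ;;
        *)   echo "manual" ;;
    esac
}

# Constructed sample configs so the script runs stand-alone; on a real
# host pass /etc/uptrack/uptrack.conf to uptrack_action instead.
demo_dir=$(mktemp -d)
cat > "$demo_dir/auto.conf" <<'EOF'
[Settings]
# autoinstall = no   (commented out: must be ignored by the parser)
accesskey = PLACEHOLDER_KEY
autoinstall = Yes
EOF
cat > "$demo_dir/manual.conf" <<'EOF'
[Settings]
accesskey = PLACEHOLDER_KEY
autoinstall = no
EOF
printf '%s: %s\n' "$demo_dir/auto.conf" "$(uptrack_action "$demo_dir/auto.conf")"
printf '%s: %s\n' "$demo_dir/manual.conf" "$(uptrack_action "$demo_dir/manual.conf")"
rm -r "$demo_dir"
```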


DESCRIPTION

* CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.

PPP over L2TP sockets incorrectly used UDP's getsockopt and setsockopt
as a fallback handler. Since UDP's implementation expects different
data structures, a local attacker could corrupt kernel memory and gain
root privileges.


* Integer overflow during btrfs defragmentation.

Use of the wrong data type in the btrfs defragmentation code meant that
certain integer variables could overflow, leading to kernel panic.


* Kernel panic when hotplugging a PCI USB controller card.

A race condition in the USB subsystem can trigger a kernel panic when
hotplugging a PCI USB controller card.


* Memory leak in Radeon buffer object reservation failure.

Incorrect failure handling could result in a memory leak when an
allocation failed, eventually leading to a kernel crash.


* Soft lockup in huge page code when releasing huge TLB pool.

A missing call to the scheduler when releasing a huge TLB pool could lead
to a soft lockup. A local, privileged user could use this flaw to cause a
denial-of-service.


* Kernel BUG() in transparent huge page code between split and zap.

A missing lock could lead to a race condition in the transparent huge page
code between splitting and zapping a transparent huge page, leading to a
kernel BUG().


* Data corruption in ext4 when resizing filesystem.

A race condition between resizing an ext4 filesystem and mapping a file extent
can cause filesystem corruption and loss of data.


* Data corruption in ext4 unaligned asynchronous IO.

A race condition between reading the size of an inode and performing an
asynchronous file write can trigger data corruption on an ext4 filesystem.


* Kernel crash in AHCI with dummy port.

The system may crash in ahci_hw_interrupt() or ahci_thread_fn() when
accessing the interrupt status in a port's private_data if the port is
actually a dummy port.


* Deadlock in USB serial driver when unloading the module.

Incorrect locking between module removal and sysfs callbacks in the USB
serial driver could lead to a deadlock. A local, privileged user could use
this flaw to cause a denial-of-service.


* Double-free in ASoC power management.

Unregistering a sound card with auto-disabled DAPM kcontrols
causes a double free and possible kernel panic.


* Memory corruption in VMware graphics driver when doing a DMA transfer.

A missing bounds check in the VMware graphics driver code could lead to
memory corruption. A local user could use this flaw to cause a
denial-of-service.


* Memory leak in asynchronous IO subsystem when running a callback.

A missing de-allocation routine in the error path of the function calling
an asynchronous IO callback leads to a memory leak. An attacker could use
this flaw to exhaust the memory and cause a denial-of-service.


* CVE-2014-0181: Incorrect namespace permission check in netlink sockets.

The kernel uses an incorrect set of permissions when querying netlink sockets
from different namespaces, allowing unprivileged users to disclose information
about networking in privileged namespaces.


* NULL pointer dereference in the filesystem stack when checking ACL.

A missing check for NULL when checking whether a filesystem ACL can be
represented using traditional UNIX permissions could lead to a kernel
panic. A remote attacker controlling an NFS server or a local unprivileged
user could use this flaw to cause a denial-of-service.


* Divide-by-zero in mm page writeback.

When computing limits in page-writeback, some values were not
checked for zero, leading to a divide-by-zero error.


* Use-after-free in autofs when accessing private data of a removed dentry.

A logic error when checking whether a dentry is still allocated could lead
to a use-after-free and kernel panic. A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Remote denial-of-service in bridge driver when filtering packets.

A logic error in the bridge driver when filtering packets could lead to a
double-free of the dropped socket buffer, potentially leading to a kernel
panic. A remote user could use this flaw to cause a denial-of-service.


* CVE-2014-3144: Multiple local denial of service vulnerabilities in netlink.

The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extension implementations
in the sk_run_filter function in net/core/filter.c failed to check whether
a certain length value is sufficiently large, which allows local users to
cause a denial of service (integer underflow and system crash) via crafted
BPF instructions.


* Divide-by-zero in TCP cubic congestion algorithm when computing delayed ack.

A logic error in the TCP cubic congestion algorithm could lead to a
divide-by-zero and kernel panic. A remote attacker could potentially use
this flaw to cause a denial-of-service.


* Out-of-bounds memory write in USB network control model class driver.

A logic error in the code checking boundaries before sending a USB packet
in the network control model class driver could lead to an off-by-one
memory write under specific conditions, potentially leading to a kernel
panic.


* NULL pointer dereference in IPv6 netlink validation callback.

A missing check for NULL in the IPv6 netlink validation callback leads to a
NULL pointer dereference. A local, privileged user could use this flaw to
cause a kernel panic and denial-of-service.


* Memory corruption when computing the size of IPv6 headers.

A logic error when calculating the size of the IPv6 header when IPv6
extension headers are used could lead to memory corruption and a kernel panic.


* Memory leak in BATMAN routing protocol code when sending fragmented packets.

Incorrect reference counting in the BATMAN routing code when sending a
fragmented packet leads to a memory leak. An attacker could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Race conditions in the workqueue subsystem.

Incorrect locking in various places in the workqueue subsystem could lead
to a kernel panic.


* Incorrect permission checking in cgroup subsystem.

Incorrect permission checking in the cgroup subsystem could allow a local
unprivileged user to bypass cgroup exceptions.


* NULL pointer dereference in CAAM crypto driver.

A missing check for NULL after allocating a buffer could lead to a NULL
pointer dereference when the system is under memory pressure. An attacker
could use this flaw to cause a denial-of-service.


* Kernel panic in libata after detaching a port.

Missing resource cleanup when detaching an ATA port can lead to a kernel
panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* Kernel BUG() in NFS daemon when setting an ACL with no entries.

A logic error in the NFS daemon code could trigger a kernel BUG() when
setting an ACL with no entries.


* Kernel panic when moving a transparent huge page concurrently with splitting it.

A race condition in the code moving page tables if a transparent huge page
is concurrently being split can lead to a kernel panic under specific
conditions.


* Memory corruption when accessing a huge TLB of a copy-on-write page.

A missing flush of the huge translation lookaside buffer for a page copied
after a write could lead to memory corruption, because the parent process
may keep accessing the child's copy of the page rather than the original
page. A local, unprivileged user could use this flaw to cause memory
corruption or potentially elevate privileges.


* Use-after-free in Target core mod when releasing a command.

Improper ordering of de-allocation routines could lead to a use-after-free and
kernel panic.


* Use-after-free in libceph when sending pages over TCP.

RADOS block devices do not properly handle sending pages with a page_count
of 0 over TCP, which results in the page being freed while still in use,
leading to memory corruption and a kernel panic. A local, privileged user
could use this flaw to cause a denial-of-service.


* Memory leak in Target core mod storage engine on every xcopy.

Missing initialization of a reference counter leads to 1Kb of kernel memory
being leaked for every xcopy operation. A local, unprivileged user could
use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Information leak in sysfs when the read callback uses seq_file.

A structure on the kernel stack was not zeroed before being copied to
userspace, potentially leaking sensitive information about the running
kernel. A local, unprivileged user could use this flaw to gain information
that may help in a further attack.


* Use-after-free in NFSv4 daemon kernel implementation when releasing a state ID.

A lack of clean-up of a lock owner attached to a state ID when releasing
the state ID could lead to use-after-free and kernel panic in the NFSv4
daemon implementation.


* Memory corruption in CPU frequency driver when accessing the current policy.

A lack of locking when accessing the current policy in the CPU frequency
driver could lead to data corruption and kernel panic. A local, privileged
user could use this flaw to cause a denial-of-service.


* Information leak in Intel i915 graphics driver when copying execbuffer.

When copying an execbuffer to userspace, the Intel i915 graphics driver
also exports an internal structure that should be hidden from userspace.


* NULL pointer dereference in Radeon graphics drivers.

The Radeon graphics driver fails to verify that VM command submission is
available which can lead to a kernel crash. A local, privileged user could
use this flaw to cause a denial-of-service.


* Deadlock in Intel WiFi driver when setting channel in monitor mode.

Incorrect locking in the Intel WiFi driver could lead to a deadlock when
setting any channel other than channel 1 in monitor mode. A local, privileged
user could use this flaw to cause a denial-of-service.


* Use-after-free in USB host xHCI driver when releasing the device.

Incorrect ordering of de-allocation routines when releasing an xHCI device
could lead to a use-after-free and kernel panic. A local, privileged user
could use this flaw to cause a denial-of-service.


* Data corruption in multiple devices driver (MD) when reshaping a read-only device.

A logic error in the MD driver could lead to data corruption when reshaping
a read-only device. A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory leak in Infiniband SCSI driver when SCSI WRITE command fails.

A missing reference put in the Infiniband SCSI driver when a SCSI WRITE
command with ImmediateData=Yes fails causes a memory leak. An attacker
could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* NULL pointer dereference in Target Core Mod (TCM) when releasing a session.

A missing check for NULL before dereferencing a pointer in the TCM driver
when releasing a session could lead to a kernel panic.


* CVE-2014-4608: Integer overflow in LZO when uncompressing blocks larger than 16MB.

Lack of input validation in the LZO library could cause an integer overflow
when uncompressing blocks larger than 16MB, potentially leading to kernel
code execution. A local attacker could use this flaw to elevate privileges.


* CVE-2014-4611: Integer overflow in LZ4 library when uncompressing large blocks.

Lack of input validation in the LZ4 library could cause an integer overflow
when uncompressing blocks larger than 16MB, potentially leading to kernel
code execution. A local attacker could use this flaw to elevate privileges.


* Integer overflow in ext4 filesystem driver when mapping large blocks.

Missing input validation when mapping blocks from the filesystem could
result in an integer overflow and lead to a memory leak. A local,
unprivileged user could use this flaw to exhaust the memory on the system
by using the fallocate() syscall, leading to a denial-of-service.


* Denial-of-service in ext4 filesystem when reading the file block number.

A missing check that the block number is valid when userspace asks for the
block number could cause a kernel BUG(). A local, privileged user could use
this flaw with a specially crafted ext4 filesystem to cause a
denial-of-service.


* Use-after-free in PCIe SAS Host Adapters in suspend path.

A flaw in the PCIe SAS Host Adapters driver when suspending the device
leads to a use-after-free and kernel panic. A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in virtio SCSI driver when setting affinity.

A missing check for NULL when setting the affinity of virtio queues leads
to a NULL pointer dereference and kernel panic. A local, privileged user
could use this flaw to cause a denial-of-service.


* Memory corruption in TTY driver when flushing line discipline.

A race condition in the TTY driver could lead to a memory corruption if the
line discipline is being flushed concurrently with the TTY driver extending
a buffer size. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* CVE-2014-1739: Information leak in the media stack when enumerating media devices.

The ioctl() to enumerate media devices can copy to userspace 200 bytes of
kernel stack. A local user with write access to /dev/mediaX could use this
flaw to gather information about the running kernel.


* Out-of-bounds memory read in the V4L2 Omnivision 7670 VGA camera driver.

A logic error when iterating over the different frame sizes supported in
the Omnivision 7670 driver could lead to out of bounds memory access and
kernel panic. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in Radeon graphics driver when acceleration is unavailable.

A missing check for NULL in the Radeon graphics driver on opening the device
could lead to a NULL pointer dereference and kernel panic when acceleration
is not working.


* NULL pointer dereference in Target Core Mod when reading from sysfs.

A missing check to verify that the backend device has been configured leads
to a NULL pointer dereference when writing to the sysfs file
alua_access_state. A local, privileged user could use this to cause a
denial-of-service.


* Use-after-free in memory management subsystem when releasing VMA.

The order in which de-allocation routines are called in the memory
management subsystem when releasing a VMA leads to a use-after-free and
possibly to a kernel panic and denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
