[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2420-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Nov 27 07:43:36 PST 2014


Synopsis: USN-2420-1 can now be patched using Ksplice
CVEs: CVE-2014-3690 CVE-2014-4608 CVE-2014-7825 CVE-2014-7826 CVE-2014-7970 CVE-2014-7975

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2420-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
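The two paths above (let Uptrack autoinstall, or run uptrack-upgrade by hand) are easy to wrap in a small check script that also confirms afterwards that the CVEs listed in this notice actually appear in the installed-update list. The script below is an added example, not part of the advisory or of the Ksplice tooling. It assumes two things the notice does not state: that /etc/uptrack/uptrack.conf is INI-style with "autoinstall" under a "[Main]" section, and that "uptrack-show" prints one installed update per line as "[id] description" with the CVE ids in the description (the sample output embedded below is constructed, and its update ids are made up).

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory): decide whether this host
# needs a manual "uptrack-upgrade -y", then confirm the notice's CVEs show
# up in the installed-update list printed by uptrack-show.
#
# Assumptions (not stated on the page): uptrack.conf is INI-style with the
# setting in a "[Main]" section, and "uptrack-show" lists each installed
# update as "[id] description" with CVE ids in the description.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
ADVISORY_CVES="CVE-2014-3690 CVE-2014-4608 CVE-2014-7825 CVE-2014-7826 CVE-2014-7970 CVE-2014-7975"

# Print "yes" if "autoinstall = yes" is set in the given config file, else "no".
# Tolerates spaces around "=", ignores "#"/";" comments; the last setting wins.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return; }
    val=$(sed -n -e 's/[[:space:]]*[#;].*$//' \
                 -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*$/\1/p' \
                 "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# Read uptrack-show output on stdin and print, one per line, the advisory
# CVEs that no installed update mentions (empty output means fully covered).
missing_cves() {
    shown=$(cat)
    for cve in $ADVISORY_CVES; do
        printf '%s\n' "$shown" | grep -q -- "$cve" || echo "$cve"
    done
}

# Constructed sample of uptrack-show output (format assumed, ids made up):
# three of the six CVEs are present, so missing_cves reports the other two.
SAMPLE_UPTRACK_SHOW='Installed updates:
[a1b2c3d4] CVE-2014-7825, CVE-2014-7826: Perf DoS and local privilege escalation.
[e5f60718] CVE-2014-7975: Denial-of-service in do_umount.
[19aabbcc] CVE-2014-3690: Denial of Service in KVM/VMX CR4 register management.'

main() {
    if [ "$(autoinstall_enabled "$UPTRACK_CONF")" = yes ]; then
        echo "autoinstall is enabled; Uptrack will apply USN-2420-1 itself."
    else
        echo "autoinstall is off; applying updates now."
        /usr/sbin/uptrack-upgrade -y || exit 1
    fi
    missing=$(uptrack-show | missing_cves)
    if [ -n "$missing" ]; then
        echo "still unpatched: $(printf '%s' "$missing" | tr '\n' ' ')" >&2
        exit 1
    fi
    echo "all USN-2420-1 CVEs present in uptrack-show output."
}

# Only touch the live system when explicitly asked (UPTRACK_CHECK_RUN=1);
# otherwise the functions can be sourced and exercised without side effects.
if [ "${UPTRACK_CHECK_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as root with UPTRACK_CHECK_RUN=1 on a Trusty host with Uptrack installed; a non-zero exit with a "still unpatched" line means an update from this notice is not yet applied and is worth investigating before assuming the host is covered.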


DESCRIPTION

* CVE-2014-7825, CVE-2014-7826: Perf DoS and local privilege escalation.

A missing validation of the syscall ID range in perf syscall tracing allows a
local attacker to trigger a kernel panic, or to leverage the flaw into root
privileges if root was running perf syscall tracing at the time.


* rpcbind crash during lockd startup failure.

Under specific conditions, a lockd startup failure could crash the kernel in
the rpcbind code.


* Kernel crash in Ultra Wideband device registration.

Use of uninitialized data could result in a kernel crash when registering
an Ultra Wideband device.


* Data corruption in DM cache devices during writes.

A race condition in the DM cache driver could result in failing to mark
blocks as dirty causing data corruption on disk.


* Invalid memory access in libceph with large replies.

A failure to correctly allocate new messages for large replies from the
monitor (mon) in libceph could result in a buffer overrun.


* NULL pointer dereference in XHCI initialization failure.

Incorrect cleanup during XHCI initialization failure could result in a
NULL pointer dereference and kernel crash.


* Use-after-free in XHCI on S2/S3 resume.

The XHCI driver could dereference a stale pointer on resuming from S2/S3
sleep, causing a kernel crash.


* Kernel hang in PI futex requeueing.

A missing queue unlock operation could result in returning to userspace
with preemption disabled.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Use-after-free in Industrial I/O trigger assignment.

Missing reference counting could result in a use-after-free with
Industrial I/O devices when allocating triggers.


* Kernel crash in Conexant CX23418 MPEG encoder probing.

Incorrect data structure initialization could result in dereferencing an
invalid pointer and crashing the kernel.


* Memory corruption in iSCSI target logout handler.

A logic error in the logout handler could result in memory corruption
when a target was disconnected.


* NULL pointer dereference in iSCSI target memory allocation failure.

Incorrect error handling on allocation failure when copying a parameter
list could result in a NULL pointer dereference and kernel crash.


* Kernel crash in NFSv3 filesystem mounting.

Incorrect locking in NFSv3 mounting could result in a race condition
between kernel threads, causing a kernel panic.


* Privilege escalation in iSCSI PDU sending.

Missing bounds checks could allow a user with permission to send PDUs to
an iSCSI device to overflow a buffer and potentially escalate
privileges.


* Kernel hang in block device buffer handling with large disks.

On 32-bit systems, disks larger than 4TB could trigger an integer
overflow when accessing block devices.  This could cause an infinite
loop and a kernel hang.


* NULL pointer dereference in CPU hotplug cache management.

Incorrect handling of hotplug removal could result in a NULL pointer
dereference and kernel crash.


* Data corruption in NILFS with mmap()'d files.

Incorrect handling of dirty pages in mmap()'d NILFS files could result
in the pages not being written back to disk correctly.  This could
result in data corruption when remounting the filesystem or after
eviction from the page cache.


* Use-after-free in perf subsystem on fork error path.

A flaw in the perf subsystem could lead to releasing a perf event on fork
failure while it is still in use, leading to a use-after-free and kernel
panic. A local attacker could use this flaw to cause a denial-of-service.


* CVE-2014-7975: Denial-of-service in do_umount.

A missing capability check in do_umount allows unprivileged local users to
remount the root file system read-only, causing a denial-of-service (loss
of writability).


* Out of bounds memory access in crypto CAAM driver when computing hash.

A flaw in the crypto CAAM driver leads to out of bounds memory access when
computing a hash, potentially leading to a kernel crash. A local attacker
could use this flaw to cause a denial-of-service or potentially escalate
privileges.


* Information leak in Intel Management Engine Interface devices.

Incorrect string termination could result in reading off the end of a
buffer when probing an MEI device if the device name was 32 characters
or longer.  This could result in leaking the contents of heap memory to
userspace.


* Improved fix to CVE-2014-4608: Memory corruption in kernel lzo decompressor.

The original upstream fix for CVE-2014-4608 did not cover all cases and
was still exploitable.


* NULL pointer dereference in generic register map debugfs entries.

Under specific conditions some register maps may not have a Linux device
associated with them which could trigger a NULL pointer dereference when
creating debugfs entries for the register map.


* Kernel crash in register map bulk register writes.

Incorrect handling of zero length bulk register writes could result in
dereferencing an invalid pointer and crashing the kernel under specific
conditions.


* Privilege escalation in ServerEngines BladeEngine 2 iSCSI driver.

Missing validation of user supplied data could allow a local user with
permissions to access the iSCSI device to overflow a stack buffer and
potentially escalate privileges.


* Denial-of-service in ecryptfs extended attribute setting.

A missing NULL pointer check could result in a kernel crash when setting
an extended attribute on an ecryptfs filesystem.  A local, unprivileged
user could use this flaw to trigger a denial-of-service.


* CVE-2014-7970: Memory corruption when using pivot_root.

A flaw in the pivot_root syscall leads to corruption of the mount tree
when it is called with a directory outside a chroot. A local user could use
this flaw to cause memory corruption and likely a denial-of-service.


* Kernel stack information leak in filesystem notify.

Missing error handling could result in leaking kernel stack data to
userspace when showing a handle in the inotify operations.


* Memory leak in Unsorted Block Image flash filesystem.

The kernel does not correctly handle orphaned volumes on an Unsorted
Block Image flash filesystem leading to a kernel memory leak.


* Use after free in ALSA Dynamic Power Management.

A use-after-free condition can be triggered in the ALSA SoC Dynamic
Audio Power Management module when creating a new mixer leading to
possible kernel memory corruption.


* Memory corruption in generic SELinux filesystem support.

The kernel SELinux subsystem does not correctly lock resources when
initializing SELinux for a filesystem leading to possible memory
corruption and a kernel panic.


* Denial of service in generic filesystem mounting.

The generic filesystem mounting implementation does not correctly
validate filesystem parameters leading to a division by zero and kernel
panic.


* Use after free in netlink socket and PPP ioctl.

Incorrect reference counting in netlink sendmsg and the PPPIOCDETACH
ioctl can trigger a use-after-free condition and cause kernel memory
corruption.


* CVE-2014-3690: Denial of Service in KVM/VMX CR4 register management.

KVM on VMX does not reload the CR4 register when it changes on the host,
so host feature changes are not reflected in guests. This could lead
to a local denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.