[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (3.13.0-44.73)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jan 12 13:51:16 PST 2015


Synopsis: 3.13.0-44.73 can now be patched using Ksplice
CVEs: CVE-2014-7842 CVE-2014-8884

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-44.73.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial of service in Xen netfront fragment processing.

An incorrect assertion in the Xen netfront network driver can trigger a
kernel panic (BUG_ON) in the guest when processing fragmented packets
which cross page boundaries.


* Memory corruption in Radeon graphics driver on error path.

Failure to initialize a pointer to NULL in various places in the Radeon
graphics driver leads to freeing garbage data from the stack under
certain conditions. An attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference with SCTP server during ASCONF.

A problem with how the SCTP stack verifies input can lead to a NULL pointer
dereference and kernel panic. A malicious user could exploit this using
a specially crafted packet to cause a denial-of-service.


* Kernel panic in rbd block driver during read.

Improper error handling when a memory allocation fails during
a read in the rbd driver could result in an invalid memory access
and kernel panic.


* Invalid free in BTRFS lookup code.

In the case of an error during btrfs lookup, the wrong list
was being freed, leading to a memory leak and possible use-after-free.
A malicious user could exploit this to cause a denial-of-service.


* Divide-by-zero with UART baud rate setting.

The serial driver did not deal correctly in some scenarios
with setting the baud rate to 38400.  This caused an invalid
baud rate to be returned and a kernel WARNING.


* Use-after-free in IEEE80211 stack when defragmenting a packet.

A flaw in the IEEE80211 stack upon receiving a fragmented packet leads to a
use-after-free and kernel panic when updating the network statistics. An
attacker could use this flaw to cause a denial-of-service.


* Memory leak in Cryptographic Accelerator and Assurance Module on key generation.

A flaw in the crypto CAAM driver leaves the input DMA area mapped in case
of failure to map the output DMA area when generating a key, leading to a
memory leak. A local user could use this flaw to exhaust the DMA memory
pool and cause a denial-of-service.


* Invalid memory access when updating bandwidth in Radeon graphics drivers.

The Radeon graphics drivers lack a check that the device has been fully
initialized before updating its bandwidth, potentially leading to use of
uninitialized memory and a kernel panic on the suspend path. An
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in audit watch sub-system on inode cache eviction.

Because the audit sub-system does not pin the inode being watched, the
watch rule is ignored if that inode is evicted from the cache. A local
user could use this flaw to bypass audit watch rules.


* Memory leak in NFS stack when releasing a direct request.

The routine that releases a direct request in the NFS stack did not
release an internal cinfo structure, leading to a memory leak. A local user
could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Kernel panic in libceph AES encryption engine on large authentication packets.

A flaw in the libceph AES encryption engine leads to a kernel panic on
large authentication packets. An attacker could use this flaw to cause a
denial-of-service.


* Information leak in Firewire stack when doing an ioctl.

An uninitialized variable on the stack could be leaked to userspace when
doing an ioctl() on a Firewire char device. An attacker could use this flaw
to gain knowledge about the running kernel in order to facilitate an
attack.


* Kernel crash in Target Core Mod when sending a zero-length command.

A missing check to validate that a command contains data could lead to a
kernel crash depending on the transport driver. A local attacker could use
this flaw to cause a denial-of-service.


* Kernel BUG in mac80211 when decrypting empty packets.

Failing to check that a packet is non-empty before trying to decrypt it
triggers a kernel BUG assertion. A remote attacker could use
this flaw to cause a denial-of-service.


* Memory corruption in Realtek 2x00 WiFi driver when re-transmitting a frame.

A logic error in the Realtek 2x00 WiFi driver consumes 4 bytes of a socket
buffer at each retransmission, leading to a kernel panic. A remote attacker
could potentially use this flaw to cause a denial-of-service.


* Use-after-free in WM Audio DSP driver when loading coefficients to the DSP.

A logic error in the WM Audio DSP driver leads to releasing resources
while they are still being used, potentially causing a kernel panic. A
local user could use this flaw to cause a denial-of-service.


* Memory leak when unbinding Electronic System Design CAN-USB driver.

Private structures used by the Electronic System Design (ESD) CAN-USB
driver are not properly released when un-binding the driver. A local,
privileged user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.


* Incorrect executable permission on kernel memory.

A logic error in the mark_rodata_ro() function leaves some kernel memory
pages executable when they are not supposed to be. This flaw could
facilitate an attack by allowing an attacker to run code in this memory
area.


* CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.

A malicious nested L2 KVM guest can cause the L1 guest to crash by
triggering a race condition when accessing MMIO memory. A local attacker
could use this flaw to cause a denial of service.


* Denial-of-service in ZRAM partial writes.

Under specific conditions a ZRAM page that was zero-filled could result
in trying to unmap an already unmapped page.  A local, unprivileged user
could use this flaw to trigger a denial-of-service.


* Invalid memory access in KVM x86 emulator.

The KVM x86 emulator fails to initialize the operand type to immediate for
specific instructions, possibly leading to reuse of the previous operand
type and invalid read/write access to memory. A local attacker could use
this flaw to crash the guest kernel or potentially elevate privileges.


* CVE-2014-8884: Buffer overflow in DEC2000 and DEC3000 USB adapters.

A lack of input validation when copying an ioctl command could lead to
overflowing data on the stack, causing a kernel panic. A local user could
use this flaw to cause a denial-of-service or potentially escalate
privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.