[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2681-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jul 24 00:44:35 PDT 2015


Synopsis: USN-2681-1 can now be patched using Ksplice
CVEs: CVE-2015-1805 CVE-2015-4692 CVE-2015-4700

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2681-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
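The two installation paths above depend on the value of "autoinstall" in /etc/uptrack/uptrack.conf. The following shell script is an added example, not part of this announcement or of the uptrack tool: it reads that setting from an uptrack.conf-style file and reports whether an operator still has to run "/usr/sbin/uptrack-upgrade -y" by hand. It assumes the file is ini-style "key = value" text with '#' or ';' comments, that keys are case-insensitive and that the last occurrence of a key wins; the sample configs it creates are constructed for the demonstration and are not Oracle's defaults.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement or the uptrack tool.
# Assumptions: ini-style "key = value" lines, '#'/';' comments, case-insensitive
# keys, last occurrence of a key wins.

# Print the effective (lower-cased) value of a key, or nothing if it is unset.
uptrack_conf_get() {
    conf="$1"; key="$2"
    awk -F= -v want="$key" '
        { sub(/[#;].*/, "") }                      # strip comments, full or trailing
        NF >= 2 {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (tolower(k) == tolower(want)) {
                v = $2; gsub(/[[:space:]]/, "", v)
                last = tolower(v)                  # last occurrence wins
            }
        }
        END { if (last != "") print last }
    ' "$conf"
}

# Return 0 when autoinstall is enabled, 1 otherwise (unreadable file = disabled).
uptrack_autoinstall_enabled() {
    [ -r "$1" ] || return 1
    [ "$(uptrack_conf_get "$1" autoinstall)" = "yes" ]
}

# Print the action an operator has to take for this host's config file.
uptrack_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not real defaults) to exercise the edge cases:
# a commented-out key, mixed case, a trailing comment and a duplicate key.
tmpdir=$(mktemp -d)
cat > "$tmpdir/auto.conf" <<'EOF'
[Settings]
# autoinstall = no      <- commented out, must be ignored
install_on_reboot = yes
AutoInstall = YES   ; trailing comment
EOF
cat > "$tmpdir/manual.conf" <<'EOF'
[Settings]
autoinstall = yes
autoinstall = no
EOF

uptrack_update_action "$tmpdir/auto.conf"      # automatic
uptrack_update_action "$tmpdir/manual.conf"    # run: /usr/sbin/uptrack-upgrade -y
```

On a real host you would call uptrack_update_action /etc/uptrack/uptrack.conf; the function only reads the file, so it can run from any monitoring or inventory job without touching the update itself.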


DESCRIPTION

* SLI data corruption in Emulex LightPulse Fibre Channel driver.

Missing memory barriers in the Service Level Interface (SLI) could lead
to reading stale data from the device, possibly causing data corruption
and unspecified kernel crashes.


* CVE-2015-1805: Memory corruption in handling of userspace pipe I/O vector.

Pipe I/O vector handling functions didn't handle failure of atomic accesses
correctly. This would allow a local unprivileged user to crash the system.


* CVE-2015-4692: Denial-of-service when checking for events in the emulated KVM APIC.

A missing check for NULL in the KVM code when checking if there are any
pending events on the emulated interrupt controller could lead to NULL
pointer dereference.  A local user with access to /dev/kvm could use this
flaw to cause a denial-of-service.


* Multiple deadlocks in ALSA emux driver.

Incorrect locking in the ALSA emux driver could lead to AB-BA deadlocks in
the kernel under various conditions.


* Denial-of-service in Rados Block Device (RBD) driver on end I/O.

Incorrect logic in the RBD driver on end I/O could trigger a kernel
assertion and lead to a denial-of-service under certain conditions.


* Multiple divide-by-zero errors in the page write-back code.

Multiple logic errors in the page write-back code could lead to
divide-by-zero and denial-of-service under certain conditions.


* Memory leak and denial-of-service in the memory-failure subsystem.

A logic error in the memory-failure subsystem when handling a transparent
huge page could result in a memory leak and in a machine check error
killing the application using the transparent huge page.


* Out-of-bounds memory access in the nilfs driver.

An off-by-one error when checking the btree level in the nilfs driver could
lead to out-of-bounds memory access.  An attacker could use a specially
crafted nilfs image to cause a denial-of-service.


* Kernel hang in the ocfs2 driver when locking resources.

A race condition in the dlm_get_lock_resource() function in the ocfs2
driver could lead to a kernel hang on concurrent purge.  A local attacker
could use this flaw to cause a denial-of-service.


* Double-free in the VFS subsystem when opening an unnamed temporary file.

A logic error in the path_openat() function in the VFS subsystem when
opening an unnamed temporary file leads to a double-free.  A local,
unprivileged user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* Permission bypass in filesystem namespace.

A logic error in the filesystem namespace subsystem allows a restricted
user to bypass mount restrictions and mount /proc or /sys if there is a
bind mount of part of /proc or /sys in its namespace.


* Use-after-free in USB gadget configfs filesystem.

Missing invalidation of a pointer during function removal could result
in a use-after-free and kernel crash.


* Denial-of-service in JBD2 journal recovery.

An integer overflow in the JBD2 journal could result in an out-of-bounds
memory access and kernel crash.  A local user could use a maliciously
crafted filesystem to crash the system.


* NULL pointer dereference when handling IPv4 errors.

A missing check for NULL could lead to a NULL pointer dereference when
handling IP errors when the network device is being removed.  An attacker
could use this flaw to cause a denial-of-service.


* CVE-2015-4700: Denial-of-service in the BSD Packet Filter just-in-time compiler.

A logic error in the BSD Packet Filter (BPF) just-in-time (jit) compiler
could lead the jit'ed program to contain only software breakpoints instead
of the intended opcodes.  A local, privileged user could use this flaw to
cause a denial-of-service by using a specially crafted BPF program.


* NULL pointer dereference in CAIF and Unix sockets when receiving messages.

Lack of checking that the socket has been destroyed in the recvmsg()
handlers for CAIF and Unix sockets could lead to a NULL pointer
dereference.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Kernel crash when attaching a new queue discipline in the network scheduler.

A flaw in the networking scheduler could lead to a use-after-free when
attaching a new queue discipline to a network device.  A local, privileged
user could use this flaw to cause a denial-of-service.


* NULL pointer dereference in EXT4 journal restart failure.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when restarting the journal.  A local user could use a
maliciously crafted filesystem to crash the system.


* Memory corruption when replacing ECMP route on IPv6.

Replacing an ECMP route on IPv6 replaced only the first matching route,
leaving its sibling routes in place and leading to memory corruption.  A
local, privileged user could use this flaw to cause a denial-of-service.


* Kernel panic when handling a userspace page-fault.

An incorrectly backported fix to the handling of userspace page-faults
can allow unprivileged users to trigger a kernel panic.


* Revert "CVE-2015-1805: Memory corruption in handling of userspace pipe I/O vector."

This reverts commit 329970833e72be645fe4d78abe281f1b8c849a70.


* CVE-2015-1805: Memory corruption in handling of userspace pipe I/O vector.

Pipe I/O vector handling functions didn't handle failure of atomic accesses
correctly. This would allow a local unprivileged user to crash the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.