[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2946-1)
Jamie Iles
jamie.iles at oracle.com
Thu Apr 7 06:55:26 PDT 2016
Synopsis: USN-2946-1 can now be patched using Ksplice
CVEs: CVE-2015-2085 CVE-2015-8812
Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2946-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2015-8812: Use-after-free in Infiniband CXGB3 driver on network congestion.
A logic error in the Infiniband CXGB3 driver could lead to a use-after-free
of a socket buffer when the network is congested. A local, unprivileged
user could use this flaw to cause a kernel crash or potentially escalate
privileges.
* CVE-2015-2085: Timing side channel attack in EVM integrity module.
The EVM HMAC verification routine compared digests with a regular memcmp(),
whose run time depends on the position of the first mismatching byte. This
allows a timing side channel attack that reduces the MAC forgery complexity
from 2^128 to 2^12.
* Deadlock when reading from rfkill sysfs file.
Incorrect locking in the rfkill sysfs interface can cause a kernel panic
when reading events. A privileged local user could use this flaw to
cause a denial of service.
* Kernel crash in userspace interface for hash algorithm when sending a message.
A failure to wait for the completion of crypto_ahash_init() when using
sendpage()/sendmsg() could cause a kernel crash. A local, unprivileged
user could use this flaw to cause a denial-of-service.
* NULL pointer dereference in the Industrial IO (IIO) driver when releasing a channel.
A missing check for NULL pointer when releasing an IIO channel could lead
to a NULL pointer dereference and kernel panic.
* Integer underflow when accessing Intel Storage Controller Unit (SCU) registers.
A flaw in the Intel SCU driver could lead to an integer underflow when
accessing the SCU registers. A local user with CAP_SYS_RAWIO could use
this flaw to cause out of range memory accesses leading to a kernel crash.
* Kernel log buffer flood in ALSA rawmidi driver.
The ALSA rawmidi driver would dump the kernel stack to the kernel log
buffer every time userspace would pass it a NULL pointer. A local,
unprivileged user with access to the ALSA device could use this flaw to
flood the kernel logs, potentially causing a denial-of-service or gaining
information about the running kernel if they are able to read the kernel log.
* Multiple kernel deadlocks in ALSA OSS emulation.
Incorrect locking in the ALSA OSS emulation code could lead to AB-BA
deadlocks when accessing read()/write() and mmap() concurrently. A local
user could use these flaws to cause a denial-of-service.
* Multiple use-after-frees in the ALSA sequencer when closing the device.
Incorrect locking in the ALSA sequencer sub-system could lead to several
distinct use-after-free bugs under certain conditions. A local user could use
these flaws to cause a denial-of-service.
* Kernel panic when handling interrupts for SATA devices.
Incorrect locking can trigger an assertion failure and kernel panic when
handling an interrupt for a SATA device.
* Memory corruption in ALSA rawmidi driver on concurrent read/write.
Incorrect locking in the ALSA rawmidi driver on concurrent read/write
operations could lead to memory corruptions. A local, unprivileged user
could use this flaw to cause a denial-of-service.
* Use-after-free when unloading xHCI host driver.
A flaw in the xHCI host driver could lead to reading already freed memory
when removing the driver. A local user with the ability to unload the xHCI
kernel module could use this flaw to cause a denial-of-service.
* Kernel hang in Btrfs filesystem when using the BTRFS_IOC_INO_PATHS ioctl.
Double locking of the same read/write lock in the Btrfs filesystem when
querying the path of an inode could lead to a kernel deadlock. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* Information leak in ALSA sound sub-system when parsing the HDMI EDID-Like-Data (ELD).
Lack of proper bounds checking when copying the HDMI ELD structure could
lead to leaking 256 bytes of kernel memory under certain conditions.
* Kernel deadlock when dumping the call stack on multiple CPUs.
Incorrect locking when dumping the kernel stack to the kernel log buffer on
multiple CPUs could lead to a deadlock. An attacker with the ability to
trigger concurrent dump_stack() calls could use this flaw to cause a
denial-of-service.
* Use-after-free in the crypto sub-system when traversing the list of crypto algorithms.
Incorrect locking when traversing the list of crypto algorithms could lead
to a use-after-free when concurrently unregistering an algorithm. A local,
unprivileged user could use this flaw to cause a kernel crash.
* Integer overflow in ext4 buffer allocation.
An integer overflow in ext4 could cause access to invalid memory regions
not owned by the filesystem, possibly corrupting them.
* Data corruption on ext4 filesystem when moving data to a donor file.
A flaw in the ext4 filesystem when moving data to a donor file could lead
to data corruption.
* Memory corruption in QXL virtual GPU ioctls.
An integer overflow in the QXL virtual GPU can allow a local user to
cause kernel memory corruption via ioctls.
* Memory corruption when parsing numbers from NFS requests.
The kernel NFS server does not correctly parse hex strings from
userspace which can trigger kernel memory corruption.
* Kernel panic when starting fastopen TCP connections.
The kernel TCP stack does not correctly handle starting fastopen
connections, which can trigger a NULL pointer dereference and kernel panic.
* Memory leak when reading from AF_UNIX socket.
Incorrect reference counting when reading from AF_UNIX can trigger a
memory leak when a signal is delivered to a process.
* Memory leak when sending IPv4 data with ancillary data.
The kernel IPv4 stack does not free ancillary data when failing to send
IPv4 data which causes a kernel memory leak.
* Denial-of-service in ALSA timer handling.
Multiple locking flaws in the ALSA timer handling could lead to memory
corruptions and denial-of-service on concurrent operations. A local user
could use these flaws to cause a denial-of-service.
* Kernel panic in the radix tree library when doing a gang lookup.
A race condition in the radix tree library in the kernel could lead to type
confusion and kernel panic when doing a gang lookup and concurrently
growing the radix tree. A local user could use this flaw to cause a
denial-of-service.
* Memory leak in the ALSA audio driver on concurrent writes to the sequencer device.
Incorrect locking in the ALSA audio sequencer could lead to a memory leak
on concurrent writes to the sequencer device. A local user with write
access to the sequencer device could use this flaw to exhaust the memory on
the system.
* Infinite loop when unmounting an OCFS2 filesystem using the kernel distributed lock manager.
A logic error when releasing the locks of an OCFS2 recovery master dead
node could lead to an infinite loop when later trying to unmount the OCFS2
filesystem.
* Kernel deadlock when validating a memory context.
A race condition in the virtual memory subsystem when validating a memory
context could lead to a deadlock. A local, unprivileged user could use
this flaw to cause a denial-of-service.
* Kernel panic when failing to open file.
The generic VFS subsystem does not validate the status of filesystem
operations which can trigger a kernel panic.
* Kernel panic when closing Philips SAA7134 devices.
The Philips SAA7134 TV card driver does not correctly free memory when
closing a device which can lead to a NULL pointer dereference and kernel
panic.
* Data corruption with direct IO on ext4.
A race in the handling of locked and unlocked IO completion with Direct IO
can cause data corruption on ext4 filesystems.
* SMAP bypass in 32-bit compatibility syscall handler.
The 32-bit compatibility syscall entry path did not clear the EFLAGS.AC
(alignment check) flag when entering kernel mode. SMAP treats a set AC flag
as its override, so kernel code could incorrectly access user-mode data
while the flag remained set.
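The following is an added example, not code from this advisory or from the Linux kernel. It models the CVE-2015-2085 item above: a memcmp()-style digest check that exits at the first mismatching byte, beside a constant-time comparison in the style of the kernel's crypto_memneq(), and an attacker routine that uses a step count as a stand-in for measured time. The 16-byte MAC length (chosen so the arithmetic matches the 2^128 to 2^12 figure), the secret MAC value and the step-count oracle are all constructed for the demonstration.

```c
/* Added example, not code from the advisory or the kernel: models the
 * CVE-2015-2085 flaw (EVM HMAC compared with a plain memcmp()) and the
 * constant-time comparison that fixes it. The MAC length, the "secret" MAC
 * and the step-count oracle are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-byte MAC: brute forcing the whole value is 2^128 tries, but a
 * byte-at-a-time oracle needs at most 16 * 256 = 4096 = 2^12. */
#define MAC_LEN 16

/* Verifier signature: returns 0 when equal, nonzero otherwise, and reports in
 * *steps how many bytes were examined (the stand-in for elapsed time). */
typedef int (*verify_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Vulnerable pattern: a memcmp()-style loop that returns at the first
 * mismatching byte. Work done grows with the length of the correct prefix. */
static int leaky_memcmp(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 1;
        }
    }
    *steps = n;
    return 0;
}

/* Fixed pattern, after the kernel's crypto_memneq(): XOR every byte pair and
 * OR-fold the result, with no data-dependent early exit. The real kernel code
 * also hides the accumulator from the optimizer (OPTIMIZER_HIDE_VAR) so the
 * compiler cannot reintroduce a branch; that barrier is omitted here. */
static int ct_memneq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    unsigned int neq = 0;
    for (size_t i = 0; i < n; i++)
        neq |= a[i] ^ b[i];
    *steps = n;
    return neq != 0;
}

/* Attacker: recover the MAC one byte at a time using only the verifier's
 * answer and the step count. Returns the number of verification queries used;
 * out[] receives the attacker's best guess. */
static size_t recover_mac(verify_fn verify, const uint8_t *secret, uint8_t out[MAC_LEN])
{
    size_t queries = 0;
    memset(out, 0, MAC_LEN);
    for (size_t pos = 0; pos < MAC_LEN; pos++) {
        for (unsigned int v = 0; v < 256; v++) {
            size_t steps;
            out[pos] = (uint8_t)v;
            queries++;
            if (verify(secret, out, MAC_LEN, &steps) == 0)
                return queries;          /* full match: forgery complete */
            if (steps > pos + 1)
                break;                   /* compare ran past byte pos, so it was right */
        }
    }
    return queries;
}

/* Constructed secret MAC for the demonstration (not a real EVM value). */
static const uint8_t secret_mac[MAC_LEN] = {
    0x3a, 0x9f, 0x01, 0xc4, 0x55, 0x7e, 0xb2, 0x10,
    0xde, 0xad, 0xbe, 0xef, 0x42, 0x00, 0xff, 0x6b
};

/* Against the leaky verifier: returns the query count if the MAC was recovered
 * exactly, 0 if not. A positive count no larger than MAC_LEN * 256 is expected. */
static size_t leaky_verifier_recovery_queries(void)
{
    uint8_t guess[MAC_LEN];
    size_t q = recover_mac(leaky_memcmp, secret_mac, guess);
    return memcmp(guess, secret_mac, MAC_LEN) == 0 ? q : 0;
}

/* Against the constant-time verifier: returns 1 if the attack failed to
 * recover the MAC (the oracle carries no information), 0 if it succeeded. */
static int constant_time_resists(void)
{
    uint8_t guess[MAC_LEN];
    recover_mac(ct_memneq, secret_mac, guess);
    return memcmp(guess, secret_mac, MAC_LEN) != 0;
}

int main(void)
{
    printf("leaky memcmp(): MAC recovered in %zu queries (bound %d)\n",
           leaky_verifier_recovery_queries(), MAC_LEN * 256);
    printf("constant-time compare: attack %s\n",
           constant_time_resists() ? "failed" : "succeeded");
    return 0;
}
```

The step count stands in for the elapsed time an attacker would measure on a real system; the point is that the leaky verifier's step count reveals how many leading bytes of the guess were correct, while the constant-time verifier always examines every byte, so the same attack loop learns nothing and its guess never converges.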
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.