[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2946-1)

[Jamie Iles]

Synopsis: USN-2946-1 can now be patched using Ksplice
CVEs: CVE-2015-2085 CVE-2015-8812

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2946-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-8812: Use-after-free in Infiniband CXGB3 driver on network congestion.

A logic error in the Infiniband CXGB3 driver could lead to a use-after-free
of a socket buffer when the network is congested.  A local, unprivileged
user could use this flaw to cause a kernel crash or potentially escalate
privileges.


* CVE-2015-2085: Timing side channel attack in EVM integrity module.

The verification routine of the EVM HMAC was using a regular non-constant
memcmp(), allowing attackers to do timing side channel attacks and reduce
the MAC forgery complexity from 2^128 to 2^12.


* Deadlock when reading from rfkill sysfs file.

Incorrect locking in the rfkill sysfs interface can cause a kernel panic
when reading events. A privileged local user could use this flaw to
cause a denial of service.


* Kernel crash in userspace interface for hash algorithm when sending a message.

A failure to wait for the completion of crypto_ahash_init() when using
sendpage()/sendmsg() could cause a kernel crash.  A local, unprivileged
user could use this flaw to cause a denial-of-service.


* NULL pointer dereference in the Industrial IO (IIO) driver when releasing a channel.

A missing check for NULL pointer when releasing an IIO channel could lead
to a NULL pointer dereference and kernel panic.


* Integer underflow when accessing Intel Storage Controller Unit (SCU) registers.

A flaw in the Intel SCU driver could lead to an integer underflow when
accessing the SCU registers.  A local user with CAP_SYS_RAWIO could use
this flaw to cause out of range memory accesses leading to a kernel crash.


* Kernel log buffer flood in ALSA rawmidi driver.

The ALSA rawmidi driver would dump the kernel stack to the kernel log
buffer every time userspace would pass it a NULL pointer.  A local,
unprivileged user with access to the ALSA device could use this flaw to
flood the kernel logs, potentially causing a denial-of-service or gaining
information about the running kernel if he's able to read the kernel log.


* Multiple kernel deadlocks in ALSA OSS emulation.

Incorrect locking in the ALSA OSS emulation code could lead to AB-BA
deadlocks when accessing read()/write() and mmap() concurrently.  A local
user could use these flaws to cause a denial-of-service.


* Multiple use-after-free in ALSA sequencers when closing the device.

Incorrect locking in the ALSA sequencers sub-system could lead to different
use-after-free under certain conditions.  A local user could use these
flaws to cause a denial-of-service.


* Kernel panic when handling interrupts for SATA devices.

Incorrect locking can trigger an assertion failure and kernel panic when
handling an interrupt for a SATA device.


* Memory corruption in ALSA rawmidi driver on concurrent read/write.

Incorrect locking in the ALSA rawmidi driver on concurrent read/write
operations could lead to memory corruptions.  A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Use-after-free when unloading xHCI host driver.

A flaw in the xHCI host driver could lead to reading already freed memory
when removing the driver.  A local user with the ability to unload the xHCI
kernel module could use this flaw to cause a denial-of-service.


* Kernel hang in Btrfs filesystem when using the BTRFS_IOC_INO_PATHS ioctl.

Double locking of the same read/write lock in the Btrfs filesystem when
querying the path of an inode could lead to a kernel deadlock.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Information leak in ALSA sound sub-system when parsing the HDMI EDID-Like-Data (ELD).

Lack of proper bounds checking when copying the HDMI ELD structure could
lead to leaking 256 bytes of kernel memory under certain conditions.


* Kernel deadlock when dumping the call stack on multiple CPUs.

Incorrect locking when dumping the kernel stack to the kernel log buffer on
multiple CPUs could lead to a deadlock.  An attacker with the ability to
trigger concurrent dump_stack() calls could use this flaw to cause a
denial-of-service.


* Use-after-free in the crypto sub-system when traversing the list of crypto algorithms.

Incorrect locking when traversing the list of crypto algorithms could lead
to a use-after-free when concurrently unregistering an algorithm.  A local,
unprivileged user could use this flaw to cause a kernel crash.


* Integer overflow in ext4 buffer allocation.

An integer overflow in ext4 could cause access to invalid memory regions
not owned by the filesystem, possibly corrupting them.


* Data corruption on ext4 filesystem when moving data to a donor file.

A flaw in the ext4 filesystem when moving data to a donor file could lead
to data corruption.


* Memory corruption in QXL virtual GPU ioctls.

An integer overflow in the QXL virtual GPU can allow a local user to
cause kernel memory corruption via ioctls.


* Memory corruption when parsing numbers from NFS requests.

The kernel NFS server does not correctly parse hex strings from
userspace which can trigger kernel memory corruption.


* Kernel panic when starting fastopen TCP connections.

The kernel TCP stack does not correctly handle starting fastopen
connections which can trigger a NULL pointer deference and kernel panic.


* Memory leak when reading from AF_UNIX socket.

Incorrect reference counting when reading from AF_UNIX can trigger a
memory leak when a signal is delivered to a process.


* Memory leak when sending IPv4 data with ancillary data.

The kernel IPv4 stack does not free ancillary data when failing to send
IPv4 data which causes a kernel memory leak.


* Denial-of-service in ALSA timer handling.

Multiple locking flaws in the ALSA timer handling could lead to memory
corruptions and denial-of-service on concurrent operations.  A local user
could use these flaws to cause a denial-of-service.


* Kernel panic in the radix tree library when doing a gang lookup.

A race condition in the radix tree library in the kernel could lead to type
confusion and kernel panic when doing a gang lookup and concurrently
growing the radix tree.  A local user could use this flaw to cause a
denial-of-service.


* Memory leak in the ALSA audio driver on concurrent writes to the sequencer device.

Incorrect locking in the ALSA audio sequencer could lead to a memory leak
on concurrent writes to the sequencer device.  A local user with write
access to the sequencer device could use this flaw to exhaust the memory on
the system.


* Infinite loop when unmounting an OCFS2 filesystem using the kernel distributed lock manager.

A logic error when releasing the locks of an OCFS2 recovery master dead
node could lead to an infinite loop when later trying to unmount the OCFS2
filesystem.


* Kernel deadlock when validating a memory context.

A race condition in the virtual memory subsystem when validating a memory
context could lead to a deadlock.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Kernel panic when failing to open file.

The generic VFS subsystem does not validate the status of filesystem
operations which can trigger a kernel panic.


* Kernel panic when closing Philips SAA7134 devices.

The Philips SAA7134 TV card driver does not correctly free memory when
closing a device which can lead to a NULL pointer dereference and kernel
panic.


* Data corruption with direct IO on ext4.

A race in the handling of locked and unlocked IO completion with Direct IO
can cause data corruption on ext4 filesystems.


* SMAP bypass in 32bit compatibility syscall handler.

The 32bit compatibility syscall does not disable the Access Control flag
when entering kernel-mode which can allow kernel code to incorrectly
access user-mode data.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.