[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2907-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Feb 25 02:39:45 PST 2016


Synopsis: USN-2907-1 can now be patched using Ksplice
CVEs: CVE-2015-1575 CVE-2015-1576 CVE-2015-7513 CVE-2015-7550 CVE-2015-8543 CVE-2015-8569

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2907-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
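The two installation paths above (automatic when "autoinstall = yes" is set, manual "uptrack-upgrade -y" otherwise) can be checked from a fleet script. The following POSIX sh snippet is an added example and is not part of the Ksplice announcement or Oracle's tooling: it reads the autoinstall setting from an uptrack.conf-style file whose path is passed as an argument (the real file is /etc/uptrack/uptrack.conf) and reports whether a host still needs the manual command. The sample config files it writes are constructed for the demonstration; accepting the value case-insensitively is an assumption, since the announcement only shows "yes".

```shell
#!/bin/sh
# Added example, not from the Ksplice announcement: decide whether a host
# needs a manual "uptrack-upgrade -y" for this advisory by reading the
# "autoinstall" key from an uptrack.conf-style file.

# Return 0 when the config enables autoinstall, 1 otherwise.
# Ignores commented lines, tolerates whitespace around "=", and treats a
# missing or unreadable file as "no" so the caller falls back to the
# manual command. Case-insensitive matching of "yes" is an assumption.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Last uncommented "autoinstall = <value>" line wins, ini-style.
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "automatic" when no action is needed, otherwise the command from
# the announcement that the operator must run.
uptrack_required_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs so the script runs stand-alone (not real
# /etc/uptrack/uptrack.conf contents); removed when the script exits.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '# constructed sample: autoinstall enabled\nautoinstall = yes\n' > "$demo_dir/auto.conf"
printf '# constructed sample: autoinstall disabled\nautoinstall = no\n' > "$demo_dir/manual.conf"
printf '# constructed sample: key only present in a comment\n# autoinstall = yes\n' > "$demo_dir/commented.conf"

for name in auto manual commented; do
    printf '%s: %s\n' "$name" "$(uptrack_required_action "$demo_dir/$name.conf")"
done
```

Run on a real host as `uptrack_required_action /etc/uptrack/uptrack.conf`; a commented-out key and a missing file both resolve to the manual command, which is the safer default when the state of autoinstall is unknown.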


DESCRIPTION

* Use-after-free in IPv6 multicast router.

Late timer deinitialization could cause a use-after-free when freeing
IPv6 multicast router tables.


* Use-after-free in IPv6 SCTP accept() calls.

Incorrect cloning of IP options during accept() could result in a kernel
crash.  A local, unprivileged user could use this flaw to crash the
system.


* CVE-2015-8569: Information leak in point-to-point protocol.

Missing validation of user input could cause kernel stack memory to be
leaked to userspace in the point-to-point bind() and connect() functions.
A local, unprivileged user could use this flaw to gain information about
the running kernel.


* Information leak in Bluetooth socket binding.

Lack of input validation when binding a Bluetooth socket could result in
kernel stack memory being leaked to userspace.  A local attacker could use
this flaw to gain information about the running kernel.


* Memory leak when removing a routing table in the IPv4 and IPv6 stacks.

Incorrect reference counting when destroying a routing table in the IPv4
and IPv6 stacks leads to a memory leak.  A local user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Infinite loop when submitting invalid I/O vectors to FUSE filesystem.

Due to a logic error in the I/O vector handling during FUSE filesystem
write operations, a malicious local user with access to the filesystem
could cause the kernel to enter an infinite loop.


* Untimely page reclaim when truncating files in Ext4/OCFS2 filesystems.

When an Ext4/OCFS2 filesystem is mounted with data=journal mode,
truncating a file can cause the pages belonging to that file to remain
in memory for a long time, potentially tying up resources for other
users.


* Kernel hang in TTM memory manager.

A read/write-lock locking imbalance in the TTM manager could cause the
kernel to hang indefinitely.


* NULL pointer dereference when disconnecting a USB 3.0 mass storage device in transporting state.

A missing NULL-pointer check when disabling the low power mode of a USB
3.0 mass storage device could lead to a NULL pointer dereference when
disconnecting the device while it is in transporting state.  A local,
unprivileged user with physical access could use this flaw to cause a
denial-of-service.


* Kernel crash in Wireless USB Host Controller Interface (WHCI) driver.

A missing error check when setting up DMA mappings could cause the
kernel and/or hardware to attempt to access nonexistent memory and
subsequently crash.


* Memory leak in Multiple Devices (MD) persistent data driver.

In certain circumstances, a missing error check during btree splitting
could cause the MD persistent data driver to leak memory. A malicious
local user with sufficient privileges could use this to cause denial of
service.


* Kernel crash in 9P filesystem driver.

Due to a logic error in the 9P filesystem driver, closing a device
node on a 9P filesystem which is open on another filesystem could
cause the kernel to crash. A malicious local user with access to a
9P filesystem could use this to cause denial of service.


* Buffer memory leaks in Multiple Devices (MD) persistent data driver.

In certain circumstances involving invalid metadata, a missing error
check could cause the MD persistent data driver to leak memory. A
malicious local user could possibly use this to cause denial of service.


* Kernel BUG during huge page table page fault handling.

A race between page migration/hardware poisoning and huge page handling
could cause an assertion failure. A malicious local user with access to
huge pages could use this to cause denial of service.


* NULL pointer dereference in the TTY line discipline when receiving data.

A missing NULL check before calling the receive_buf function pointer of
a line discipline could lead to a NULL pointer dereference.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak in SPI stack when allocating master device.

A reference was taken on the wrong device when allocating a SPI master
device, leading to a memory leak.  A local user could use this flaw to
exhaust the memory on the system.


* Use-after-free when taking a reference on an IPv6 label.

A logic error in the IPv6 stack could lead to a use-after-free under
certain circumstances.  A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Use-after-free in network destination cache removal.

A use-after-free when removing a network destination cache entry could
result in a kernel crash and denial-of-service.


* CVE-2015-8543: Denial-of-service on out-of-range protocol for raw sockets.

It was discovered that a local user permitted to create raw sockets could
cause a denial-of-service by specifying an invalid protocol number for the
socket.


* Multiple out-of-bounds memory accesses in SCSI enclosure support.

Multiple flaws in the SCSI enclosure support driver could lead to
out-of-bounds memory accesses and kernel panic.  A local user could use
this flaw to cause a denial-of-service.


* CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.

A race condition in the cryptographic key management sub-system could lead
to a kernel crash when revoking and reading a key concurrently.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Denial-of-service when hot-removing memory on missing sections.

A logic error in the routine checking the pages in a memory zone could lead
to a kernel crash when offlining memory.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Use-after-free in ISDN Gigaset driver on device shutdown.

A logic error in the ISDN Gigaset device shutdown path could lead to a
use-after-free and kernel panic.


* Crash in SCSI runtime power management.

A logic error in the handling of SCSI power management could lead to a
kernel crash when devices are manually put into low power mode. A local,
privileged user could use this flaw to cause a denial-of-service.


* Crash in crypto block ciphers when provided a zero-length plaintext.

Failure to copy the IV when provided a zero-length plaintext could lead
to a kernel crash during cipher block initialization. A local, privileged
user could use this flaw to cause a denial-of-service.


* Data corruption during RAID and LVM metadata snapshot.

Improper locking while taking a metadata snapshot could cause out-of-date
data to be saved in the snapshot, leading to data corruption.


* Use-after-free in WiFi/NFC RF switch subsystem after device rename.

The RF switch subsystem improperly handles the device name provided by
the WiFi and NFC drivers, causing a use-after-free when a device is
renamed.


* Deadlock in oneshot interrupt handling.

Improper locking in oneshot interrupt handling could result in a
deadlock on multi-core systems.


* Crash in USB hub initialization due to improper locking.

Improper locking of memory structures during USB hub initialization may
result in a crash if a USB hub is connected and disconnected rapidly.


* Kernel panic after Machine Check Exception with offline CPU.

Intel's Machine Check Architecture broadcasts Machine Check Exceptions to
all CPUs, including offline ones. Offline CPUs will never successfully
complete the rendezvous process causing a kernel panic.


* Crash in kernel tracing of printk_formats.

Improper handling of list indexes in the kernel tracing subsystem
causes a crash when iterating printk_formats. A local, privileged user
could use this flaw to cause a denial-of-service.


* Crash in DMA engine operations used by multiple drivers, including RAID5.

An improper memory allocation type in DMA engine operations used by
multiple drivers, including RAID5, may cause a kernel panic.


* Crash in MDIO Bus multiplexer driver under memory pressure.

Improper handling of memory allocation in the MDIO Bus multiplexer
driver may result in a crash when a memory allocation fails.


* Infinite loop in Aufs when sendfile() is interrupted.

Improper handling of EINTR in Aufs when sendfile() is interrupted
results in an infinite loop. A local user could use this flaw to cause a
denial-of-service.


* Improve fix for CVE-2015-7513: Divide-by-zero in KVM when reloading the programmable interrupt timer.

Missing input sanitization when loading the programmable interrupt timer
counters from userspace could cause KVM to perform a division by zero,
causing a kernel crash.  A local user with the capability to run KVM
machines could use this flaw to cause a denial-of-service.


* CVE-2015-1575, CVE-2015-1576: Multiple permission bypasses on overlayfs mounts.

Overlayfs mounts did not correctly propagate file attributes when mounted
on top of a FUSE filesystem and would also incorrectly propagate file
extended attributes (like POSIX ACLs) under certain circumstances.  A
local, unprivileged user could use these flaws to escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
