[Ksplice][Ubuntu-14.10-Updates] New updates available via Ksplice (USN-2421-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Nov 26 01:41:07 PST 2014


Synopsis: USN-2421-1 can now be patched using Ksplice
CVEs: CVE-2014-3690 CVE-2014-4608 CVE-2014-7825 CVE-2014-7826 CVE-2014-7975

Systems running Ubuntu 14.10 Utopic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2421-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.10 Utopic
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
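As an added example (not part of the Ksplice announcement), a small POSIX shell helper that reads the autoinstall setting from an uptrack.conf-style file and reports whether a host will pick up USN-2421-1 automatically or needs a manual `uptrack-upgrade -y`; the config path is passed in so it can be exercised against a constructed sample file, and the sample file's contents are constructed here, not copied from a real host.

```shell
#!/bin/sh
# Added example, not Ksplice's own code. Classify a host by the
# "autoinstall" key in an uptrack.conf-style file.

# Return 0 when the last uncommented "autoinstall = yes" line is present
# (case and surrounding whitespace ignored), 1 otherwise or if unreadable.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -e 's/#.*//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    [ "$val" = "yes" ]
}

# Print "automatic" when Uptrack will install the update itself, else
# "manual" (the operator must run /usr/sbin/uptrack-upgrade -y).
uptrack_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo automatic
    else
        echo manual
    fi
}

# Constructed sample config, standing in for /etc/uptrack/uptrack.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real host's file
[Settings]
autoinstall = no
Autoinstall = Yes
EOF

uptrack_action "$SAMPLE_CONF"
```

Run it against the real path (`uptrack_action /etc/uptrack/uptrack.conf`) to decide whether to schedule the manual upgrade on a given host.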


DESCRIPTION

* CVE-2014-7825, CVE-2014-7826: Perf DoS and local privilege escalation.

A missing validation of syscall id range allows an attacker to trigger a
kernel panic, or leverage it into gaining root privileges if root was
doing perf tracing at that time.


* Use-after-free in perf subsystem on fork error path.

A flaw in the perf subsystem could lead to releasing a perf event on fork
failure while it is still in use, leading to a use-after-free and kernel
panic. A local attacker could use this flaw to cause a denial-of-service.


* Kernel BUG() in processor clocking control interface driver.

Incorrect locking in the processor clocking control interface driver could
make the kernel sleep while in atomic context, leading to a kernel BUG(). A
local attacker could use this flaw to cause a denial-of-service.


* Buffer overflow in raw packet socket receive function.

Lack of bounds checking when receiving a packet in the raw packet driver
could lead to a buffer overflow and overwrite of kernel memory. A remote
attacker could use this flaw to cause a denial-of-service or potentially
escalate privileges.


* Kernel BUG() in IPv6 on route metrics commit.

Incorrect flags used to allocate memory when committing route metrics could
make the kernel sleep while in atomic context, causing a kernel BUG() and
denial-of-service.


* Kernel BUG() in openvswitch driver when using multiple VLAN headers.

A flaw in the openvswitch driver on receive of a frame with multiple VLAN
headers leads to a kernel BUG(). A remote attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference in L2TP stack when getting PMTU.

A race condition in the L2TP stack when getting the PMTU over PPP could lead
to a NULL pointer dereference and kernel panic. A local attacker could use
this flaw to cause a denial-of-service.


* Divide by zero in bonding driver when enslaving and transmitting.

A flaw in the bonding driver could lead to a division by zero in the kernel
when enslaving and transmitting in round robin or XOR mode. An attacker
could use this flaw to cause a denial-of-service.


* Memory corruption in macvtap driver on concurrent delete and open.

Incorrect locking in the macvtap driver could lead to a list corruption and
kernel panic when deleting and opening macvtap devices concurrently. A
local, privileged user could use this flaw to cause a denial-of-service.


* Multiple use-after-free in HyperV network driver when transmitting.

Multiple flaws in the HyperV network driver could lead to a use-after-free
and kernel panic. A local user could use this flaw to cause a
denial-of-service.


* Out of bounds memory access in crypto CAAM driver when computing hash.

A flaw in the crypto CAAM driver leads to out of bounds memory access when
computing a hash, potentially leading to a kernel crash. A local attacker
could use this flaw to cause a denial-of-service or potentially escalate
privileges.


* Double-free in base node driver when unregistering a node.

An extra call to kfree() when unregistering a node leads to a double free
and kernel panic. A local user could use this flaw to cause a
denial-of-service.


* CVE-2014-7975: Denial-of-service in do_umount.

A missing capability check in do_umount allows unprivileged local users to
remount the root file system read-only, causing a denial-of-service (loss
of writability).


* Deadlock in btrfs disk replacement.

Incorrect locking in btrfs disk replacement could result in deadlock
when replacing a device.  This could result in failure to access the
filesystem.


* File extent corruption in btrfs lseek() with extents.

Incorrect handling of negative offsets in the btrfs lseek()
implementation could result in incorrect extent insertion and locking.
This could cause corruption of files on a btrfs filesystem.


* Kernel panic in btrfs asynchronous reclaim during log recovery.

A missing check for active log recovery could result in performing
asynchronous reclaim at the same time.  This could trigger a kernel
panic.


* Kernel crash during balance failure in btrfs backref building.

Missing error handling in the btrfs backref code could result in hitting
a kernel assertion for a recoverable error.  A maliciously crafted
filesystem could crash the host when mounting the filesystem.


* Use-after-free in Synopsys DesignWare SPI master during module unload.

Missing cleanup could result in continued DMA transfers and a
use-after-free when the module was unloaded.


* Kernel crash in register map bulk register writes.

Incorrect handling of zero length bulk register writes could result in
dereferencing an invalid pointer and crashing the kernel under specific
conditions.


* NULL pointer dereference in QLogic QLA2XXX fibre channel sessions.

A missing pointer assignment during session opening could result in a
NULL pointer dereference and kernel crash.


* Use-after-free in QLogic QLA2XXX fibre channel device removal.

Incorrect handling of device removal could result in accessing a stale
pointer and triggering a kernel crash when removing a QLogic QLA2XXX
device.


* NULL pointer dereference in NFS writeback error handling.

A missing NULL pointer check in the NFS writeback error path could
result in dereferencing a NULL pointer and subsequent kernel crash.


* Out-of-bounds memory access in ALSA pin quirk handling.

Missing array termination could result in accessing beyond the end of an
array into undefined memory.  This could result in a kernel crash when
probing an audio device.


* Denial-of-service in ecryptfs extended attribute setting.

A missing NULL pointer check could result in a kernel crash when setting
an extended attribute on an ecryptfs filesystem.  A local, unprivileged
user could use this flaw to trigger a denial-of-service.


* XFS file corruption during writeback.

Incorrect handling of dirty partial pages on an XFS filesystem could
result in failure to write the contents back to disk.  Under specific
conditions this could cause corruption of a mounted filesystem.


* Improved fix to CVE-2014-4608: Memory corruption in kernel lzo decompressor.

The original upstream fix for CVE-2014-4608 did not cover all cases and
was still exploitable.


* Use-after-free in socket filtering.

Incorrect handling of low memory conditions could result in a
use-after-free when attaching a socket filter.  A local user could use
this flaw to trigger a denial-of-service under specific conditions.


* CVE-2014-3690: Denial of Service in KVM/VMX CR4 register management.

KVM on VMX does not reload the CR4 register when it changes on the host,
which means that host features aren't updated on guests. This could lead
to a local denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
