[Ksplice][Ubuntu-14.10-Updates] New updates available via Ksplice (3.16.0-29.39)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jan 12 13:52:05 PST 2015


Synopsis: 3.16.0-29.39 can now be patched using Ksplice
CVEs: CVE-2014-7842 CVE-2014-8884

Systems running Ubuntu 14.10 Utopic can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.16.0-29.39.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.10 Utopic
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
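
Before running the manual command, an operator usually wants to know which of the two cases above applies to a given host. The following POSIX shell snippet is an added example, not part of this announcement or of the uptrack tooling: it reads the autoinstall setting from an uptrack.conf and reports whether a manual upgrade is still needed. The default config path is the one named above; the parsing rules (comment handling, whitespace around "=", case-insensitive comparison, last setting wins) and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement or the uptrack tooling:
# read the autoinstall setting from an uptrack.conf and report whether the
# host still needs a manual "uptrack-upgrade -y". The parsing rules below are
# assumptions for this illustration, not documented Ksplice behaviour.

# Print "yes" when the file contains an active "autoinstall = yes" line.
# Assumed rules: skip '#' comment lines, allow whitespace around '=',
# strip a trailing comment, compare case-insensitively, last setting wins.
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ ! -r "$conf" ]; then
        echo "no"
        return 0
    fi
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" | tail -n 1)
    case "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" in
        yes) echo "yes" ;;
        *)   echo "no" ;;
    esac
}

# Print the action an operator should take for this advisory on this host.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "autoinstall enabled: updates will be applied automatically"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y as root"
    fi
}
```

Source the file and call `uptrack_action /etc/uptrack/uptrack.conf` on the host; the functions only read the configuration and never invoke uptrack-upgrade themselves.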


DESCRIPTION

* Denial of service in Xen netfront fragment processing.

An incorrect assertion in the Xen netfront network driver can trigger a
kernel panic (BUG_ON) in the guest when processing fragmented packets
which cross page boundaries.


* Kernel panic in rbd block driver during read.

Improper error handling when a memory allocation fails during
a read in the rbd driver could result in an invalid memory access
and kernel panic.


* Invalid free in BTRFS lookup code.

If an error occurred during a btrfs lookup, the wrong list was freed,
leading to a memory leak and a possible use-after-free.
A malicious user could exploit this to cause a denial-of-service.


* Divide-by-zero with UART baud rate setting.

In some scenarios the serial driver did not correctly handle setting
the baud rate to 38400.  This caused an invalid baud rate to be
returned and a kernel WARNING.


* Data corruption in GFS2 file system on rename.

A flaw in the GFS2 file system could cause a dirent write on an invalid
location when renaming a file, leading to data corruption. An attacker
could use this flaw to cause data loss and potentially denial-of-service.


* Out of bounds memory read access in Netfilter stack.

A logic error in the Netfilter stack when obtaining a reference to a netlink
socket leads to reading memory past the boundaries of an array, potentially
causing a kernel panic. A local user could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when creating a netfilter new chain.

A logic error when testing the result of a per-CPU allocation could lead
to a NULL pointer dereference. A local, privileged user could use this flaw
to cause a denial-of-service.


* Integer overflow in netfilter userspace logging with large payloads.

A flaw in the netlink code when sending large payloads to userspace could
lead to an integer overflow and data corruption.


* Memory leak in netfilter stack when sending a packet on the netlink socket.

If an error occurs when appending a DONE message to a netfilter netlink
socket buffer, the socket buffer is never released, causing a memory leak
and blocking further communication on the netlink socket. A local,
privileged user could use this flaw to cause a denial-of-service.


* Use after free in ALSA Dynamic Power Management.

A use-after-free condition can be triggered in the ALSA SoC Dynamic
Audio Power Management module when creating a new mixer, leading to
possible kernel memory corruption.


* Denial of service in generic filesystem mounting.

The generic filesystem mounting implementation does not correctly
validate filesystem parameters, leading to a division by zero and a
kernel panic.


* Use after free in netlink socket and PPP ioctl.

Incorrect reference counting in netlink sendmsg and the PPPIOCDETACH
ioctl can trigger a use-after-free condition and cause kernel memory
corruption.


* Memory corruption in generic SELinux filesystem support.

The kernel SELinux subsystem does not correctly lock resources when
initializing SELinux for a filesystem, leading to possible memory
corruption and a kernel panic.


* Memory leak in i915 driver when freeing user pointer objects.

Incomplete freeing of data when freeing user pointer objects in the
i915 driver could result in a memory leak.  This could be exploited
to cause a denial-of-service.


* Memory leak in Unsorted Block Image flash filesystem.

The kernel does not correctly handle orphaned volumes on an Unsorted
Block Image flash filesystem, leading to a kernel memory leak.


* Memory leak in Xen block backend driver on grant map error.

Incorrect handling of failures during grant mapping can lead to a
memory leak.  A malicious user could use this to cause a denial of
service.


* CVE-2014-8884: Buffer overflow in DEC2000 and DEC3000 USB adapters.

A lack of input validation when copying an ioctl command could lead to
overflowing data on the stack, causing a kernel panic. A local user could
use this flaw to cause a denial-of-service or potentially escalate
privileges.


* Use-after-free in IEEE80211 stack when defragmenting a packet.

A flaw in the IEEE80211 stack upon receiving a fragmented packet leads to a
use-after-free and kernel panic when updating the network statistics. An
attacker could use this flaw to cause a denial-of-service.


* Memory leak in Cryptographic Accelerator and Assurance Module on key generation.

A flaw in the crypto CAAM driver leaves the input DMA area mapped in case
of failure to map the output DMA area when generating a key, leading to a
memory leak. A local user could use this flaw to exhaust the DMA memory
pool and cause a denial-of-service.
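
The key-generation leak above follows a pattern shared by several entries in this advisory (the Xen grant-map and NFS direct-request leaks have the same shape): a resource acquired early is not released on a later error path. The following C program is an added illustration, not code from the CAAM driver or from any other subsystem named here; the map_area()/unmap_area() helpers, the call-counting failure injection and the function names are assumptions constructed for the example. It places the leaky shape beside the corrected one and counts what is left mapped after an injected failure.

```c
/* Added example, not code from the CAAM driver or any other entry above: a
 * small model of the error-path leak described for key generation, where the
 * input DMA area stays mapped after mapping the output area fails. The
 * map_area()/unmap_area() helpers, the call-counting failure injection and
 * the function names are all constructed for this illustration. */
#include <stdio.h>

static int mapped_count;   /* areas currently mapped; non-zero after a call == leak */
static int map_calls;      /* how many map_area() calls have been made so far */
static int fail_on_call;   /* make the Nth map_area() call fail; 0 == never fail */

/* Stand-in for a DMA map call: returns 1 on success, 0 on failure. */
static int map_area(const char *name)
{
    (void)name;
    map_calls++;
    if (fail_on_call && map_calls == fail_on_call)
        return 0;
    mapped_count++;
    return 1;
}

static void unmap_area(const char *name)
{
    (void)name;
    mapped_count--;
}

/* Mirrors the bug as described: on failure to map the output area the
 * function returns an error without unmapping the input area. */
static int keygen_leaky(void)
{
    if (!map_area("input"))
        return -1;
    if (!map_area("output"))
        return -1;              /* BUG: "input" is never unmapped */
    /* ... key generation would run here ... */
    unmap_area("output");
    unmap_area("input");
    return 0;
}

/* Corrected shape: every acquired resource has a matching release on the
 * error path, unwound in reverse order through goto labels (the usual
 * kernel style for this). */
static int keygen_fixed(void)
{
    int ret = -1;

    if (!map_area("input"))
        goto out;
    if (!map_area("output"))
        goto unmap_input;
    /* ... key generation would run here ... */
    ret = 0;
    unmap_area("output");
unmap_input:
    unmap_area("input");
out:
    return ret;
}

/* Run one variant with the given map_area() call forced to fail (0 = none)
 * and return how many areas are still mapped afterwards; 0 means no leak. */
static int leaked_after(int (*variant)(void), int failing_call)
{
    mapped_count = 0;
    map_calls = 0;
    fail_on_call = failing_call;
    variant();
    return mapped_count;
}

int main(void)
{
    printf("leaky, output map fails: %d area(s) left mapped\n",
           leaked_after(keygen_leaky, 2));
    printf("fixed, output map fails: %d area(s) left mapped\n",
           leaked_after(keygen_fixed, 2));
    return 0;
}
```

The same counting approach (acquire count minus release count across a forced failure) is a cheap way to check any driver error path in a unit test before it reaches a kernel where the leak shows up only as a slowly exhausting DMA pool.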


* Invalid memory access when updating bandwidth in Radeon graphic drivers.

The Radeon graphics drivers lack a check that the device has been fully
initialized before updating its bandwidth, potentially using
uninitialized memory and causing a kernel panic on the suspend path. An
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference in CPUfreq sub-system on resume path.

A missing check that the CPUfreq policy isn't NULL when restoring the
policy during a system resume could lead to a NULL pointer dereference. A
local user could use this flaw to cause a denial-of-service.


* Denial-of-service in audit watch sub-system on inode cache eviction.

The audit sub-system does not pin the inode being watched, so the watch
rule is ignored once that inode is evicted from the cache. A local user
could use this flaw to bypass audit watch rules.


* Memory leak in NFS stack when releasing a direct request.

The routine that releases a direct request in the NFS stack failed to
release an internal cinfo structure, leading to a memory leak. A local user
could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Kernel panic in libceph AES encryption engine on large authentication packets.

A flaw in the libceph AES encryption engine leads to a kernel panic on
large authentication packets. An attacker could use this flaw to cause a
denial-of-service.


* Kernel panic in zram sub-system when unmapping a page.

A flaw in the zram sub-system could lead to trying to unmap a NULL pointer,
leading to a kernel panic. An attacker could use this flaw to cause a
denial-of-service under specific conditions.


* Information leak in Firewire stack when doing an ioctl.

An uninitialized variable on the stack could be leaked to userspace when
performing an ioctl() on a Firewire character device. An attacker could use
this flaw to learn details of the running kernel in order to facilitate an
attack.


* NULL pointer dereference in Virtual eXtensible LAN over IPv6.

A flaw in the Virtual eXtensible LAN kernel driver could lead to a NULL
pointer dereference when creating a VXLAN over IPv6 if another VXLAN has
the same source port in use over IPv4. A local, privileged user could use
this flaw to crash the kernel and cause a denial-of-service.


* NULL pointer dereference with SCTP server during ASCONF.

A problem with how SCTP verifies input can lead to a NULL pointer
dereference and kernel panic.  A malicious user could exploit this with
a specially crafted packet to cause a denial-of-service.


* Memory leak in SCTP authentication key management.

Incorrect reference counting when setting the SCTP_AUTH_KEY socket option
on an SCTP socket leads to a memory leak of sensitive keying materials.

A local, unprivileged user could use this flaw to exhaust the memory on the
system and cause a denial-of-service. An attacker with memory read access
could also later gain sensitive information about the keys.


* Memory corruption in Radeon graphic driver on error path.

Failure to initialize a pointer to NULL in various places in the Radeon
graphics driver leads, under certain conditions, to freeing garbage data
from the stack. An attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in Cryptographic Accelerator and Assurance Module.

Incorrect use of scatter-gather functions for DMA operations in the crypto
CAAM module could lead to dereferencing a NULL pointer when updating the
crypto hash multiple times. A local user could use this flaw to cause a
denial-of-service.


* Use-after-free in MAC80211 when registering a new radio.

Lack of unregistering IEEE80211 hardware in the error path of
mac80211_hwsim_create_radio() leads to a use-after-free and possible kernel
panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* Information leak in InfiniBand core stack when creating an address handle.

A missing structure initialization leads to leaking kernel memory to user
space. A local user could use this flaw to gain information about the
running kernel in order to facilitate an attack.


* Out of bounds memory access in Dell WMI hotkeys driver.

A flaw in the Dell WMI driver when notifying of a hotkey event could lead
to dereferencing memory beyond the boundaries of a dynamically allocated
array, potentially causing a kernel panic and/or leaking information about
the running kernel. A local user could use this flaw to cause a
denial-of-service or obtain sensitive information about the allocator.


* Invalid memory access in KVM x86 emulator.

The KVM x86 emulator fails to initialize the operand type to immediate for
specific instructions, possibly leading to the previous operand type being
re-used and causing invalid read/write access to memory. A local attacker
could use this flaw to crash the guest kernel or potentially elevate
privileges.


* CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.

A malicious nested L2 KVM guest can cause the L1 guest to crash by
triggering a race condition when accessing MMIO memory. A local attacker
could use this flaw to cause a denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
