[Ksplice][Ubuntu-14.10-Updates] New updates available via Ksplice (3.16.0-33.44)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Mar 23 12:38:57 PDT 2015


Synopsis: 3.16.0-33.44 can now be patched using Ksplice
CVEs: CVE-2013-7421 CVE-2014-9644 CVE-2015-1421 CVE-2015-1465

Systems running Ubuntu 14.10 Utopic can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.16.0-33.44.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.10 Utopic
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
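As an added example (not part of the Ksplice advisory), the following POSIX sh script turns the two steps above into a per-host check: it reads the autoinstall setting from uptrack.conf and tells the operator whether Uptrack will apply the update itself or whether uptrack-upgrade must be run. It assumes uptrack.conf is a "key = value" file with '#' comments, and that an Ubuntu kernel built from package version 3.16.0-33.44 reports a `uname -r` beginning with its ABI part, 3.16.0-33; both are assumptions, not statements from the advisory.

```shell
#!/bin/sh
# Added example, not part of the Ksplice advisory: report whether this host
# still needs the manual "uptrack-upgrade -y" step for the 3.16.0-33.44 update.
# Assumptions (not stated on the page): uptrack.conf is a "key = value" file
# with '#' comments, and an Ubuntu kernel built from package version
# "3.16.0-33.44" reports a `uname -r` starting with its ABI part "3.16.0-33".

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
ADVISORY_VERSION="3.16.0-33.44"

# Print the (lower-cased) value of "autoinstall" from the config, if set.
uptrack_autoinstall_value() {
    [ -r "$1" ] || return 1
    v=$(sed -e 's/#.*$//' "$1" | awk -F= '
        $1 ~ /^[ \t]*autoinstall[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); v = $2 }
        END { if (v != "") print tolower(v) }')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# ABI part of an Ubuntu kernel package version: "3.16.0-33.44" -> "3.16.0-33".
kernel_abi_of() { printf '%s\n' "$1" | sed 's/\.[0-9]*$//'; }

# Succeed when the running kernel (2nd arg, default `uname -r`) is built from
# the given package version.
running_kernel_matches() {
    abi=$(kernel_abi_of "$1")
    rel="${2:-$(uname -r)}"
    case "$rel" in
        "$abi"-*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print what the operator has to do on this host:
#   skip      - kernel is not 3.16.0-33.44, this advisory does not apply
#   automatic - "autoinstall = yes", Uptrack applies the updates itself
#   manual    - run /usr/sbin/uptrack-upgrade -y
uptrack_action() {
    running_kernel_matches "$ADVISORY_VERSION" "$2" || { echo skip; return 0; }
    if [ "$(uptrack_autoinstall_value "$1" 2>/dev/null)" = "yes" ]; then
        echo automatic
    else
        echo manual
    fi
}

uptrack_action "$UPTRACK_CONF" "$(uname -r)"
```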


DESCRIPTION

* Kernel panic when filtering netlink packets.

The kernel netlink netfilter implementation does not correctly validate
the length of received netlink packets which can trigger an out-of-
bounds read and possible kernel panic.


* Deadlock when unregistering pin control devices.

Incorrect locking when the kernel pin control (pinctrl) driver attempts
to unregister a device can trigger a deadlock and kernel panic.


* Deadlock when unregistering GPIO chip.

Incorrect locking in the kernel GPIO driver when unregistering a GPIO chip
can trigger a deadlock and kernel panic.


* Deadlock in CIFS COPYCHUNK_FILE ioctl.

The CIFS filesystem COPYCHUNK_FILE ioctl does not validate that the file
descriptor arguments are regular files which can trigger a deadlock and
kernel panic.


* Kernel panic when flushing SFF ATA devices.

Incorrect locking when flushing Small Form Factor ATA devices can
trigger a BUG_ON and kernel panic.


* Off-by-one in kernel bunzip2 decompressor.

The kernel bunzip2 decompressor does not correctly validate offsets when
decompressing data, which can lead to an out-of-bounds read and possible
kernel panic.


* Deadlock in NFS when performing direct IO to regular file.

Direct IO is only supported on NFS mounts when writing to a swapfile. An
attempt to perform direct IO on a regular file will trigger a deadlock
and kernel panic.


* Kernel panic in NFSv4 client state recovery.

Attempting state recovery on a partially initialised NFSv4 client can
trigger memory corruption and a kernel panic.


* Resource leak when unmapping Rados Block Device filesystem.

Incorrect reference counting in the Rados Block Device (RBD) filesystem
driver can cause a resource leak when unmapping a filesystem that has
been cloned.


* CVE-2015-1421: Privilege escalation in SCTP INIT collisions.

Missing reference counting could result in a use-after-free during an
INIT collision when establishing an SCTP socket.  A remote attacker
could use this flaw to trigger a denial-of-service or potentially gain
privileges.


* CVE-2015-1465: Denial of service in IPv4 packet forwarding.

A remote user can trigger a denial-of-service by sending a large number
of packets needing redirection which triggers high CPU load.


* NULL pointer dereference during hotplug CPU offline.

A race condition when hotplugging a CPU could result in failure to
initialize a percpu thread, causing a NULL pointer dereference when the
CPU was later offlined.


* Userspace memory corruption on page walks.

Incorrect handling of mapped files that had not been written to could
result in reading incorrect data when performing a page walk such as
reading /proc/pid/mem.


* Information leak when reading IPv4 and IPv6 error queue.

The error queue mechanism (MSG_ERRQUEUE) in IPv4 and IPv6 sockets does
not correctly initialise kernel data structures, which causes the
contents of kernel memory to be leaked to userspace.


* Denial of service when routing IPv6 atomic fragments.

The kernel IPv6 implementation processes atomic fragments according to
the IPv6 RFC. However, remote attackers can leverage a feature of
atomic fragments to stop the routing of IPv6 traffic, causing a denial
of service.


* Use-after-free when receiving IPv4 and IPv6 ICMP echo replies.

The kernel IPv4 and IPv6 subsystems incorrectly free memory when
receiving ICMP echo replies which can trigger a use-after-free condition
and kernel panic.


* Kernel panic when receiving compressed PPP data.

The kernel Point-to-Point networking implementation does not correctly
handle decompressing large PPP packets which can trigger an assertion
failure and kernel panic.


* Use-after-free when sending large frames via Hyper-V network driver.

The Hyper-V virtual network driver does not correctly handle errors when
sending large frames which allows a guest VM to trigger a use-after-free
condition and kernel panic in the host.


* Deadlock when suspending Realtek USB card readers.

The kernel driver for Realtek USB card reader devices incorrectly holds
a lock which can trigger a deadlock and kernel panic.


* Kernel panic in Multiple Device (RAID and LVM) metadata cache.

The metadata cache used by the Multiple Device (MD) driver uses an
invalid pointer when an error occurs triggering a kernel panic.


* Resource leak in GPIO during sysfs accesses.

Multiple call sites in the GPIO sysfs handling code failed to put
resources on exit.  This could result in failure to remove devices and
memory leaks.


* CVE-2013-7421, CVE-2014-9644: Arbitrary module loading by users in crypto API.

The kernel crypto API does not restrict which kernel modules can be
loaded automatically which allows users to load arbitrary kernel
modules. This allows an unprivileged user to increase the attack surface
of the kernel.


* Privilege escalation in user event interface ioctl().

Incorrect handling of bitmasks could result in a heap buffer overflow
when copying events to userspace.  A local, unprivileged user with
access to the input devices could use this flaw to crash the system, or
potentially escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
