[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (3.19.0-30.33)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Sep 28 17:45:28 PDT 2015


Synopsis: 3.19.0-30.33 can now be patched using Ksplice
CVEs: CVE-2015-5697

Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.19.0-30.33.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
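
The choice between the two paths above can be checked per host. The following is an added example, not part of Oracle's announcement or of Uptrack itself: a POSIX shell check that reads the effective autoinstall setting and prints which path applies. The function names and the sample file contents are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): report whether this host still needs
# the manual upgrade command from the advisory.

# Print the effective "autoinstall" setting of an uptrack.conf-style file:
# yes, no, unset (key absent or another value) or missing (file unreadable).
# Comment lines are skipped, so a commented-out "#autoinstall = yes" is not
# counted; the last uncommented assignment wins.
autoinstall_value() {
    [ -r "$1" ] || { echo missing; return 0; }
    awk '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "autoinstall") result = val
        }
        END {
            if (result == "yes" || result == "no") print result
            else print "unset"
        }
    ' "$1"
}

# Map the setting to the action the advisory describes.
next_step() {
    case "$(autoinstall_value "$1")" in
        yes)     echo "autoinstall enabled: updates install automatically" ;;
        missing) echo "cannot read $1: is Ksplice Uptrack installed?" ;;
        *)       echo "run: /usr/sbin/uptrack-upgrade -y" ;;
    esac
}

# Constructed sample: a naive grep for "autoinstall = yes" would match the
# commented-out line here and wrongly report the host as self-updating.
sample_conf() {
    printf '%s\n' '[Settings]' '#autoinstall = yes' 'autoinstall = no'
}

next_step "${1:-/etc/uptrack/uptrack.conf}"
```

Any value other than an uncommented "yes" is reported as needing the manual command, so an unexpected setting fails towards patching rather than towards silence.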


DESCRIPTION

* CVE-2015-5697: information leak in RAID/LVM GET_BITMAP_FILE ioctl().

Missing initialization of the buffer used for reading bitmaps could
result in leaking up to 4095 bytes of kernel heap memory to userspace.  A
local user with access to an MD device could use this flaw to gain
information about kernel layout.


* NULL pointer dereference in USB XHCI endpoint creation.

Incorrect handling of cached rings during XHCI endpoint creation could
result in a NULL pointer dereference and kernel crash.


* RAID0/RAID10 device corruption during discard.

Under specific conditions, an I/O operation could cause corruption when
performing a discard operation on a RAID0 or RAID10 device.


* Kernel crash when closing serial TTY device.

A race condition in the generic serial TTY device driver could
cause kernel crashes when simultaneously receiving data and closing
the serial device. A malicious user could use this to cause denial
of service.


* Kernel panic in SDHCI MMC/SD driver when adding host.

Due to a missing check in the MMC host driver, adding an SDHCI host
could cause a NULL pointer dereference or kernel panic.


* Page faults during Nouveau framebuffer console initialization.

Incorrect calculation of free ring buffer space during Nouveau
framebuffer console initialization could cause memory accesses
outside the ring buffer and subsequent page faults and kernel crashes.


* Kernel panic when queueing commands to IBM Power RAID driver.

A race condition caused by incorrect locking in the IBM Power RAID
driver can trigger a kernel panic when removing devices from a RAID
controller.


* Memory corruption in IBM Power RAID driver.

Incorrect logic in the IBM Power RAID tracing support can trigger an
out-of-bounds write causing kernel memory corruption and a kernel panic.


* Memory leak in multiqueue support for SCSI block devices.

Under certain circumstances, sending commands with large data transfer
lengths could result in a memory leak. A malicious user could
potentially use this to cause denial of service.


* Data loss when reshaping RAID10 volume.

A logic error when calculating metadata can trigger data loss when
resizing a RAID10 volume.


* NULL pointer dereference when replacing BPF-based traffic classifier.

A logic error in the kernel traffic classification system can trigger
a NULL pointer dereference when replacing an existing BPF traffic
classifier.


* Use-after-free in Controlled Delay (CODEL) packet scheduler.

Incorrect memory management in the Controlled Delay (CODEL) packet
scheduler can trigger a use-after-free condition and kernel panic when
dropping packets.


* Use-after-free in Stochastic Fairness Queueing (SFQ) packet scheduler.

Incorrect memory management in the Stochastic Fairness Queueing (SFQ)
packet scheduler can trigger a use-after-free condition and kernel panic
when dropping packets.


* Memory corruption when receiving datagram packets.

Incorrect reference counting can cause a double-free and kernel panic
when peeking received datagram packets, such as the UDP and netlink
protocols.


* NULL pointer dereference when replacing flow-based traffic classifier.

A logic error in the kernel traffic classification system can trigger
a NULL pointer dereference when replacing an existing flow-based traffic
classifier.


* Denial of service when freeing Xen netback driver grants.

A logic error in the Xen netback driver can trigger an assertion failure
and kernel panic when freeing grants used in zerocopy transfers.


* Kernel panic in IP virtual server syncing.

A logic error in the kernel IP virtual server support can trigger a
kernel panic when synchronizing a connection using version 0 of the sync
protocol.


* Memory leak when attaching hook to AF_PACKET sockets.

Incorrect reference counting in the AF_PACKET socket implementation can
cause a memory leak when attaching a packet hook to an AF_PACKET socket.
This flaw can be triggered by a local user with the CAP_NET_RAW capability.


* Domain ID leak in VT-d IOMMU during domain exit.

Due to a missing test during VT-d domain exits, the domain ID is
leaked and never recovered. A malicious user with the ability to
create and destroy domains can exhaust the set of domain IDs and
thus cause denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


