[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (3.19.0-58.64)

Tue Apr 5 11:54:29 PDT 2016

Synopsis: 3.19.0-58.64 can now be patched using Ksplice
CVEs: CVE-2015-2085 CVE-2015-8812

Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.19.0-58.64.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2015-8812: Use-after-free in Infiniband CXGB3 driver on network congestion.

A logic error in the Infiniband CXGB3 driver could lead to a use-after-free
of a socket buffer when the network is congested.  A local, unprivileged
user could use this flaw to cause a kernel crash or potentially escalate
privileges.

* CVE-2015-2085: Timing side channel attack in EVM integrity module.

The verification routine of the EVM HMAC was using a regular non-constant
memcmp(), allowing attackers to do timing side channel attacks and reduce
the MAC forgery complexity from 2^128 to 2^12.

* Deadlock when reading from rfkill sysfs file.

Incorrect locking in the rfkill sysfs interface can cause a kernel panic
when reading events. A privileged local user could use this flaw to
cause a denial of service.

* Kernel crash in userspace interface for hash algorithm when sending a message.

A failure to wait for the completion of crypto_ahash_init() when using
sendpage()/sendmsg() could cause a kernel crash.  A local, unprivileged
user could use this flaw to cause a denial-of-service.

* NULL pointer dereference in the Industrial IO (IIO) driver when releasing a channel.

A missing check for NULL pointer when releasing an IIO channel could lead
to a NULL pointer dereference and kernel panic.

* Integer underflow when accessing Intel Storage Controller Unit (SCU) registers.

A flaw in the Intel SCU driver could lead to an integer underflow when
accessing the SCU registers.  A local user with CAP_SYS_RAWIO could use
this flaw to cause out of range memory accesses leading to a kernel crash.

* Kernel log buffer flood in ALSA rawmidi driver.

The ALSA rawmidi driver would dump the kernel stack to the kernel log
buffer every time userspace would pass it a NULL pointer.  A local,
unprivileged user with access to the ALSA device could use this flaw to
flood the kernel logs, potentially causing a denial-of-service or gaining
information about the running kernel if he's able to read the kernel log.

* Multiple kernel deadlocks in ALSA OSS emulation.

Incorrect locking in the ALSA OSS emulation code could lead to AB-BA
deadlocks when accessing read()/write() and mmap() concurrently.  A local
user could use these flaws to cause a denial-of-service.

* Multiple use-after-free in ALSA sequencers when closing the device.

Incorrect locking in the ALSA sequencers sub-system could lead to different
use-after-free under certain conditions.  A local user could use these
flaws to cause a denial-of-service.

* Kernel panic when handling interrupts for SATA devices.

Incorrect locking can trigger an assertion failure and kernel panic when
handling an interrupt for a SATA device.

* Memory corruption in ALSA rawmidi driver on concurrent read/write.

Incorrect locking in the ALSA rawmidi driver on concurrent read/write
operations could lead to memory corruptions.  A local, unprivileged user
could use this flaw to cause a denial-of-service.

* Kernel panic in the radix tree library when doing a gang lookup.

A race condition in the radix tree library in the kernel could lead to type
confusion and kernel panic when doing a gang lookup and concurrently
growing the radix tree.  A local user could use this flaw to cause a
denial-of-service.

* Use-after-free when unloading xHCI host driver.

A flaw in the xHCI host driver could lead to reading already freed memory
when removing the driver.  A local user with the ability to unload the xHCI
kernel module could use this flaw to cause a denial-of-service.

* Kernel hang in Btrfs filesystem when using the BTRFS_IOC_INO_PATHS ioctl.

Double locking of the same read/write lock in the Btrfs filesystem when
querying the path of an inode could lead to a kernel deadlock.  A local,
unprivileged user could use this flaw to cause a denial-of-service.

* Information leak in ALSA sound sub-system when parsing the HDMI EDID-Like-Data (ELD).

Lack of proper bounds checking when copying the HDMI ELD structure could
lead to leaking 256 bytes of kernel memory under certain conditions.

* Kernel deadlock when dumping the call stack on multiple CPUs.

Incorrect locking when dumping the kernel stack to the kernel log buffer on
multiple CPUs could lead to a deadlock.  An attacker with the ability to
trigger concurrent dump_stack() calls could use this flaw to cause a
denial-of-service.

* Kernel deadlock when validating a memory context.

A race condition in the virtual memory subsystem when validating a memory
context could lead to a deadlock.  A local, unprivileged user could use
this flaw to cause a denial-of-service.

* Use-after-free in the crypto sub-system when traversing the list of crypto algorithms.

Incorrect locking when traversing the list of crypto algorithms could lead
to a use-after-free when concurrently unregistering an algorithm.  A local,
unprivileged user could use this flaw to cause a kernel crash.

* Use-after-free in QLogic QLA2xxx queue management.

Incorrect memory management in the QLogic QLA2xxx SCSI devices can
trigger a use-after-free and kernel panic when manipulating queues.

* Kernel panic when parsing VBT in Intel integrated graphics.

The Intel integrated graphics driver does not validate VBT data which
can trigger an out-of-bounds access and kernel panic.

* Kernel hang when removing a SCSI target.

A flaw in the SCSI sysfs subsystem could cause the kernel to hang when
removing a SCSI target.  A local user with the ability to remove a SCSI
target could use this flaw to cause a denial-of-service.

* Integer overflow in ext4 buffer allocation.

An integer overflow in ext4 could cause access to invalid memory regions
not owned by the filesystem, possibly corrupting them.

* Data corruption on ext4 filesystem when moving data to a donor file.

A flaw in the ext4 filesystem when moving data to a donor file could lead
to data corruption.

* Memory corruption in QXL virtual GPU ioctls.

An integer overflow in the QXL virtual GPU can allow a local user to
cause kernel memory corruption via ioctls.

* Kernel deadlock in ALSA sound driver when handling pulse code modulation.

Incorrect locking in the ALSA sound driver when handling non-atomic PCM
streams could lead to a deadlock.  A local, unprivileged user could use
this flaw to cause a denial-of-service.

* Memory corruption when parsing numbers from NFS requests.

The kernel NFS server does not correctly parse hex strings from
userspace which can trigger kernel memory corruption.

* Kernel panic when handling signals under Intel MPX.

An out-of-bounds read can be triggered when handling signals under Intel
Memory Protection Extensions which can trigger a kernel panic.

* Kernel panic when starting fastopen TCP connections.

The kernel TCP stack does not correctly handle starting fastopen
connections which can trigger a NULL pointer deference and kernel panic.

* Memory leak when reading from AF_UNIX socket.

Incorrect reference counting when reading from AF_UNIX can trigger a
memory leak when a signal is delivered to a process.

* Memory leak when sending IPv4 data with ancillary data.

The kernel IPv4 stack does not free ancillary data when failing to send
IPv4 data which causes a kernel memory leak.

* Kernel panic when closing Philips SAA7134 devices.

The Philips SAA7134 TV card driver does not correctly free memory when
closing a device which can lead to a NULL pointer dereference and kernel
panic.

* Kernel panic when failing to open file.

The generic VFS subsystem does not validate the status of filesystem
operations which can trigger a kernel panic.

* Infinite loop when unmounting an OCFS2 filesystem using the kernel distributed lock manager.

A logic error when releasing the locks of an OCFS2 recovery master dead
node could lead to an infinite loop when later trying to unmount the OCFS2
filesystem.

* SMAP bypass in 32bit compatibility syscall handler.

The 32bit compatibility syscall does not disable the Access Control flag
when entering kernel-mode which can allow kernel code to incorrectly
access user-mode data.

* Denial-of-service in ALSA timer handling.

Multiple locking flaws in the ALSA timer handling could lead to memory
corruptions and denial-of-service on concurrent operations.  A local user
could use these flaws to cause a denial-of-service.

* Memory leak in the ALSA audio driver on concurrent writes to the sequencer device.

Incorrect locking in the ALSA audio sequencer could lead to a memory leak
on concurrent writes to the sequencer device.  A local user with write
access to the sequencer device could use this flaw to exhaust the memory on
the system.

* Data loss in ext4 with concurrent direct IO operations.

The ext4 filesystem driver does not correctly handle multiple direct IO
operations on the same file which can lead to data loss.

* Use-after-free in the kernel list library on concurrent hotplug events.

The starting node given to klist_iter_init_node() might not be on the list
anymore in case of concurrent hotplug events, potentially leading to a
user-after-free and crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.