[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (USN-3001-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jun 16 23:54:18 PDT 2016


Synopsis: USN-3001-1 can now be patched using Ksplice
CVEs: CVE-2016-1583 CVE-2016-2117 CVE-2016-2187 CVE-2016-3672 CVE-2016-3951 CVE-2016-3955 CVE-2016-3961 CVE-2016-4485 CVE-2016-4486 CVE-2016-4565 CVE-2016-4581

Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3001-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

IMPORTANT NOTE

The Ksplice update fixing CVE-2016-1583 will not apply if there are any
mounted eCryptfs filesystems.  Please unmount them temporarily whilst
running uptrack-upgrade.
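The installation steps above amount to a short preflight: if autoinstall is on, nothing needs doing; otherwise eCryptfs mounts must be gone before uptrack-upgrade is run. The script below is an added example, not part of this announcement or of Ksplice itself. It uses only the file paths the announcement names (/etc/uptrack/uptrack.conf, /usr/sbin/uptrack-upgrade) plus /proc/mounts, and the config and mount-table contents it reads are constructed samples written to a temporary directory; it reports the action to take rather than running uptrack-upgrade or umount itself.

```shell
#!/bin/sh
# Added example (not Ksplice's own tooling): preflight for uptrack-upgrade.
# Sample file contents below are constructed; only the file paths are real.

# Print the mount point of every eCryptfs mount in the given mount table
# (default /proc/mounts). Exit 0 if any were found, 1 otherwise.
ecryptfs_mounts() {
    mounts_file="${1:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '$3 == "ecryptfs" { print $2; found = 1 } END { exit !found }' "$mounts_file"
}

# Exit 0 if uptrack.conf contains an active "autoinstall = yes" line
# (spaces optional, case-insensitive), ignoring commented-out lines.
autoinstall_enabled() {
    conf_file="${1:-/etc/uptrack/uptrack.conf}"
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes' "$conf_file"
}

# Decide the next step and print one token so the decision can be logged:
#   auto    - autoinstall is on; Ksplice applies the updates itself
#   unmount - eCryptfs mounts present; unmount them before uptrack-upgrade
#   upgrade - safe to run /usr/sbin/uptrack-upgrade -y now
preflight() {
    conf_file="$1"
    mounts_file="$2"
    if autoinstall_enabled "$conf_file"; then
        echo auto
    elif ecryptfs_mounts "$mounts_file" >/dev/null; then
        echo unmount
    else
        echo upgrade
    fi
}

# --- constructed sample inputs (stand-ins for the real system files) ---
tmpdir=$(mktemp -d)
SAMPLE_CONF_AUTO="$tmpdir/uptrack-auto.conf"
SAMPLE_CONF_MANUAL="$tmpdir/uptrack-manual.conf"
SAMPLE_MOUNTS_ECRYPTFS="$tmpdir/mounts-ecryptfs"
SAMPLE_MOUNTS_CLEAN="$tmpdir/mounts-clean"

printf '# constructed sample uptrack.conf\nautoinstall = yes\n' > "$SAMPLE_CONF_AUTO"
printf '# constructed sample uptrack.conf\n# autoinstall = yes\nautoinstall = no\n' > "$SAMPLE_CONF_MANUAL"
cat > "$SAMPLE_MOUNTS_ECRYPTFS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime 0 0
EOF
cat > "$SAMPLE_MOUNTS_CLEAN" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
EOF

# Demo run against the manual-install config with an eCryptfs home mounted.
case "$(preflight "$SAMPLE_CONF_MANUAL" "$SAMPLE_MOUNTS_ECRYPTFS")" in
    auto)    echo "autoinstall = yes: Ksplice will install the updates itself" ;;
    unmount) echo "unmount these eCryptfs mounts, then run /usr/sbin/uptrack-upgrade -y:"
             ecryptfs_mounts "$SAMPLE_MOUNTS_ECRYPTFS" ;;
    upgrade) echo "no eCryptfs mounts: run /usr/sbin/uptrack-upgrade -y" ;;
esac
```

On a real host, call `preflight /etc/uptrack/uptrack.conf /proc/mounts` and act on the token; the "unmount" branch lists exactly the mount points that must be released before the CVE-2016-1583 update can apply.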

DESCRIPTION

* CVE-2016-3951: Use-after-free in USB networking device probe failure.

Incorrect error handling when registering a USB networking device could
result in a use-after-free condition and kernel crash.


* CVE-2016-3955: Privilege escalation in IP over USB driver.

Missing user supplied input validation could result in an out-of-bounds
write allowing a local user to crash the system or potentially escalate
privileges.


* CVE-2016-3672: ASLR bypass on 32-bit processes.

Enabling an unlimited stack size would completely disable ASLR for
processes with the limit applied.  A local user could use this flaw to
reduce the security of a setuid/setgid application.


* CVE-2016-2187: Denial of service in GTCO CallComp/InterWrite USB descriptor parsing.

A logic error in the GTCO CallComp/InterWrite USB driver can allow a
malformed USB descriptor with zero endpoints to trigger a NULL pointer
dereference and kernel panic.


* Infinite loop when calculating the IP checksum on destination link failure.

Lack of proper memory zeroing in case of destination link failure could
lead to an infinite loop when calculating IP checksums.


* Use-after-free when decrypting a packet after the netdevice was unregistered.

Asynchronous decryptions of packets on the netdevice receive queue were not
properly taking a reference on the netdevice, potentially leading to a
use-after-free if the netdevice is unregistered after queueing such packets
for decryption.


* Memory corruption when inserting data into associative arrays.

A logic error in the generic associative array module can trigger an
out-of-bounds read when inserting a new member. This can be triggered,
for example, by inserting a new cryptographic key into the kernel's
keyring.


* Denial of service in wireless networking netlink interface.

A logic error when handling netlink notifications for wireless devices
can allow malicious local users to disable networking interfaces.


* Use-after-free when disabling a USB XHCI device.

A logic error in the USB XHCI driver can trigger a use-after-free and
kernel panic when disabling an XHCI device multiple times.


* Memory corruption when probing USB Host Controller devices.

A logic error in the Host Controller driver (HCD) can trigger memory
corruption and kernel panic when an HCD device has an invalid companion
device.


* Kernel panic when completing SHA1 multibuffer operations.

A logic error in the cryptographic subsystem handling multibuffer
operations can trigger a use-after-free and kernel panic.


* Information leak in AMD cryptographic coprocessor support.

The AMD cryptographic coprocessor driver does not correctly handle
memory when exporting the state of SHA1 operations which can cause the
contents of the kernel stack to be leaked to userspace.


* Deadlock in Digigram PCXHR ALSA IRQs.

Incorrect locking in the PCXHR IRQ handler can trigger a deadlock and
kernel panic when handling interrupts from a Digigram PCXHR device.


* Kernel panic when handling unvalidated ports in the kernel DRM subsystem.

The kernel DRM driver does not validate ports which are passed from
userspace which can trigger a use-after-free and kernel panic when
handling DRM ioctls.


* Memory corruption when mapping buffer objects from userspace.

Missing validation when mapping buffer objects from userspace can allow
malicious local users to corrupt kernel memory and escalate privileges.


* CVE-2016-2117: Information leak in Atheros ATL2 transmission.

The Atheros ATL2 driver advertised features that weren't supported by
the hardware and this could result in a buffer overflow, leaking the
contents of kernel memory into transmitted packets.


* CVE-2016-4485: Information leak in LLC message processing.

The Logical Link Layer networking driver does not initialize memory when
processing ancillary data requests to an LLC socket which leaks the
contents of kernel memory to userspace. A local user could use this flaw
to infer the layout of kernel memory.


* CVE-2016-4486: Information leak in routing netlink interface.

The netlink interface for querying network routing information does not
initialize memory which leaks the contents of kernel memory to userspace.
A local user could use this flaw to infer the layout of kernel memory.


* Kernel panic when parsing EFI variables.

Incorrect parsing logic can trigger an out-of-bounds read and kernel
panic when reading or writing to EFI variables.


* Kernel panic when using madvise on a hugepage mapping.

The kernel hugepage subsystem does not correctly handle calling madvise
on certain hugepage mappings, which can trigger a bogus BUG_ON and
kernel panic.


* CVE-2016-4581: Denial-of-service in slave mount propagation.

Incorrect handling of mount propagation could result in a NULL pointer
dereference.  A local, unprivileged user could use this flaw to crash
the system.


* Kernel panic when displaying dynamic audio power information.

The sysfs interface for displaying dynamic audio power information to
userspace can trigger a NULL pointer dereference and kernel panic when a
system has a dummy component.


* CVE-2016-4565: Privilege escalation in Infiniband ioctl.

The Infiniband ioctl interface does not correctly validate parameters
from userspace which can allow local users to corrupt kernel memory and
escalate privileges.


* Kernel hang when removing XHCI USB Host Controller.

Improper command handling when the HCD is dying or halted can lead to
a kernel hang when a new device is detected.


* CVE-2016-3961: Xen PV guest crash when using HugeTLBFS.

HugeTLBFS is not supported on Xen PV guests and leads to a kernel crash
when an application tries to mmap() a Huge TLB.  A local user with the
ability to mmap() Huge TLB pages in a Xen PV guest can cause a
denial-of-service of the guest.


* Information leak in mclist netlink attribute.

The netlink interface for querying the mclist attribute does not
initialize memory which leaks the contents of kernel memory to
userspace. A local user could use this flaw to infer the layout of
kernel memory.


* Kernel crash when the DaVinci emac Ethernet driver is removed and re-probed.

Improper initialization of a pointer, which is left holding a stale
value, in the TI DaVinci EMAC Ethernet driver causes a kernel crash.


* Memory leak when creating handle to GEM object.

Incorrect reference counting when creating a handle to a Graphics
Execution Manager (GEM) object can trigger a kernel memory leak and
possible kernel panic.


* Kernel panic when processing VLAN traffic over a BATMAN interface.

The BATMAN mesh networking driver does not correctly account for VLAN
headers when processing Ethernet traffic, which can lead to an
out-of-bounds read and kernel panic.


* Use-after-free when updating BATMAN routing information.

A logic error when updating the routing information of a BATMAN mesh
network can lead to a reference count imbalance, a use-after-free and
a kernel panic.


* NULL pointer dereference in AK8975 Magnetometer interrupt handler.

A NULL pointer dereference can occur in the Asahi Kasei AK8975 3-Axis
Magnetometer interrupt handler if an interrupt occurs during device
initialization, leading to a kernel crash.


* Kernel information leak in Chelsio iSCSI IPv6 route information.

The Chelsio iSCSI IPv6 route lookup does not initialize memory which leaks
the contents of kernel memory to userspace. A local user could use this flaw
to infer the layout of kernel memory.


* CVE-2016-1583: Privilege escalation in eCryptfs.

eCryptfs was incorrectly trying to use the mmap() file operation on a
lower filesystem that may not support it.  A local, unprivileged user
could use this flaw to cause a denial-of-service through recursive
faults or potentially escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
