[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3146-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Dec 2 01:30:32 PST 2016


Synopsis: USN-3146-1 can now be patched using Ksplice
CVEs: CVE-2016-7097 CVE-2016-7425 CVE-2016-9644

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3146-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
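A small POSIX shell helper, added here as an example (not part of the Ksplice announcement or the Uptrack tooling), that reads the autoinstall setting from uptrack.conf and only invokes uptrack-upgrade when automatic installation is off. The parsing rules (ini-style "key = value" lines, '#' comments, last occurrence wins) and the UPTRACK_DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original announcement. Decides whether a
# manual `uptrack-upgrade -y` is needed by reading the autoinstall setting
# from uptrack.conf. The config path and the parsing rules ("key = value"
# lines, '#' comments, last occurrence wins) are assumptions.
UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# uptrack_autoinstall_enabled FILE
# Returns 0 when the effective setting is "autoinstall = yes", 1 otherwise
# (including when the file is missing or unreadable).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Strip comments and whitespace, ignore case, keep the last setting seen.
    value=$(sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$conf" \
            | grep -i '^autoinstall=' | tail -n 1 \
            | cut -d= -f2 | tr '[:upper:]' '[:lower:]')
    [ "$value" = "yes" ]
}

# apply_ksplice_updates FILE
# Prints the action taken. Runs uptrack-upgrade only when autoinstall is
# off and UPTRACK_DRY_RUN is unset (dry-run support is an assumption).
apply_ksplice_updates() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates install automatically"
        return 0
    fi
    echo "autoinstall disabled: running uptrack-upgrade -y"
    [ -n "$UPTRACK_DRY_RUN" ] && return 0
    /usr/sbin/uptrack-upgrade -y
}
```

Run it as `apply_ksplice_updates "$UPTRACK_CONF"`; set UPTRACK_DRY_RUN=1 to see the decision without invoking uptrack-upgrade.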


DESCRIPTION

* Race condition in USB core could cause incorrect data transfer.

A race condition when bulk transferring data to a USB device is
improperly synchronized, potentially allowing access to protected
memory.


* Deadlock in Integrity Management Architecture attribute update.

When updating an attribute on an object in the underlying overlayfs,
the Integrity Management Architecture system accesses the object's
directory entry improperly, potentially deadlocking on the associated
inode and causing a denial of service.


* Data race in Trusted Platform Module 2.0 when unsealing trusted key.

A logic error in the TPM2 code could allow a data race, potentially
breaking or disrupting the chain of trust.


* Missing cancel in Trusted Platform Module 2.0 request callback.

Missing logic to correctly cancel a TPM2 request could cause incorrect
protocol behavior and a break in the chain of trust.


* CVE-2016-7425: Heap corruption in ARECA SATA/SAS RAID host adapter.

Lack of bounds checking when copying data from userspace could lead to heap
corruption.  A local user with the ability to transfer messages to the
ARECA SATA/SAS RAID driver could use this flaw to gain kernel execution.


* Memory corruption when configuring Broadcom 802.11 AP.

Missing data validation when configuring an 802.11 access point using a
Broadcom chipset can allow a privileged local user to trigger kernel
memory corruption and potentially gain elevated privileges.


* Permission bypass in fuse filesystem when changing directory mode.

A flaw in the fuse filesystem could allow a local user to use
previously cached directory modes when they have been changed.
A local user could potentially use this flaw to escalate privileges
or access restricted information.


* Permission bypass in fuse filesystem when using write/truncate/chown.

A flaw in the fuse filesystem could allow a local user to restore
stale directory modes by using write, truncate or chown operations.
A local user could potentially use this flaw to escalate privileges
or access restricted information.


* NULL pointer dereference in Intel XL710 ethernet driver.

A flaw in the PCI error handling of the Intel XL710 ethernet driver
could lead to a NULL pointer dereference.
A local user with the capability to load a module and to trigger PCI
errors could cause a denial of service.


* Memory corruption in Intel Atom audio driver.

Type confusion when controlling an audio stream leads to memory
corruption and kernel panic. An attacker with the ability to
pause and resume an audio stream multiple times could cause a denial
of service.


* Denial-of-service in reiserfs quota handling on mount.

Incorrect locking when initializing quotas for a reiserfs mount could
lead to a deadlock.  A local user with mount permission could use this
flaw to cause a denial-of-service.


* Denial of service when validating RAID6 syndromes.

A reference on a DMA buffer is never released when validating RAID6
syndromes, leading to a memory leak.  A local user with the ability to
cause a RAID6 sync could use this flaw to exhaust the memory on the
system and cause a denial-of-service.


* Filesystem corruption during online defragmentation in the ext4 filesystem.

Moving extents of encrypted files in the ext4 filesystem is not
supported and leads to filesystem corruption.  A local user with the
ability to trigger an online defragmentation could use this flaw to
cause data loss.


* Metadata corruption of uid/gid on ext4 file system.

A logic error when removing an inode from an ext4 filesystem could
lead to metadata corruption and early zeroing of the high 16 bits of the
uid/gid fields before the inode deletion had been committed to disk. An
attacker could potentially use this flaw to bypass permission checks
on an ext4 filesystem.


* Memory leak in ext4 while inserting a range.

A path is not released when inserting a range in the ext4 filesystem.
A local user could use this flaw to exhaust the memory on the system and
cause a denial of service.


* Data leak when removing data in direct access mode in ext4.

Multiple logic errors in the ext4 filesystem prevent data in a file
from being removed on disk when using direct access mode, potentially
leading to a data leak. An attacker could use this flaw to recover
presumably removed data.


* Use-after-free in Distributed Lock Manager.

A logic error when closing dlm filesystem entries could lead to a
use-after-free. A user with the ability to close dlm filesystem
connections could trigger multiple use-after-frees and cause a denial
of service.


* General protection faults in Intel Pstate driver when hotplugging cpus.

Incorrect logic in the Intel Pstate driver when accessing the Hardware
Managed Performance MSR during CPU hotplug could lead to a general
protection fault. A user with the ability to hotplug CPUs could cause a
denial-of-service.


* Free error in ramoops driver during removal.

A flaw in ramoops driver removal could lead to a segmentation fault by
freeing memory that should not be freed. A user with the capability to
load modules could use this flaw to cause a denial-of-service.


* Use-after-free in device mapper driver when removing dm devices.

A locking error when stopping the device mapper queue could lead to a
use-after-free of a work item. An attacker could use this flaw to cause
a denial-of-service.


* Infinite loop when activating path in device mapper.

An error in a condition check when activating a path in the device
mapper multipathing driver could lead to an infinite loop. An attacker
with permission to use the multipath_prepare ioctl could cause a
denial-of-service.


* Kernel information leak in overlayfs directory entry.

A struct dentry address is used as a unique id in an overlayfs
directory function. A local attacker could use this to gain information
about the running kernel and facilitate an attack.


* Permission bypass in NFSv4 during open state recovery.

Incorrect error checking during open state recovery could lead to
mismatched permissions between client and server. An attacker could
use this flaw to bypass permissions.


* Use-after-free when probing some scsi devices.

An error in refcounting when probing a scsi device could lead to a
use-after-free. A user with the ability to probe scsi devices could
cause a denial-of-service.


* Race condition in super block handling of filesystems.

Due to a race condition when locking and unlocking the file system, a
BUG_ON could be triggered. An attacker could use this race to cause a
denial-of-service.


* Multiple memory leaks in cifs ioctls.

Missing memory frees in the copychunk_file and file_clone ioctls of
cifs lead to a memory leak. An attacker could use those ioctls to
exhaust the memory and cause a denial-of-service.


* Incorrect memory free in Ceph Distributed File System.

A logic error in Ceph file read error handling leads to a random oops
because of incorrect memory free. An attacker could use this flaw to
generate a denial-of-service.


* Reference count leak in target transport layer on scsi command reception.

An error in flag handling could lead to a reference count leak when
receiving a scsi command. An attacker could use this flaw to cause
a denial-of-service.


* Vmalloc exhaustion in VMware virtual gpu driver.

A user submitting a command via the execbuf ioctl could overflow the
command size and cause vmalloc space exhaustion. A local user could use
this ioctl to cause a denial-of-service.


* Out-of-bounds memory access when setting key in crypto gcm.

An error in an array declaration when setting a gcm key could lead to
out-of-bounds memory access. A local user with the ability to set a gcm
key could use this flaw to cause a denial-of-service.


* Memory leak in the Broadcom WiFi driver when listing scan results.

A temporary 2KiB buffer is never released when listing the scan results
in the Broadcom WiFi driver.  A local user could use this flaw to exhaust
the memory on the system and cause a denial-of-service.


* Information leak in overlayfs.

Due to a flaw in overlayfs, an attacker could obtain confidential
information stored on the filesystem.


* Buffer overflow while copying up xattr in overlayfs.

An incorrect check could cause an overflow while copying up xattrs from
underlying filesystems. An attacker could use this flaw to cause a
denial-of-service.


* Kernel crash when handling memory page shadow entries during read.

Improper handling of shadow entries for file data in the memory management
subsystem can lead to a memory leak or kernel crash during read.


* Overflow in Cifs credit handling.

A cifs client can get as much credit as requested from the server,
leading to an integer overflow of the credit counter. An attacker
could use this flaw to cause a denial-of-service.


* CVE-2016-7097: privilege escalation when setting xattr.

A missing clear of SGID bit during a setxattr call could allow a local
user to gain group privileges.


* Double free in GenWQE PCIe Accelerator driver during ioctl.

Improper error handling in the GenWQE PCIe Accelerator driver
when allocating DMA memory can lead to a double free if interrupted.


* Kernel crash under memory pressure when the fuse filesystem is in use.

Improper management of cache pages used by the fuse filesystem can lead
to a kernel crash under memory pressure. A local authenticated user
could use this bug to cause a denial-of-service.


* Memory leak in AMD GPU driver on close.

The AMD GPU kernel driver does not correctly free memory for the drm
mode parameters. A local authenticated user could trigger a
denial-of-service by intentionally closing the driver multiple times.


* CVE-2016-9644: Privilege escalation in exception table handling.

A flaw in the exception handling code for the stable backport of
CVE-2016-9178 could result in incorrectly processing exception tables
and jumping to an incorrect address.  A local, unprivileged user could
use this flaw to escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
