[Ksplice][Ubuntu-16.04-Updates] New updates available via Ksplice (4.4.0-23.41)
Oracle Ksplice
ksplice-support_ww at oracle.com
Fri Jun 10 09:15:38 PDT 2016
Synopsis: 4.4.0-23.41 can now be patched using Ksplice
CVEs: CVE-2016-1583 CVE-2016-2117 CVE-2016-2187 CVE-2016-3961 CVE-2016-4485 CVE-2016-4486 CVE-2016-4558 CVE-2016-4565 CVE-2016-4568 CVE-2016-4581
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.4.0-23.41.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 16.04 Xenial
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
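The two installation paths above (automatic when "autoinstall = yes" is set, otherwise a manual uptrack-upgrade -y) can be folded into one idempotent check that an administrator can run on a fleet before touching anything. The script below is an added example and is not Oracle's or Ksplice's own tooling; it assumes that Ubuntu's `uname -r` reports the kernel ABI as "4.4.0-23-generic" for package version 4.4.0-23.41 (so the ABI is compared, not the full package version), and DRY_RUN is a variable invented for this script so that it only reports by default.

```shell
#!/bin/sh
# Added example, not part of the Ksplice advisory or Oracle's tooling.
# Decide whether this advisory's updates need a manual "uptrack-upgrade -y".
#
# Assumptions (labelled): the config path and the "autoinstall = yes"
# setting come from the advisory; the rule that Ubuntu's `uname -r` shows
# "4.4.0-23-generic" for package version 4.4.0-23.41 is an assumption about
# Ubuntu kernel naming; DRY_RUN is invented here (default 1 = report only).

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
ADVISORY_KERNEL="4.4.0-23.41"   # kernel version named in the advisory

# autoinstall_enabled CONF -> exit 0 if CONF has "autoinstall = yes".
# Tolerates surrounding whitespace and value case, allows a trailing comment,
# and fails quietly (exit 1) when the file does not exist.
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*(#.*)?$' \
        "$1" 2>/dev/null
}

# kernel_abi VERSION -> "4.4.0-23" from either the package form
# "4.4.0-23.41" or the uname form "4.4.0-23-generic"; other strings pass through.
kernel_abi() {
    case "$1" in
        *.*.*-*.*) printf '%s\n' "${1%.*}" ;;   # drop trailing ".41"
        *.*.*-*-*) printf '%s\n' "${1%-*}" ;;   # drop trailing "-generic"
        *)         printf '%s\n' "$1" ;;
    esac
}

# running_kernel_matches UNAME_R PKG_VERSION -> 0 if their ABI parts agree.
running_kernel_matches() {
    [ "$(kernel_abi "$1")" = "$(kernel_abi "$2")" ]
}

# plan_action CONF UNAME_R -> one line describing what to do:
#   "skip: kernel ABI differs"        advisory does not apply to this kernel
#   "auto: autoinstall enabled"       Uptrack installs the updates itself
#   "manual: run uptrack-upgrade -y"  operator must trigger the upgrade
plan_action() {
    if ! running_kernel_matches "$2" "$ADVISORY_KERNEL"; then
        echo "skip: kernel ABI differs"
    elif autoinstall_enabled "$1"; then
        echo "auto: autoinstall enabled"
    else
        echo "manual: run uptrack-upgrade -y"
    fi
}

# Report the plan; only run the upgrade when DRY_RUN=0 is set explicitly.
action=$(plan_action "$UPTRACK_CONF" "$(uname -r)")
echo "$action"
if [ "${DRY_RUN:-1}" = "0" ] && [ "${action%%:*}" = "manual" ]; then
    /usr/sbin/uptrack-upgrade -y
fi
```

Run it as-is to see which of the three cases a host falls into; set DRY_RUN=0 only on hosts where the manual path is wanted. Comparing the ABI rather than the full version string avoids false "skip" results on hosts whose uname does not carry the Debian package revision.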
DESCRIPTION
* CVE-2016-2187: Denial of service in GTCO CallComp/InterWrite USB descriptor parsing.
A logic error in the GTCO CallComp/InterWrite USB driver can allow a
malformed USB descriptor with zero endpoints to trigger a NULL pointer
dereference and kernel panic.
* Data corruption when performing asynchronous IO to loop device.
A logic error in the loop device driver can trigger data corruption when
a process performs an asynchronous write to a loop device.
* Memory corruption when inserting data into associative arrays.
A logic error in the generic associative array module can trigger an
out-of-bounds read when inserting a new member. This can be triggered,
for example, by inserting a new cryptographic key into the kernel's
keyring.
* Use after free when disabling a USB XHCI device.
A logic error in the USB XHCI driver can trigger a use-after-free and
kernel panic when disabling an XHCI device multiple times.
* Memory corruption when probing USB Host Controller devices.
A logic error in the Host Controller driver (HCD) can trigger memory
corruption and kernel panic when an HCD device has an invalid companion
device.
* Use after free when using asynchronous IO on USB gadget device.
A logic error in the USB gadget driver can trigger a use-after-free and
kernel panic when completing an asynchronous read or write to a device.
* Deadlock in Digigram PCXHR ALSA IRQs.
Incorrect locking in the PCXHR IRQ handler can trigger a deadlock and
kernel panic when handling interrupts from a Digigram PCXHR device.
* Kernel panic when modesetting Intel 915 graphics devices.
A race condition in the Intel i915 driver can trigger a kernel panic when
attempting to perform a modeset on a non-existent device.
* Memory leak during Intel Wireless WiFi driver unloading.
Due to a missing free in the Intel Wireless WiFi buffer management code,
buffers are not freed when the driver is unloaded. A user capable of
loading/unloading the driver could cause the machine to run out of
memory.
* Information leak in AMD cryptographic coprocessor support.
The AMD cryptographic coprocessor driver does not correctly handle
memory when exporting the state of SHA1 operations which can cause the
contents of the kernel stack to be leaked to userspace.
* Kernel panic when completing SHA1 multibuffer operations.
A logic error in the cryptographic subsystem handling multibuffer
operations can trigger a use-after-free and kernel panic.
* Denial of service in wireless networking netlink interface.
A logic error when handling netlink notifications for wireless devices
can allow malicious local users to disable networking interfaces.
* Memory corruption when mapping buffer objects from userspace.
Missing validation when mapping buffer objects from userspace can allow
malicious local users to corrupt kernel memory and escalate privileges.
* Kernel panic when handling unvalidated ports in kernel DRM subsystem.
The kernel DRM driver does not validate ports which are passed from
userspace which can trigger a use-after-free and kernel panic when
handling DRM ioctls.
* Kernel panic when displaying dynamic audio power information.
The sysfs interface for displaying dynamic audio power information to
userspace can trigger a NULL pointer dereference and kernel panic when a
system has a dummy component.
* CVE-2016-4565: Privilege escalation in Infiniband ioctl.
The Infiniband ioctl interface does not correctly validate parameters
from userspace which can allow local users to corrupt kernel memory and
escalate privileges.
* Kernel panic when parsing EFI variables.
Incorrect parsing logic can trigger an out-of-bounds read and kernel
panic when reading or writing to EFI variables.
* Kernel panic when using madvise on a hugepage mapping.
The kernel hugepage subsystem does not correctly handle calling madvise
on certain hugepage mappings, which can trigger a bogus BUG_ON and kernel
panic.
* Kernel panic in hugepage procfs interface.
A logic error in the transparent hugepage procfs interface can trigger
an out-of-bounds read and kernel panic when reading the 'numa_maps'
procfs file.
* Use after free when freeing cgroups.
A race condition when freeing cgroups can trigger a use-after-free
condition and kernel panic when a cgroup's parent is freed before the
child cgroup.
* CVE-2016-4568: Buffer overflow in V4L2 during VIDIOC_DQBUF ioctl.
Due to missing length checks in the V4L2 core when servicing a
VIDIOC_DQBUF ioctl request, a userspace program could overwrite kernel
memory beyond the end of the buffer. A malicious user could potentially
use this to escalate privileges or crash the kernel.
* Buffer overflow in SCIF ioctl().
Incorrect buffer size checks in SCIF memory registration/unregistration
routines could allow a user with access to SCIF devices to crash the
kernel or potentially overwrite kernel memory.
* Kernel panic when marking dirty inodes on ext4 filesystems.
A logic error when marking dirty inodes on ext4 filesystems can trigger
a NULL pointer dereference and kernel panic.
* Kernel panic when probing NAND devices.
A logic error in the NAND subsystem can trigger a bogus BUG() and kernel
panic when a NAND device does not have an owner.
* Denial-of-service in SUNRPC cache management.
Incorrect error handling could result in a reference count imbalance of
the SUNRPC cache object, triggering either a resource leak, or
potentially, a use-after-free.
* Memory corruption in Maxim MAX77843 USB driver.
A logic error in the Maxim MAX77843 USB driver can trigger kernel memory
corruption when probing a micro-USB device.
* CVE-2016-4485: Information leak in LLC message processing.
The Logical Link Layer networking driver does not initialize memory when
processing ancillary data requests to an LLC socket, which leaks the
contents of kernel memory to userspace. A local user could use this flaw
to infer the layout of kernel memory.
* Deadlock when locking voltage regulators.
Incorrect locking in the kernel voltage regulator support can trigger a
deadlock and kernel panic.
* CVE-2016-4486: Information leak in routing netlink interface.
The netlink interface for querying network routing information does not
initialize memory which leaks the contents of kernel memory to userspace.
A local user could use this flaw to infer the layout of kernel memory.
* CVE-2016-4558: Privilege escalation in BPF reference counting.
On systems with more than 32GB of physical memory, a Berkeley Packet
Filter (BPF) program can overflow a reference count which leads to a use
after free condition and kernel panic. A local user could use this flaw
to escalate privileges.
* Memory corruption in Xen page conversion.
A logic error when the Xen kernel driver converts pages to PFNs can
trigger an integer overflow and cause incorrect PFNs. This can cause
kernel memory corruption and possible data loss.
* Kernel panic in Xen balloon driver with sparse memory.
The Xen memory balloon driver does not correctly handle memory on 32bit
PAE systems with large amounts of physical memory. This can lead to a
kernel panic when allocating memory for a guest VM.
* CVE-2016-4581: Denial-of-service in slave mount propagation.
Incorrect handling of mount propagation could result in a NULL pointer
dereference. A local, unprivileged user could use this flaw to crash
the system.
* Information leak in 'environ' procfs file.
A race condition when forking a process can allow another process to
access the 'environ' file before it is initialized which can leak the
contents of kernel memory.
* Kernel panic in remap_file_pages syscall.
Incorrect reference counting in the remap_file_pages syscall can trigger
a use after free condition and kernel panic. A local user can use this
flaw to trigger a kernel panic and possibly escalate privileges.
* Memory leak when creating handle to GEM object.
Incorrect reference counting when creating a handle to a Graphics
Execution Manager (GEM) object can trigger a kernel memory leak and
possible kernel panic.
* Kernel panic in Chelsio T4 RDMA queue management.
The management of queues for Chelsio T4 iWARP/RDMA devices is incorrect
and can lead to a kernel panic when processing doorbell operations.
* Kernel panic when processing malformed IP virtual server traffic.
A logic error in the IP virtual server netfilter driver can trigger a
kernel panic when IPVS traffic does not contain a valid IP header.
* Memory leak in IEEE 802.11 interface management.
The kernel IEEE 802.11 driver does not correctly handle memory when
adding a new interface which can lead to a memory leak and possible
kernel panic.
* Use after free when updating BATMAN routing information.
A logic error when updating the routing information of a BATMAN mesh
network can lead to a reference count imbalance, a use after free and a
kernel panic.
* Use after free in AMD Radeon metadata management.
A logic error when freeing buffer object metadata can trigger a use
after free condition and kernel panic.
* Information leak in Xen event-channel ring resizing.
A logic error in the Xen kernel driver can lead to an information leak
and potential kernel panic when the Xen event-channel ring-buffer
becomes full.
* CVE-2016-3961: Xen PV guest crash when using HugeTLBFS.
HugeTLBFS is not supported on Xen PV guests and leads to a kernel crash
when an application tries to mmap() a Huge TLB. A local user with the
ability to mmap() Huge TLB pages in a Xen PV guest can cause a
denial-of-service of the guest.
* CVE-2016-2117: Information leak in Atheros ATL2 transmission.
The Atheros ATL2 driver advertised features that weren't supported by
the hardware and this could result in a buffer overflow, leaking the
contents of kernel memory into transmitted packets.
* Kernel panic when processing VLAN traffic over a BATMAN interface.
The BATMAN mesh networking driver does not correctly account for VLAN
headers when processing ethernet traffic which can lead to an
out-of-bounds read and kernel panic.
* CVE-2016-1583: Privilege escalation in eCryptfs.
eCryptfs was incorrectly trying to use the mmap() file operation on a lower
filesystem that may not support it. A local, unprivileged user could use
this flaw to cause a denial-of-service through recursive faults or
potentially escalate privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.