[Ksplice][Ubuntu-16.04-Updates] New updates available via Ksplice (USN-3099-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Oct 12 01:39:03 PDT 2016


Synopsis: USN-3099-1 can now be patched using Ksplice
CVEs: CVE-2016-6480 CVE-2016-6828 CVE-2016-7039

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3099-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 16.04 Xenial
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
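The two installation paths above (automatic when `autoinstall = yes` is set, otherwise a manual `uptrack-upgrade -y`) can be turned into a small pre-flight check. The following script is an added example, not code from Oracle or the Ksplice announcement; it assumes `/etc/uptrack/uptrack.conf` is a plain `key = value` file with `#` comments (the announcement only shows the `autoinstall = yes` line) and only reports what to do, it does not run the upgrade itself.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement): decide whether the
# USN-3099-1 Ksplice updates will arrive automatically or must be pulled
# manually, based on the "autoinstall" setting in uptrack.conf.

# uptrack_autoinstall_enabled CONFIG
# Returns 0 if CONFIG contains an active "autoinstall = yes" line
# (whitespace and letter case ignored, "#" comments skipped), else 1.
# Assumption: the file uses simple "key = value" lines.
uptrack_autoinstall_enabled() {
    config="$1"
    [ -r "$config" ] || return 1
    # Strip comments, pick the last autoinstall line (last one wins, as in
    # most key=value parsers), keep only the value and lowercase it.
    value=$(sed -e 's/#.*//' "$config" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# uptrack_update_plan CONFIG
# Prints what the operator has to do for these updates. Returns 0 when no
# action is needed and 1 when a manual uptrack-upgrade run is required.
uptrack_update_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates install automatically"
        return 0
    fi
    echo "autoinstall disabled: run '/usr/sbin/uptrack-upgrade -y' as root"
    return 1
}

# Only report on hosts that actually have Ksplice Uptrack installed.
if [ -x /usr/sbin/uptrack-upgrade ]; then
    uptrack_update_plan /etc/uptrack/uptrack.conf
fi
```

Run it as part of a fleet check (for example from a configuration-management task) and treat a non-zero exit from `uptrack_update_plan` as "this host still needs a manual `uptrack-upgrade -y`"; a missing or unreadable config is deliberately reported as needing manual action rather than silently assumed to be automatic.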


DESCRIPTION

* Denial-of-service in user-space VFIO driver interrupt setup.

Missing validation of user-supplied data could result in incorrectly
configuring interrupts.  A local, privileged user could use this flaw to
crash the system.


* Use-after-free in ACPI PCC channel request error handling.

Incorrect error handling could result in dereferencing an invalid
pointer and crashing the system under specific conditions.


* Memory leak in USB hub disconnection.

A race condition when handling removal of a USB hub could result in
leaking a memory allocation.  A local user with physical access to the
system could potentially use this flaw to exhaust memory and trigger a
denial-of-service.


* Denial-of-service in USB endpoint parsing.

Missing validation of the endpoint maximum packet size could result in a
denial-of-service when a user is able to attach malicious USB devices to
the system.


* NULL pointer dereference in USB XHCI disconnection.

A race condition when disconnecting XHCI devices could result in a NULL
pointer dereference and kernel crash.


* Kernel hang in XHCI PCI device disconnection.

Incorrect handling of device quirks could result in a kernel hang when
removing specific USB devices from the system.


* Memory leak in USB serial port driver registration failure.

Missing resource cleanup on registration failure could result in failure
to return allocated memory.  A malicious user with physical access to
the system could use this flaw to cause a denial-of-service.


* Denial-of-service in AMD graphics connector detection.

Missing validation could result in an out-of-bounds access and kernel
crash when detecting a connector.


* CVE-2016-6480: Denial-of-service in Adaptec AACRAID driver.

A race condition in fetching parameters from userspace could result in
accessing beyond the bounds of a buffer.  A local user with privileges
to access the device could use this flaw to crash the system.


* Kernel crash in LSI MTP Fusion SAS 3.0 WarpDrive resume.

A logic error in the resume path for WarpDrive devices could result in
accessing a stale pointer and kernel crash on resume from suspend.


* Information leak in seq_file reading.

A logic error in the seq_file read implementation could result in
leaking information from beyond the end of the buffer.  A local,
unprivileged user could use this flaw to gain sensitive kernel
information.


* Denial-of-service in Moschip USB serial writing.

Incorrect memory allocations could result in deadlock and a kernel crash
when writing to the port.


* Use-after-free in Line6 USB volume controls.

Incorrect reference counting in the Line6 USB volume control could
result in prematurely freeing the USB device and causing a kernel crash.
A local user with privileges to access the device could use this flaw to
crash the system.


* Kernel crash in Line6 USB audio device stream stopping.

Missing locking in the Line6 USB audio device driver whilst stopping a
stream could result in recursive locking and a kernel crash.


* Kernel crash in Line6 USB audio device sysfs attributes.

Incorrect typecasting of pointers could result in a dereference of an
invalid pointer and kernel crash.  A local, unprivileged user could use
this flaw to crash the system or leak sensitive kernel data.


* Denial-of-service in ext4 xattr manipulation.

A logic error when expanding the size of an extended attribute can
cause a kernel deadlock or an assertion failure, which triggers a kernel panic.


* Data loss in ext4 checksum verification.

Invalid locking can cause checksum verification to fail incorrectly,
which could lead to data loss on ext4 filesystems.


* Denial-of-service in Direct Rendering Manager CRTC.

A logic error when attempting to flip pages on a device which does not
support modeset can trigger a kernel panic.


* Denial-of-service in uprobes memory control group accounting.

Incorrect interaction with the memory control group subsystem could
result in an integer overflow and memory exhaustion.  A local,
privileged user could use this flaw to trigger a denial-of-service.


* Deadlock in FireWire TASCAM devices.

Incorrect locking when accessing userspace can trigger a deadlock and
kernel panic when reading from a FireWire TASCAM device.


* Use-after-free in ALSA timer SELECT ioctl.

Missing locking when handling the SNDRV_TIMER_IOCTL_SELECT ioctl in the
ALSA subsystem can trigger a use-after-free and kernel panic.


* CVE-2016-6828: Use-after-free during TCP transmission.

A logic error when a memory allocation fails during TCP transmission can
cause the kernel TCP stack to use freed memory, causing a kernel panic.


* Denial-of-service in ALSA timer CONTINUE ioctl.

A division by zero and kernel panic can be triggered when the ALSA
subsystem handles the SNDRV_TIMER_IOCTL_CONTINUE ioctl.


* Denial-of-service in ALSA device opening under memory pressure.

A logic error in the ALSA subsystem can trigger a NULL pointer
dereference and kernel panic when a memory allocation fails.


* Denial-of-service in malformed overlayfs extended attributes.

The overlay filesystem does not correctly handle malformed extended
attributes from the lower filesystem, which can trigger an assertion
failure and kernel panic.


* Denial-of-service in CIFS filesystem mounting error handling.

Failure to free memory allocations when handling errors during CIFS mounting
could result in memory exhaustion.  A local user with privileges to mount
filesystems could use this flaw to crash the system.


* CIFS Distributed Filesystem mounting failure.

Missing path comparisons during CIFS Distributed Filesystem mounting could
result in failure to mount a volume.


* Kernel crash in nvme device removal.

An error early in nvme device probing could cause a queue to be suspended
before it has been initialised, crashing the kernel on device removal.


* Kernel crash when adding unsorted pages to a HyperV guest.

Incorrect handling of unsorted pages could result in a kernel crash when
adding pages to a HyperV guest during balloon deflation.


* Undefined behaviour in Multiprecision maths library.

Failure to handle leading zeros in MPI values could result in undefined
behaviour under specific conditions.


* Denial-of-service in overlapping EXT4 filesystems with data and superblocks.

A malformed EXT4 filesystem with overlapping data and superblocks could
result in triggering kernel assertions and crashing the system.  A local
user with the ability to mount filesystems could use this flaw to trigger a
denial-of-service.


* Denial-of-service in Huge TLB mappings during process exit.

Incorrect reference counting on shared page tables could result in
triggering a kernel assertion and crash when exiting a process.  A local,
unprivileged user could use this flaw to crash the system.


* Kernel crash in block multiqueue queue initialization.

Incorrect handling of CPU masks could result in dereferencing invalid memory
addresses and crashing the kernel when mapping a software queue.


* Kernel hang when block layer queue is being frozen.

A reference acquired whilst a queue freeze is starting is never released,
causing the queue freeze to hang forever.


* Memory leak in HyperV PCI driver during event handling.

Failure to free resources in the HyperV PCI driver during event handling could
result in a memory leak and eventual memory exhaustion.  Under specific
conditions this could result in a kernel crash.


* CVE-2016-7039: Kernel crash due to unbounded recursion in vlan GRO processing.

A Linux kernel built with 802.1Q/802.1ad VLAN or Virtual eXtensible LAN
with Transparent Ethernet Bridging (TEB) GRO support is vulnerable to a stack
overflow, leading to stack corruption in the kernel.

A remote user could use this flaw to cause a kernel panic by sending malicious
packets to a server that has GRO enabled.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
