[Ksplice][Ubuntu-16.04-Updates] New updates available via Ksplice (USN-3084-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Tue Sep 20 16:35:17 PDT 2016
Synopsis: USN-3084-1 can now be patched using Ksplice
CVEs: CVE-2016-4565 CVE-2016-6156 CVE-2016-6197
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3084-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 16.04 Xenial
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
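As an added example (not part of this notice or of the Ksplice tooling), the following POSIX shell script reads the autoinstall setting from an uptrack.conf-style file and reports whether the manual command above is still needed. The file path is a parameter, so it runs here against constructed sample files rather than the real /etc/uptrack/uptrack.conf; only the key name and the command come from the notice.

```shell
#!/bin/sh
# Added example: decide whether a host still needs a manual
# "uptrack-upgrade -y" by reading "autoinstall" from an uptrack.conf-style file.

# Print "yes" when the file contains an uncommented "autoinstall = yes" line
# (case-insensitive, surrounding whitespace ignored, trailing comments
# stripped); print "no" for any other value or when the file is unreadable.
# If the key appears more than once, the last occurrence wins.
uptrack_autoinstall_enabled() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo no
        return 0
    fi
    value=$(tr 'A-Z' 'a-z' < "$conf" \
        | sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p' \
        | tail -n 1)
    if [ "$value" = "yes" ]; then
        echo yes
    else
        echo no
    fi
}

# Print the command an operator should run for the given configuration file,
# or a note that none is needed because Uptrack installs updates itself.
uptrack_required_action() {
    if [ "$(uptrack_autoinstall_enabled "$1")" = "yes" ]; then
        echo "none: autoinstall = yes, Uptrack applies the updates automatically"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configurations (not files taken from any real host).
tmpdir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'autoinstall = yes' > "$tmpdir/auto.conf"
printf '%s\n' '  AutoInstall=No  # operator opted out' > "$tmpdir/manual.conf"
printf '%s\n' '# autoinstall = yes' > "$tmpdir/commented.conf"

for f in auto manual commented; do
    printf '%s: %s\n' "$f.conf" "$(uptrack_required_action "$tmpdir/$f.conf")"
done
rm -rf "$tmpdir"
```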
DESCRIPTION
* Denial-of-service in NILFS2 filesystem mounting.
Missing range checks in the NILFS2 superblock validation could result in
an out-of-bounds memory access. A maliciously crafted filesystem could
use this flaw to crash the system.
* NULL pointer dereference in Pulse Per Second parallel port registration.
Failure to claim the parallel port could result in a NULL pointer
dereference when attempting to register the Pulse Per Second module.
* Denial-of-service in Xenbus handle validation.
The Xenbus driver incorrectly used an assertion to validate user
handles, allowing a local, privileged user to crash the system.
* Denial-of-service when attaching Xbox One gamepad.
Connecting an unrecognized Xbox One gamepad could result in a kernel
crash when accessing an invalid endpoint descriptor. A user with
physical access to the system could use this flaw to crash the system.
* Denial-of-service in POSIX file locking on overlayfs.
A use-after-free when releasing a lease on a file on an overlayfs
filesystem could result in a kernel crash. A local, unprivileged user
could use this flaw to crash the system.
* Denial-of-service in overlayfs on Plan 9 filesystem.
Incorrect handling of v9fs as a lower filesystem for overlayfs could
result in a NULL pointer dereference when creating a file. A local,
unprivileged user could use this flaw to crash the system.
* Use-after-free in mount namespace detaching.
Incorrect handling of an event counter during mount detaching could
result in a use-after-free and kernel crash.
* CVE-2016-6156: Memory corruption in Chrome OS Embedded Controller.
A race condition in the ioctl interface to the Chrome OS Embedded Controller
device can allow a privileged user to trigger kernel memory corruption
and obtain kernel code execution.
* Denial-of-service in ioprio_get() syscall.
Incorrect locking in the ioprio_get() syscall could result in a
use-after-free and kernel crash. A local, unprivileged user could use
this flaw to crash the system.
* Out-of-bounds access in SCSI device vendor and model matching.
An off-by-one error when handling strings could result in a read past the
end of a string and access to an invalid address. This could result in a
failure to match a SCSI device or, potentially, a system crash.
* Denial-of-service in file privilege removal on overlayfs filesystems.
Confusion between inodes and dentries in layers of an overlayfs
filesystem could result in a deadlock after removing privileges from a
file and then setting new attributes.
* Denial of service when connecting to an Infrared device.
Under memory pressure, a kernel memory allocation can fail when
connecting to an Infrared (IrDA) device, which can trigger a kernel panic.
* Use after free in block device procfs interface.
The generic block device procfs interface incorrectly handles memory
when reading from the 'diskstats' and 'partitions' files, which can
trigger a use-after-free condition and kernel panic.
* Denial of service in filesystem directory cache.
A logic error when multiple CPUs are accessing a file can trigger a soft
lockup. A local unprivileged user could use this flaw to trigger a
denial of service.
* Information leak in cryptographic scatterwalk subsystem.
A logic error when encrypting or decrypting data spanning multiple
pages can cause some data to not be processed, which may cause an
information leak.
* Denial of service in ext4 extent validation.
A logic error in the kernel ext4 driver can allow malformed extents to
be processed which can trigger a kernel panic when mounting a malformed
disk image.
* Deadlock during ext4 page writeback.
Incorrect locking when writing a transaction to disk and performing a
page writeback can trigger a deadlock and kernel panic.
* Kernel panic in ext4 inode eviction.
A malformed superblock encountered when mounting an ext4 filesystem can
trigger a kernel panic because of an uninitialized superblock flag.
* Memory corruption in ext4 with large GDT blocks.
An ext4 filesystem with a large number of reserved GDT blocks can trigger
kernel memory corruption when mounting the filesystem.
* Infinite loop in ext4 orphan cleanup.
A logic error when a malformed orphan list is encountered on an ext4
filesystem can trigger an infinite loop and denial of service.
* Use after free in ext4 block allocation.
Incorrect reference counting when failing to allocate a block on an ext4
filesystem can trigger a use after free condition and kernel panic.
* Memory leak in Infiniband driver on send failure.
Improper cleanup on message send failure leads to a memory leak in the
Infiniband driver.
* Use after free when removing USB-3 host controller.
A race condition when removing a shared USB-3 host controller can
trigger a use after free condition and kernel panic.
* Permission bypass when setting attributes on overlayfs files.
A logic error when updating attributes on an overlayfs file can allow a
local user to write to a setuid or setgid file. This could be used by a
malicious user to gain elevated privileges.
* NULL pointer dereference in the IPv4 Forwarding sub-system.
A lack of input validation could lead to a NULL pointer dereference and
kernel panic when configuring an interface as dead from userspace. A
privileged user could use this flaw to cause a denial-of-service.
* Improved fix for CVE-2016-4565: Privilege escalation in Infiniband ioctl.
The Infiniband ioctl interface does not correctly validate parameters from
userspace, which can allow local users to corrupt kernel memory and escalate
privileges. The previous fix was incomplete and failed to protect the
deprecated QLogic HTX QHT7140 driver.
* NULL pointer dereference in the network transformation sub-system.
Changing thresholds in the network transformation sub-system (XFRM)
concurrently with installing any new socket policies could lead to a NULL
pointer dereference. A local, privileged user could use this flaw to cause
a denial-of-service.
* Information leak in the USB gadget sub-system.
Failure to clear an on-stack structure when answering an audio class
specific request in the USB gadget sub-system could leak 4 bytes from the
kernel stack to the attached USB host. This flaw could facilitate an
attack.
* NULL pointer dereference in the Intel host bluetooth driver.
A failure to check for NULL when trying to get a handle on a General
Purpose Input Output (GPIO) line could lead to a NULL pointer dereference
and kernel panic.
* Invalid memory access in the KVM emulation of Memory Type Range Registers.
A failure to properly initialize a list iterator in the KVM emulation of
Memory Type Range Registers (MTRR) leads to a kernel panic when the
garbage value is later dereferenced. An attacker within a guest could
potentially use this flaw to cause a denial-of-service in the host.
* Memory corruption when releasing resources of a virtual CPU in KVM.
A failure to ensure that the shadow VMCS was active on the running CPU
before releasing it could lead to memory corruption. An attacker inside
a guest could potentially use this flaw to cause a denial-of-service of the
host.
* Use-after-free in the USB TV driver on disconnect.
A race condition in the USB TV driver could lead to a use-after-free when
disconnecting the USB TV device. A local attacker could use this flaw to
cause a denial-of-service.
* NULL pointer dereference in the V4L2 driver when verifying planes.
A missing NULL pointer check when verifying planes in the Video For Linux
(V4L2) driver could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.
* Kernel panic when disconnecting a Sun40 touchscreen.
Failure to wait for all buffers to be cleaned up when stopping the
streaming on the Sun40 touchscreen could lead to a kernel panic under
certain circumstances. A privileged user could use this flaw to cause a
denial-of-service.
* Kernel panic when opening a file on a CIFS mount.
Failure to check if a file being opened on a CIFS mount with the O_CREAT
flag is a directory could lead to a kernel panic. A local unprivileged
user could use this flaw to cause a denial-of-service.
* NULL pointer dereference in CIFS filesystem when handling checksums.
A race condition due to incorrect locking in the CIFS filesystem code when
handling a hash message authentication code could lead to a NULL pointer
dereference on concurrent mounts. A local, privileged user could use this
flaw to cause a denial-of-service.
* Kernel panic when following a symlink on CIFS.
Lack of input validation when following a symlink in a CIFS mount could
lead to invalid memory access and kernel panic.
* Improved fix for CVE-2016-6197: Denial-of-service in OverlayFS.
Incorrect handling of hard links could result in a kernel panic when a
rename operation targets a hardlink. This flaw could be used by a local
user to cause a denial of service. The original backport from Canonical
contained a logic error preventing detection of legacy whiteouts in some
cases.
* NULL pointer dereference in Renesas USB host driver on disconnect.
A race condition caused by incorrect locking in the Renesas USB host driver
could lead to a NULL pointer dereference on disconnect. An attacker with
physical access could use this flaw to cause a denial-of-service.
* Kernel crash when initializing the IOMMU for a device using the identity mapping.
A logic error in the AMD IOMMU driver could lead to a kernel crash when
initializing the IOMMU for a device using the identity mapping.
* Data corruption in the NAND driver when writing a partial page.
An off-by-one error when determining if a write operation is partial in the
NAND base driver could lead to data corruption. A local user with the
ability to write any number of bytes to a NAND disk could use this flaw to
corrupt the disk.
* Soft lockup when allocating multiple huge pages concurrently.
A failure to relinquish the CPU to the scheduler when allocating huge pages
from the free list could lead to a soft lockup under high load. An
attacker with the ability to cause huge page allocations could use this
flaw to cause a denial-of-service.
* Potential memory leaks in the dynamic array implementation in ALSA.
A failure to properly zero-out the memory when resizing a dynamic array in
the ALSA kernel library could leak bytes in various other drivers. An
attacker could potentially use this flaw to gain information about the
running kernel in order to facilitate an attack.
* Use-after-free in the Infiniband driver when sending Management Datagrams.
Multiple logic errors in the failure case when sending Management Datagrams
(MADs) under SR-IOV in the Infiniband driver could lead to use-after-free
and memory leaks. A local user with the ability to trigger MADs transfer
could use this flaw to cause a denial-of-service.
* Memory leak in the Infiniband driver when failing to create a queue pair.
Failure to release temporarily allocated resources when queue pair
creation fails in the Infiniband driver leads to a memory leak. An
attacker with the ability to trigger queue pair creation could use this
flaw to cause a denial-of-service.
* Multiple permission bypasses in the apparmor kernel security module.
Multiple logic errors in the apparmor kernel security module could lead to
permission bypasses in certain circumstances. A local, unprivileged user
could leverage those errors to bypass restrictions imposed on certain
security labels.
* Soft lockup in the apparmor kernel security module on namespace removal.
Incorrect locking in the apparmor kernel security module when removing a
namespace could lead to a soft lockup and denial-of-service.
* NULL pointer dereference when unpacking a policy profile in apparmor.
A failure to check for a NULL pointer when unpacking a policy profile in
the apparmor security module could lead to a NULL pointer dereference and
kernel panic.
* Kernel panic when a file handle is shared on many security domains in apparmor.
A logic error when iterating over the security domains of a file handle in
the apparmor security module could lead to invalid memory accesses. A
local attacker could use this flaw to cause a denial-of-service.
* Weakness when checking the keys in the XTS crypto algorithm.
The FIPS 140-2 IG 1.9 mandates that the key is different from the tweak
key, which was not enforced in the kernel implementation, potentially
weakening its use.
* Kernel panic after syncing the filesystem caches on disk.
Some inodes could be left dirty after a call to write_inode_now() when
using the WB_SYNC_ALL flag, potentially leading to a kernel oops when the
write back sub-system would encounter an unexpected dirty inode. A local
user with the ability to trigger calls to write_inode_now() could
potentially use this flaw to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.