[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3189-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Tue Feb 7 06:59:02 PST 2017
Synopsis: USN-3189-1 can now be patched using Ksplice
CVEs: CVE-2016-10147 CVE-2016-8399 CVE-2016-8650 CVE-2016-9576
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3189-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* General protection fault in KVM interrupt controller.
A missing check in the KVM x86 interrupt controller resulted in a NULL pointer
dereference. An attacker with the KVM_CAP_IRQ_ROUTING capability can exploit
this to cause a denial-of-service.
* CVE-2016-8650: NULL pointer dereference in the key management subsystem.
A missing check in the Multiprecision maths library used to implement
RSA digital signature verification could lead to a NULL pointer
dereference. A local user could use this flaw to cause a denial-of-service.
* Denial-of-service during zram hot removal.
Failure to check a return value can cause a zram device to remain
available after unloading the zram module. Attempting to mount the
remaining device after the module has been unloaded can cause an
assertion failure in the kernel.
* Information leak in mwifiex driver.
Incorrect logging of SSID strings in the mwifiex driver can leak kernel
stack information to userspace. A local attacker could use this flaw to
gain information about the running kernel.
* Denial-of-service when creating L2TP sockets using concurrent threads.
A missing check when creating an L2TP socket could lead to a use-after-free
if a concurrent thread modifies the socket's flags while it is being created.
An attacker could use this flaw to cause a denial-of-service.
* Denial-of-service when checking DCCP packet validity.
Incorrect logic when checking the validity of a received DCCP packet
header could lead to a use-after-free. A remote attacker could use this
flaw to cause a denial-of-service.
* Denial-of-service when sending a socket buffer through a GENEVE interface.
A missing check when sending a socket buffer through a GENEVE (Generic
Network Virtualization Encapsulation) interface could lead to a
use-after-free of the socket buffer data. An attacker could use this flaw
to cause a denial-of-service.
* CVE-2016-8399: Information leak using ICMP protocol.
A missing check on the ICMP header length could cause an out-of-bounds read
of the stack. A user could use this flaw to leak information about
kernel memory and facilitate an attack.
* CVE-2016-9576: Use-after-free in SCSI device interface.
Incorrect validation of sendfile arguments can cause a use-after-free in
the SCSI subsystem. A local user with access to /dev/sg* devices could
use this flaw to read kernel memory or escalate privileges.
* Missing privilege check in zram device initialization.
Incorrect privilege logic could allow a non-root user to create
uninitialized zram devices on the system. This could potentially
allow privileged memory access or a denial-of-service.
* Three-way race condition in rtmutex causes lock corruption.
A race condition between three concurrent threads could cause corruption
of the associated rtmutex, causing the mutex to potentially be granted
to the wrong waiter. This would likely lead to a kernel panic and
denial-of-service.
* CVE-2016-10147: Denial-of-service in mcryptd when using incompatible algorithm.
If mcryptd is provided a cryptographic algorithm it is not compatible
with, the kernel will panic. An unprivileged user could use this flaw
to cause a denial-of-service.
* Denial-of-service in PEAK USB/CAN adapter driver.
A use-after-free of memory in the PEAK USB-to-CAN driver could cause a
kernel oops and denial-of-service.
* Invalid memory access when failing allocation in BATMAN driver.
Failing to check whether memory allocation succeeded in the BATMAN
network driver could cause already-allocated memory to be returned,
potentially exposing kernel memory.
* Denial-of-service in BTRFS subvolume delayed work.
An unprivileged user with access to a btrfs volume can cause the system
to allocate unbounded amounts of memory, eventually causing a
denial-of-service.
* Denial-of-service in BTRFS during multi-delete replay.
Incorrect logic when replaying a delete of directory entries could cause
an out-of-bounds access, potentially causing a denial-of-service or
exposing privileged memory.
* Denial-of-service in BTRFS concurrent block reading.
A race condition between an automatic read-ahead and
a user-initiated read of the same block can leak memory, causing
system performance degradation and an eventual denial-of-service.
* Denial-of-service in BTRFS extent tree walking.
A missing free in the btrfs extent tree do_walk_down function leaks
memory, causing performance degradation and an eventual
denial-of-service.
* Race condition in generic block device code causes spurious BUG.
An incorrect condition when attempting to exclusively lock a block
device could cause error checking code to erroneously fire, causing a
BUG and denial-of-service.
* Denial-of-service in EXT4 filesystems with 64K block size.
Utilizing an ext4 filesystem with block size greater than 64k can cause
memory corruption, potentially causing a denial-of-service.
* Permission bypass in close-on-exec file descriptors.
A race condition in setup_new_exec could allow reading a process's file
descriptors via /proc if they were opened with O_CLOEXEC.
* Memory corruption in SMB2 client when reacquiring lost locks.
When attempting to reacquire locks lost after a session break, an
incorrectly sized buffer could be used for the lock structure,
corrupting memory and potentially causing a denial-of-service.
* Denial-of-service in driver core glue directory creation.
Failing to hold a mutex reference through the full usage of its
associated object when cleaning up the glue directory for a device could
cause the cleanup to race with the creation of another device,
potentially causing memory corruption and a denial-of-service.
* Denial-of-service when receiving packet with packet editing enabled.
Missing argument validation when receiving a malformed packet while
packet editing is enabled could lead to a memory overflow. A remote
attacker could use this flaw to cause a denial-of-service.
* Denial-of-service in BTRFS when dropping a snapshot.
Incorrect error checking when dropping a btrfs snapshot could cause a
spurious BUG call in some cases, causing a denial-of-service.
* Denial-of-service in EXT4 filesystems with negative sized inodes.
A maliciously formed EXT4 filesystem could trigger an integer overflow
in the virtual filesystem layer, leading to a kernel crash.
* Information leak when ptracing an unreadable executable.
A missing check when ptracing a process could allow an unprivileged
user to read unreadable executable code from outside the user
namespace. An attacker could use this flaw to leak information.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.