[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (4.4.0-63.84)

Jamie Iles jamie.iles at oracle.com
Thu Feb 23 07:48:07 PST 2017


Synopsis: 4.4.0-63.84 can now be patched using Ksplice
CVEs: CVE-2016-9191 CVE-2016-9588 CVE-2017-2583 CVE-2017-2584

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.4.0-63.84.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
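A small helper for deciding which of the two paths above applies to a host, written as an added example for this post (it is not part of Ksplice Uptrack). It assumes /etc/uptrack/uptrack.conf holds plain `key = value` lines (comments starting with `#` or `;`), and that the kernel ABI reported by `uname -r` for the 4.4.0-63.84 package is `4.4.0-63-<flavour>`; both are assumptions, and the sample config it writes is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling: classify a host against this
# advisory (4.4.0-63.84) from its uptrack.conf and its running kernel release.

# Return 0 when the given uptrack.conf has "autoinstall = yes"
# (comments stripped, any spacing, case-insensitive). Assumption: the file
# uses plain key = value lines.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed 's/[#;].*$//' "$conf" \
        | grep -iq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# Return 0 when a `uname -r` style release belongs to the 4.4.0-63 ABI.
# Assumption: package 4.4.0-63.84 boots as 4.4.0-63-<flavour>.
kernel_is_4_4_0_63() {
    case "$1" in
        4.4.0-63-*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print one of: not-applicable, autoinstall, run-uptrack-upgrade.
recommend_action() {
    conf="$1"
    release="$2"
    if ! kernel_is_4_4_0_63 "$release"; then
        echo "not-applicable"
    elif autoinstall_enabled "$conf"; then
        echo "autoinstall"
    else
        echo "run-uptrack-upgrade"
    fi
}

# Dry run against a constructed config (not a file from the page) so the
# script can be exercised on a machine without Uptrack installed.
demo() {
    tmp=$(mktemp)
    printf '# constructed sample\nautoinstall = no\n' > "$tmp"
    recommend_action "$tmp" "4.4.0-63-generic"
    rm -f "$tmp"
}
```

On a real host you would call `recommend_action /etc/uptrack/uptrack.conf "$(uname -r)"`; a result of `run-uptrack-upgrade` means the manual `uptrack-upgrade -y` step above is the one that applies.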


DESCRIPTION

* Double-closing a block device while listing devices causes denial-of-service.

If a block device is closed while other block devices are being
enumerated with iterate_bdevs(), a NULL data member can be dereferenced,
causing a crash and denial-of-service.


* Memory corruption in InfiniBand RDMA-over-Ethernet driver.

Missing synchronization allowed possible memory corruption when using
InfiniBand RDMA, potentially causing a crash and denial-of-service.


* Denial-of-service in DRV260x haptic input driver.

Incorrectly specifying the parent device on a DRV260x haptic device
could cause a kernel crash and denial-of-service.


* Ceph authorize reply not verified as authentic.

When establishing a Ceph connection, the authorizer reply is not
actually verified as authentic, potentially allowing an attacker to
spoof another connection.


* Denial-of-service when using POSTROUTING rule on VRF interface.

A missing reset after sending data on a Virtual Routing and Forwarding
(VRF) enabled interface while a POSTROUTING rule is enabled could lead to
memory corruption. An attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using specific options of a raw IPv6 socket.

A missing check when sending data through an IPv6 socket configured with
the IPV6_CHECKSUM and IPV6_DSTOPTS options could lead to a kernel panic. An
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in traffic control when using any net scheduler.

An incorrect variable initialization when classifying traffic control
could lead to a soft lockup. An attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in Cypress USB HID driver.

A missing check in the Cypress USB HID driver when parsing USB descriptors
could lead to an out-of-bounds access. An attacker with physical access
to the machine could use this flaw to cause a denial-of-service.


* CVE-2017-2583: Denial-of-service due to incorrect segments configuration within VMs.

A logic error leads to an incorrect configuration of a segment selector
within a Virtual Machine. An attacker could use this incorrect
configuration to cause a denial-of-service of the VM.


* Denial-of-service when registering two VMs concurrently.

A logic error in the way VMs sharing the same eventfd are registered could
lead to a NULL pointer dereference. An attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when scanning and closing nl80211 netlink socket.

A logic error when closing a nl80211 netlink socket could lead to a
memory leak if a scan was in progress. An attacker could use this flaw
to cause a denial-of-service.


* Information leak in USB Winchiphead CH341 driver when using TIOCMGET.

A logic error in the USB CH341 serial driver could lead to leaking heap
data to userspace via TIOCMGET. An attacker could use this flaw
to leak sensitive data and facilitate an exploit.


* Information leak when using I2C_SMBUS ioctl.

A missing variable initialization could lead to a leak of sensitive
kernel information when using the I2C_SMBUS ioctl. An attacker could use
this flaw to leak kernel information and facilitate an exploit.


* CVE-2016-9191: Denial-of-service when using sysctl concurrently.

A refcounting error in sysctl handling could lead to an infinite loop if
unregister_sysctl_table() is called concurrently with sysctl actions
from userspace. An attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using mac80211 transmit fast path.

Incorrect logic in the transmit fast path of mac80211 could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when setting vcpu events in KVM.

An error in flags handling could lead to a NULL-pointer-dereference when
using KVM_SET_VCPU_EVENTS. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when writing data to USB gadgetfs endpoints.

A missing check on the packet length written to endpoint 0 could lead
to an out-of-bounds write. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when using special gadgetfs configuration.

A logic error when configuring a new USB gadgetfs device could lead to
a use-after-free. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service when passing wrong descriptors to gadgetfs.

A missing check when using configuration descriptors coming from
userspace could lead to a buffer overflow. A local user could use this
flaw to cause a denial-of-service.


* Denial-of-service when opening/disconnecting multiple USB serial devices.

A missing callback registration in multiple USB serial drivers could lead
to a NULL pointer dereference. A local attacker could use open and
disconnect tty operations to cause a denial-of-service.


* Denial-of-service when probing a pl2303 USB serial device.

A missing check on the available endpoints of a pl2303 USB device could
lead to a NULL pointer dereference. A malicious user could plug in such a
device and cause a denial-of-service.


* Denial-of-service when using Edge Port USB serial driver.

Missing checks in the Edge Port USB serial driver could lead to multiple
NULL pointer dereferences. A local attacker could use such a device to
cause a denial-of-service.


* Denial-of-service when transferring data to Garmin GPS device.

A missing free after sending data to Garmin GPS device could lead to a
memory leak. A local attacker could use this flaw to exhaust host
memory and cause a denial-of-service.


* Denial-of-service when opening USB 3410/5052 serial device.

A logic error when opening a USB 3410/5052 serial device could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when opening USB Edge Port serial device.

A logic error when opening a USB Edge Port serial device could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when using USB Moschip 7720 serial devices.

Logic errors when using USB Moschip 7720 serial devices could lead to a
NULL pointer dereference or a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service when setting fan speed using G762 driver.

A logic error when setting fan speed through sysfs attributes of the G762
driver could lead to a division-by-zero error. A local attacker could set
a specific value for the fan speed to cause a denial-of-service.


* Denial-of-service when adding a new iSCSI target portal group fails.

A redundant kfree in the error path when adding a new portal group could
lead to a double-free. An attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when registering a dummy timer.

A missing check when registering a dummy timer could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using GPADL as Hyper-V guest.

A logic error when using a GPADL (Guest Physical Address Descriptor List)
could lead to a memory leak. A local attacker could use this flaw to
exhaust memory and cause a denial-of-service.


* Denial-of-service when opening Hyper-V channel.

Too short a timeout when waiting for message completion on channel
opening could lead to an infinite loop. An attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service when using Distributed Lock Manager with OCFS2.

A locking error when using Distributed Lock Manager (DLM) with OCFS2
filesystem could lead to a kernel BUG(). An attacker could use this flaw
to cause a denial-of-service.


* CVE-2017-2584: Denial-of-service when emulating sgdt/sidt instructions.

A missing check in KVM when emulating sgdt and sidt x86 instructions
could lead to a kernel memory leak or cause a use-after-free. An
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when writing to huge pages of another process.

A missing check when writing to read-only regions of memory backed by
transparent huge pages could cause an infinite loop. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2016-9588: Denial-of-service in Intel nested VMX exception handling.

Failure to handle exceptions thrown by an L2 guest could result in a
kernel crash. A malicious guest could use this flaw to crash the
virtualization host.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
