[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (4.4.0-83.106)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jul 11 20:38:46 PDT 2017


Synopsis: 4.4.0-83.106 can now be patched using Ksplice
CVEs: CVE-2017-1000364 CVE-2017-100363 CVE-2017-7487 CVE-2017-8890 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 CVE-2017-9242

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.4.0-83.106.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
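The two paths above (automatic installation when autoinstall is on, manual
uptrack-upgrade otherwise) can be checked before acting. The following is an
added example written for this page, not Oracle's own tooling: it reads the
uptrack.conf file and reports which path applies. The page only says that
"autoinstall = yes" in /etc/uptrack/uptrack.conf enables automatic
installation; treating the file as "key = value" lines with '#' or ';'
comments, and letting a later setting override an earlier one, are
assumptions made here.

```shell
#!/bin/sh
# Added example (not Oracle Ksplice code): decide whether uptrack-upgrade must
# be run by hand on this host. Assumption: uptrack.conf is a plain
# "key = value" file in which '#' or ';' starts a comment.

# uptrack_autoinstall_enabled [FILE]
# Returns 0 when the effective (last uncommented) autoinstall setting is yes,
# 1 when it is anything else or absent, 2 when the file cannot be read.
uptrack_autoinstall_enabled() {
    file="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$file" ] || return 2
    # 1. strip comments, 2. keep only "autoinstall = <value>" lines with any
    # surrounding whitespace, 3. take the last one, 4. compare case-insensitively
    value=$(sed -e 's/[#;].*$//' "$file" \
        | sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# ksplice_update_plan [FILE]
# Prints the action that follows from the configuration: nothing to do when
# autoinstall is on, otherwise the manual upgrade command from the advisory.
ksplice_update_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall: updates apply automatically, no action needed"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}
```

Run ksplice_update_plan with no argument on a real system to read
/etc/uptrack/uptrack.conf, or pass a path to inspect a copy of the file. An
unreadable file is reported as the manual path, which is the safe default: a
host whose configuration cannot be confirmed should not be assumed to patch
itself.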


DESCRIPTION

* Denial-of-service in Plan 9 filesystem access control list manipulation.

Incorrect error handling when updating access control lists in the Plan
9 filesystem can result in a memory leak. A local attacker could use
this flaw to exhaust kernel memory, resulting in a denial-of-service.


* Kernel crash in mwifiex 802.11 packet transmission.

A logic error in the processing of wifi transmission packets in the
mwifiex driver can result in a buffer overrun, resulting in a kernel
crash.


* Kernel crash in Broadcom flexible MAC wifi driver.

A logic error in the processing of wifi transmission packets can result
in the access of uninitialised memory, resulting in a kernel crash.


* Denial-of-service in TCP transmission buffer management.

A logic error during management of TCP packet buffers can cause an
assertion failure in the kernel, leading to undefined behaviour or
potentially a kernel crash. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service in TCP accept handling.

A failure to correctly initialize a pointer when accepting TCP
connections could result in a double free. A local attacker could use
this flaw to cause undefined behaviour or a kernel crash, leading to a
denial-of-service.


* Denial-of-service in raw socket IP header processing.

A failure to validate IP packets submitted to raw sockets can result in
the access of invalid memory. This could result in a kernel crash,
leading to a denial-of-service.


* Kernel crash in Broadcom NetXtreme Receive Flow Steering.

A failure to allocate enough memory for Receive Flow Steering management
can result in a buffer overrun leading to undefined behaviour or a
kernel crash.


* Use-after-free in DRM/TTM fault handling.

A race condition in the DRM/TTM driver can result in a use-after-free
during vm fault handling. A local attacker could use this flaw to cause
a kernel crash.


* Race condition in USB device initialization causes denial-of-service.

Two USB devices calling init_usb_class simultaneously can race and
corrupt kernel memory, potentially causing a crash and
denial-of-service.


* Auto-suspending disconnected USB devices causes denial-of-service.

In rare cases, the generic USB driver can attempt to auto-suspend a USB
device not actually connected to the system. This causes a NULL pointer
dereference and denial-of-service.


* Incorrect event handling in KVM causes SMM errors in client.

Incorrect logic when entering system management mode on a KVM client
could cause the system to misbehave, potentially causing the client SMM
to report errors.


* Denial-of-service when writing to small memory-mapped file on ext4.

In rare cases, writing to a very small memory-mapped file on the ext4
filesystem can execute invalid code, causing a denial-of-service.


* Information leak via unsanitized buffer in getxattr.

Failing to zero out a buffer returned by getxattr in low-memory
situations could cause kernel memory to be exposed to userspace.


* Denial-of-service in Ceph file system extended attributes.

Failure to free memory when the filesystem failed to set an extended
attribute could result in memory exhaustion. A local, unprivileged user
could use this flaw to cause a denial-of-service.


* CVE-2017-100363: Denial-of-service in printer driver setup.

Missing validation on the "lp" module parameter could result in an
out-of-bounds access and integer overflow. A local, privileged user
could use this flaw to crash the kernel or defeat secure boot
protections.


* CVE-2017-7487: Use-after-free in IPX reference count handling.

A reference count leak in the IPX ioctl handler can result in a
reference count overflow leading to a use-after-free. A local attacker
could use this flaw to crash the kernel or escalate privileges.


* CVE-2017-8890, CVE-2017-9076, CVE-2017-9077: Incorrectly copying list headers on socket clone causes denial-of-service.

When cloning sockets, several list headers are incorrectly copied to the
child sockets, which then leads to double-frees when both sockets are
closed, causing a kernel panic and denial-of-service.


* CVE-2017-9074: Information leak via IPv6 fragment header.

The header size of an IPv6 fragment is not properly checked, potentially
allowing an attacker to read out-of-bounds memory when attempting to
parse it, leaking information.


* CVE-2017-9075: Denial-of-service when using the SCTP protocol with IPv6.

A missing structure initialization could lead to a double free when
creating a new socket. A local unprivileged attacker could use this flaw
to cause a denial-of-service.


* CVE-2017-9242: Denial-of-service when using the send syscall on an IPv6 socket.

A missing check when sending messages over IPv6 sockets could lead to an
out-of-bounds access. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service due to corrupted F2FS filesystem.

A failure to validate the segment count when mounting an F2FS
filesystem can result in undefined behaviour when accessing the
filesystem. This could result in a kernel crash, leading to a
denial-of-service.


* Denial-of-service when getting mount information about CIFS filesystem.

A missing check of a private data pointer when getting CIFS mount
information could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* Information leak in multiple debug prints of the USB core driver.

Multiple debug prints in the USB core driver, emitted when transferring
USB packets, could leak memory addresses from the running kernel. A local
attacker could use this flaw to get information about the running kernel
and facilitate an attack.


* Denial-of-service when accessing the TPM security chip.

A missing check on an input value when reading from or writing to the TPM
security chip could lead to out-of-bounds accesses. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service when resolving an IPv6 address over InfiniBand.

A logic error when trying to resolve an IPv6 address over InfiniBand
while the kernel IPv6 module is not loaded could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when growing a RAID5 device.

A logic error when growing the size of a RAID5 device could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when setting reserved bits of specific KVM x86 registers.

A missing check on a value supplied from userspace when setting the MXCSR
x86 register could lead to a paging request failure. A local attacker
could use this flaw to cause a denial-of-service.


* Information leak when accessing the x86 timer from a guest.

A logic error when accessing the Programmable Interval Timer (PIT) from a
guest could leak information about the host's kernel. A local attacker
could use this flaw to leak information about the host's kernel and
facilitate an attack.


* Denial-of-service when mapping the end of the physical address space.

A missing check when mapping the end of the physical address space, where
the requested range wraps around the end, could lead to a kernel BUG. An
attacker could use this flaw to cause a denial-of-service.


* Use-after-free of XC2028 TV tuner driver name string.

The priv->ctrl.fname string containing the firmware name can be freed
twice, potentially causing memory corruption and a kernel panic or other
exploitable behavior.


* Improved fix to CVE-2017-1000364 to allow stack expansion close to userspace guard.

Some userspace applications, such as the Java Virtual Machine, implement a
stack guard area manually by placing a fixed mapping below the stack. In
combination with the original Ubuntu fix for CVE-2017-1000364, that
mapping prevented stack expansion in cases where it should have been
allowed.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




