[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3265-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon May 1 08:11:11 PDT 2017


Synopsis: USN-3265-1 can now be patched using Ksplice
CVEs: CVE-2016-10208 CVE-2017-5669 CVE-2017-5897 CVE-2017-5970 CVE-2017-5986 CVE-2017-6214 CVE-2017-6345 CVE-2017-6346 CVE-2017-6347 CVE-2017-6348 CVE-2017-6353 CVE-2017-7374

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3265-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
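The two installation paths above can be folded into one check. The following shell snippet is an added example, not part of the Oracle announcement or of the Ksplice tooling: it reads the autoinstall setting from /etc/uptrack/uptrack.conf and only runs uptrack-upgrade when updates will not arrive on their own. It assumes the file uses INI-style "key = value" lines with "#" or ";" comments.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether a host still needs a
# manual "uptrack-upgrade -y" by reading autoinstall from uptrack.conf.
# Assumption: INI-style "key = value" lines, '#' or ';' start a comment.

# Print the effective value of a key in an uptrack.conf-style file
# (last assignment wins; comments and surrounding whitespace ignored,
# value lower-cased so "Yes" and "yes" compare equal).
uptrack_conf_get() {
    # $1 = config file, $2 = key name
    sed -e 's/[#;].*$//' "$1" \
    | awk -F= -v key="$2" '
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = tolower(v)
            }
        }
        END { print val }'
}

# Returns 0 when autoinstall = yes, 1 otherwise (missing key or
# unreadable file counts as disabled, i.e. a manual upgrade is needed).
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    [ "$(uptrack_conf_get "$conf" autoinstall)" = "yes" ]
}

# Apply pending Ksplice updates only when they will not arrive automatically.
apply_ksplice_updates_if_needed() {
    if uptrack_autoinstall_enabled "${1:-/etc/uptrack/uptrack.conf}"; then
        echo "autoinstall = yes: Ksplice will apply the USN-3265-1 updates itself"
    else
        echo "autoinstall not enabled: applying updates now"
        /usr/sbin/uptrack-upgrade -y
    fi
}
```

Run `apply_ksplice_updates_if_needed` as root; pass an alternate path as the first argument to test against a copy of the configuration.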


DESCRIPTION

* Invalid memory access in IPv6 tunneling subsystem.

A missing check on socket buffer and use of a stale pointer results in
invalid memory accesses inside the IPv6 tunneling subsystem. This may
lead to undefined behavior in the kernel or denial-of-service.


* Denial-of-service when TCP window scaling is not enabled.

A division-by-zero error occurs when selecting the window size for TCP
over IPv4, resulting in denial-of-service.


* CVE-2017-5970: Denial-of-service in IPv4 options field handling.

Incorrect behaviour when IPv4 options are used can result in a kernel
crash.  A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in CIPSO / IPv4 protocol engine.

A missing length check in the CIPSO protocol implementation results in
out-of-bounds memory access. An unprivileged local process can exploit
this to read kernel memory or cause denial-of-service.


* CVE-2017-5897: Denial-of-service in IPv6 GRE tunnel error handling.

A logic error in IPv6 GRE error handling could lead to an out-of-bounds
access. A remote attacker could use this flaw and forge a specific IPv6
packet to cause a denial-of-service.


* Use-after-free when processing IPv6 SYN packets.

Incorrect memory management when processing IPv6 SYN packets with IP
options can trigger a use-after-free condition and kernel panic. An
attacker can exploit this to execute arbitrary code in kernel mode.


* CVE-2017-6214: Denial-of-service when splicing from TCP socket.

A specially crafted packet can be queued to trigger an infinite loop in
the IPv4 subsystem. This can be exploited by a remote attacker to cause
denial-of-service.


* Data race in virtio network device drivers.

Unprotected reads from shared data structures in the macvtap and tun
device drivers allow a data race, potentially leading to kernel memory
corruption and denial-of-service.


* CVE-2017-5986: Denial-of-service when using SCTP socket with concurrent thread.

A BUG_ON() could be triggered when queueing data in a full SCTP socket
while another thread disassociates the first thread from the socket. A
local attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in IPv6-over-IPv4 tunnel subsystem.

A flag is not reset when initialization of an IPv6-over-IPv4 tunnel
fails, resulting in a double-free that causes denial-of-service.


* Buffer overflow when parsing Link layer headers through TCP socket.

An incorrect length computation when sending a packet over a TCP socket
with a specific header length could lead to a buffer overflow. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in IPv4 `ping' implementation.

A missing null-pointer check in the ping implementation inside the IPv4
subsystem allows an unprivileged local user to crash the kernel and
cause denial-of-service.


* Denial-of-service when IP encapsulation for L2TP is used.

A bug in the SIOCINQ ioctl handler results in a kernel crash when plain
IP encapsulation for L2TP frames is used. A userspace process capable of
creating L2TP tunnels can exploit this to cause denial-of-service.


* Denial-of-service in Siano TV receiver driver.

Incorrect use of a DMA buffer on the stack when passing a USB control
message to the Siano USB TV driver could lead to stack corruption, since
CONFIG_VMAP_STACK is enabled. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when reading and writing from FUSE device.

A race-condition between concurrent read and write operations on a FUSE
device can crash the kernel, leading to denial-of-service.


* Denial-of-service in SCSI Generic driver.

A missing sanity check when writing to a generic SCSI device may lead to
a kernel panic. An unprivileged user with write permission to /dev/sg can
exploit this to cause denial-of-service.


* Denial-of-service in Direct Rendering Manager (DRM) subsystem.

An inconsistent control flow when using multiple displays through Direct
Rendering Manager Display Port interface can cause kernel panic, leading
to denial-of-service.


* CVE-2017-6345: Denial of service in 802.2 LLC packet processing.

A logic error when receiving PDUs on an 802.2 LLC network socket can trigger a
kernel panic and denial of service when freeing memory.


* CVE-2017-6346: Use-after-free in AF_PACKET fanout.

Invalid locking when processing the PACKET_FANOUT sockopt for AF_PACKET sockets
can trigger a use-after-free condition and kernel panic. A local user could use
this flaw to elevate privileges.


* CVE-2017-6348: Deadlock in Infrared socket teardown.

Invalid locking in the infrared networking subsystem can trigger a deadlock and
kernel panic when tearing down sockets. A local user can use this flaw to
trigger a denial of service.


* CVE-2017-6347: Denial of service in IPv4 IP_CHECKSUM control message.

A logic error when calculating the checksum of an IPv4 packet can trigger an
out-of-bounds read and kernel panic. A local user could use this flaw to cause
a denial of service.


* Denial of service in Moschip USB serial driver.

A logic error when attaching to a Moschip USB serial device with no
interrupt-in endpoint can trigger a NULL pointer dereference and kernel panic.


* Information leak in USB FTDI serial response parsing.

A logic error when handling short modem-status responses can allow the contents
of kernel memory to be leaked to userspace.


* Information leak in USB SPCP8x5 serial driver.

A logic error when handling short modem-status responses can allow the contents
of kernel memory to be leaked to userspace.


* Information leak in USB ARK Micro 3116 serial driver.

A logic error when handling short register-accessor responses can allow the
contents of kernel memory to be leaked to userspace.


* Kernel panic in generic filesystem writeback subsystem.

Incorrect reference counting when initializing filesystem writeback information
can trigger a double-free and trigger a kernel panic.


* Denial of service in Realtek WiFi interface management.

Incorrect memory management when disabling a Realtek WiFi interface can
leak URBs, causing USB communications to stop and resulting in a denial
of service.


* Use after free in 8250 PCI serial driver.

The generic 8250 serial driver for PCI devices does not correctly resume
a device, which can trigger a use after free condition and kernel panic.


* Deadlock when setting ALSA timer with small tickrate.

The ALSA subsystem does not define a lower bound for tick rates, which
can allow a local user to cause deadlocks by setting a small tick rate
for timers.


* Kernel panic in Realtek wireless header parsing.

The Realtek wireless driver does not correctly handle truncated wireless frames
which can trigger a NULL pointer dereference and kernel panic.


* Memory corruption when performing IO on anonymous memory mappings.

A logic error when performing IO on anonymous memory mappings can trigger
memory corruption and a kernel panic.


* CVE-2017-5669: Privilege bypass when using shmat() syscall to map page zero.

A logic error when mapping a page using shmat() syscall could allow a
user to map page zero and consequently bypass a protection mechanism
that exists for the mmap() system call.


* Denial of service in loop device SET_STATUS ioctl.

The kernel loopback driver does not drain pending work before changing status
which can later trigger kernel panics.


* Memory corruption when handling EXT4 small group sizes.

A logic error when handling EXT4 filesystems with small group sizes can trigger
an out-of-bounds read and potentially corrupt kernel memory.


* Memory leak in EXT4 inline data writeback.

The EXT4 filesystem driver does not handle errors when writing inline
data to disk, which can trigger reference counting errors and a kernel
memory leak.


* Memory leak when synchronously closing FUSE files.

Incorrect reference counting when synchronously closing files on FUSE
filesystems can trigger a kernel memory leak and subsequent kernel panic.


* Memory leak when attaching one-wire slave devices.

A logic error when an error is encountered attaching one-wire devices can
trigger a kernel memory leak and subsequent kernel panic.


* Denial of service when parsing RDMA iWARP parameters.

The kernel RDMA connection manager does not fully validate iWARP parameters
from userspace which can allow a local user to trigger a NULL pointer
dereference and kernel panic.


* Use-after-free in GFS2 lock management.

A race condition when manipulating locks in the GFS2 filesystem can trigger a
use-after-free condition and kernel panic.


* Denial of service when truncating files on NFS exports.

The kernel NFS server does not correctly handle updating ownership
metadata and file sizes, which can trigger assertion failures when some
filesystems are exported via NFS.


* Memory leak when opening files via NFSv4 client.

The kernel NFSv4 client does not track memory correctly when opening files on a
remote NFS server which can lead to a memory leak and subsequent kernel panic.


* Denial of service when processing Infiniband SRPs.

The kernel Infiniband driver does not handle duplicate SRP responses which can
trigger a NULL pointer dereference and kernel panic.


* Denial of service in Radeon buffer-object caching.

The Radeon graphics driver does not correctly handle swapping out
buffer-objects which can trigger an assertion failure and kernel panic.


* Denial of service in Digi AccelePort OOB events.

A logic error when parsing truncated OOB events from Digi AccelePort USB
devices can trigger an out-of-bounds read and kernel panic.


* Information leak in safe-serial USB driver.

The safe-serial USB driver does not correctly validate USB frames which can
allow short USB frames to leak the contents of kernel memory to userspace.


* Denial of service in IO Warrior USB endpoint processing.

The IO Warrior USB device driver does not correctly handle malicious USB
devices with missing endpoints which can trigger a NULL pointer dereference and
kernel panic.


* Denial of service in Digi Edgeport TI interrupt processing.

A logic error when handling interrupts from Digi Edgeport USB devices can allow
a malicious device to trigger a NULL pointer dereference and kernel panic.


* Information leak in Digi Edgeport TI callback completion.

An integer underflow in the Digi Edgeport TI USB driver can allow a malicious
USB device to leak the contents of kernel memory to userspace.


* Denial of service when truncating encrypted EXT4 inodes.

A logic error when mounting an EXT4 filesystem can trigger an assertion and
kernel panic when truncating encrypted inodes.


* Denial of service in ext4 extended attribute checksums.

A race condition in the ext4 filesystem driver can cause incorrect checksums to
be calculated for extended attributes which can allow a local user to cause a
denial of service.


* Use after free in L2TP backlog processing.

A logic error when processing backlogged L2TP packets can lead to a packet
being discarded multiple times triggering a use after free condition and kernel
panic.


* Information leak in AF_PACKET socket binding.

A logic error when copying AF_PACKET addresses from userspace can trigger
an out-of-bounds read and leak the contents of kernel memory to
userspace.


* Denial of service when accepting DCCP connections.

A logic error when accepting a DCCP connection fails can trigger an assertion
failure and kernel panic.


* Denial of service in IPv4 TCP timers.

The TCP subsystem does not correctly handle changing timers on IPv4 TCP
sockets in the LISTEN state, which can trigger a divide-by-zero and
kernel panic.


* Memory corruption when completing network packets.

Incorrect reference counting when network packet transmission has completed can
trigger a use-after-free condition and kernel panic.


* Denial of service when configuring netfilter connection marking.

A logic error when parsing configuration data from userspace can allow a local
user to trigger a NULL pointer dereference and kernel panic.


* Memory corruption in IP packet redirection.

Incorrect reference counting when redirecting IPv4, IPv6 and DCCP packets can
trigger a use-after-free condition and kernel panic.


* Memory leak in DCCP CCID-2 socket teardown.

The DCCP CCID-2 networking subsystem does not free memory when tearing down a
socket which can cause a memory leak and subsequent kernel panic.


* Denial-of-service when setting encryption policy on a directory.

Incorrect locking when setting encryption policy through the
FS_IOC_SET_ENCRYPTION_POLICY ioctl() could lead to trailing unencrypted
files or to memory leaks. A local, unprivileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Memory corruption in futex requeuing.

A logic error when requeuing a PI futex can trigger a use-after-free condition
and kernel memory corruption when changing the owner of the futex.


* Denial-of-service when destroying TCP socket using GFP_ATOMIC.

A logic error when destroying a socket could lead to a memory leak if a
TCP socket is using the GFP_ATOMIC flag for allocations. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in AF_UNIX sockets garbage collector.

A logic error in the implementation of the garbage collector for UNIX
sockets could lead to a kernel BUG(). A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service in the IPv4 Forwarding Information Base.

A missing check in the Forwarding Information Base (FIB) implementation
of IPv4 could lead to a buffer overflow. A local attacker could use this
flaw to cause a denial-of-service.


* Multiple denial-of-service issues when plugging in malicious USB devices.

Missing checks in multiple USB device drivers could lead to a NULL
pointer dereference when plugging in malicious USB devices. An attacker
with physical access to the machine could cause a denial-of-service.


* Denial-of-service when performing wireless scan or dump.

A locking error when performing a scan or dump on a wireless interface
could lead to a deadlock. A local attacker could use this flaw to cause
a denial-of-service.


* Memory corruption in XFS buffer readahead.

Under memory pressure a logic error in XFS buffer readahead can cause a
double-free and kernel memory corruption. A local user with privileges to mount
filesystems could use this flaw to escalate privileges.


* CVE-2017-6353: Denial-of-service when peeling off an SCTP socket.

A logic error when peeling off an SCTP socket could lead to a double
free or a deadlock. A local user could use this flaw to cause a
denial-of-service.


* Memory corruption when adding slave device to network bond.

A buffer overflow while copying device address results in stack
corruption. An attacker can exploit this vulnerability to execute
arbitrary code in kernel context.


* Denial-of-service when using ALSA set_client_pool ioctl.

A flag handling error in set_client_pool ioctl path could lead to a
deadlock. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in SCSI disk driver when checking media events.

A race condition when checking media events in the SCSI disk driver
results in a use-after-free. An unprivileged local user can exploit this
to cause denial-of-service.


* Data corruption in Hyper-V PCI host controller.

A race condition between ejection of a Hyper-V device and handling newly
added devices results in data corruption. An attacker can exploit this
to cause denial-of-service.


* Denial-of-service in raid10 block I/O operation.

A race condition in the raid10 driver results in a deadlock in the
kernel. An unprivileged local user can exploit this to cause
denial-of-service.


* CVE-2016-10208: Memory corruption when mounting ext4 block device.

An off-by-one error when mounting an ext4 image read-only leads to
out-of-bounds reads. An attacker can exploit this to corrupt memory and
cause denial-of-service.


* Data loss when updating raid10 array metadata.

A logic error when updating raid10 array metadata results in unsafe
concurrent writes. An attacker can exploit this bug to cause data loss
and corruption.


* Denial-of-service when reading from xfs inode.

Missing validation of user-provided metadata when reading from an xfs
filesystem results in out-of-bounds reads. An attacker can exploit this
to cause denial-of-service.


* CVE-2017-7374: Denial-of-service when revoking keys used for file system encryption.

A logic error in file system encryption subsystem when revoking keys used
for ext4, f2fs, or ubifs encryption could lead to a use-after-free. A
local attacker could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
