[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (4.4.0-78.99)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue May 16 10:16:24 PDT 2017


Synopsis: 4.4.0-78.99 can now be patched using Ksplice
CVEs: CVE-2017-7187 CVE-2017-7261 CVE-2017-7294 CVE-2017-7616

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.4.0-78.99.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
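As an added example (not part of the Oracle announcement), the following POSIX shell functions let an administrator verify the two conditions above on a host before deciding whether the manual upgrade command is needed: whether uptrack.conf actually enables autoinstall, and whether the running kernel is the 4.4.0-78 release this update covers. The sample config content is constructed here; the real file is /etc/uptrack/uptrack.conf, and the assumption is that Uptrack reads it as a plain INI-style file where "#" and ";" start comments.

```shell
#!/bin/sh
# Added example, not Oracle's code. Parse an uptrack.conf-style file for the
# "autoinstall" key so a fleet check can tell which hosts still need a manual
# "uptrack-upgrade -y" (constructed sample inputs; assumes INI-style syntax).

# Print "yes" and return 0 if the config enables autoinstall, else print "no"
# and return 1. Strips "#"/";" comments, tolerates whitespace and mixed case,
# and lets the last assignment win (assumed to match Uptrack's parsing).
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 1; }
    value=$(sed -e 's/[#;].*$//' "$conf" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    case "$value" in
        yes|true|1) echo yes; return 0 ;;
        *)          echo no;  return 1 ;;
    esac
}

# Return 0 when a "uname -r" string belongs to the 4.4.0-78 ABI that the
# 4.4.0-78.99 package provides (e.g. 4.4.0-78-generic); takes the string as
# an argument so it can be exercised offline.
kernel_is_target() {
    case "$1" in
        4.4.0-78-*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Live-host usage (paths from the announcement):
#   kernel_is_target "$(uname -r)" && \
#       { autoinstall_enabled /etc/uptrack/uptrack.conf || /usr/sbin/uptrack-upgrade -y; }
```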


DESCRIPTION

* CVE-2017-7187: Denial-of-service in SCSI driver ioctl handler.

The ioctl handler in the SCSI generic (sg) driver allows local users to
cause a denial of service (stack-based buffer overflow) or possibly have
unspecified other impact via a large command size in an SG_NEXT_CMD_LEN
ioctl call, leading to an out-of-bounds write in the sg_write function.


* Use-after-free in ALSA sequencer buffer resizing.

A race condition when resizing a FIFO in the ALSA sequencer
implementation can lead to a use-after-free. A local attacker with
access to an ALSA sequencer device could use this flaw to crash the
kernel.


* Denial-of-service in USB URB submission.

A flaw in the error handling of sending URB packets can result in
memory corruption. A local attacker with access to USB devices could use
this flaw to crash the kernel.


* Use-after-free in KVM bus registration handling.

A failure to correctly handle unregistering devices from the KVM bus can
result in a use-after-free. A local attacker with access to virtual
machine management could use this flaw to crash the kernel or escalate
privileges.


* Denial-of-service in parallel data subsystem.

A race condition in the pdata subsystem can result in a kernel crash
when under heavy usage. A local attacker could use this flaw to cause a
denial-of-service.


* Malicious code injection in VMware virtual GPU fence object.

Fence objects in the VMware virtual GPU system were not properly
type-checked from userspace, potentially allowing a user to inject
malicious code.


* CVE-2017-7261: Denial-of-service when creating surface using DRM driver for VMware Virtual GPU.

A missing parameter check when using the "surface define" ioctl of the
DRM driver for VMware Virtual GPU could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Information leak in VMware virtual GPU capability ioctl.

A missing size check in the VMware virtual GPU vmw_get_cap_3d_ioctl()
call could potentially expose kernel memory to userspace.


* CVE-2017-7294: Denial-of-service when defining surface using DRM driver for VMware Virtual GPU.

A missing parameter check when using the "create surface" ioctl of the
DRM driver for VMware Virtual GPU could lead to an integer overflow. A
local attacker could use this flaw to cause a denial-of-service.


* Denial-of-service/information leak due to incorrect error handling in sysfs.

Incorrectly sanitizing error output from sysfs could cause the next
sysfs read or write to run out of bounds, potentially exposing kernel
memory or causing a denial-of-service.


* Denial-of-service due to race condition in ptrace state.

A race condition in the ptrace signal handling can cause memory
corruption in the kernel, leading to a kernel panic and denial-of-service.


* CVE-2017-7616: Information leak via set_mempolicy() and mbind().

Incorrect error handling in the set_mempolicy() and mbind() syscalls
allows local users to obtain sensitive information from uninitialized
stack data by triggering failure of a certain bitmap operation.


* Denial-of-service in hugetlb page manipulation.

A race condition in hugetlb page management in response to madvise hints
can result in a kernel crash. A local attacker with access to huge pages
could use this flaw to cause a denial-of-service.


* Denial-of-service in block device life-cycle handling.

A race condition between block device open and shutdown can result in a
kernel crash. A local attacker with permission to open block devices
could use this flaw to cause a denial-of-service.


* Denial-of-service in block device reference counting.

A logic failure in the block cgroup handler can result in a module
reference count leak, preventing unload of block device modules. A local
attacker could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
