[Ksplice][Ubuntu-16.10-Updates] New Ksplice updates for Ubuntu 16.10 Yakkety (4.8.0-28.30)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Dec 2 16:26:01 PST 2016


Synopsis: 4.8.0-28.30 can now be patched using Ksplice
CVEs: CVE-2016-7097 CVE-2016-7425

Systems running Ubuntu 16.10 Yakkety can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.8.0-28.30.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.10
Yakkety install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
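As an added example (not part of the Ksplice advisory), a small POSIX shell helper that reads the autoinstall setting referred to above and tells an operator which of the two install paths applies on a host; the parsing rules it uses (a "#" starts a comment, key and value are case-insensitive, the last assignment wins) are assumptions, not documented Ksplice behaviour.

```shell
# Added example, not from the advisory: report whether a host will pick up
# this update on its own or still needs "uptrack-upgrade -y".
# The path /etc/uptrack/uptrack.conf and the "autoinstall = yes" setting come
# from the advisory; comment syntax, case handling and last-wins are assumed.

# Print "yes" if autoinstall is enabled in the given config file, else "no".
# A missing or unreadable file counts as "no", so the caller errs on the
# side of running the upgrade by hand.
uptrack_autoinstall_value() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo no; return 0; }
    val=$(tr '[:upper:]' '[:lower:]' < "$conf" \
        | sed -e 's/#.*$//' \
        | sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        | tail -n 1)
    if [ "$val" = yes ]; then echo yes; else echo no; fi
}

# Succeed (exit 0) when the operator must trigger the upgrade manually.
uptrack_manual_upgrade_needed() {
    [ "$(uptrack_autoinstall_value "$1")" != yes ]
}

# Constructed sample configs, one per case described in the advisory.
demo_dir=$(mktemp -d)
printf '# Uptrack config\n  autoinstall = Yes   # applied automatically\n' \
    > "$demo_dir/auto.conf"
printf 'autoinstall = yes\n# overridden below\nAutoInstall=no\n' \
    > "$demo_dir/manual.conf"
for f in "$demo_dir"/*.conf; do
    if uptrack_manual_upgrade_needed "$f"; then
        echo "$f: run /usr/sbin/uptrack-upgrade -y"
    else
        echo "$f: autoinstall enabled, no action needed"
    fi
done
```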


DESCRIPTION

* Race condition in USB core could cause incorrect data transfer.

Bulk data transfers to a USB device are improperly synchronized, creating
a race condition that could potentially allow access to protected
memory.


* Deadlock in Integrity Management Architecture attribute update.

When updating an attribute on an object in the underlying overlayfs,
the Integrity Management Architecture system accesses the object's
directory entry improperly, potentially deadlocking on the associated
inode and causing a denial of service.


* Data race in Trusted Platform Module 2.0 when unsealing trusted key.

A logic error in the TPM2 code could allow a data race, potentially
breaking or disrupting the chain of trust.


* Missing cancel in Trusted Platform Module 2.0 request callback.

Missing logic to correctly cancel a TPM2 request could cause incorrect
protocol behavior and a break in the chain of trust.


* CVE-2016-7425: Heap corruption in ARECA SATA/SAS RAID host adapter.

Lack of bounds checking when copying data from userspace could lead to heap
corruption.  A local user with the ability to transfer messages to the
ARECA SATA/SAS RAID driver could use this flaw to gain kernel execution.


* Double free in GenWQE PCIe Accelerator driver during ioctl.

Improper error handling in the GenWQE PCIe Accelerator driver when
allocating DMA memory can lead to a double free if the allocation is
interrupted.


* Buffer overrun in xfs when listing extended attributes.

Incorrect logic when listing extended attributes on xfs could allow
attribute names to overwrite attribute data. A local user could use this
flaw to corrupt kernel memory and gain elevated privileges.


* Use-after-free bug in Intel OPA Gen1 adapter driver.

A refcounting error when removing a Queue Pair (QP) in the Infiniband
driver could lead to a use-after-free and kernel panic.


* Permission bypass in fuse filesystem when changing directory mode.

A flaw in the fuse filesystem could allow previously cached directory
modes to be used after they have been changed. A local user could
potentially use this flaw to escalate privileges or access restricted
information.


* Permission bypass in fuse filesystem when using write/truncate/chown.

A flaw in the fuse filesystem causes stale directory modes to be used
when checking permissions in the write, truncate and chown operations.
A local user could potentially use this flaw to escalate privileges or
access restricted information.


* NULL pointer dereference in Intel XL710 ethernet driver.

A flaw in the PCI error handling of the XL710 ethernet driver could lead
to a NULL pointer dereference. A local user with the capability to load a
module and to trigger PCI errors could cause a denial of service.


* Memory leak in the Broadcom WiFi driver when listing scan results.

A temporary 2KiB buffer is never released when listing the scan results
in the Broadcom WiFi driver.  A local user could use this flaw to exhaust
the memory on the system and cause a denial-of-service.


* Memory corruption in Intel Atom audio driver.

Type confusion when controlling an audio stream leads to memory
corruption and kernel panic. An attacker with the ability to
pause and resume an audio stream multiple times could cause a denial
of service.


* Denial-of-service in reiserfs quota handling on mount.

Incorrect locking when initializing quotas for a reiserfs mount could
lead to a deadlock.  A local user with mount permission could use this
flaw to cause a denial-of-service.


* Denial of service when validating RAID6 syndromes.

A reference on a DMA buffer is never released when validating RAID6
syndromes, leading to a memory leak.  A local user with the ability to
cause a RAID6 sync could use this flaw to exhaust the memory on the
system and cause a denial-of-service.


* Integer overflow in generic file read on 32-bit systems.

Lack of input validation in the generic file read syscall could lead to
an integer overflow and an infinite loop. An unprivileged user could use
this flaw to cause a denial of service.


* Filesystem corruption during online defragmentation in the ext4 filesystem.

Moving extents of encrypted files in the ext4 filesystem is not
supported and leads to filesystem corruption.  A local user with the
ability to trigger an online defragmentation could use this flaw to
cause data loss.


* Metadata corruption of uid/gid on ext4 file system.

A logic error when removing an inode from an ext4 filesystem could lead
to metadata corruption: the high 16 bits of the uid/gid are zeroed
before the inode deletion has been committed to disk. An attacker could
potentially use this flaw to bypass permission checks on an ext4
filesystem.


* Kernel BUG when releasing unused pages in the ext4 filesystem.

Failure to clear the dirty bit when releasing unused pages in the ext4
filesystem could cause a kernel BUG assertion to trigger. A local user
could use this flaw to cause a denial-of-service.


* Memory leak in ext4 while inserting a range.

A path is not released when inserting a range in the ext4 filesystem.
A local user could use this flaw to exhaust the memory on the system and
cause a denial of service.


* Data leak when removing data in direct access mode in ext4.

Multiple logic errors in the ext4 filesystem prevent data in a file from
being removed from disk when using direct access mode, potentially
leading to a data leak. An attacker could use this flaw to recover data
that was presumed removed.


* Use-after-free in Distributed Lock Manager.

A logic error when closing dlm filesystem entries could lead to a
use-after-free. A user with the ability to close a dlm filesystem
connection could trigger multiple use-after-frees and cause a denial of
service.


* Information leak in overlayfs.

Due to a flaw in overlayfs, an attacker could obtain confidential
information stored on the filesystem.


* NULL pointer dereference in the cachefiles filesystem after deleting a file.

A logic error when notifying the cachefilesd daemon of a newly deleted
file could lead to a NULL pointer dereference and kernel panic. A
local user could use this flaw to cause a denial-of-service.


* General protection faults in Intel Pstate driver when hotplugging cpus.

Incorrect logic in the Intel Pstate driver when accessing the Hardware
Managed Performance MSR during CPU hotplug could lead to a general
protection fault. A user with the ability to hotplug CPUs could cause a
denial-of-service.


* Free error in ramoops driver during removal.

A flaw in ramoops driver removal could lead to a segmentation fault by
freeing memory that should not be freed. A user with the capability to
load modules could use this flaw to cause a denial-of-service.


* Use-after-free in device mapper driver when removing dm devices.

A locking error when stopping the device mapper queue could lead to a
use-after-free of a work item. An attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in device mapper driver when adding dm devices.

A locking error when adding a device mapper queue could lead to a
use-after-free of a work item. An attacker could use this flaw to cause a
denial-of-service.


* Infinite loop when activating path in device mapper.

An error in a condition check when activating a path in the device
mapper multipathing driver could lead to an infinite loop. An attacker
with permission to use the multipath_prepare ioctl could cause a
denial-of-service.


* Kernel information leak in overlayfs directory entry.

A struct dentry address is used as unique id in an overlayfs dir
function. A local attacker could use this to gain information
about the running kernel and facilitate an attack.


* Buffer overflow while copying up xattr in overlayfs.

A check error could cause an overflow while copying up xattrs from
underlying filesystems. An attacker could use this flaw to cause a
denial-of-service.


* Permission bypass in NFS due to inode corruption.

Incorrect use of the inode cache could corrupt an inode on the client
filesystem and cause an unintended mode change. An attacker could use
this flaw to bypass permissions on NFS.


* Permission bypass in NFSv4 during open state recovery.

Incorrect error checking during open state recovery could lead to
mismatched permissions between client and server. An attacker could use
this flaw to bypass permissions.


* Data corruption when writing a pNFS block layout.

An error in computing the inode size before writing it leads to an
incorrect inode size on the filesystem, which could result in data
corruption.


* Use-after-free when probing some scsi devices.

An error in refcounting when probing a scsi device could lead to a
use-after-free. A user with the ability to probe scsi devices could
cause a denial-of-service.


* Race condition in super block handling of filesystems.

Due to a race condition when locking and unlocking the file system, a
BUG_ON could be triggered. An attacker could use this race to cause a
denial-of-service.


* Overflow in Cifs credit handling.

A cifs client can obtain as many credits as it requests from the server,
leading to an integer overflow of the credit counter. An attacker
could use this flaw to cause a denial-of-service.


* Multiple memory leaks in cifs ioctls.

Missing memory frees in the copychunk_file and file_clone ioctls of cifs
lead to memory leaks. An attacker could use those ioctls to exhaust
the memory and cause a denial-of-service.


* Incorrect memory free in Ceph Distributed File System.

A logic error in Ceph file read error handling leads to a random oops
because of an incorrect memory free. An attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when setting encryption policy on a directory.

Incorrect locking when setting the encryption policy through the
FS_IOC_SET_ENCRYPTION_POLICY ioctl() could leave unencrypted files
behind or leak memory. A local, unprivileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Reference count leak in target transport layer on scsi command reception.

An error in flag handling could lead to a reference count leak when
receiving a scsi command. An attacker could use this flaw to cause
a denial-of-service.


* Memory leak in AMD GPU driver on close.

The kernel driver for AMD GPUs does not correctly free memory for the
drm mode parameters. A local authenticated user could trigger a
denial-of-service by intentionally closing the driver multiple times.


* Vmalloc exhaustion in VMware virtual gpu driver.

A user submitting a command via the execbuf ioctl could overflow the
command size and exhaust vmalloc space. A local user could use this
ioctl to cause a denial-of-service.


* CVE-2016-7097: privilege escalation when setting xattr.

A missing clear of SGID bit during a setxattr call could allow a local
user to gain group privileges.


* NULL pointer dereference in Intel Ethernet Controller XL710 family.

An error in condition checks during configuration of Receive Side
Scaling (RSS) of the controller could lead to NULL pointer dereference.
A local user with capability to set RSS could use this flaw to cause a
denial-of-service.


* Out-of-bounds memory access when setting key in crypto gcm.

An error in array declaration while setting gcm key could lead to
out-of-bounds memory access. A local user with ability to set gcm key
could use this flaw to cause a denial-of-service.


* Memory corruption in debugfs of multiple wireless drivers.

The Atheros AR9170 and Broadcom 43/43-legacy wireless drivers do not
use the correct file operations for their debugfs entries, leading to
memory corruption.


* Memory leak on shadow entries handling.

Incorrect logic when freeing a radix tree node for a memory-mapped file
could cause the node and associated memory to be leaked, causing
performance degradation and an eventual denial-of-service.


* Use-after-free in direct rendering manager.

Incorrectly specifying the owner of a dma buffer in the direct rendering
manager could allow the drm driver to be unloaded and the buffer
unmapped while in use, potentially allowing access to protected memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
