[Ksplice][Ubuntu-16.10-Updates] New Ksplice updates for Ubuntu 16.10 Yakkety (4.8.0-32.34)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Dec 21 00:31:48 PST 2016


Synopsis: 4.8.0-32.34 can now be patched using Ksplice
CVEs: CVE-2016-6213 CVE-2016-8630 CVE-2016-8633 CVE-2016-8645 CVE-2016-9555 CVE-2016-9919

Systems running Ubuntu 16.10 Yakkety can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.8.0-32.34.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.10
Yakkety install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
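The decision the notice describes (autoinstall on, or run the upgrade by hand) as an added shell example, not part of the Ksplice announcement. It assumes /etc/uptrack/uptrack.conf is an INI-style file with `key = value` lines and that only the literal value `yes` enables autoinstall; the path can be overridden for testing.

```shell
# Added example (not Ksplice's own tooling): read the "autoinstall" setting
# from uptrack.conf and decide whether a manual uptrack-upgrade is needed.
# Assumption: INI-style "key = value" lines; only "yes" enables autoinstall.

# Print the effective autoinstall value: "yes", "no" or "unset".
# Ignores commented-out lines, tolerates "autoinstall=yes" without spaces,
# mixed case and trailing comments; the last assignment in the file wins.
uptrack_autoinstall_value() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo unset; return 0; }
    val=$(sed -n 's/^[[:space:]]*[Aa][Uu][Tt][Oo][Ii][Nn][Ss][Tt][Aa][Ll][Ll][[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        yes) echo yes ;;
        '')  echo unset ;;
        *)   echo no ;;
    esac
}

# Exit status 0 when an operator must apply the updates manually,
# 1 when "autoinstall = yes" means Uptrack will install them on its own.
uptrack_manual_action_needed() {
    [ "$(uptrack_autoinstall_value "$1")" != yes ]
}

# Run the upgrade only when needed. Defined but not called at load time,
# so sourcing this file never changes the host by itself.
uptrack_apply_if_needed() {
    if uptrack_manual_action_needed "$1"; then
        /usr/sbin/uptrack-upgrade -y
    else
        echo "autoinstall = yes: Uptrack will install the updates automatically"
    fi
}
```

Call `uptrack_apply_if_needed` as root on a Yakkety host; pass an alternate config path as the first argument to test the parsing against a constructed file.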


DESCRIPTION

* Multiple errors in GPIOLIB ioctls.

Off-by-one, data leak, out-of-bounds access and use-after-free errors
in GPIO_GET_CHIPINFO_IOCTL, GPIO_GET_LINE{HANDLE, EVENT}_IOCTL and
GPIOHANDLE_GET_LINE_VALUES_IOCTL could allow a local user to leak
information about the running kernel or cause a denial-of-service.


* Use-after-free in error path when mounting file systems.

Incorrect error handling when mounting a filesystem could lead to a
use-after-free. A local user with mount permissions could cause a
denial-of-service by using this flaw.


* Denial-of-service when syncing log of BTRFS filesystem.

A locking error when syncing the log of a BTRFS filesystem could lead
to list corruption. An attacker could use this flaw to cause a
denial-of-service.


* Infinite loop in getdents() syscall from UBI filesystem.

Incorrect error handling in the getdents() syscall path for the UBI
filesystem could lead to an infinite loop in libc. An attacker
could use this flaw to cause a denial-of-service.


* Data leak in TIOCMGET ioctl for CP210X UART to USB bridge.

Incorrect error handling in the TIOCMGET ioctl of the CP210X driver
could leak 8 bits from the kernel stack. An attacker could use this
flaw to gain information about the running kernel and facilitate an
attack.


* Denial-of-service when resizing a virtual terminal.

A missing check during virtual terminal resizing could lead to an
invalid memory access. A local user could use this flaw to cause a
denial-of-service.


* Memory leak when resizing a virtual terminal.

An error in argument sanitizing during virtual terminal resizing could
lead to a memory leak. A local user could use this flaw to exhaust
memory and cause a denial-of-service.


* NULL pointer dereference when destroying a device mapper.

A logic error in the DM_DEV_REMOVE and DM_REMOVE_ALL ioctl paths could
lead to a NULL pointer dereference. A local user with the capabilities
to use those ioctls could cause a denial-of-service.


* Use-after-free when removing a KVM Virtual Machine.

Incorrect logic while clearing virtual CPU related data could cause
a use-after-free. An attacker able to load and unload VMs could use
this flaw to cause a denial-of-service.


* Permission bypass in Overlay filesystem when setting POSIX ACLs.

A logic error when setting POSIX ACLs in the Overlay filesystem causes
the set-group-ID bit not to be cleared. A local, unprivileged user
could use this flaw to escalate privileges.


* Data corruption during copy-up in Overlay Filesystem.

A missing cache flush after a copy-up in Overlayfs could lead to data
corruption in case of a crash.


* CVE-2016-8633: Multiple errors in the DM_TABLE_LOAD ioctl of device mapper.

Multiple incorrect error handling paths in the DM_TABLE_LOAD ioctl could
lead to a reference count leak or a NULL pointer dereference. A local
user with access to this ioctl could use this flaw to cause a
denial-of-service.


* Buffer overflow in firewire net driver.

A logic error in the checks on incoming packets could lead to an rx
buffer overflow. A remote attacker could use this flaw to cause a
denial-of-service.


* Memory leak on setting property in drm_atomic driver.

Incorrect resource handling could lead to a memory leak when using the
DRM_IOCTL_MODE_ATOMIC ioctl. A local user with permissions to use this
ioctl could use this flaw to cause a denial-of-service.


* CVE-2016-8630: NULL pointer dereference in KVM instruction decoding.

A missing check during instruction decoding operations could lead to a
NULL pointer dereference. An attacker inside a virtual machine could
inject instructions with specific properties to cause a
denial-of-service on the host.


* Information leak in Precision Time Protocol (PTP) driver.

Due to a lack of memory initialization, information was leaking to
userspace when making the PTP_SYS_OFFSET_PRECISE ioctl call. A local
user who can communicate with the driver can use this to introspect
kernel memory.


* Denial-of-service when using traffic control.

A NULL pointer dereference in the traffic control classifier action
subsystem could crash the kernel. An attacker can exploit this to cause
a denial of service using userspace tools such as tc.


* Use-after-free in TCP stack when IPv6 is used.

Incorrect data manipulation in the TCP stack resulted in a
use-after-free when using IPv6. An attacker can exploit this to execute
arbitrary code in kernel mode.


* Memory corruption in Mellanox driver.

Because of a race in the Mellanox driver, some Ethernet ring
configurations may lead to memory corruption. An attacker can exploit
this to cause a denial of service.


* Denial of service when processing ARP requests on VLAN devices.

A bug in core networking code led to an infinite loop inside the kernel,
resulting in denial of service.


* Denial of service in IPv4 subsystem.

Incorrect locking in the sysctl interface to the IPv4 subsystem led to
an inconsistent lock state which could cause the kernel to get stuck in
a deadlock.


* Privilege escalation in SCTP getsockopt().

An incorrect integer operation when getting the SCTP_EVENTS socket
option leads to undefined behavior. An attacker can use this to execute
arbitrary code in kernel mode.


* Denial-of-service in SCTP routing update.

When sending an SCTP packet, if the route has changed at the transport
layer since the last packet was sent, trying to use the old
configuration leads to a kernel panic.


* CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

A missing bounds check in one of the state functions caused memory use
beyond what had been allocated. This could lead to memory corruption
and other undefined behavior.


* Data loss when passing command to megaraid controller.

A bug in the way the SYNCHRONIZE_CACHE command was handled resulted in
cached data not being flushed to disk properly in JBOD mode. This
results in a data integrity failure.


* Memory exhaustion in procfs sound info.

Missing argument sanitizing in the write() callback of sound info
procfs entries could lead to a user-controlled memory allocation size.
An attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Use-after-free in Generic SCSI-3 ALUA SCSI Device Handler.

A refcounting error during activation or rescanning of ALUA devices
could lead to a use-after-free. A user with the ability to activate
or rescan such devices through sysfs could cause a denial-of-service.


* Use of uninitialized memory in Intel Management Engine Interface.

A logic error could lead to an uninitialized memory access while
enabling the Intel MEI phy. A user with the capability to bring up an
interface using this phy could cause a denial-of-service.


* Memory corruption when sending messages over a TCP socket.

An incorrect check on the max_skb_frags sysctl value when sending TCP
messages could lead to memory corruption. An attacker could use this
flaw to cause a denial-of-service.


* NULL pointer dereference when binding DCCP IPv6 socket.

A missing callback in the dccp_v6 ops could cause a NULL pointer
dereference when binding a socket. A local user with the capability to
bind a DCCP IPv6 socket could use this flaw to cause a
denial-of-service.


* Use-after-free when using setsockopt() or connect() on an SCTP socket.

A race condition between the connect() and setsockopt() syscalls on an
SCTP socket could lead to a use-after-free. A local user with the
capability to use those syscalls could cause a denial-of-service.


* Double-free when unmapping BPF program.

A missing check when destroying BPF maps could lead to a double-free
of memory. A local user with the capability to use the BPF syscall
could use this flaw to cause a denial-of-service.


* CVE-2016-8645: Denial of service when receiving TCP packets.

When collapsing multiple socket buffers into one, a bug in the code
could result in a kernel panic. A remote attacker can trigger this by
sending specially crafted packets and cause a denial of service.


* NULL pointer dereference when shutting down an SCTP socket.

A logic error when shutting down an SCTP socket could lead to a NULL
pointer dereference. A local user could use this flaw to cause a
denial-of-service.


* General protection fault when configuring sunrpc sockets.

A logic error when configuring a sunrpc socket could lead to a general
protection fault. An attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when configuring Software RDMA over Ethernet interface.

A missing callback initialisation during RDMA_RXE socket creation
could lead to a NULL pointer dereference when configuring the interface
using this socket. An attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in Infiniband MLX5 debug print.

A missing check during Infiniband MLX5 queue pair creation could lead
to a NULL pointer dereference if the logging level is set to debug. An
attacker could use this flaw to cause a denial-of-service.


* Memory leak when using InfiniBand userspace driver.

A missing free of queue pairs during cleanup when userspace releases
the driver could lead to a memory leak. An attacker could use this
flaw to cause a denial-of-service.


* CVE-2016-6213: Denial-of-service when bind mounting filesystems.

A missing limit could cause an overflow of the mount table. A user with
mount permissions could cause a denial-of-service by bind mounting many
filesystems and overflowing the mount table.


* Denial-of-service when mounting a crafted EXT4 image as read-only.

A missing check when mounting a crafted EXT4 image as read-only could
lead to a kernel panic. An attacker with mount capabilities could use
this flaw to cause a denial-of-service.


* CVE-2016-9919: Denial-of-service on fragmented ipv6 traffic.

A missing check when receiving a fragmented IPv6 packet could cause a
panic after a timeout. A remote attacker could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.