[Ksplice][Ubuntu-16.10-Updates] New Ksplice updates for Ubuntu 16.10 Yakkety (USN-3190-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Feb 6 09:51:24 PST 2017


Synopsis: USN-3190-1 can now be patched using Ksplice
CVEs: CVE-2016-10147 CVE-2016-8399 CVE-2016-8632 CVE-2016-8650 CVE-2016-9576 CVE-2016-9777

Systems running Ubuntu 16.10 Yakkety can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3190-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.10
Yakkety install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Out-of-bounds memory access in APIC virtualization.

An unsanitized array offset in the APIC virtualization subsystem resulted in
out-of-bounds array access. An unprivileged user can send a specially
crafted interrupt and corrupt kernel memory.


* CVE-2016-9777: Out-of-bounds memory write in KVM.

An incorrect array size could cause an out-of-bounds memory write when
sending RTC interrupt acknowledgements. A malicious local user could
potentially use this to cause denial of service or elevate privileges.


* General protection fault in KVM interrupt controller.

A missing check in the KVM x86 interrupt controller resulted in a NULL pointer
dereference. An attacker with the KVM_CAP_IRQ_ROUTING capability can exploit
this to cause a denial-of-service.


* Out-of-bounds memory access in perf.

A missing end-of-array marker in a lookup table allows for out-of-bounds
memory access in the perf sampling profiler subsystem, which may lead to
undefined behavior. An attacker can exploit this to control kernel
execution flow.


* CVE-2016-8650: NULL pointer dereference in the key management subsystem.

A missing check in the Multiprecision maths library used to implement
RSA digital signature verification could lead to a NULL pointer
dereference. A local user could use this flaw to cause a denial-of-service.


* Denial-of-service in X.509 certificate parser.

A double-free in X.509 certificate parser can lead to kernel panic. A
remote attacker can send an intentionally malformed X.509 certificate to
exploit this vulnerability.


* Denial-of-service in direct memory access subsystem.

A missing return value check in the driver allowed a userspace program
with direct access to persistent memory to crash the kernel.


* Denial-of-service in Transparent Huge Page remapping.

Incorrect logic in the Transparent Huge Page unlocking could allow a
local user to cause an assertion failure in the kernel.


* Denial-of-service during zram hot removal.

Failure to check a return value can cause a zram device to remain
available after unloading the zram module. Attempting to mount the
remaining device after the module has been unloaded can cause an
assertion failure in the kernel.


* NULL pointer dereference in memory cgroup controller.

A race condition between memory reclamation and the memory cgroup can
cause a NULL pointer dereference.


* Information leak in mwifiex driver.

Incorrect logging of SSID strings in the mwifiex driver can leak kernel
stack information to userspace. A local attacker could use this flaw to
gain information about the running kernel.


* NULL pointer dereference in i915 DMA error handling.

Failing to handle a DMA mapping error in the i915 driver can cause a
NULL pointer dereference.


* Use-after-free in KVM device creation.

Incorrect ordering when creating a KVM device can result in a
use-after-free. A local user could use this flaw to cause an assertion
failure in the kernel.


* Out-of-bounds memory access in perf callchain processing.

An incomplete optimization to perf user stack walking can result in the
kernel attempting to access invalid memory.


* Denial-of-service when creating L2TP sockets using concurrent threads.

A missing check when creating an L2TP socket could lead to a use-after-free
if a concurrent thread modifies the socket's flags while it is being created.
An attacker could use this flaw to cause a denial-of-service.


* Denial-of-service on information dump of an rtnetlink socket.

Incorrect logic when dumping interface information of an rtnetlink
socket could lead to an infinite loop. An attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service when receiving a packet with packet editing enabled.

Missing argument validation when receiving a malformed packet while
packet editing is enabled could lead to a memory overflow. A remote
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when checking DCCP packet validity.

Incorrect logic when checking the validity of a received DCCP packet
header could lead to a use-after-free. A remote attacker could use this
flaw to cause denial of service.


* Denial-of-service when handling GSO segment of a socket buffer.

Missing checks when handling GSO (Generic Segmentation Offload) of a
received packet could lead to a use-after-free or NULL pointer
dereference. An attacker could use this flaw to cause a
denial-of-service.


* CVE-2016-8632: Denial-of-service when using TIPC with a too-short MTU.

Missing checks when validating the TIPC (Transparent Inter Process
Communication) header could lead to a buffer overflow if the device MTU is
too short. An attacker with the ability to configure the MTU could use this
flaw to cause a denial-of-service.


* Denial-of-service when sending a socket buffer through a GENEVE interface.

A missing check when sending a socket buffer through a GENEVE (Generic
Network Virtualization Encapsulation) interface could lead to a
use-after-free of socket buffer data. An attacker could use this flaw
to cause a denial-of-service.


* CVE-2016-8399: Information leak using ICMP protocol.

A missing check on the ICMP header length could cause an out-of-bounds read
of the stack. A user could use this flaw to leak information about
kernel memory and facilitate an attack.


* CVE-2016-9576: Use-after-free in SCSI device interface.

Incorrect validation of sendfile arguments can cause a use-after-free in
the SCSI subsystem. A local user with access to /dev/sg* devices could
use this flaw to read kernel memory or escalate privileges.


* Missing privilege check in zram device initialization.

Incorrect privilege logic could allow a non-root user to create
uninitialized zram devices on the system. This could potentially
allow privileged memory access or a denial-of-service.


* Three-way race condition in rtmutex causes lock corruption.

A race condition between three concurrent threads could cause corruption
of the associated rtmutex, causing the mutex to potentially be granted
to the wrong waiter. This would likely lead to a kernel panic and
denial-of-service.


* CVE-2016-10147: Denial-of-service in mcryptd when using incompatible algorithm.

If mcryptd is provided a cryptographic algorithm it is not compatible
with, the kernel will panic. An unprivileged user could use this flaw
to cause a denial-of-service.


* Denial-of-service in PEAK USB/CAN adapter driver.

A use-after-free of memory in the PEAK USB-to-CAN driver could cause a
kernel oops and denial-of-service.


* Invalid memory access when failing allocation in BATMAN driver.

Failing to check whether memory allocation succeeded in the BATMAN
network driver could cause already-allocated memory to be returned,
potentially exposing kernel memory.


* Denial-of-service in BTRFS subvolume delayed work.

An unprivileged user with access to a btrfs volume can cause the system
to allocate unbounded amounts of memory, eventually causing a
denial-of-service.


* Incorrect error checking in btrfs_mark_buffer_dirty causes spurious BUG.

Overzealous error checking in btrfs_mark_buffer_dirty can cause a BUG
and denial-of-service when the system was in fact operating correctly.


* Logic error in btrfs log tree causes deadlock.

Incorrect logic could cause a lock order reversal while traversing nodes
in the btrfs log tree, potentially deadlocking the system and causing a
denial-of-service.


* Denial-of-service in BTRFS during multi-delete replay.

Incorrect logic when replaying a delete of directory entries could cause
an out-of-bounds access, potentially causing a denial-of-service or
exposing privileged memory.


* Overzealous error checking in btrfs dirty buffer check causes spurious BUG.

When btrfs integrity checking is enabled, it can spuriously trigger a
BUG call when walking a relocation tree extent buffer, causing a
denial-of-service.


* Denial-of-service in BTRFS concurrent block reading.

A race condition between an automatic read-ahead and
a user-initiated read of the same block can leak memory, causing
system performance degradation and an eventual denial-of-service.


* Denial-of-service in BTRFS extent tree walking.

A missing free in the btrfs extent tree do_walk_down function leaks
memory, causing performance degradation and an eventual
denial-of-service.


* Deadlock in btrfs unmount due to incorrect mutex logic.

Incorrect mutex ordering could cause a deadlock and denial-of-service
while unmounting a btrfs volume.


* Race condition in generic block device code causes spurious BUG.

An incorrect condition when attempting to exclusively lock a block
device could cause error checking code to erroneously fire, causing a
BUG and denial-of-service.


* Denial-of-service in EXT4 filesystems with 64K block size.

Utilizing an ext4 filesystem with block size greater than 64k can cause
memory corruption, potentially causing a denial-of-service.


* Denial-of-service in EXT4 filesystems with negative sized inodes.

A maliciously formed EXT4 filesystem could trigger an integer overflow
in the virtual filesystem layer, leading to a kernel crash. An attacker
could use this flaw to cause a denial-of-service.


* Race condition when completing queued block device transaction causes corruption.

A missing lock in block device request completion could cause the
completion to race with another request being queued, causing corruption
of the queue and a possible denial-of-service.


* Memory corruption in SMB2 client when reacquiring lost locks.

When attempting to reacquire locks lost after a session break, an
incorrectly sized buffer could be used for the lock structure,
corrupting memory and potentially causing a denial-of-service.


* Denial-of-service in driver core glue directory creation.

Failing to hold a mutex reference through the full usage of its
associated object when cleaning up the glue directory for a device could
cause the cleanup to race with the creation of another device,
potentially causing memory corruption and a denial-of-service.


* Denial-of-service in BTRFS when dropping a snapshot.

Incorrect error checking when dropping a btrfs snapshot could cause a
spurious BUG call in some cases, causing a denial-of-service.


* Permission bypass in close-on-exec file descriptors.

A race condition in setup_new_exec could allow reading a process's file
descriptors via /proc if they were opened with O_CLOEXEC.


* Information leak when ptracing an unreadable executable.

A missing check when ptracing a process could allow an unprivileged
user to read unreadable executable code from outside the user
namespace. An attacker could use this flaw to leak information.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
