[security-announce] SUSE-SU-2017:1301-1: important: Security update for the Linux Kernel

[news 28]

SUSE Security Update: Security update for the Linux Kernel

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2017:1301-1

Rating: important

References: #1005651 #1008374 #1008893 #1013018 #1013070

#1013800 #1013862 #1016489 #1017143 #1018263

#1018446 #1019168 #1020229 #1021256 #1021913

#1022971 #1023014 #1023163 #1023888 #1024508

#1024788 #1024938 #1025235 #1025702 #1026024

#1026260 #1026722 #1026914 #1027066 #1027101

#1027178 #1028415 #1028880 #1029212 #1029770

#1030213 #1030573 #1031003 #1031052 #1031440

#1031579 #1032141 #1033336 #1033771 #1033794

#1033804 #1033816 #1034026 #909486 #911105

#931620 #979021 #982783 #983212 #985561 #988065

#989056 #995542 #999245

Cross-References: CVE-2015-3288 CVE-2015-8970 CVE-2016-10200

CVE-2016-5243 CVE-2017-2671 CVE-2017-5669

CVE-2017-5970 CVE-2017-5986 CVE-2017-6074

CVE-2017-6214 CVE-2017-6348 CVE-2017-6353

CVE-2017-7184 CVE-2017-7187 CVE-2017-7261

CVE-2017-7294 CVE-2017-7308 CVE-2017-7616

 

Affected Products:

SUSE Linux Enterprise Software Development Kit 11-SP4

SUSE Linux Enterprise Server 11-SP4

SUSE Linux Enterprise Server 11-EXTRA

SUSE Linux Enterprise Debuginfo 11-SP4

______________________________________________________________________________

 

An update that solves 18 vulnerabilities and has 41 fixes

is now available.

 

Description:

 

 

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various

security and bugfixes.

 

Notable new features:

 

- Toleration of newer crypto hardware for z Systems

- USB 2.0 Link power management for Haswell-ULT

 

The following security bugs were fixed:

 

- CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in

the Linux kernel did not properly validate certain block-size data,

which allowed local users to cause a denial of service (overflow) or

possibly have unspecified other impact via crafted system calls

(bnc#1031579)

- CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux

kernel was too late in obtaining a certain lock and consequently could

not ensure that disconnect function calls are safe, which allowed local

users to cause a denial of service (panic) by leveraging access to the

protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003)

- CVE-2017-7184: The xfrm_replay_verify_len function in

net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size

data after an XFRM_MSG_NEWAE update, which allowed local users to obtain

root privileges or cause a denial of service (heap-based out-of-bounds

access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573).

- CVE-2017-5970: The ipv4_pktinfo_prepare function in

net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a

denial of service (system crash) via (1) an application that made

crafted system calls or possibly (2) IPv4 traffic with invalid IP

options (bsc#1024938).

- CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind

compat syscalls in mm/mempolicy.c in the Linux kernel allowed local

users to obtain sensitive information from uninitialized stack data by

triggering failure of a certain bitmap operation (bsc#1033336).

- CVE-2017-7294: The vmw_surface_define_ioctl function in

drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not

validate addition of certain levels data, which allowed local users to

trigger an integer overflow and out-of-bounds write, and cause a denial

of service (system hang or crash) or possibly gain privileges, via a

crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440)

- CVE-2017-7261: The vmw_surface_define_ioctl function in

drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not

check for a zero value of certain levels data, which allowed local users

to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and

possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device

(bnc#1031052)

- CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux

kernel allowed local users to cause a denial of service (stack-based

buffer overflow) or possibly have unspecified other impact via a large

command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds

write access in the sg_write function (bnc#1030213)

- CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the

Linux kernel improperly managed lock dropping, which allowed local users

to cause a denial of service (deadlock) via crafted operations on IrDA

devices (bnc#1027178)

- CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel

did not restrict the address calculated by a certain rounding operation,

which allowed local users to map page zero, and consequently bypass a

protection mechanism that exists for the mmap system call, by making

crafted shmget and shmat system calls in a privileged context

(bnc#1026914)

- CVE-2015-3288: mm/memory.c in the Linux kernel mishandled anonymous

pages, which allowed local users to gain privileges or cause a denial of

service (page tainting) via a crafted application that triggers writing

to page zero (bsc#979021).

- CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in

the Linux kernel allowed local users to gain privileges or cause a

denial of service (use-after-free) by making multiple bind system calls

without properly ascertaining whether a socket has the SOCK_ZAPPED

status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c

(bnc#1028415)

- CVE-2016-5243: The tipc_nl_compat_link_dump function in

net/tipc/netlink_compat.c in the Linux kernel did not properly copy a

certain string, which allowed local users to obtain sensitive

information from kernel stack memory by reading a Netlink message

(bnc#983212)

- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly

restrict association peel-off operations during certain wait states,

which allowed local users to cause a denial of service (invalid unlock

and double free) via a multithreaded application (bnc#1027066)

- CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the

Linux kernel allowed remote attackers to cause a denial of service

(infinite loop and soft lockup) via vectors involving a TCP packet with

the URG flag (bnc#1026722)

- CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c

in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures

in the LISTEN state, which allowed local users to obtain root privileges

or cause a denial of service (double free) via an application that made

an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024)

- CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in

net/sctp/socket.c in the Linux kernel allowed local users to cause a

denial of service (assertion failure and panic) via a multithreaded

application that peels off an association in a certain buffer-full state

(bsc#1025235)

- CVE-2015-8970: crypto/algif_skcipher.c in the Linux kernel did not

verify that a setkey operation has been performed on an AF_ALG socket an

accept system call is processed, which allowed local users to cause a

denial of service (NULL pointer dereference and system crash) via a

crafted application that does not supply a key, related to the lrw_crypt

function in crypto/lrw.c (bsc#1008374).

 

The following non-security bugs were fixed:

 

- NFSD: do not risk using duplicate owner/file/delegation ids

(bsc#1029212).

- RAID1: avoid unnecessary spin locks in I/O barrier code (bsc#982783,

bsc#1026260).

- SUNRPC: Clean up the slot table allocation (bsc#1013862).

- SUNRPC: Initalise the struct xprt upon allocation (bsc#1013862).

- USB: cdc-acm: fix broken runtime suspend (bsc#1033771).

- USB: cdc-acm: fix open and suspend race (bsc#1033771).

- USB: cdc-acm: fix potential urb leak and PM imbalance in write

(bsc#1033771).

- USB: cdc-acm: fix runtime PM for control messages (bsc#1033771).

- USB: cdc-acm: fix runtime PM imbalance at shutdown (bsc#1033771).

- USB: cdc-acm: fix shutdown and suspend race (bsc#1033771).

- USB: cdc-acm: fix write and resume race (bsc#1033771).

- USB: cdc-acm: fix write and suspend race (bsc#1033771).

- USB: hub: Fix crash after failure to read BOS descriptor

- USB: serial: iuu_phoenix: fix NULL-deref at open (bsc#1033794).

- USB: serial: kl5kusb105: fix line-state error handling (bsc#1021256).

- USB: serial: mos7720: fix NULL-deref at open (bsc#1033816).

- USB: serial: mos7720: fix parallel probe (bsc#1033816).

- USB: serial: mos7720: fix parport use-after-free on probe errors

(bsc#1033816).

- USB: serial: mos7720: fix use-after-free on probe errors (bsc#1033816).

- USB: serial: mos7840: fix NULL-deref at open (bsc#1034026).

- USB: xhci-mem: use passed in GFP flags instead of GFP_KERNEL

(bsc#1023014).

- Update metadata for serial fixes (bsc#1013070)

- Use PF_LESS_THROTTLE in loop device thread (bsc#1027101).

- clocksource: Remove "weak" from clocksource_default_clock() declaration

(bnc#1013018).

- dlm: backport "fix lvb invalidation conditions" (bsc#1005651).

- drm/mgag200: Add support for G200e rev 4 (bnc#995542, comment #81)

- enic: set skb->hash type properly (bsc#911105).

- ext4: fix mballoc breakage with 64k block size (bsc#1013018).

- ext4: fix stack memory corruption with 64k block size (bsc#1013018).

- ext4: reject inodes with negative size (bsc#1013018).

- fuse: initialize fc->release before calling it (bsc#1013018).

- i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx

(bsc#985561).

- i40e/i40evf: Fix mixed size frags and linearization (bsc#985561).

- i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per

packet (bsc#985561).

- i40e/i40evf: Rewrite logic for 8 descriptor per packet check

(bsc#985561).

- i40e: Fix TSO with more than 8 frags per segment issue (bsc#985561).

- i40e: Impose a lower limit on gso size (bsc#985561).

- i40e: Limit TX descriptor count in cases where frag size is greater than

16K (bsc#985561).

- i40e: avoid null pointer dereference (bsc#909486).

- jbd: Fix oops in journal_remove_journal_head() (bsc#1017143).

- jbd: do not wait (forever) for stale tid caused by wraparound

(bsc#1020229).

- kABI: mask struct xfs_icdinode change (bsc#1024788).

- kabi: Protect xfs_mount and xfs_buftarg (bsc#1024508).

- kabi: fix (bsc#1008893).

- lockd: use init_utsname for id encoding (bsc#1033804).

- lockd: use rpc client's cl_nodename for id encoding (bsc#1033804).

- md linear: fix a race between linear_add() and linear_congested()

(bsc#1018446).

- md/linear: shutup lockdep warnning (bsc#1018446).

- mm/mempolicy.c: do not put mempolicy before using its nodemask

(bnc#931620).

- ocfs2: do not write error flag to user structure we cannot copy from/to

(bsc#1013018).

- ocfs2: fix crash caused by stale lvb with fsdlm plugin (bsc#1013800).

- ocfs2: fix error return code in ocfs2_info_handle_freefrag()

(bsc#1013018).

- ocfs2: null deref on allocation error (bsc#1013018).

- pciback: only check PF if actually dealing with a VF (bsc#999245).

- pciback: use pci_physfn() (bsc#999245).

- posix-timers: Fix stack info leak in timer_create() (bnc#1013018).

- powerpc,cpuidle: Dont toggle CPUIDLE_FLAG_IGNORE while setting

smt_snooze_delay (bsc#1023163).

- powerpc/fadump: Fix the race in crash_fadump() (bsc#1022971).

- powerpc/fadump: Reserve memory at an offset closer to bottom of RAM

(bsc#1032141).

- powerpc/fadump: Update fadump documentation (bsc#1032141).

- powerpc/nvram: Fix an incorrect partition merge (bsc#1016489).

- powerpc/vdso64: Use double word compare on pointers (bsc#1016489).

- rcu: Call out dangers of expedited RCU primitives (bsc#1008893).

- rcu: Direct algorithmic SRCU implementation (bsc#1008893).

- rcu: Flip ->completed only once per SRCU grace period (bsc#1008893).

- rcu: Implement a variant of Peter's SRCU algorithm (bsc#1008893).

- rcu: Increment upper bit only for srcu_read_lock() (bsc#1008893).

- rcu: Remove fast check path from __synchronize_srcu() (bsc#1008893).

- s390/kmsg: add missing kmsg descriptions (bnc#1025702).

- s390/vmlogrdr: fix IUCV buffer allocation (bnc#1025702).

- s390/zcrypt: Introduce CEX6 toleration

- sched/core: Fix TASK_DEAD race in finish_task_switch() (bnc#1013018).

- sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded

systems (bnc#1013018).

- scsi: zfcp: do not trace pure benign residual HBA responses at default

level (bnc#1025702).

- scsi: zfcp: fix rport unblock race with LUN recovery (bnc#1025702).

- scsi: zfcp: fix use-after-"free" in FC ingress path after TMF

(bnc#1025702).

- scsi: zfcp: fix use-after-free by not tracing WKA port open/close on

failed send (bnc#1025702).

- sfc: reduce severity of PIO buffer alloc failures (bsc#1019168).

- tcp: abort orphan sockets stalling on zero window probes (bsc#1021913).

- vfs: split generic splice code from i_mutex locking (bsc#1024788).

- virtio_scsi: fix memory leak on full queue condition (bsc#1028880).

- vmxnet3: segCnt can be 1 for LRO packets (bsc#988065, bsc#1029770).

- xen-blkfront: correct maximum segment accounting (bsc#1018263).

- xen-blkfront: do not call talk_to_blkback when already connected to

blkback.

- xen-blkfront: free resources if xlvbd_alloc_gendisk fails.

- xfs: Fix lock ordering in splice write (bsc#1024788).

- xfs: Make xfs_icdinode->di_dmstate atomic_t (bsc#1024788).

- xfs: do not assert fail on non-async buffers on ioacct decrement

(bsc#1024508).

- xfs: exclude never-released buffers from buftarg I/O accounting

(bsc#1024508).

- xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).

- xfs: fix up xfs_swap_extent_forks inline extent handling (bsc#1023888).

- xfs: kill xfs_itruncate_start (bsc#1024788).

- xfs: remove the i_new_size field in struct xfs_inode (bsc#1024788).

- xfs: remove the i_size field in struct xfs_inode (bsc#1024788).

- xfs: remove xfs_itruncate_data (bsc#1024788).

- xfs: replace global xfslogd wq with per-mount wq (bsc#1024508).

- xfs: split xfs_itruncate_finish (bsc#1024788).

- xfs: split xfs_setattr (bsc#1024788).

- xfs: track and serialize in-flight async buffers against unmount

(bsc#1024508).

- xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Software Development Kit 11-SP4:

 

zypper in -t patch sdksp4-linux-kernel-13105=1

 

- SUSE Linux Enterprise Server 11-SP4:

 

zypper in -t patch slessp4-linux-kernel-13105=1

 

- SUSE Linux Enterprise Server 11-EXTRA:

 

zypper in -t patch slexsp3-linux-kernel-13105=1

 

- SUSE Linux Enterprise Debuginfo 11-SP4:

 

zypper in -t patch dbgsp4-linux-kernel-13105=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch):

 

kernel-docs-3.0.101-100.2

 

- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

 

kernel-default-3.0.101-100.1

kernel-default-base-3.0.101-100.1

kernel-default-devel-3.0.101-100.1

kernel-source-3.0.101-100.1

kernel-syms-3.0.101-100.1

kernel-trace-3.0.101-100.1

kernel-trace-base-3.0.101-100.1

kernel-trace-devel-3.0.101-100.1

 

- SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):

 

kernel-ec2-3.0.101-100.1

kernel-ec2-base-3.0.101-100.1

kernel-ec2-devel-3.0.101-100.1

kernel-xen-3.0.101-100.1

kernel-xen-base-3.0.101-100.1

kernel-xen-devel-3.0.101-100.1

 

- SUSE Linux Enterprise Server 11-SP4 (ppc64):

 

kernel-bigmem-3.0.101-100.1

kernel-bigmem-base-3.0.101-100.1

kernel-bigmem-devel-3.0.101-100.1

kernel-ppc64-3.0.101-100.1

kernel-ppc64-base-3.0.101-100.1

kernel-ppc64-devel-3.0.101-100.1

 

- SUSE Linux Enterprise Server 11-SP4 (s390x):

 

kernel-default-man-3.0.101-100.1

 

- SUSE Linux Enterprise Server 11-SP4 (i586):

 

kernel-pae-3.0.101-100.1

kernel-pae-base-3.0.101-100.1

kernel-pae-devel-3.0.101-100.1

 

- SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):

 

kernel-default-extra-3.0.101-100.1

 

- SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):

 

kernel-xen-extra-3.0.101-100.1

 

- SUSE Linux Enterprise Server 11-EXTRA (x86_64):

 

kernel-trace-extra-3.0.101-100.1

 

- SUSE Linux Enterprise Server 11-EXTRA (ppc64):

 

kernel-ppc64-extra-3.0.101-100.1

 

- SUSE Linux Enterprise Server 11-EXTRA (i586):

 

kernel-pae-extra-3.0.101-100.1

 

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

 

kernel-default-debuginfo-3.0.101-100.1

kernel-default-debugsource-3.0.101-100.1

kernel-trace-debuginfo-3.0.101-100.1

kernel-trace-debugsource-3.0.101-100.1

 

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 s390x x86_64):

 

kernel-default-devel-debuginfo-3.0.101-100.1

kernel-trace-devel-debuginfo-3.0.101-100.1

 

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

 

kernel-ec2-debuginfo-3.0.101-100.1

kernel-ec2-debugsource-3.0.101-100.1

kernel-xen-debuginfo-3.0.101-100.1

kernel-xen-debugsource-3.0.101-100.1

kernel-xen-devel-debuginfo-3.0.101-100.1

 

- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64):

 

kernel-bigmem-debuginfo-3.0.101-100.1

kernel-bigmem-debugsource-3.0.101-100.1

kernel-ppc64-debuginfo-3.0.101-100.1

kernel-ppc64-debugsource-3.0.101-100.1

 

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586):

 

kernel-pae-debuginfo-3.0.101-100.1

kernel-pae-debugsource-3.0.101-100.1

kernel-pae-devel-debuginfo-3.0.101-100.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2015-3288.html

https://www.suse.com/security/cve/CVE-2015-8970.html

https://www.suse.com/security/cve/CVE-2016-10200.html

https://www.suse.com/security/cve/CVE-2016-5243.html

https://www.suse.com/security/cve/CVE-2017-2671.html

https://www.suse.com/security/cve/CVE-2017-5669.html

https://www.suse.com/security/cve/CVE-2017-5970.html

https://www.suse.com/security/cve/CVE-2017-5986.html

https://www.suse.com/security/cve/CVE-2017-6074.html

https://www.suse.com/security/cve/CVE-2017-6214.html

https://www.suse.com/security/cve/CVE-2017-6348.html

https://www.suse.com/security/cve/CVE-2017-6353.html

https://www.suse.com/security/cve/CVE-2017-7184.html

https://www.suse.com/security/cve/CVE-2017-7187.html

https://www.suse.com/security/cve/CVE-2017-7261.html

https://www.suse.com/security/cve/CVE-2017-7294.html

https://www.suse.com/security/cve/CVE-2017-7308.html

https://www.suse.com/security/cve/CVE-2017-7616.html

https://bugzilla.suse.com/1005651

https://bugzilla.suse.com/1008374

https://bugzilla.suse.com/1008893

https://bugzilla.suse.com/1013018

https://bugzilla.suse.com/1013070

https://bugzilla.suse.com/1013800

https://bugzilla.suse.com/1013862

https://bugzilla.suse.com/1016489

https://bugzilla.suse.com/1017143

https://bugzilla.suse.com/1018263

https://bugzilla.suse.com/1018446

https://bugzilla.suse.com/1019168

https://bugzilla.suse.com/1020229

https://bugzilla.suse.com/1021256

https://bugzilla.suse.com/1021913

https://bugzilla.suse.com/1022971

https://bugzilla.suse.com/1023014

https://bugzilla.suse.com/1023163

https://bugzilla.suse.com/1023888

https://bugzilla.suse.com/1024508

https://bugzilla.suse.com/1024788

https://bugzilla.suse.com/1024938

https://bugzilla.suse.com/1025235

https://bugzilla.suse.com/1025702

https://bugzilla.suse.com/1026024

https://bugzilla.suse.com/1026260

https://bugzilla.suse.com/1026722

https://bugzilla.suse.com/1026914

https://bugzilla.suse.com/1027066

https://bugzilla.suse.com/1027101

https://bugzilla.suse.com/1027178

https://bugzilla.suse.com/1028415

https://bugzilla.suse.com/1028880

https://bugzilla.suse.com/1029212

https://bugzilla.suse.com/1029770

https://bugzilla.suse.com/1030213

https://bugzilla.suse.com/1030573

https://bugzilla.suse.com/1031003

https://bugzilla.suse.com/1031052

https://bugzilla.suse.com/1031440

https://bugzilla.suse.com/1031579

https://bugzilla.suse.com/1032141

https://bugzilla.suse.com/1033336

https://bugzilla.suse.com/1033771

https://bugzilla.suse.com/1033794

https://bugzilla.suse.com/1033804

https://bugzilla.suse.com/1033816

https://bugzilla.suse.com/1034026

https://bugzilla.suse.com/909486

https://bugzilla.suse.com/911105

https://bugzilla.suse.com/931620

https://bugzilla.suse.com/979021

https://bugzilla.suse.com/982783

https://bugzilla.suse.com/983212

https://bugzilla.suse.com/985561

https://bugzilla.suse.com/988065

https://bugzilla.suse.com/989056

https://bugzilla.suse.com/995542

https://bugzilla.suse.com/999245

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org