SUSE-SU-2016:2105-1

The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.62 to receive various security and bugfixes.

The following security bugs were fixed: - CVE-2014-9904: The sndcompresscheckinput function in sound/core/compressoffload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRVCOMPRESSSETPARAMS ioctl call (bnc#986811). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2015-8551: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XENPCIOP* operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8552: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XENPCIOPenablemsi operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8845: The tmreclaimthread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms did not ensure that TM suspend mode exists before proceeding with a tmreclaim call, which allowed local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application (bnc#975533). - CVE-2016-0758: Integer overflow in lib/asn1decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bnc#979867). - CVE-2016-1583: The ecryptfsprivilegedopen function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983143). - CVE-2016-2053: The asn1berdecoder function in lib/asn1decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the publickeyverifysignature function in crypto/asymmetrickeys/publickey.c (bnc#963762). - CVE-2016-3672: The archpickmmaplayout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDRNORANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-4470: The keyrejectandlink function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-4482: The procconnectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFSCONNECTINFO ioctl call (bsc#978401). - CVE-2016-4486: The rtnlfilllinkifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-4569: The sndtimeruserparams function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bsc#979213). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) sndtimeruserccallback and (2) sndtimerusertinterrupt functions (bnc#979879). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/pppgeneric.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the pppregisternetchannel and pppunregisterchannel functions (bnc#980371). - CVE-2016-4997: The compat IPTSOSETREPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986362). - CVE-2016-4998: The IPTSOSETREPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bsc#986365). - CVE-2016-5244: The rdsincinfocopy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-5828: The startthread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms mishandled transactional state, which allowed local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction an exec system call (bsc#986569). - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddevioctlusage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572).

The following non-security bugs were fixed: - ALSA: hrtimer: Handle start/stop more properly (bsc#973378). - Add waiteventcmd() (bsc#953048). - Btrfs: be more precise on errors when getting an inode from disk (bsc#981038). - Btrfs: do not use src fd for printk (bsc#980348). - Btrfs: improve performance on fsync against new inode after rename/unlink (bsc#981038). - Btrfs: qgroup: Fix qgroup accounting when creating snapshot (bsc#972933). - Btrfs: serialize subvolume mounts with potentially mismatching rw flags (bsc#951844). - Disable btrfs patch (bsc#981597) - EDAC, sbedac: Add support for duplicate device IDs (bsc#979521). - EDAC, sbedac: Fix TAD presence check for sbridgemcibinddevs() (bsc#979521). - EDAC, sbedac: Fix rank lookup on Broadwell (bsc#979521). - EDAC/sbedac: Fix computation of channel address (bsc#979521). - EDAC: Correct channel count limit (bsc#979521). - EDAC: Remove arbitrary limit on number of channels (bsc#979521). - EDAC: Use static attribute groups for managing sysfs entries (bsc#979521). - MM: increase safety margin provided by PFLESSTHROTTLE (bsc#956491). - PCI/AER: Clear error status registers during enumeration and restore (bsc#985978). - RAID5: batch adjacent full stripe write (bsc#953048). - RAID5: checkreshape() shouldn't call mddevsuspend (bsc#953048). - RAID5: revert e9e4c377e2f563 to fix a livelock (bsc#953048). - Restore copying of SKBs with head exceeding page size (bsc#978469). - SCSI: Increase REPORTLUNS timeout (bsc#982282). - USB: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982698). - Update patches.drivers/0001-nvme-fix-maxsegments-integer-truncation.patch (bsc#979419). Fix reference. - Update patches.drivers/nvme-0106-init-nvme-queue-before-enabling-irq.patch (bsc#962742). Fix incorrect bugzilla referece. - VSOCK: Fix lockdep issue (bsc#977417). - VSOCK: sockput wasn't safe to call in interrupt context (bsc#977417). - base: make modulecreatedriversdir race-free (bnc#983977). - cdcncm: workaround for EM7455 'silent' data interface (bnc#988552). - ceph: tolerate bad isize for symlink inode (bsc#985232). - drm/mgag200: Add support for a new G200eW3 chipset (bsc#983904). - drm/mgag200: Add support for a new rev of G200e (bsc#983904). - drm/mgag200: Black screen fix for G200e rev 4 (bsc#983904). - drm/mgag200: remove unused variables (bsc#983904). - drm: qxl: Workaround for buggy user-space (bsc#981344). - efifb: Add support for 64-bit frame buffer addresses (bsc#973499). - efifb: Fix 16 color palette entry calculation (bsc#983318). - efifb: Fix KABI of screeninfo struct (bsc#973499). - ehci-pci: enable interrupt on BayTrail (bnc#947337). - enic: set netdev->vlanfeatures (bsc#966245). - fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681) - hid-elo: kill not flush the work (bnc#982354). - iommu/vt-d: Enable QI on all IOMMUs before setting root entry (bsc#975772). - ipvs: count pre-established TCP states as active (bsc#970114). - kabi/severities: Added raw3270* PASS to allow IBM LTC changes (bnc#979922, LTC#141736) - kabi: prevent spurious modversion changes after bsc#982544 fix (bsc#982544). - kvm: Guest does not show the cpu flag nonstoptsc (bsc#971770) - md/raid56: Do not perform reads to support writes until stripe is ready. - md/raid5: Ensure a batch member is not handled prematurely (bsc#953048). - md/raid5: For stripe with R5ReadNoMerge, we replace REQFLUSH with REQNOMERGE. - md/raid5: add handleflags arg to breakstripebatchlist (bsc#953048). - md/raid5: allow the stripecache to grow and shrink (bsc#953048). - md/raid5: always set conf->prevchunksectors and ->prevalgo (bsc#953048). - md/raid5: avoid races when changing cache size (bsc#953048). - md/raid5: avoid reading parity blocks for full-stripe write to degraded array (bsc#953048). - md/raid5: be more selective about distributing flags across batch (bsc#953048). - md/raid5: break stripe-batches when the array has failed (bsc#953048). - md/raid5: call breakstripebatchlist from handlestripecleanevent (bsc#953048). - md/raid5: change ->inactiveblocked to a bit-flag (bsc#953048). - md/raid5: clear R5NeedReplace when no longer needed (bsc#953048). - md/raid5: close race between STRIPEBITDELAY and batching (bsc#953048). - md/raid5: close recently introduced race in stripehead management. - md/raid5: consider updating reshapeposition at start of reshape (bsc#953048). - md/raid5: deadlock between retryalignedread with barrier io (bsc#953048). - md/raid5: do not do chunk aligned read on degraded array (bsc#953048). - md/raid5: do not index beyond end of array in needthisblock() (bsc#953048). - md/raid5: do not let shrinkslab shrink too far (bsc#953048). - md/raid5: duplicate some more handlestripecleanevent code in breakstripebatchlist (bsc#953048). - md/raid5: ensure device failure recorded before write request returns (bsc#953048). - md/raid5: ensure whole batch is delayed for all required bitmap updates (bsc#953048). - md/raid5: fix allocation of 'scribble' array (bsc#953048). - md/raid5: fix another livelock caused by non-aligned writes (bsc#953048). - md/raid5: fix handling of degraded stripes in batches (bsc#953048). - md/raid5: fix initstripe() inconsistencies (bsc#953048). - md/raid5: fix locking in handlestripecleanevent() (bsc#953048). - md/raid5: fix newly-broken locking in getactivestripe. - md/raid5: handle possible race as reshape completes (bsc#953048). - md/raid5: ignore releasedstripes check (bsc#953048). - md/raid5: more incorrect BUGON in handlestripefill (bsc#953048). - md/raid5: move maxnrstripes management into growonestripe and droponestripe (bsc#953048). - md/raid5: needthisblock: start simplifying the last two conditions (bsc#953048). - md/raid5: needthisblock: tidy/fix last condition (bsc#953048). - md/raid5: new allocstripe() to allocate an initialize a stripe (bsc#953048). - md/raid5: pass gfpt arg to growonestripe() (bsc#953048). - md/raid5: per hash value and exclusive waitforstripe (bsc#953048). - md/raid5: preserve STRIPEPREREADACTIVE in breakstripebatchlist. - md/raid5: remove condition test from checkbreakstripebatchlist (bsc#953048). - md/raid5: remove incorrect 'mint()' when calculating writepos (bsc#953048). - md/raid5: remove redundant check in stripeaddtobatchlist() (bsc#953048). - md/raid5: separate large if clause out of fetchblock() (bsc#953048). - md/raid5: separate out the easy conditions in needthisblock (bsc#953048). - md/raid5: split waitforstripe and introduce waitforquiescent (bsc#953048). - md/raid5: strengthen check on reshapeposition at run (bsc#953048). - md/raid5: switch to use conf->chunksectors in place of mddev->chunksectors where possible (bsc#953048). - md/raid5: use ->lock to protect accessing raid5 sysfs attributes (bsc#953048). - md/raid5: use biolist for the list of bios to return (bsc#953048). - md: be careful when testing resyncmax against currresynccompleted (bsc#953048). - md: doreleasestripe(): No need to call mdwakeupthread() twice (bsc#953048). - md: make sure MDRECOVERYDONE is clear before starting recovery/resync (bsc#953048). - md: remove unwanted white space from md.c (bsc#953048). - md: use setbit/clearbit instead of shift/mask for biflags changes (bsc#953048). - mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721). - net/qlge: Avoids recursive EEH error (bsc#954847). - net: Account for all vlan headers in skbmacgsosegment (bsc#968667). - net: Start with correct maclen in skbnetworkprotocol (bsc#968667). - net: disable fragment reassembly if highthresh is set to zero (bsc#970506). - net: fix wrong maclen calculation for vlans (bsc#968667). - netfilter: bridge: Use _in6devget rather than in6devget in brvalidateipv6 (bsc#982544). - netfilter: bridge: do not leak skb in error paths (bsc#982544). - netfilter: bridge: forward IPv6 fragmented packets (bsc#982544). - nvme: don't poll the CQ from the kthread (bsc#975788, bsc#965087). - perf/rapl: Fix sysfsshow() initialization for RAPL PMU (bsc#979489). - perf/x86/intel: Add Intel RAPL PP1 energy counter support (bsc#979489). - ppp: defer netns reference release for ppp channel (bsc#980371). - qeth: delete napi struct when removing a qeth device (bnc#988215, LTC#143590). - raid5: Retry R5ReadNoMerge flag when hit a read error. - raid5: add a new flag to track if a stripe can be batched (bsc#953048). - raid5: add an option to avoid copy data from bio to stripe cache (bsc#953048). - raid5: avoid release list until last reference of the stripe (bsc#953048). - raid5: check faulty flag for array status during recovery (bsc#953048). - raid5: fix a race of stripe count check. - raid5: fix broken async operation chain (bsc#953048). - raid5: getactivestripe avoids devicelock. - raid5: handle expansion/resync case with stripe batching (bsc#953048). - raid5: handle io error of batch list (bsc#953048). - raid5: makerequest does less prepare wait. - raid5: relieve lock contention in getactivestripe(). - raid5: relieve lock contention in getactivestripe(). - raid5: speedup syncrequest processing (bsc#953048). - raid5: track overwrite disk count (bsc#953048). - raid5: update analysis state for failed stripe (bsc#953048). - raid5: use flexarray for scribble data (bsc#953048). - s390/3270: add missing ttykrefput (bnc#979922, LTC#141736). - s390/3270: avoid endless I/O loop with disconnected 3270 terminals (bnc#979922, LTC#141736). - s390/3270: fix garbled output on 3270 tty view (bnc#979922, LTC#141736). - s390/3270: fix view reference counting (bnc#979922, LTC#141736). - s390/3270: handle reconnect of a tty with a different size (bnc#979922, LTC#141736). - s390/3270: hangup the 3270 tty after a disconnect (bnc#979922, LTC#141736). - s390/mm: fix ascebits handling with dynamic pagetable levels (bnc#979922, LTC#141456). - s390/spinlock: avoid yield to non existent cpu (bnc#979922, LTC#141106). - s390: fix testfpctl inline assembly contraints (bnc#988215, LTC#143138). - sbedac: Fix a typo and a thinko in address handling for Haswell (bsc#979521). - sbedac: Fix support for systems with two home agents per socket (bsc#979521). - sbedac: correctly fetch DIMM width on Ivy Bridge and Haswell (bsc#979521). - sbedac: look harder for DDRIO on Haswell systems (bsc#979521). - sbedac: support for Broadwell -EP and -EX (bsc#979521). - sched/cputime: Fix clocknanosleep()/clockgettime() inconsistency (bnc#988498). - sched/cputime: Fix cputimersamplegroup() double accounting (bnc#988498). - sched/x86: Fix up typo in topology detection (bsc#974165). - sched: Provide updatecurr callbacks for stop/idle scheduling classes (bnc#988498). - target/rbd: do not put snapcontext twice (bsc#981143). - target/rbd: remove cawmutex usage (bsc#981143). - usb: quirk to stop runtime PM for Intel 7260 (bnc#984456). - wait: introduce waiteventexclusivecmd (bsc#953048). - x86 EDAC, sbedac.c: Repair damage introduced when 'fixing' channel address (bsc#979521). - x86 EDAC, sbedac.c: Take account of channel hashing when needed (bsc#979521). - x86, sched: Add new topology for multi-NUMA-node CPUs (bsc#974165). - x86/efi: parseefisetup() build fix (bsc#979485). - x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620). - x86: Removed the free memblock of hibernat keys to avoid memory corruption (bsc#990058). - x86: standardize mmaprnd() usage (bnc#974308). - xfs: fix premature enospc on inode allocation (bsc#984148). - xfs: get rid of XFSIALLOCBLOCKS macros (bsc#984148). - xfs: get rid of XFSINODECLUSTERSIZE macros (bsc#984148).