SUSE-SU-2017:0471-1

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to 3.12.61 to receive various security and bugfixes.

The following feature was implemented:

• The ext2 filesystem got reenabled and supported to allow support for 'XIP' (Execute In Place) (FATE#320805).

The following security bugs were fixed:

• CVE-2017-5551: The tmpfs filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bsc#1021258).
• CVE-2016-7097: The filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968).
• CVE-2017-2583: A Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector(SS) value error. A user/process inside guest could have used this flaw to crash the guest resulting in DoS or potentially escalate their privileges inside guest. (bsc#1020602).
• CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt (bnc#1019851).
• CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710).
• CVE-2016-8645: The TCP stack in the Linux kernel mishandled skb truncation, which allowed local users to cause a denial of service (system crash) via a crafted application that made sendto system calls, related to net/ipv4/tcpipv4.c and net/ipv6/tcpipv6.c (bnc#1009969).
• CVE-2016-8399: An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31349935 (bnc#1014746).
• CVE-2016-9806: Race condition in the netlinkdump function in net/netlink/afnetlink.c in the Linux kernel allowed local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that made sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated (bnc#1013540).
• CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment (CS) in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application (bnc#1013038).
• CVE-2016-9793: The socksetsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sksndbuf and skrcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAPNETADMIN capability for a crafted setsockopt system call with the (1) SOSNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531).
• CVE-2016-7910: Use-after-free vulnerability in the diskseqfstop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed (bnc#1010716).
• CVE-2015-8962: Double free vulnerability in the sgcommonwrite function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501).
• CVE-2016-7913: The xc2028setconfig function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure (bnc#1010478).
• CVE-2016-7911: Race condition in the gettaskioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call (bnc#1010711).
• CVE-2015-8964: The ttysettermiosldisc function in drivers/tty/ttyldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507).
• CVE-2015-8963: Race condition in kernel/events/core.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation (bnc#1010502).
• CVE-2016-7914: The assocarrayinsertintoterminalnode function in lib/assocarray.c in the Linux kernel did not check whether a slot is a leaf, which allowed local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite (bnc#1010475).
• CVE-2016-8633: drivers/firewire/net.c in the Linux kernel allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833).
• CVE-2016-9083: drivers/vfio/pci/vfiopci.c in the Linux kernel allowed local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIODEVICESETIRQS ioctl call, aka a 'state machine confusion bug (bnc#1007197).
• CVE-2016-9084: drivers/vfio/pci/vfiopciintrs.c in the Linux kernel misused the kzalloc function, which allowed local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file (bnc#1007197).
• CVE-2016-7042: The prockeysshow function in security/keys/proc.c in the Linux kernel uses an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517).
• CVE-2015-8956: The rfcommsockbind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).
• CVE-2016-8658: Stack-based buffer overflow in the brcmfcfg80211start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bnc#1004462).
• CVE-2016-7425: The arcmsriopmessagexfer function in drivers/scsi/arcmsr/arcmsrhba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSRMESSAGEWRITE_WQBUFFER control code (bnc#999932).
• CVE-2016-6327: drivers/infiniband/ulp/srpt/ibsrpt.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORTTASK command to abort a device write operation (bnc#994748).
• CVE-2016-6828: The tcpchecksendhead function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcpxmitretransmitqueue use-after-free and system crash) via a crafted SACK option (bnc#994296).
• CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for remote attackers to hijack TCP sessions via a blind in-window attack (bnc#989152).
• CVE-2016-6130: Race condition in the sclpctlioctlsccb function in drivers/s390/char/sclpctl.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by changing a certain length value, aka a 'double fetch' vulnerability (bnc#987542).
• CVE-2016-6480: Race condition in the ioctlsendfib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608).
• CVE-2016-4998: The IPTSOSET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986362 bnc#986365).
• CVE-2016-5828: The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms mishandled transactional state, which allowed local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call (bnc#986569).
• CVE-2014-9904: The sndcompresscheckinput function in sound/core/compressoffload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRVCOMPRESSSET_PARAMS ioctl call (bnc#986811).
• CVE-2016-5829: Multiple heap-based buffer overflows in the hiddevioctlusage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572).
• CVE-2016-4470: The keyrejectand_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755).

The following non-security bugs were fixed:

• base: make modulecreatedrivers_dir race-free (bnc#983977).
• btrfs-8448-improve-performance-on-fsync-against-new-inode.patch: Disable (bsc#981597).
• btrfs: account for non-CoW'd blocks in btrfsaborttransaction (bsc#983619).
• btrfs: be more precise on errors when getting an inode from disk (bsc#981038).
• btrfs: do not create or leak aliased root while cleaning up orphans (bsc#994881).
• btrfs: ensure that file descriptor used with subvol ioctls is a dir (bsc#999600).
• btrfs: fix relocation incorrectly dropping data references (bsc#990384).
• btrfs: handle quota reserve failure properly (bsc#1005666).
• btrfs: improve performance on fsync against new inode after rename/unlink (bsc#981038).
• btrfs: increment ctx->pos for every emitted or skipped dirent in readdir (bsc#981709).
• btrfs: remove old treeroot dirent processing in btrfsreal_readdir() (bsc#981709).
• cdc-acm: added sanity checking for probe() (bsc#993891).
• ext2: Enable ext2 driver in config files (bsc#976195, fate#320805)
• ext4: Add parameter for tuning handling of ext2 (bsc#976195).
• ext4: Fixup handling for custom configs in tuning.
• ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it (bsc#984419).
• ipv6: Fix improper use or RCU in patches.kabi/ipv6-add-complete-rcu-protection-around-np-opt.kabi.patch. (bsc#961257)
• ipv6: KABI workaround for ipv6: add complete rcu protection around np->opt.
• kabi: prevent spurious modversion changes after bsc#982544 fix (bsc#982544).
• kabi: reintroduce sk_filter (kabi).
• kaweth: fix firmware download (bsc#993890).
• kaweth: fix oops upon failed memory allocation (bsc#993890).
• kgraft/iscsi-target: Do not block kGraft in iscsi_np kthread (bsc#1010612, fate#313296).
• kgraft/xen: Do not block kGraft in xenbus kthread (bsc#1017410, fate#313296).
• kgr: ignore zombie tasks during the patching (bnc#1008979).
• mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721).
• mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED (VM Functionality, bnc#986445).
• modsign: Print appropriate status message when accessing UEFI variable (bsc#958606).
• mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (bsc#1011820).
• mpt3sas: Fix panic when aer correct error occurred (bsc#997708, bsc#999943).
• netfilter: allow logging fron non-init netns (bsc#970083).
• netfilter: bridge: do not leak skb in error paths (bsc#982544).
• netfilter: bridge: forward IPv6 fragmented packets (bsc#982544).
• netfilter: bridge: Use _in6devget rather than in6devget in brvalidate_ipv6 (bsc#982544).
• nfs: Do not write enable new pages while an invalidation is proceeding (bsc#999584).
• nfs: Fix a regression in the read() syscall (bsc#999584).
• pci/aer: Clear error status registers during enumeration and restore (bsc#985978).
• ppp: defer netns reference release for ppp channel (bsc#980371).
• reiserfs: fix race in prealloc discard (bsc#987576).
• scsi: ibmvfc: Fix I/O hang when port is not mapped (bsc#971989)
• scsi: Increase REPORT_LUNS timeout (bsc#982282).
• series.conf: move stray netfilter patches to the right section
• squashfs3: properly handle dir_emit() failures (bsc#998795).
• supported.conf: Add ext2
• timers: Use proper base migration in addtimeron() (bnc#993392).
• tty: audit: Fix audit source (bsc#1016482).
• tty: Prevent ldisc drivers from re-using stale tty fields (bnc#1010507).
• usb: fix typo in wMaxPacketSize validation (bsc#991665).
• usb: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).
• xen: Fix refcnt regression in xen netback introduced by changes made for bug#881008 (bnc#978094)
• xfs: allow lazy sb counter sync during filesystem freeze sequence (bsc#980560).
• xfs: fixed signedness of error code in xfsinodebuf_verify (bsc#1003153).
• xfs: fix premature enospc on inode allocation (bsc#984148).
• xfs: get rid of XFSIALLOCBLOCKS macros (bsc#984148).
• xfs: get rid of XFSINODECLUSTER_SIZE macros (bsc#984148).
• xfs: refactor xlogrecoverprocess_data() (bsc#1019300).
• xfs: Silence warnings in xfsvmreleasepage() (bnc#915183 bsc#987565).
• xhci: silence warnings in switch (bnc#991665).