SUSE-SU-2017:2694-1

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2017-1000251: The native Bluetooth stack was vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in remote code execution in kernel space (bnc#1057389).
• CVE-2017-14340: The XFSISREALTIMEINODE macro in fs/xfs/xfslinux.h did not verify that a filesystem has a realtime device, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory (bnc#1058524).
• CVE-2017-14140: The move_pages system call in mm/migrate.c did not check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179).
• CVE-2017-14051: An integer overflow in the qla2x00sysfswriteoptromctl function in drivers/scsi/qla2xxx/qla_attr.c allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588).
• CVE-2017-10661: Race condition in fs/timerfd.c allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152).
• CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c a user-controlled buffer was copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow (bnc#1053148).
• CVE-2017-8831: The saa7164busget function allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994).
• CVE-2017-1000112: Prevent race condition in net-packet code that could have been exploited by unprivileged users to gain root access.(bnc#1052311).

The following non-security bugs were fixed:

• ALSA: Fix Lewisburg audio issue
• Drop commit 96234ae:kvmiobusunregisterdev() should never fail (bsc#1055680)
• Fixup build warnings in drivers/scsi/scsi.c (bsc#1031358)
• NFS: Cache aggressively when file is open for writing (bsc#1053933).
• NFS: Do drop directory dentry when error clearly requires it (bsc#1051932).
• NFS: Do not flush caches for a getattr that races with writeback (bsc#1053933).
• NFS: Optimize fallocate by refreshing mapping when needed (bsc#1053933).
• NFS: invalidate file size when taking a lock (bsc#1053933).
• PCI: fix hotplug related issues (bnc#1054247).
• afkey: do not use GFPKERNEL in atomic contexts (bsc#1054093).
• avoid deadlock in xenbus (bnc#1047523).
• blacklist 9754d45e9970 tpm: read burstcount from TPM_STS in one 32-bit transaction
• blkback/blktap: do not leak stack data via response ring (bsc#1042863 XSA-216).
• cx231xx-audio: fix NULL-deref at probe (bsc#1050431).
• cx82310eth: use skbcow_head() to deal with cloned skbs (bsc#1045154).
• fuse: do not use iocb after it may have been freed (bsc#1054706).
• fuse: fix fusewriteend() if zero bytes were copied (bsc#1054706).
• fuse: fsync() did not return IO errors (bsc#1054076).
• fuse: fuse_flush must check mapping->flags for errors (bsc#1054706).
• gspca: konica: add missing endpoint sanity check (bsc#1050431).
• kabi/severities: Ignore zpci symbol changes (bsc#1054247)
• lib/mpi: mpireadraw_data(): fix nbits calculation
• media: platform: davinci: return -EINVAL for VPFECMDSCCDCRAW_PARAMS ioctl (bsc#1050431).
• net: Fix RCU splat in af_key (bsc#1054093).
• powerpc/fadump: add reschedule point while releasing memory (bsc#1040609 bsc#1024450).
• powerpc/fadump: avoid duplicates in crash memory ranges (bsc#1037669 bsc#1037667).
• powerpc/fadump: provide a helpful error message (bsc#1037669 bsc#1037667).
• powerpc/prom: Increase minimum RMA size to 512MB (bsc#984530, bsc#1052370).
• powerpc/slb: Force a full SLB flush when we insert for a bad EA (bsc#1054070).
• reiserfs: fix race in readdir (bsc#1039803).
• s390/pci: do not cleanup in archsetupmsi_irqs (bnc#1054247).
• s390/pci: fix handling of PEC 306 (bnc#1054247).
• s390/pci: improve error handling during fmb (de)registration (bnc#1054247).
• s390/pci: improve error handling during interrupt deregistration (bnc#1054247).
• s390/pci: improve pci hotplug (bnc#1054247).
• s390/pci: improve unreg_ioat error handling (bnc#1054247).
• s390/pci: introduce clpgetstate (bnc#1054247).
• s390/pci: provide more debug information (bnc#1054247).
• scsi: avoid system stall due to host_busy race (bsc#1031358).
• scsi: close race when updating blocked counters (bsc#1031358).
• ser_gigaset: return -ENOMEM on error instead of success (bsc#1037441).
• supported.conf: clear mistaken external support flag for cifs.ko (bsc#1053802).
• tpm: fix a kernel memory leak in tpm-sysfs.c (bsc#1050381).
• uwb: fix device quirk on big-endian hosts (bsc#1036629).
• xfs: fix inobt inode allocation search optimization (bsc#1013018).