SUSE-SU-2017:2908-1

The SUSE Linux Enterprise 12 SP1 LTS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2017-15649: net/packet/afpacket.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packetfanout data structures, because of a race condition (involving fanoutadd and packetdo_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388).
• CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667).
• CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327).
• CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520).
• CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMITSTACK/RLIMINFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354).
• CVE-2017-12153: A security flaw was discovered in the nl80211setrekeydata() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAPNET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410).
• CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507).
• CVE-2017-14106: The tcpdisconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (tcpselectwindow divide-by-zero error and system crash) by triggering a disconnect within a certain tcprecvmsg code path (bnc#1056982).
• CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179).
• CVE-2017-14051: An integer overflow in the qla2x00sysfswriteoptromctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588).
• CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152).
• CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148).
• CVE-2017-8831: The saa7164busget function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994).
• CVE-2017-7482: A potential memory corruption was fixed in decoding of krb5 principals in the kernels kerberos handling. (bnc#1046107).
• CVE-2017-7542: The ip6find1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882).
• CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275).
• CVE-2017-7541: The brcmfcfg80211mgmttx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211CMD_FRAME Netlink packet (bnc#1049645).
• CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922).
• CVE-2017-8924: The edgebulkincallback function in drivers/usb/serial/ioti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982).
• CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981).
• CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents might have been disclosed when a read and an ioctl happen at the same time (bnc#1044125).
• CVE-2017-9242: The _ip6appenddata function in net/ipv6/ip6output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431).
• CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parportptr integer is static, a 'secure boot' kernel command line adversary (could happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) could overflow the parportnr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line (bnc#1039456).
• CVE-2017-9076: The dccpv6requestrecvsock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885).
• CVE-2017-9077: The tcpv6synrecvsock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069).
• CVE-2017-9075: The sctpv6createacceptsk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883).
• CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882).
• CVE-2017-7487: The ipxitfioctl function in net/ipx/afipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879).
• CVE-2017-8890: The inetcskclonelock function in net/ipv4/inetconnection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544).
• CVE-2017-7889: The mm subsystem in the Linux kernel did not properly enforce the CONFIGSTRICTDEVMEM protection mechanism, which allowed local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405).

The following new features were implemented: - the r8152 network driver was updated to support Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (fate#321482)

The following non-security bugs were fixed:

• blkback/blktap: do not leak stack data via response ring (bsc#1042863 XSA-216).
• btrfs: Add WARN_ON for qgroup reserved underflow (bsc#1031515).
• btrfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
• btrfs: Check qgroup level in kernel qgroup assign (bsc#1001459).
• btrfs: qgroup: allow to remove qgroup which has parent but no child (bsc#1001459).
• btrfs: quota: Automatically update related qgroups or mark INCONSISTENT flags when assigning/deleting a qgroup relations (bsc#1001459).
• ceph: Correctly return NXIO errors from ceph_llseek (git-fixes).
• ceph: fix file open flags on ppc64 (git-fixes).
• ceph: check i_nlink while converting a file handle to dentry (bsc#1039864).
• drivers/net: delete non-required instances of include <linux/init.h> (bsc#993099).
• drivers/net/usb: add device id for NVIDIA Tegra USB 3.0 Ethernet (bsc#993099).
• drivers/net/usb: Add support for 'Lenovo OneLink Pro Dock' (bsc#993099).
• enic: set skb->hash type properly (bsc#922871).
• ext2: Do not clear SGID when inheriting ACLs (bsc#1030552).
• ext4: Do not clear SGID when inheriting ACLs (bsc#1030552).
• firmware: dmiscan: Fix ordering of productuuid (bsc#1030531).
• fm10k: correctly check if interface is removed (bsc#922855).
• fs/blockdev: always invalidate cleancache in invalidatebdev() (git-fixes).
• fs: fix data invalidation in the cleancache during direct IO (git-fixes).
• fs/xattr.c: zero out memory copied to userspace in getxattr (git-fixes).
• hv: vmbus: Raise retry/wait limits in vmbuspostmsg() (bsc#1023287, bsc#1028217, bsc#1048788).
• jhash: Update jhash_[321]words functions to use correct initval (git-fixes).
• kABI: mask an include (bsc#994364).
• md: ensure md devices are freed before module is unloaded (git-fixes).
• md/raid0: apply base queue limits before diskstacklimits (git-fixes).
• md/raid0: update queue parameter in a safer location (git-fixes).
• md/raid1: do not clear bitmap bit when bad-block-list write fails (git-fixes).
• md/raid10: do not clear bitmap bit when bad-block-list write fails (git-fixes).
• md/raid10: ensure device failure recorded before write request returns (git-fixes).
• mlock: fix mlock count can not decrease in race condition (VM Functionality, bsc#1042696).
• mlx: Revert the mlx5etxnotify_hw() changes.(bsc#1033960)
• mm/hugememory: replace VMNOTHP VMBUG_ON with actual VMA check (VM Functionality, bsc#1042832).
• mm: hugetlb: call hugeptealloc() only if ptep is null (VM Functionality, bsc#1042832).
• mm/mmap.c: do not blow on PROTNONE MAPFIXED holes in the stack (bnc#1039348).
• netfilter: bridge: Fix the build when IPV6 is disabled (bsc#1027149).
• net: get rid of SETETHTOOLOPS (bsc#993099).
• net/usb/r8152: add device id for Lenovo TP USB 3.0 Ethernet (bsc#993099).
• netvsc: get rid of completion timeouts (bsc#1048788).
• nfs v4.1: Fix Oopsable condition in server callback races (git-fixes).
• ocfs2: Do not clear SGID when inheriting ACLs (bsc#1030552).
• pidns: Sleep in TASKINTERRUPTIBLE in zappidns_processes (bnc#1012985).
• powerpc: Add missing error check to promfindboot_cpu() (bnc#856774).
• powerpc/book3s: Fix MCE console messages for unrecoverable MCE (bnc#878240).
• powerpc/bpf/jit: Disable classic BPF JIT on ppc64le (bsc#1041429, [2017-05-29] Pending SUSE Kernel Fixes).
• powerpc: Fix bad inline asm constraint in createzeromask() (bnc#856774).
• powerpc/64: Fix flush(d|i)cacherange() called from modules (bnc#863764).
• printk: prevent userland from spoofing kernel messages (bsc#1039721).
• reiserfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
• rtl8152: correct speed testing (bsc#993099).
• r8152: add functions to set EEE (bsc#993099).
• r8152: add MODULE_VERSION (bsc#993099).
• r8152: add mutex for hw settings (bsc#993099).
• r8152: add prereset and postreset (bsc#993099).
• r8152: add reset_resume function (bsc#993099).
• r8152: add rtl_ops (bsc#993099).
• r8152: add skbcowhead (bsc#993099).
• r8152: add three functions (bsc#993099).
• r8152: adjust ALDPS function (bsc#993099).
• r8152: adjust lpm timer (bsc#993099).
• r8152: adjust rtlstartrx (bsc#993099).
• r8152: adjust rx_bottom (bsc#993099).
• r8152: adjust r8152submitrx (bsc#993099).
• r8152: adjust the line feed for hw_features (bsc#993099).
• r8152: adjust usbautopmxxx (bsc#993099).
• r8152: autoresume before setting feature (bsc#993099).
• r8152: autoresume before setting MAC address (bsc#993099).
• r8152: calculate the dropped packets for rx (bsc#993099).
• r8152: call rtlstartrx after netifcarrieron (bsc#993099).
• r8152: clear BMCR_PDOWN (bsc#993099).
• r8152: clear LINKOFFWAKE_EN after autoresume (bsc#993099).
• r8152: clear SELECTIVE_SUSPEND when autoresuming (bsc#993099).
• r8152: clear the flag of SCHEDULE_TASKLET in tasklet (bsc#993099).
• r8152: combine PHY reset with set_speed (bsc#993099).
• r8152: constify ethtool_ops structures (bsc#993099).
• r8152: correct some messages (bsc#993099).
• r8152: correct the rx early size (bsc#993099).
• r8152: deal with the empty line and space (bsc#993099).
• r8152: disable ALDPS and EEE before setting PHY (bsc#993099).
• r8152: disable ALDPS (bsc#993099).
• r8152: disable MAC clock speed down (bsc#993099).
• r8152: disable power cut for RTL8153 (bsc#993099).
• r8152: disable teredo for RTL8152 (bsc#993099).
• r8152: disable the capability of zero length (bsc#993099).
• r8152: disable the ECM mode (bsc#993099).
• r8152: disable the tasklet by default (bsc#993099).
• r8152: do not enable napi before rx ready (bsc#993099).
• r8152: ecm and vendor modes coexist (bsc#993099).
• r8152: fix incorrect type in assignment (bsc#993099).
• r8152: fix lockup when runtime PM is enabled (bsc#993099).
• r8152: fix runtime function for RTL8152 (bsc#993099).
• r8152: fix r8152csumworkaround function (bsc#993099).
• r8152: fix setting RTL8152_UNPLUG (bsc#993099).
• r8152: fix the carrier off when autoresuming (bsc#993099).
• r8152: fix the checking of the usb speed (bsc#993099).
• r8152: fix the issue about U1/U2 (bsc#993099).
• r8152: fix the runtime suspend issues (bsc#993099).
• r8152: fix the submission of the interrupt transfer (bsc#993099).
• r8152: fix the wake event (bsc#993099).
• r8152: fix the warnings and a error from checkpatch.pl (bsc#993099).
• r8152: fix the wrong return value (bsc#993099).
• r8152: fix tx/rx memory overflow (bsc#993099).
• r8152: fix wakeup settings (bsc#993099).
• r8152: change rx early size when the mtu is changed (bsc#993099).
• r8152: change some definitions (bsc#993099).
• r8152: change the descriptor (bsc#993099).
• r8152: change the EEE definition (bsc#993099).
• r8152: change the location of rtl8152setmac_address (bsc#993099).
• r8152: check code with checkpatch.pl (bsc#993099).
• r8152: check linking status with netifcarrierok (bsc#993099).
• r8152: check RTL8152UNPLUG and netifrunning before autoresume (bsc#993099).
• r8152: check RTL8152_UNPLUG (bsc#993099).
• r8152: check RTL8152UNPLUG for rtl8152close (bsc#993099).
• r8152: check the status before submitting rx (bsc#993099).
• r8152: check tx agg list before spin lock (bsc#993099).
• r8152: check WORK_ENABLE in suspend function (bsc#993099).
• r8152: increase the tx timeout (bsc#993099).
• r8152: load the default MAC address (bsc#993099).
• r8152: modify rtlopsinit (bsc#993099).
• r8152: modify the check of the flag of PHYRESET in setspeed function (bsc#993099).
• r8152: modify the method of accessing PHY (bsc#993099).
• r8152: modify the tx flow (bsc#993099).
• r8152: move enabling PHY (bsc#993099).
• r8152: move PHY settings to hwphycfg (bsc#993099).
• r8152: move rtl8152unload and ocpreg_write (bsc#993099).
• r8152: move r8152bgetversion (bsc#993099).
• r8152: move some functions (bsc#993099).
• r8152: move some functions (bsc#993099).
• r8152: move some functions from probe to open (bsc#993099).
• r8152: move the actions of saving the information of the device (bsc#993099).
• r8152: move the setting for the default speed (bsc#993099).
• r8152: move the settings of PHY to a work queue (bsc#993099).
• r8152: nway reset after setting eee (bsc#993099).
• r8152: redefine REALTEKUSBDEVICE (bsc#993099).
• r8152: reduce the frequency of spin_lock (bsc#993099).
• r8152: reduce the number of Tx (bsc#993099).
• r8152: remove a netifcarrieroff in rtl8152_open function (bsc#993099).
• r8152: remove canceldelayedworksync in rtl8152set_speed (bsc#993099).
• r8152: remove clearing bp (bsc#993099).
• r8152: remove genericocpread before writing (bsc#993099).
• r8152: remove rtlphyreset function (bsc#993099).
• r8152: remove rtl8152getstats (bsc#993099).
• r8152: remove r8153enableeee (bsc#993099).
• r8152: remove sram_read (bsc#993099).
• r8152: remove the definitions of the PID (bsc#993099).
• r8152: remove the duplicate init for the list of rx_done (bsc#993099).
• r8152: remove the setting of LANWAKEEN (bsc#993099).
• r8152: rename rxbufsz (bsc#993099).
• r8152: rename tx_underun (bsc#993099).
• r8152: replace getprotocol with vlanget_protocol (bsc#993099).
• r8152: replace netdevallocskbipalign with napiallocskb (bsc#993099).
• r8152: replace netifrx with netifreceive_skb (bsc#993099).
• r8152: replace some tabs with spaces (bsc#993099).
• r8152: replace some types from int to bool (bsc#993099).
• r8152: replace spinlockirqsave and spinunlockirqrestore (bsc#993099).
• r8152: replace strncpy with strlcpy (bsc#993099).
• r8152: replace tasklet with NAPI (bsc#993099).
• r8152: replace the return value of rtlopsinit (bsc#993099).
• r8152: replace tp->netdev with netdev (bsc#993099).
• r8152: reset device when tx timeout (bsc#993099).
• r8152: reset the bmu (bsc#993099).
• r8152: reset tp->speed before autoresuming in open function (bsc#993099).
• r8152: restore hw settings (bsc#993099).
• r8152: return -EBUSY for runtime suspend (bsc#993099).
• r8152: save the speed (bsc#993099).
• r8152: separate USBRXEARLY_AGG (bsc#993099).
• r8152: set disablehubinitiated_lpm (bsc#993099).
• r8152: set RTL8152_UNPLUG when finding -ENODEV (bsc#993099).
• r8152: split DRIVER_VERSION (bsc#993099).
• r8152: split rtl8152_enable (bsc#993099).
• r8152: stop submitting intr for -EPROTO (bsc#993099).
• r8152: support dumping the hw counters (bsc#993099).
• r8152: support ethtool eee (bsc#993099).
• r8152: support getmsglevel and setmsglevel (bsc#993099).
• r8152: support IPv6 (bsc#993099).
• r8152: support jumbo frame for RTL8153 (bsc#993099).
• r8152: support nway_reset of ethtool (bsc#993099).
• r8152: support RTL8153 (bsc#993099).
• r8152: support runtime suspend (bsc#993099).
• r8152: support rx checksum (bsc#993099).
• r8152: support setting rx coalesce (bsc#993099).
• r8152: support stopping/waking tx queue (bsc#993099).
• r8152: support the new RTL8153 chip (bsc#993099).
• r8152: support TSO (bsc#993099).
• r8152: support VLAN (bsc#993099).
• r8152: support WOL (bsc#993099).
• r8152: up the priority of the transmission (bsc#993099).
• r8152: use BIT macro (bsc#993099).
• r8152: use ethhwaddr_random (bsc#993099).
• r8152: Use kmemdup instead of kmalloc + memcpy (bsc#993099).
• r8152: use testandclear_bit (bsc#993099).
• r8152: use usleep_range (bsc#993099).
• r8152: wake up the device before dumping the hw counter (bsc#993099).
• scsi: qla2xxx: Get mutex lock before checking optrom_state (bsc#1053317).
• sched/fair: Fix min_vruntime tracking (bnc#1012985).
• sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems (bnc#1012985).
• sched/rt: Fix PI handling vs. sched_setscheduler() (bnc#1012985).
• sunrpc: Update RPCBIND_MAXNETIDLEN (git-fixes).
• syscall: fix dereferencing NULL payload with nonzero length (bsc#1045327, bsc#1062471).
• tcp: do not inherit fastopen_req from parent (bsc#1038544).
• timekeeping: Ignore the bogus sleep time if pm_trace is enabled (bsc#994364).
• tracing/kprobes: Enforce kprobes teardown after testing (bnc#1012985).
• usb: wusbcore: fix NULL-deref at probe (bsc#1045487).
• xen: Linux 3.12.74.
• xen/PCI-MSI: fix sysfs teardown in DomU (bsc#986924).
• xfs: fix a couple error sequence jumps in xfs_mountfs() (bsc#1035531).
• xfs: fix coccinelle warnings (bsc#1035531).
• xfs: handle error if xfsbtreeget_bufs fails (bsc#1059863).
• xfs: use ->b_state to fix buffer I/O accounting release race (bsc#1041160) (bsc#1041160).
• xfs: XFSISREALTIME_INODE() should be false if no rt device present (bsc#1058524).