Security update for the Linux Kernel

SUSE Security Update: Security update for the Linux Kernel

---

Announcement ID:	SUSE-SU-2017:1247-1
Rating:	important
References:	#1003077 #1015703 #1021256 #1021762 #1023377 #1023762 #1023992 #1024938 #1025235 #1026024 #1026722 #1026914 #1027066 #1027149 #1027178 #1027189 #1027190 #1028415 #1028895 #1029986 #1030118 #1030213 #1030901 #1031003 #1031052 #1031440 #1031579 #1032344 #1033336 #914939 #954763 #968697 #979215 #983212 #989056
Affected Products:	SUSE Linux Enterprise Server for SAP 12 SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Module for Public Cloud 12

---

An update that solves 25 vulnerabilities and has 10 fixes is now available.

Description:

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various
security and bugfixes.

The following security bugs were fixed:

- CVE-2015-1350: The VFS subsystem in the Linux kernel provided an
incomplete set of requirements for setattr operations that
underspecifies removing extended privilege attributes, which allowed
local users to cause a denial of service (capability stripping) via a
failed invocation of a system call, as demonstrated by using chown to
remove a capability from the ping or Wireshark dumpcap program
(bnc#914939).
- CVE-2016-2117: The atl2_probe function in
drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly
enabled scatter/gather I/O, which allowed remote attackers to obtain
sensitive information from kernel memory by reading packet data
(bnc#968697).
- CVE-2016-3070: The trace_writeback_dirty_page implementation in
include/trace/events/writeback.h in the Linux kernel improperly
interacted with mm/migrate.c, which allowed local users to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by triggering a certain page move
(bnc#979215).
- CVE-2016-5243: The tipc_nl_compat_link_dump function in
net/tipc/netlink_compat.c in the Linux kernel did not properly copy a
certain string, which allowed local users to obtain sensitive
information from kernel stack memory by reading a Netlink message
(bnc#983212).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg
function in net/socket.c in the Linux kernel allowed remote attackers to
execute arbitrary code via vectors involving a recvmmsg system call that
is mishandled during error processing (bnc#1003077).
- CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanages the #BP
and #OF exceptions, which allowed guest OS users to cause a denial of
service (guest OS crash) by declining to handle an exception thrown by
an L2 guest (bnc#1015703).
- CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel
did not properly restrict execute access, which made it easier for local
users to bypass intended SELinux W^X policy restrictions, and
consequently gain privileges, via an io_setup system call (bnc#1023992).
- CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in
the Linux kernel allowed local users to gain privileges or cause a
denial of service (use-after-free) by making multiple bind system calls
without properly ascertaining whether a socket has the SOCK_ZAPPED
status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c
(bnc#1028415).
- CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the
Linux kernel did not properly validate meta block groups, which allowed
physically proximate attackers to cause a denial of service
(out-of-bounds read and system crash) via a crafted ext4 image
(bnc#1023377).
- CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux
kernel is too late in obtaining a certain lock and consequently cannot
ensure that disconnect function calls are safe, which allowed local
users to cause a denial of service (panic) by leveraging access to the
protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003).
- CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel
did not restrict the address calculated by a certain rounding operation,
which allowed local users to map page zero, and consequently bypass a
protection mechanism that exists for the mmap system call, by making
crafted shmget and shmat system calls in a privileged context
(bnc#1026914).
- CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the
Linux kernel allowed remote attackers to have unspecified impact via
vectors involving GRE flags in an IPv6 packet, which trigger an
out-of-bounds access (bnc#1023762).
- CVE-2017-5970: The ipv4_pktinfo_prepare function in
net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a
denial of service (system crash) via (1) an application that made
crafted system calls or possibly (2) IPv4 traffic with invalid IP
options (bnc#1024938).
- CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in
net/sctp/socket.c in the Linux kernel allowed local users to cause a
denial of service (assertion failure and panic) via a multithreaded
application that peels off an association in a certain buffer-full state
(bnc#1025235).
- CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c
in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures
in the LISTEN state, which allowed local users to obtain root privileges
or cause a denial of service (double free) via an application that made
an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024).
- CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the
Linux kernel allowed remote attackers to cause a denial of service
(infinite loop and soft lockup) via vectors involving a TCP packet with
the URG flag (bnc#1026722).
- CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that
a certain destructor exists in required circumstances, which allowed
local users to cause a denial of service (BUG_ON) or possibly have
unspecified other impact via crafted system calls (bnc#1027190).
- CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux
kernel allowed local users to cause a denial of service (use-after-free)
or possibly have unspecified other impact via a multithreaded
application that made PACKET_FANOUT setsockopt system calls
(bnc#1027189).
- CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the
Linux kernel improperly managed lock dropping, which allowed local users
to cause a denial of service (deadlock) via crafted operations on IrDA
devices (bnc#1027178).
- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly
restrict association peel-off operations during certain wait states,
which allowed local users to cause a denial of service (invalid unlock
and double free) via a multithreaded application. NOTE: this
vulnerability exists because of an incorrect fix for CVE-2017-5986
(bnc#1027066).
- CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux
kernel allowed local users to cause a denial of service (stack-based
buffer overflow) or possibly have unspecified other impact via a large
command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds
write access in the sg_write function (bnc#1030213).
- CVE-2017-7261: The vmw_surface_define_ioctl function in
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not
check for a zero value of certain levels data, which allowed local users
to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and
possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device
(bnc#1031052).
- CVE-2017-7294: The vmw_surface_define_ioctl function in
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not
validate addition of certain levels data, which allowed local users to
trigger an integer overflow and out-of-bounds write, and cause a denial
of service (system hang or crash) or possibly gain privileges, via a
crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).
- CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in
the Linux kernel did not properly validate certain block-size data,
which allowed local users to cause a denial of service (overflow) or
possibly have unspecified other impact via crafted system calls
(bnc#1031579).
- CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind
compat syscalls in mm/mempolicy.c in the Linux kernel allowed local
users to obtain sensitive information from uninitialized stack data by
triggering failure of a certain bitmap operation (bnc#1033336).

The following non-security bugs were fixed:

- ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).
- hwrng: virtio - ensure reads happen after successful probe (bsc#954763
bsc#1032344).
- kgr/module: make a taint flag module-specific (fate#313296).
- l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).
- l2tp: fix lookup for sockets not bound to a device in l2tp_ip
(bsc#1028415).
- l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()
(bsc#1028415).
- l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
(bsc#1028415).
- l2tp: hold tunnel socket when handling control frames in l2tp_ip and
l2tp_ip6 (bsc#1028415).
- l2tp: lock socket before checking flags in connect() (bsc#1028415).
- mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118).
- module: move add_taint_module() to a header file (fate#313296).
- netfilter: bridge: Fix the build when IPV6 is disabled (bsc#1027149).
- nfs: flush out dirty data on file fput() (bsc#1021762).
- powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).
- powerpc: Reject binutils 2.24 when building little endian (boo#1028895).
- revert "procfs: mark thread stack correctly in proc//maps"
(bnc#1030901).
- taint/module: Clean up global and module taint flags handling
(fate#313296).
- usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).
- xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).
- xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP 12:
  zypper in -t patch SUSE-SLE-SAP-12-2017-749=1
• SUSE Linux Enterprise Server 12-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-2017-749=1
• SUSE Linux Enterprise Module for Public Cloud 12:
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-749=1

To bring your system up-to-date, use "zypper patch".

Package List:

• SUSE Linux Enterprise Server for SAP 12 (x86_64):
  • kernel-default-3.12.61-52.72.1
  • kernel-default-base-3.12.61-52.72.1
  • kernel-default-base-debuginfo-3.12.61-52.72.1
  • kernel-default-debuginfo-3.12.61-52.72.1
  • kernel-default-debugsource-3.12.61-52.72.1
  • kernel-default-devel-3.12.61-52.72.1
  • kernel-syms-3.12.61-52.72.1
  • kernel-xen-3.12.61-52.72.1
  • kernel-xen-base-3.12.61-52.72.1
  • kernel-xen-base-debuginfo-3.12.61-52.72.1
  • kernel-xen-debuginfo-3.12.61-52.72.1
  • kernel-xen-debugsource-3.12.61-52.72.1
  • kernel-xen-devel-3.12.61-52.72.1
  • kgraft-patch-3_12_61-52_72-default-1-2.1
  • kgraft-patch-3_12_61-52_72-xen-1-2.1
• SUSE Linux Enterprise Server for SAP 12 (noarch):
  • kernel-devel-3.12.61-52.72.1
  • kernel-macros-3.12.61-52.72.1
  • kernel-source-3.12.61-52.72.1
• SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):
  • kernel-default-3.12.61-52.72.1
  • kernel-default-base-3.12.61-52.72.1
  • kernel-default-base-debuginfo-3.12.61-52.72.1
  • kernel-default-debuginfo-3.12.61-52.72.1
  • kernel-default-debugsource-3.12.61-52.72.1
  • kernel-default-devel-3.12.61-52.72.1
  • kernel-syms-3.12.61-52.72.1
• SUSE Linux Enterprise Server 12-LTSS (noarch):
  • kernel-devel-3.12.61-52.72.1
  • kernel-macros-3.12.61-52.72.1
  • kernel-source-3.12.61-52.72.1
• SUSE Linux Enterprise Server 12-LTSS (x86_64):
  • kernel-xen-3.12.61-52.72.1
  • kernel-xen-base-3.12.61-52.72.1
  • kernel-xen-base-debuginfo-3.12.61-52.72.1
  • kernel-xen-debuginfo-3.12.61-52.72.1
  • kernel-xen-debugsource-3.12.61-52.72.1
  • kernel-xen-devel-3.12.61-52.72.1
  • kgraft-patch-3_12_61-52_72-default-1-2.1
  • kgraft-patch-3_12_61-52_72-xen-1-2.1
• SUSE Linux Enterprise Server 12-LTSS (s390x):
  • kernel-default-man-3.12.61-52.72.1
• SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):
  • kernel-ec2-3.12.61-52.72.1
  • kernel-ec2-debuginfo-3.12.61-52.72.1
  • kernel-ec2-debugsource-3.12.61-52.72.1
  • kernel-ec2-devel-3.12.61-52.72.1
  • kernel-ec2-extra-3.12.61-52.72.1
  • kernel-ec2-extra-debuginfo-3.12.61-52.72.1

References:

• https://www.suse.com/security/cve/CVE-2015-1350.html
• https://www.suse.com/security/cve/CVE-2016-10044.html
• https://www.suse.com/security/cve/CVE-2016-10200.html
• https://www.suse.com/security/cve/CVE-2016-10208.html
• https://www.suse.com/security/cve/CVE-2016-2117.html
• https://www.suse.com/security/cve/CVE-2016-3070.html
• https://www.suse.com/security/cve/CVE-2016-5243.html
• https://www.suse.com/security/cve/CVE-2016-7117.html
• https://www.suse.com/security/cve/CVE-2016-9588.html
• https://www.suse.com/security/cve/CVE-2017-2671.html
• https://www.suse.com/security/cve/CVE-2017-5669.html
• https://www.suse.com/security/cve/CVE-2017-5897.html
• https://www.suse.com/security/cve/CVE-2017-5970.html
• https://www.suse.com/security/cve/CVE-2017-5986.html
• https://www.suse.com/security/cve/CVE-2017-6074.html
• https://www.suse.com/security/cve/CVE-2017-6214.html
• https://www.suse.com/security/cve/CVE-2017-6345.html
• https://www.suse.com/security/cve/CVE-2017-6346.html
• https://www.suse.com/security/cve/CVE-2017-6348.html
• https://www.suse.com/security/cve/CVE-2017-6353.html
• https://www.suse.com/security/cve/CVE-2017-7187.html
• https://www.suse.com/security/cve/CVE-2017-7261.html
• https://www.suse.com/security/cve/CVE-2017-7294.html
• https://www.suse.com/security/cve/CVE-2017-7308.html
• https://www.suse.com/security/cve/CVE-2017-7616.html
• https://bugzilla.suse.com/1003077
• https://bugzilla.suse.com/1015703
• https://bugzilla.suse.com/1021256
• https://bugzilla.suse.com/1021762
• https://bugzilla.suse.com/1023377
• https://bugzilla.suse.com/1023762
• https://bugzilla.suse.com/1023992
• https://bugzilla.suse.com/1024938
• https://bugzilla.suse.com/1025235
• https://bugzilla.suse.com/1026024
• https://bugzilla.suse.com/1026722
• https://bugzilla.suse.com/1026914
• https://bugzilla.suse.com/1027066
• https://bugzilla.suse.com/1027149
• https://bugzilla.suse.com/1027178
• https://bugzilla.suse.com/1027189
• https://bugzilla.suse.com/1027190
• https://bugzilla.suse.com/1028415
• https://bugzilla.suse.com/1028895
• https://bugzilla.suse.com/1029986
• https://bugzilla.suse.com/1030118
• https://bugzilla.suse.com/1030213
• https://bugzilla.suse.com/1030901
• https://bugzilla.suse.com/1031003
• https://bugzilla.suse.com/1031052
• https://bugzilla.suse.com/1031440
• https://bugzilla.suse.com/1031579
• https://bugzilla.suse.com/1032344
• https://bugzilla.suse.com/1033336
• https://bugzilla.suse.com/914939
• https://bugzilla.suse.com/954763
• https://bugzilla.suse.com/968697
• https://bugzilla.suse.com/979215
• https://bugzilla.suse.com/983212
• https://bugzilla.suse.com/989056