Security update for the Linux Kernel
| Announcement ID: | SUSE-SU-2016:1764-1 |
|---|---|
| Rating: | important |
| References: |
|
| Cross-References: |
|
| CVSS scores: |
|
| Affected Products: |
|
An update that solves 26 vulnerabilities and has 95 security fixes can now be installed.
Description:
The SUSE Linux Enterprise 12 SP1 Realtime kernel was updated to 3.12.58 to receive various security and bugfixes.
The following security bugs were fixed: - CVE-2015-7566: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#961512). - CVE-2015-8550: Xen, when used on a system providing PV backends, allowed local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability (bsc#957988). - CVE-2015-8551: The PCI backend driver in Xen, when running on an x86 system, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_ operations, aka "Linux pciback missing sanity checks (bsc#957990). - CVE-2015-8551: The pci backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_ operations, aka "Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8552: The PCI backend driver in Xen, when running on an x86 system, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks (bsc#957990). - CVE-2015-8552: The pci backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8709: DISPUTED kernel/ptrace.c in the Linux kernel mishandles uid and gid mappings, which allowed local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call. Upstream states that there is no kernel bug here (bnc#960561). - CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c allowed local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov (bsc#963765). - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c did not properly identify error conditions, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets (bsc#966437). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bsc#968010). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2016-0723: Race condition in the tty_ioctl function in drivers/tty/tty_io.c allowed local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call (bsc#961500). - CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandles the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h. (bnc#970504) - CVE-2016-2143: The fork implementation on s390 platforms mishandles the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h (bsc#970504). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bsc#971125). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bsc#971124). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bsc#970958). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bsc#970956). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c allowed physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor (bsc#966693). - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bsc#968670). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bsc#970955). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bsc#970970). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bsc#970911). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3139: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bsc#970892). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-3156: The IPv4 implementation mishandled destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bsc#971360). - CVE-2016-3689: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bsc#971628). - CVE-2016-3689: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bnc#971628). - CVE-2016-3707: A ICMP echo feature hooked to sysrq was removed, which could have allowed remote attackers to reboot / halt the machine. - CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor (bnc#974418).
The following non-security bugs were fixed: - acpi: Disable ACPI table override when UEFI Secure Boot is enabled (bsc#970604). - acpi: Disable APEI error injection if securelevel is set (bsc#972891). - alsa: rawmidi: Make snd_rawmidi_transmit() race-free (bsc#968018). - alsa: seq: Fix leak of pool buffer at concurrent writes (bsc#968018). - alsa: timer: Call notifier in the same spinlock (bsc#973378). - alsa: timer: Protect the whole snd_timer_close() with open race (bsc#973378). - alsa: timer: Sync timer deletion at closing the system timer (bsc#973378). - alsa: timer: Use mod_timer() for rearming the system timer (bsc#973378). - apparmor: Skip proc ns files (bsc#959514). - block: xen-blkfront: Fix possible NULL ptr dereference (bsc#957986 fate#320625). - btrfs: Account data space in more proper timin: (bsc#963193). - btrfs: Add handler for invalidate page (bsc#963193). - Btrfs: check prepare_uptodate_page() error code earlier (bnc#966910). - btrfs: delayed_ref: Add new function to record reserved space into delayed ref (bsc#963193). - btrfs: delayed_ref: release and free qgroup reserved at proper timing (bsc#963193). - btrfs: extent_io: Introduce needed structure for recoding set/clear bits (bsc#963193). - btrfs: extent_io: Introduce new function clear_record_extent_bits() (bsc#963193). - btrfs: extent_io: Introduce new function set_record_extent_bits (bsc#963193). - btrfs: extent-tree: Add new version of btrfs_check_data_free_space and btrfs_free_reserved_data_space (bsc#963193). - btrfs: extent-tree: Add new version of btrfs_delalloc_reserve/release_space (bsc#963193). - btrfs: extent-tree: Switch to new check_data_free_space and free_reserved_data_space (bsc#963193). - btrfs: extent-tree: Switch to new delalloc space reserve and release (bsc#963193). - btrfs: fallocate: Add support to accurate qgroup reserve (bsc#963193). - Btrfs: fix deadlock between direct IO reads and buffered writes (bsc#973855). - Btrfs: fix invalid page accesses in extent_same (dedup) ioctl (bnc#968230). - Btrfs: fix loading of orphan roots leading to BUG_ON (bsc#972844). - Btrfs: fix page reading in extent_same ioctl leading to csum errors (bnc#968230). - btrfs: handle non-fatal errors in btrfs_qgroup_inherit() (bsc#972951). - btrfs: qgroup: Add handler for NOCOW and inline (bsc#963193). - btrfs: qgroup: Add new trace point for qgroup data reserve (bsc#963193). - btrfs: qgroup: Avoid calling btrfs_free_reserved_data_space in clear_bit_hook (bsc#963193). - btrfs: qgroup: Check if qgroup reserved space leaked (bsc#963193). - btrfs: qgroup: Cleanup old inaccurate facilities (bsc#963193). - btrfs: qgroup: Fix a race in delayed_ref which leads to abort trans (bsc#963193). - btrfs: qgroup: Fix a rebase bug which will cause qgroup double free (bsc#963193). - btrfs: qgroup: Fix dead judgement on qgroup_rescan_leaf() return value (bsc#969439). - btrfs: qgroup: Introduce btrfs_qgroup_reserve_data function (bsc#963193). - btrfs: qgroup: Introduce functions to release/free qgroup reserve data space (bsc#963193). - btrfs: qgroup: Introduce new functions to reserve/free metadata (bsc#963193). - btrfs: qgroup: return EINVAL if level of parent is not higher than child's (bsc#972951). - btrfs: qgroup: Use new metadata reservation (bsc#963193). - Btrfs: teach backref walking about backrefs with underflowed offset values (bsc#975371). - dasd: fix hanging system after LCU changes (bnc#968497, LTC#136671). - dmapi: fix dm_open_by_handle_rvp taking an extra ref to mnt (bsc#967292). - drivers/base/memory.c: fix kernel warning during memory hotplug on ppc64 (bsc#963827). - drivers: hv: Allow for MMIO claims that span ACPI CRS records (bnc#965924). - drivers: hv: Define the channel type for Hyper-V pci Express pass-through (bnc#965924). - drivers: hv: Export a function that maps Linux CPU num onto Hyper-V proc num (bnc#965924). - drivers: hv: Export the API to invoke a hypercall on Hyper-V (bnc#965924). - drivers: hv: kvp: fix IP Failover. - drivers: pci:hv: New paravirtual pci front-end for Hyper-V VMs (bnc#965924). - drivers: xen-blkfront: move talk_to_blkback to a more suitable place (bsc#957986 fate#320625). - drivers: xen-blkfront: only talk_to_blkback() when in XenbusStateInitialising (bsc#957986 fate#320625). - drm/core: Preserve the framebuffer after removing it (bsc#968812). - drm/i915: do not warn if backlight unexpectedly enabled (boo#972068). - drm/i915: set backlight duty cycle after backlight enable for gen4 (boo#972780). - drm/radeon: fix-up some float to fixed conversion thinkos (bsc#968813). - drm/radeon: use HDP_MEM_COHERENCY_FLUSH_CNTL for sdma as well (bsc#968813). - e1000e: Avoid divi