SUSE Security Update: Security update for kernel-source
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1727-1
Rating:             important
References:         #856382 #886785 #898159 #907973 #908950 #912183
                    #914818 #916543 #920016 #922071 #924722 #929092
                    #929871 #930813 #932285 #932350 #934430 #934942
                    #934962 #936556 #936773 #937609 #937612 #937613
                    #937616 #938550 #938706 #938891 #938892 #938893
                    #939145 #939266 #939716 #939834 #939994 #940398
                    #940545 #940679 #940776 #940912 #940925 #940965
                    #941098 #941305 #941908 #941951 #942160 #942204
                    #942307 #942367 #948536
Cross-References:   CVE-2015-5156 CVE-2015-5157 CVE-2015-5283
                    CVE-2015-5697 CVE-2015-6252 CVE-2015-6937
                    CVE-2015-7613
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Linux Enterprise Live Patching 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that solves 7 vulnerabilities and has 44 fixes is now available.

Description:

The SUSE Linux Enterprise 12 kernel was updated to 3.12.48-52.27 to receive various security and bug fixes.

The following security bugs were fixed:

* CVE-2015-7613: A flaw was found in the Linux kernel IPC code that could lead to arbitrary code execution. The ipc_addid() function initialized a shared object that has unset uid/gid values. Since the fields are not initialized, the check can falsely succeed. (bsc#948536)
* CVE-2015-5156: When a guest's KVM network device is in a bridge configuration, the kernel can create a situation in which packets are fragmented in an unexpected fashion. The GRO functionality can create a situation in which multiple SKBs are chained together in a single packet's fraglist (by design). (bsc#940776)
* CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI (bsc#938706).
* CVE-2015-6252: A flaw was found in the way the Linux kernel's vhost driver treated a userspace-provided log file descriptor when processing the VHOST_SET_LOG_FD ioctl command. The file descriptor was never released and continued to consume kernel memory. A privileged local user with access to the /dev/vhost-net files could use this flaw to create a denial-of-service attack (bsc#942367).
* CVE-2015-5697: The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call. (bnc#939994)
* CVE-2015-6937: A NULL pointer dereference flaw was found in the Reliable Datagram Sockets (RDS) implementation, allowing a local user to cause a system DoS. A check that the underlying transport exists was missing when a connection was created. (bsc#945825)
* CVE-2015-5283: A NULL pointer dereference flaw was found in the SCTP implementation, allowing a local user to cause a system DoS. Creation of multiple sockets in parallel when the system doesn't have the SCTP module loaded can lead to a kernel panic. (bsc#947155)

The following non-security bugs were fixed:

- ALSA: hda - Abort the probe without i915 binding for HSW/BDW (bsc#936556).
- Btrfs: Backport subvolume mount option handling (bsc#934962)
- Btrfs: Handle unaligned length in extent_same (bsc#937609).
- Btrfs: advertise which crc32c implementation is being used on mount (bsc#946057).
- Btrfs: allow mounting btrfs subvolumes with different ro/rw options.
- Btrfs: check if previous transaction aborted to avoid fs corruption (bnc#942509).
- Btrfs: clean up error handling in mount_subvol() (bsc#934962).
- Btrfs: cleanup orphans while looking up default subvolume (bsc#914818).
- Btrfs: do not update mtime/ctime on deduped inodes (bsc#937616).
- Btrfs: fail on mismatched subvol and subvolid mount options (bsc#934962).
- Btrfs: fix chunk allocation regression leading to transaction abort (bnc#938550).
- Btrfs: fix clone / extent-same deadlocks (bsc#937612).
- Btrfs: fix crash on close_ctree() if cleaner starts new transaction (bnc#938891).
- Btrfs: fix deadlock with extent-same and readpage (bsc#937612).
- Btrfs: fix file corruption after cloning inline extents (bnc#942512).
- Btrfs: fix file read corruption after extent cloning and fsync (bnc#946902).
- Btrfs: fix find_free_dev_extent() malfunction in case device tree has hole (bnc#938550).
- Btrfs: fix hang when failing to submit bio of directIO (bnc#942685).
- Btrfs: fix list transaction->pending_ordered corruption (bnc#938893).
- Btrfs: fix memory corruption on failure to submit bio for direct IO (bnc#942685).
- Btrfs: fix memory leak in the extent_same ioctl (bsc#937613).
- Btrfs: fix put dio bio twice when we submit dio bio fail (bnc#942685).
- Btrfs: fix race between balance and unused block group deletion (bnc#938892).
- Btrfs: fix range cloning when same inode used as source and destination (bnc#942511).
- Btrfs: fix read corruption of compressed and shared extents (bnc#946906).
- Btrfs: fix uninit variable in clone ioctl (bnc#942511).
- Btrfs: fix use-after-free in mount_subvol().
- Btrfs: fix wrong check for btrfs_force_chunk_alloc() (bnc#938550).
- Btrfs: lock superblock before remounting for rw subvol (bsc#934962).
- Btrfs: pass unaligned length to btrfs_cmp_data() (bsc#937609).
- Btrfs: remove all subvol options before mounting top-level (bsc#934962).
- Btrfs: show subvol= and subvolid= in /proc/mounts (bsc#934962).
- Btrfs: unify subvol= and subvolid= mounting (bsc#934962).
- Btrfs: fill ->last_trans for delayed inode in btrfs_fill_inode (bnc#942925).
- Btrfs: fix metadata inconsistencies after directory fsync (bnc#942925).
- Btrfs: fix stale dir entries after removing a link and fsync (bnc#942925).
- Btrfs: fix stale dir entries after unlink, inode eviction and fsync (bnc#942925).
- Btrfs: fix stale directory entries after fsync log replay (bnc#942925).
- Btrfs: make btrfs_search_forward return with nodes unlocked (bnc#942925).
- Btrfs: support NFSv2 export (bnc#929871).
- Btrfs: update fix for read corruption of compressed and shared extents (bsc#948256).
- Drivers: hv: do not do hypercalls when hypercall_page is NULL.
- Drivers: hv: vmbus: add special crash handler.
- Drivers: hv: vmbus: add special kexec handler.
- Drivers: hv: vmbus: remove hv_synic_free_cpu() call from hv_synic_cleanup().
- Input: evdev - do not report errors form flush() (bsc#939834).
- Input: synaptics - do not retrieve the board id on old firmwares (bsc#929092).
- Input: synaptics - log queried and quirked dimension values (bsc#929092).
- Input: synaptics - query min dimensions for fw v8.1.
- Input: synaptics - remove X1 Carbon 3rd gen from the topbuttonpad list (bsc#929092).
- Input: synaptics - remove X250 from the topbuttonpad list.
- Input: synaptics - remove obsolete min/max quirk for X240 (bsc#929092).
- Input: synaptics - skip quirks when post-2013 dimensions (bsc#929092).
- Input: synaptics - split synaptics_resolution(), query first (bsc#929092).
- Input: synaptics - support min/max board id in min_max_pnpid_table (bsc#929092).
- NFS: Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
- NFSv4: do not set SETATTR for O_RDONLY|O_EXCL (bsc#939716).
- PCI: Move MPS configuration check to pci_configure_device() (bsc#943313).
- PCI: Set MPS to match upstream bridge (bsc#943313).
- SCSI: fix regression in scsi_send_eh_cmnd() (bsc#930813).
- SCSI: fix scsi_error_handler vs. scsi_host_dev_release race (bnc#942204).
- SCSI: vmw_pvscsi: Fix pvscsi_abort() function (bnc#940398).
- UAS: fixup for remaining use of dead_list (bnc#934942).
- USB: storage: use %*ph specifier to dump small buffers (bnc#934942).
- aio: fix reqs_available handling (bsc#943378).
- audit: do not generate loginuid log when audit disabled (bsc#941098).
- blk-merge: do not compute bi_phys_segments from bi_vcnt for cloned bio (bnc#934430).
- blk-merge: fix blk_recount_segments (bnc#934430).
- blk-merge: recaculate segment if it isn't less than max segments (bnc#934430).
- block: add queue flag for disabling SG merging (bnc#934430).
- block: blk-merge: fix blk_recount_segments() (bnc#934430).
- config: disable CONFIG_TCM_RBD on ppc64le and s390x
- cpufreq: intel_pstate: Add CPU ID for Braswell processor.
- dlm: fix missing endian conversion of rcom_status flags (bsc#940679).
- dm cache mq: fix memory allocation failure for large cache devices (bsc#942707).
- drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt (bsc#942938).
- drm/i915: Make hpd arrays big enough to avoid out of bounds access (bsc#942938).
- drm/i915: Only print hotplug event message when hotplug bit is set (bsc#942938).
- drm/i915: Queue reenable timer also when enable_hotplug_processing is false (bsc#942938).
- drm/i915: Use an interrupt save spinlock in intel_hpd_irq_handler() (bsc#942938).
- drm/radeon: fix hotplug race at startup (bsc#942307).
- ethtool, net/mlx4_en: Add 100M, 20G, 56G speeds ethtool reporting support (bsc#945710).
- hrtimer: prevent timer interrupt DoS (bnc#886785).
- hv: fcopy: add memory barrier to propagate state (bnc#943529).
- inotify: Fix nested sleeps in inotify_read() (bsc#940925).
- intel_pstate: Add CPU IDs for Broadwell processors.
- intel_pstate: Add CPUID for BDW-H CPU.
- intel_pstate: Add support for SkyLake.
- intel_pstate: Correct BYT VID values (bnc#907973).
- intel_pstate: Remove periodic P state boost (bnc#907973).
- intel_pstate: add sample time scaling (bnc#907973, bnc#924722, bnc#916543).
- intel_pstate: don't touch turbo bit if turbo disabled or unavailable (bnc#907973).
- intel_pstate: remove setting P state to MAX on init (bnc#907973).
- intel_pstate: remove unneeded sample buffers (bnc#907973).
- intel_pstate: set BYT MSR with wrmsrl_on_cpu() (bnc#907973).
- ipr: Fix incorrect trace indexing (bsc#940912).
- ipr: Fix invalid array indexing for HRRQ (bsc#940912).
- iwlwifi: dvm: drop non VO frames when flushing (bsc#940545).
- kABI workaround for ieee80211_ops.flush argument change (bsc#940545).
- kconfig: Do not print status messages in make -s mode (bnc#942160).
- kernel/modsign_uefi.c: Check for EFI_RUNTIME_SERVICES in load_uefi_certs (bsc#856382).
- kernel: do full redraw of the 3270 screen on reconnect (bnc#943476, LTC#129509).
- kexec: define kexec_in_progress in !CONFIG_KEXEC case.
- kvm: Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS (bsc#947537).
- lpfc: Fix scsi prep dma buf error (bsc#908950).
- mac80211: add vif to flush call (bsc#940545).
- md/bitmap: do not abuse i_writecount for bitmap files (bsc#943270).
- md/bitmap: protect clearing of ->bitmap by mddev->lock (bnc#912183).
- md/raid5: use ->lock to protect accessing raid5 sysfs attributes (bnc#912183).
- md: fix problems with freeing private data after ->run failure (bnc#912183).
- md: level_store: group all important changes into one place (bnc#912183).
- md: move GET_BITMAP_FILE ioctl out from mddev_lock (bsc#943270).
- md: protect ->pers changes with mddev->lock (bnc#912183).
- md: remove mddev_lock from rdev_attr_show() (bnc#912183).
- md: remove mddev_lock() from md_attr_show() (bnc#912183).
- md: remove need for mddev_lock() in md_seq_show() (bnc#912183).
- md: split detach operation out from ->stop (bnc#912183).
- md: tidy up set_bitmap_file (bsc#943270).
- megaraid_sas: Handle firmware initialization after fast boot (bsc#922071).
- mfd: lpc_ich: Assign subdevice ids automatically (bnc#898159).
- mm: filemap: Avoid unnecessary barriers and waitqueue lookups -fix (VM/FS Performance (bnc#941951)).
- mm: make page pfmemalloc check more robust (bnc#920016).
- mm: numa: disable change protection for vma(VM_HUGETLB) (bnc#943573).
- netfilter: nf_conntrack_proto_sctp: minimal multihoming support (bsc#932350).
- net/mlx4_core: Add ethernet backplane autoneg device capability (bsc#945710).
- net/mlx4_core: Introduce ACCESS_REG CMD and eth_prot_ctrl dev cap (bsc#945710).
- net/mlx4_en: Use PTYS register to query ethtool settings (bsc#945710).
- net/mlx4_en: Use PTYS register to set ethtool settings (Speed) (bsc#945710).
- rcu: Reject memory-order-induced stall-warning false positives (bnc#941908).
- s390/dasd: fix kernel panic when alias is set offline (bnc#940965, LTC#128595).
- sched: Fix KMALLOC_MAX_SIZE overflow during cpumask allocation (bnc#939266).
- sched: Fix cpu_active_mask/cpu_online_mask race (bsc#936773).
- sched, numa: do not hint for NUMA balancing on VM_MIXEDMAP mappings (bnc#943573).
- uas: Add US_FL_MAX_SECTORS_240 flag (bnc#934942).
- uas: Add response iu handling (bnc#934942).
- uas: Add uas_get_tag() helper function (bnc#934942).
- uas: Check against unexpected completions (bnc#934942).
- uas: Cleanup uas_log_cmd_state usage (bnc#934942).
- uas: Do not log urb status error on cancellation (bnc#934942).
- uas: Do not use scsi_host_find_tag (bnc#934942).
- uas: Drop COMMAND_COMPLETED flag (bnc#934942).
- uas: Drop all references to a scsi_cmnd once it has been aborted (bnc#934942).
- uas: Drop inflight list (bnc#934942).
- uas: Fix memleak of non-submitted urbs (bnc#934942).
- uas: Fix resetting flag handling (bnc#934942).
- uas: Free data urbs on completion (bnc#934942).
- uas: Log error codes when logging errors (bnc#934942).
- uas: Reduce number of function arguments for uas_alloc_foo functions (bnc#934942).
- uas: Remove cmnd reference from the cmd urb (bnc#934942).
- uas: Remove support for old sense ui as used in pre-production hardware (bnc#934942).
- uas: Remove task-management / abort error handling code (bnc#934942).
- uas: Set max_sectors_240 quirk for ASM1053 devices (bnc#934942).
- uas: Simplify reset / disconnect handling (bnc#934942).
- uas: Simplify unlink of data urbs on error (bnc#934942).
- uas: Use scsi_print_command (bnc#934942).
- uas: pre_reset and suspend: Fix a few races (bnc#934942).
- uas: zap_pending: data urbs should have completed at this time (bnc#934942).
- x86/kernel: Do not reserve crashkernel high memory if crashkernel low memory reserving failed (bsc#939145).
- x86/smpboot: Check for cpu_active on cpu initialization (bsc#932285).
- x86/smpboot: Check for cpu_active on cpu initialization (bsc#936773).
- xhci: Workaround for PME stuck issues in Intel xhci (bnc#944028).
- xhci: rework cycle bit checking for new dequeue pointers (bnc#944028).
- xfs: Fix file type directory corruption for btree directories (bsc#941305).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12:

  zypper in -t patch SUSE-SLE-WE-12-2015-668=1

- SUSE Linux Enterprise Software Development Kit 12:

  zypper in -t patch SUSE-SLE-SDK-12-2015-668=1

- SUSE Linux Enterprise Server 12:

  zypper in -t patch SUSE-SLE-SERVER-12-2015-668=1

- SUSE Linux Enterprise Module for Public Cloud 12:

  zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2015-668=1

- SUSE Linux Enterprise Live Patching 12:

  zypper in -t patch SUSE-SLE-Live-Patching-12-2015-668=1

- SUSE Linux Enterprise Desktop 12:

  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-668=1

To bring your system up-to-date, use "zypper patch".
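
A post-install check, as an added example that is not part of the SUSE announcement: it tests whether a kernel version-release string is at or above the fixed build 3.12.48-52.27 named in the description. The function names are hypothetical, and GNU `sort -V` is assumed as an approximation of RPM version ordering for these purely numeric strings.

```shell
#!/bin/sh
# Added example: compare kernel builds against the fixed version from this
# announcement. Function names are hypothetical, not SUSE tooling.

FIXED="3.12.48-52.27"   # fixed kernel build stated in the announcement

# `uname -r` appends a flavor such as -default, -xen or -ec2
# (e.g. 3.12.48-52.27-default); drop it before comparing.
strip_flavor() {
    printf '%s\n' "$1" | sed -E 's/-[a-z][a-z0-9]*$//'
}

# Return 0 if version $1 >= version $2 under GNU sort's version ordering.
# A plain string comparison would wrongly rank 52.9 above 52.27.
version_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Return 0 if the given version-release (flavor optional) contains the fixes.
is_patched() {
    version_ge "$(strip_flavor "$1")" "$FIXED"
}

# Report on the running kernel and on every installed kernel-default package.
# An updated package does not help until the host boots into it.
report() {
    running=$(uname -r)
    if is_patched "$running"; then
        echo "running kernel $running: at or above $FIXED"
    else
        echo "running kernel $running: older than $FIXED"
    fi
    if command -v rpm >/dev/null 2>&1 && rpm -q kernel-default >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default |
        while read -r vr; do
            if is_patched "$vr"; then state="at or above"; else state="older than"; fi
            echo "installed kernel-default-$vr: $state $FIXED"
        done
    fi
}

report
```

The comparison is only meaningful on SUSE Linux Enterprise 12 hosts; on other distributions the version numbers follow a different packaging scheme.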

Package List:

- SUSE Linux Enterprise Workstation Extension 12 (x86_64):

  kernel-default-debuginfo-3.12.48-52.27.1
  kernel-default-debugsource-3.12.48-52.27.1
  kernel-default-extra-3.12.48-52.27.1
  kernel-default-extra-debuginfo-3.12.48-52.27.1

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

  kernel-obs-build-3.12.48-52.27.1
  kernel-obs-build-debugsource-3.12.48-52.27.1

- SUSE Linux Enterprise Software Development Kit 12 (noarch):

  kernel-docs-3.12.48-52.27.2

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

  kernel-default-3.12.48-52.27.1
  kernel-default-base-3.12.48-52.27.1
  kernel-default-base-debuginfo-3.12.48-52.27.1
  kernel-default-debuginfo-3.12.48-52.27.1
  kernel-default-debugsource-3.12.48-52.27.1
  kernel-default-devel-3.12.48-52.27.1
  kernel-syms-3.12.48-52.27.1

- SUSE Linux Enterprise Server 12 (x86_64):

  kernel-xen-3.12.48-52.27.2
  kernel-xen-base-3.12.48-52.27.2
  kernel-xen-base-debuginfo-3.12.48-52.27.2
  kernel-xen-debuginfo-3.12.48-52.27.2
  kernel-xen-debugsource-3.12.48-52.27.2
  kernel-xen-devel-3.12.48-52.27.2

- SUSE Linux Enterprise Server 12 (noarch):

  kernel-devel-3.12.48-52.27.1
  kernel-macros-3.12.48-52.27.1
  kernel-source-3.12.48-52.27.1

- SUSE Linux Enterprise Server 12 (s390x):

  kernel-default-man-3.12.48-52.27.1

- SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

  kernel-ec2-3.12.48-52.27.1
  kernel-ec2-debuginfo-3.12.48-52.27.1
  kernel-ec2-debugsource-3.12.48-52.27.1
  kernel-ec2-devel-3.12.48-52.27.1
  kernel-ec2-extra-3.12.48-52.27.1
  kernel-ec2-extra-debuginfo-3.12.48-52.27.1

- SUSE Linux Enterprise Live Patching 12 (x86_64):

  kgraft-patch-3_12_48-52_27-default-1-2.6
  kgraft-patch-3_12_48-52_27-xen-1-2.6

- SUSE Linux Enterprise Desktop 12 (x86_64):

  kernel-default-3.12.48-52.27.1
  kernel-default-debuginfo-3.12.48-52.27.1
  kernel-default-debugsource-3.12.48-52.27.1
  kernel-default-devel-3.12.48-52.27.1
  kernel-default-extra-3.12.48-52.27.1
  kernel-default-extra-debuginfo-3.12.48-52.27.1
  kernel-syms-3.12.48-52.27.1
  kernel-xen-3.12.48-52.27.2
  kernel-xen-debuginfo-3.12.48-52.27.2
  kernel-xen-debugsource-3.12.48-52.27.2
  kernel-xen-devel-3.12.48-52.27.2

- SUSE Linux Enterprise Desktop 12 (noarch):

  kernel-devel-3.12.48-52.27.1
  kernel-macros-3.12.48-52.27.1
  kernel-source-3.12.48-52.27.1

References:

  https://www.suse.com/security/cve/CVE-2015-5156.html
  https://www.suse.com/security/cve/CVE-2015-5157.html
  https://www.suse.com/security/cve/CVE-2015-5283.html
  https://www.suse.com/security/cve/CVE-2015-5697.html
  https://www.suse.com/security/cve/CVE-2015-6252.html
  https://www.suse.com/security/cve/CVE-2015-6937.html
  https://www.suse.com/security/cve/CVE-2015-7613.html
  https://bugzilla.suse.com/856382
  https://bugzilla.suse.com/886785
  https://bugzilla.suse.com/898159
  https://bugzilla.suse.com/907973
  https://bugzilla.suse.com/908950
  https://bugzilla.suse.com/912183
  https://bugzilla.suse.com/914818
  https://bugzilla.suse.com/916543
  https://bugzilla.suse.com/920016
  https://bugzilla.suse.com/922071
  https://bugzilla.suse.com/924722
  https://bugzilla.suse.com/929092
  https://bugzilla.suse.com/929871
  https://bugzilla.suse.com/930813
  https://bugzilla.suse.com/932285
  https://bugzilla.suse.com/932350
  https://bugzilla.suse.com/934430
  https://bugzilla.suse.com/934942
  https://bugzilla.suse.com/934962
  https://bugzilla.suse.com/936556
  https://bugzilla.suse.com/936773
  https://bugzilla.suse.com/937609
  https://bugzilla.suse.com/937612
  https://bugzilla.suse.com/937613
  https://bugzilla.suse.com/937616
  https://bugzilla.suse.com/938550
  https://bugzilla.suse.com/938706
  https://bugzilla.suse.com/938891
  https://bugzilla.suse.com/938892
  https://bugzilla.suse.com/938893
  https://bugzilla.suse.com/939145
  https://bugzilla.suse.com/939266
  https://bugzilla.suse.com/939716
  https://bugzilla.suse.com/939834
  https://bugzilla.suse.com/939994
  https://bugzilla.suse.com/940398
  https://bugzilla.suse.com/940545
  https://bugzilla.suse.com/940679
  https://bugzilla.suse.com/940776
  https://bugzilla.suse.com/940912
  https://bugzilla.suse.com/940925
  https://bugzilla.suse.com/940965
  https://bugzilla.suse.com/941098
  https://bugzilla.suse.com/941305
  https://bugzilla.suse.com/941908
  https://bugzilla.suse.com/941951
  https://bugzilla.suse.com/942160
  https://bugzilla.suse.com/942204
  https://bugzilla.suse.com/942307
  https://bugzilla.suse.com/942367
  https://bugzilla.suse.com/948536