SUSE-SU-2016:1690-1

The SUSE Linux Enterprise 12 kernel was updated to 3.12.60 to receive various security and bugfixes.

The following security bugs were fixed: - CVE-2014-9717: fs/namespace.c in the Linux kernel processes MNTDETACH umount2 system called without verifying that the MNTLOCKED flag is unset, which allowed local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace (bnc#928547). - CVE-2015-8816: The hubactivate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2015-8845: The tmreclaimthread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms did not ensure that TM suspend mode exists before proceeding with a tmreclaim call, which allowed local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application (bnc#975533). - CVE-2016-0758: Fix ASN.1 indefinite length object parsing (bsc#979867). - CVE-2016-2053: The asn1berdecoder function in lib/asn1decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the publickeyverifysignature function in crypto/asymmetrickeys/publickey.c (bnc#963762). - CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandled the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmucontext.h and arch/s390/include/asm/pgalloc.h. (bnc#970504) - CVE-2016-2184: The createfixedstreamquirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-2185: The atiremote2probe function in drivers/input/misc/atiremote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-2186: The powermateprobe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2188: The iowarriorprobe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-2782: The treoattach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPTSOSETREPLACE setsockopt call (bnc#971126). - CVE-2016-3136: The mctu232msrtostate function in drivers/usb/serial/mctu232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-3137: drivers/usb/serial/cypressm8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypressgenericportprobe and cypressopen functions (bnc#970970). - CVE-2016-3138: The acmprobe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3139: The wacomprobe function in drivers/input/tablet/wacomsys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2016-3140: The digiportinit function in drivers/usb/serial/digiacceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandled destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-3672: The archpickmmaplayout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDRNORANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-3689: The imspcuparsecdcdata function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bnc#971628). - CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdcncm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor (bnc#974418). - CVE-2016-4482: The procconnectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFSCONNECTINFO ioctl call (bnc#978401). - CVE-2016-4486: The rtnlfilllinkifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-4569: The sndtimeruserparams function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) sndtimeruserccallback and (2) sndtimerusertinterrupt functions (bnc#979879). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/pppgeneric.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the pppregisternetchannel and pppunregisterchannel functions (bnc#980371). - CVE-2016-5244: Fixed an infoleak in rdsincinfocopy (bsc#983213).

The following non-security bugs were fixed: - ALSA: hrtimer: Handle start/stop more properly (bsc#973378). - ALSA: timer: Call notifier in the same spinlock (bsc#973378). - ALSA: timer: Protect the whole sndtimerclose() with open race (bsc#973378). - ALSA: timer: Sync timer deletion at closing the system timer (bsc#973378). - ALSA: timer: Use modtimer() for rearming the system timer (bsc#973378). - Btrfs-8394-qgroup-Account-data-space-in-more-proper-timin.patch: (bsc#963193). - Btrfs: do not collect ordered extents when logging that inode exists (bsc#977685). - Btrfs: do not use src fd for printk (bsc#980348). - Btrfs: fix deadlock between direct IO reads and buffered writes (bsc#973855). - Btrfs: fix empty symlink after creating symlink and fsync parent dir (bsc#977685). - Btrfs: fix file loss on log replay after renaming a file and fsync (bsc#977685). - Btrfs: fix file/data loss caused by fsync after rename and new inode (bsc#977685). - Btrfs: fix for incorrect directory entries after fsync log replay (bsc#957805, bsc#977685). - Btrfs: fix loading of orphan roots leading to BUGON (bsc#972844). - Btrfs: fix race between fsync and lockless direct IO writes (bsc#977685). - Btrfs: fix unreplayable log after snapshot delete + parent dir fsync (bsc#977685). - Btrfs: handle non-fatal errors in btrfsqgroupinherit() (bsc#972951). - Btrfs: qgroup: Fix dead judgement on qgrouprescanleaf() return value (bsc#969439). - Btrfs: qgroup: Fix qgroup accounting when creating snapshot (bsc#972933). - Btrfs: qgroup: return EINVAL if level of parent is not higher than child's (bsc#972951). - Btrfs: teach backref walking about backrefs with underflowed offset values (bsc#975371). - CacheFiles: Fix incorrect test for in-memory object collision (bsc#971049). - CacheFiles: Handle object being killed before being set up (bsc#971049). - Ceph: Remove racey watch/notify event infrastructure (bsc#964727) - Driver: Vmxnet3: set CHECKSUMUNNECESSARY for IPv6 packets (bsc#976739). - FS-Cache: Add missing initialization of ret in cachefileswritepage() (bsc#971049). - FS-Cache: Count culled objects and objects rejected due to lack of space (bsc#971049). - FS-Cache: Fix cancellation of in-progress operation (bsc#971049). - FS-Cache: Handle a new operation submitted against a killed object (bsc#971049). - FS-Cache: Move fscachereportunexpectedsubmission() to make it more available (bsc#971049). - FS-Cache: Out of line fscacheoperationinit() (bsc#971049). - FS-Cache: Permit fscachecancelop() to cancel in-progress operations too (bsc#971049). - FS-Cache: Put an aborted initialised op so that it is accounted correctly (bsc#971049). - FS-Cache: Reduce cookie ref count if submit fails (bsc#971049). - FS-Cache: Synchronise object death state change vs operation submission (bsc#971049). - FS-Cache: The operation cancellation method needs calling in more places (bsc#971049). - FS-Cache: Timeout for releasepage() (bsc#971049). - FS-Cache: When submitting an op, cancel it if the target object is dying (bsc#971049). - FS-Cache: fscacheobjectisdead() has wrong logic, kill it (bsc#971049). - Fix cifsuniqueidtoinot() function for s390x (bsc#944309) - Fix kabi issue (bsc#971049). - Fix kmalloc overflow in LPFC driver at large core count (bsc#969690). - Fix problem with setting ACL on directories (bsc#967251). - Input: i8042 - lower log level for 'no controller' message (bsc#945345). - KVM: SVM: add rdmsr support for AMD event registers (bsc#968448). - MM: increase safety margin provided by PFLESSTHROTTLE (bsc#956491). - NFSv4.1: do not use machine credentials for CLOSE when using 'sec=sys' (bsc#972003). - PCI/AER: Fix aerinject error codes (bsc#931448). - PCI/AER: Log actual error causes in aerinject (bsc#931448). - PCI/AER: Log aerinject error injections (bsc#931448). - PCI/AER: Use devwarn() in aerinject (bsc#931448). - Revert 'libata: Align atadevice's id on a cacheline'. - Revert 'net/ipv6: add sysctl option acceptraminhoplimit'. - USB: quirk to stop runtime PM for Intel 7260 (bnc#984456). - USB: usbip: fix potential out-of-bounds write (bnc#975945). - USB: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982698). - Update patches.drivers/0001-nvme-fix-maxsegments-integer-truncation.patch (bsc#979419). Fix reference. - Update patches.drivers/drm-ast-Initialize-data-needed-to-map-fbdev-memory.patch (bnc#880007). Fix refs and upstream status. - Update patches.kernel.org/patch-3.12.55-56 references (add bsc#973570). - Update patches.suse/kgr-0102-add-TAINTKGRAFT.patch (bsc#974406). - acpi: Disable ACPI table override when UEFI Secure Boot is enabled (bsc#970604). - acpi: Disable APEI error injection if securelevel is set (bsc#972891). - cachefiles: perform test on sblocksize when opening cache file (bsc#971049). - cpuset: Fix potential deadlock w/ setmemsallowed (bsc#960857, bsc#974646). - dmapi: fix dmopenbyhandlervp taking an extra ref to mnt (bsc#967292). - drm/core: Preserve the framebuffer after removing it (bsc#968812). - drm/mgag200: Add support for a new G200eW3 chipset (bsc#983904). - drm/mgag200: Add support for a new rev of G200e (bsc#983904). - drm/mgag200: Black screen fix for G200e rev 4 (bsc#983904). - drm/mgag200: remove unused variables (bsc#983904). - drm/radeon: fix-up some float to fixed conversion thinkos (bsc#968813). - drm/radeon: use HDPMEMCOHERENCYFLUSHCNTL for sdma as well (bsc#968813). - drm: qxl: Workaround for buggy user-space (bsc#981344). - efifb: Fix 16 color palette entry calculation (bsc#983318). - ehci-pci: enable interrupt on BayTrail (bnc#947337). - enic: set netdev->vlanfeatures (bsc#966245). - ext4: fix races between page faults and hole punching (bsc#972174). - ext4: fix races of writeback with punch hole and zero range (bsc#972174). - fix: print ext4 mountopt dataerr=abort correctly (bsc#969735). - fs, seqfile: fallback to vmalloc instead of oom kill processes (bnc#968687). - fs, seqfile: always allow oom killer (bnc#968687). - fs/pipe.c: skip fileupdatetime on frozen fs (bsc#975488). - hid-elo: kill not flush the work (bnc#982354). - ibmvscsi: Remove unsupported host config MAD (bsc#973556). - ipv6: make fib6 serial number per namespace (bsc#965319). - ipv6: mld: fix addgrhead skboverpanic for devs with large MTUs (bsc#956852). - ipv6: per netns FIB garbage collection (bsc#965319). - ipv6: per netns fib6 walkers (bsc#965319). - ipv6: replace global gcargs with local variable (bsc#965319). - ipvs: count pre-established TCP states as active (bsc#970114). - kABI: kgr: fix subtle race with kgrmoduleinit(), going notifier and kgrmodifykernel(). - kABI: protect enum enclosurecomponenttype. - kABI: protect function fileopenroot. - kABI: protect include in evm. - kABI: protect struct dmexceptionstoretype. - kABI: protect struct fibnhexception. - kABI: protect struct module. - kABI: protect struct rq. - kABI: protect struct schedclass. - kABI: protect struct scmcreds. - kABI: protect struct userstruct. - kABI: protect struct userstruct. - kabi fix for patches.fixes/reduce-mstart-cost (bsc#966573). - kabi/severities: Whitelist libceph and rbd (bsc#964727). - kabi: kgr, add reserved fields - kabi: protect struct fcrportpriv (bsc#953233, bsc#962846). - kabi: protect struct netnsipv6 after FIB6 GC series (bsc#965319). - kgr: add TAINTKGRAFT - kgr: add kgraft annotation to hwrng kthread. - kgr: add kgraft annotations to kthreads' waiteventfreezable() API calls. - kgr: add objname to kgrpatchfun struct. - kgr: add sympos and objname to error and debug messages. - kgr: add sympos as disambiguator field to kgrpatchfun structure. - kgr: add sympos to sysfs. - kgr: call kgrinitftraceops() only for loaded objects. - kgr: change to kallsymsoneachsymbol iterator. - kgr: define prfmt and modify all pr* messages. - kgr: do not print error for !abortifmissing symbols (bnc#943989). - kgr: do not return and print an error only if the object is not loaded. - kgr: do not use WQMEMRECLAIM workqueue (bnc#963572). - kgr: fix an asymmetric dealing with delayed module loading. - kgr: fix redirection on s390x arch (bsc#903279). - kgr: fix subtle race with kgrmoduleinit(), going notifier and kgrmodifykernel(). - kgr: handle btrfs kthreads (bnc#889207). - kgr: kmemleak, really mark the kthread safe after an interrupt. - kgr: log when modifying kernel. - kgr: mark some more missed kthreads (bnc#962336). - kgr: remove abortifmissing flag. - kgr: usb/storage: do not emit thread awakened (bnc#899908). - kgraft/gfs2: Do not block livepatching in the log daemon for too long. - kgraft/xen: Do not block livepatching in the XEN blkif kthread. - libfc: replace 'rpmutex' with 'rplock' (bsc#953233, bsc#962846). - memcg: do not hang on OOM when killed by userspace OOM access to memory reserves (bnc#969571). - mld, igmp: Fix reserved tailroom calculation (bsc#956852). - mmc: Allow forward compatibility for eMMC (bnc#966054). - mmc: sdhci: Allow for irq being shared (bnc#977582). - net/qlge: Avoids recursive EEH error (bsc#954847). - net: Account for all vlan headers in skbmacgsosegment (bsc#968667). - net: Start with correct maclen in skbnetworkprotocol (bsc#968667). - net: disable fragment reassembly if highthresh is set to zero (bsc#970506). - net: fix wrong maclen calculation for vlans (bsc#968667). - net: irda: Fix use-after-free in irttyopen() (bnc#967903). - nfs4: treat lock owners as opaque values (bnc#968141). - nfs: fix high load average due to callback thread sleeping (bsc#971170). - nfsd: fix nfsdsetattr return code for HSM (bsc#969992). - nvme: fix maxsegments integer truncation (bsc#676471). - ocfs2: do not set fs read-only if rec[0] is empty while committing truncate (bnc#971947). - ocfs2: extend enough credits for freeing one truncate record while replaying truncate records (bnc#971947). - ocfs2: extend transaction for ocfs2removerightmostpath() and ocfs2updateedgelengths() before to avoid inconsistency between inode and et (bnc#971947). - perf, nmi: Fix unknown NMI warning (bsc#968512). - pipe: limit the per-user amount of pages allocated in pipes (bsc#970948). - rbd: do not log miscompare as an error (bsc#970062). - rbd: handle OBJREQUESTSG types for copyup (bsc#983394). - rbd: report unsupported features to syslog (bsc#979169). - rbd: use GFPNOIO consistently for request allocations (bsc#971159). - reduce mstart() cost.. (bsc#966573). - rpm/modprobe-xen.conf: Revert comment change to allow parallel install (bsc#957986). This reverts commit 6c6d86d3cdc26f7746fe4ba2bef8859b5aeb346c. - s390/pageattr: do a single TLB flush for changepageattr (bsc#940413). - sched/x86: Fix up typo in topology detection (bsc#974165). - scsi: proper state checking and module refcount handling in scsideviceget (boo#966831). - series.conf: move netfilter section at the end of core networking - supported.conf: Add bridge.ko for OpenStack (bsc#971600) - supported.conf: Add isofs to -base (bsc#969655). - supported.conf:Add drivers/infiniband/hw/ocrdma/ocrdma.ko to supported.conf (bsc#964461) - target/rbd: do not put snapcontext twice (bsc#981143). - target/rbd: remove cawmutex usage (bsc#981143). - target: Drop incorrect ABORTTASK put for completed commands (bsc#962872). - target: Fix LUNRESET active I/O handling for ACKKREF (bsc#962872). - target: Fix LUNRESET active TMR descriptor handling (bsc#962872). - target: Fix TAS handling for multi-session senodeacls (bsc#962872). - target: Fix race with SCFSENDDELAYEDTAS handling (bsc#962872). - target: Fix remote-port TMR ABORT + secmd fabric stop (bsc#962872). - vgaarb: Add more context to error messages (bsc#976868). - x86, sched: Add new topology for multi-NUMA-node CPUs (bsc#974165). - x86/efi: parseefisetup() build fix (bsc#979485). - x86: standardize mmaprnd() usage (bnc#974308). - xen/acpi: Disable ACPI table override when UEFI Secure Boot is enabled (bsc#970604). - xfs/dmapi: drop lock over synchronous XFSSEND_DATA events (bsc#969993). - xfs/dmapi: propertly send postcreate event (bsc#967299).