SUSE-SU-2016:1985-1

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed: - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddevioctlusage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). - CVE-2016-4997: The compat IPTSOSETREPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-4470: The keyrejectandlink function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-5244: The rdsincinfocopy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-1583: The ecryptfsprivilegedopen function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bnc#983143). - CVE-2016-4913: The getrockridgefilename function in fs/isofs/rock.c in the Linux kernel mishandled NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25negotiatefacilities function in net/x25/x25facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/pppgeneric.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the pppregisternetchannel and pppunregisterchannel functions (bnc#980371). - CVE-2016-0758: Integer overflow in lib/asn1decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bnc#979867). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2016-3707: The icmpchecksysrq function in net/ipv4/icmp.c in the kernel.org projects/rt patches for the Linux kernel, allowed remote attackers to execute SysRq commands via crafted ICMP Echo Request packets, as demonstrated by a brute-force attack to discover a cookie, or an attack that occurs after reading the local icmpechosysrq file (bnc#980246). - CVE-2016-2187: The gtcoprobe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971944). - CVE-2016-4482: The procconnectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFSCONNECTINFO ioctl call (bnc#978401). - CVE-2016-2053: The asn1berdecoder function in lib/asn1decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the publickeyverifysignature function in crypto/asymmetrickeys/publickey.c (bnc#963762). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-4485: The llccmsgrcv function in net/llc/afllc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) sndtimeruserccallback and (2) sndtimerusertinterrupt functions (bnc#979879). - CVE-2016-4569: The sndtimeruserparams function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-4486: The rtnlfilllinkifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPTSOSET_REPLACE setsockopt call (bnc#971126).

The following non-security bugs were fixed: - ALSA: hrtimer: Handle start/stop more properly (bsc#973378). - ALSA: oxygen: add Xonar DGX support (bsc#982691). - Assign correct ->canqueue value in hvstorvsc (bnc#969391) - Delete patches.drivers/nvme-0165-Split-header-file-into-user-visible-and-kernel-.patch. SLE11-SP4 does not have uapi headers so move everything back to the original header (bnc#981231) - Driver: Vmxnet3: set CHECKSUMUNNECESSARY for IPv6 packets (bsc#976739). - Fix cifsuniqueidtoinot() function for s390x (bsc#944309) - KVM: x86: fix maintenance of guest/host xcr0 state (bsc#961518). - MM: increase safety margin provided by PFLESSTHROTTLE (bsc#956491). - NFS: Do not attempt to decode missing directory entries (bsc#980931). - NFS: avoid deadlocks with loop-back mounted NFS filesystems (bsc#956491). - NFS: avoid waiting at all in nfsreleasepage when congested (bsc#956491). - NFS: fix memory corruption rooted in getihname pointer math (bsc#984107). - NFS: reduce access cache shrinker locking (bnc#866130). - NFSv4: Ensure that we do not drop a state owner more than once (bsc#979595). - NFSv4: OPEN must handle the NFS4ERRIO return code correctly (bsc#979595). - NVMe: Unify controller probe and resume (bsc#979347). - RDMA/cxgb4: Configure 0B MRs to match HW implementation (bsc#909589). - RDMA/cxgb4: Do not hang threads forever waiting on WR replies (bsc#909589). - RDMA/cxgb4: Fix locking issue in processmparequest (bsc#909589). - RDMA/cxgb4: Handle NETXMIT return codes (bsc#909589). - RDMA/cxgb4: Increase epd buff size for debug interface (bsc#909589). - RDMA/cxgb4: Limit MRs to less than 8GB for T4/T5 devices (bsc#909589). - RDMA/cxgb4: Serialize CQ event upcalls with CQ destruction (bsc#909589). - RDMA/cxgb4: Wake up waiters after flushing the qp (bsc#909589). - SCSI: Increase REPORTLUNS timeout (bsc#971989). - Update patches.drivers/nvme-0265-fix-maxsegments-integer-truncation.patch (bsc#979419). Fix reference. - Update patches.fixes/bnx2x-Alloc-4k-fragment-for-each-rx-ring-buffer-elem.patch (bsc#953369 bsc#975358). - bridge: superfluous skb->nfct check in brnfdevqueuexmit (bsc#982544). - cgroups: do not attach task to subsystem if migration failed (bnc#979274). - cgroups: more safe tasklist locking in cgroupattachproc (bnc#979274). - cpuset: Fix potential deadlock w/ setmemsallowed (bsc#960857, bsc#974646). - dasd: fix hanging system after LCU changes (bnc#968500, LTC#136671). - enic: set netdev->vlanfeatures (bsc#966245). - fcoe: fix reset of fip selection time (bsc#974787). - hid-elo: kill not flush the work (bnc#982532). - ipc,sem: fix use after free on IPCRMID after a task using same semaphore set exits (bsc#967914). - ipv4/fib: do not warn when primary address is missing if indev is dead (bsc#971360). - ipv4: fix ineffective source address selection (bsc#980788). - ipvs: count pre-established TCP states as active (bsc#970114). - iucv: call skblinearize() when needed (bnc#979915, LTC#141240). - kabi: prevent spurious modversion changes after bsc#982544 fix (bsc#982544). - mm/hugetlb.c: correct missing private flag clearing (VM Functionality, bnc#971446). - mm/hugetlb: fix backport of upstream commit 07443a85ad (VM Functionality, bnc#971446). - mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721). - mm/vmscan.c: avoid throttling reclaim for loop-back nfsd threads (bsc#956491). - mm: Fix DIF failures on ext3 filesystems (bsc#971030). - net/qlge: Avoids recursive EEH error (bsc#954847). - netfilter: bridge: Use _in6devget rather than in6devget in brvalidateipv6 (bsc#982544). - netfilter: bridge: do not leak skb in error paths (bsc#982544). - netfilter: bridge: forward IPv6 fragmented packets (bsc#982544). - nvme: fix maxsegments integer truncation (bsc#676471). - ocfs2: do not set fs read-only if rec[0] is empty while committing truncate (bnc#971947). - ocfs2: extend enough credits for freeing one truncate record while replaying truncate records (bnc#971947). - ocfs2: extend transaction for ocfs2removerightmostpath() and ocfs2updateedgelengths() before to avoid inconsistency between inode and et (bnc#971947). - qeth: delete napi struct when removing a qeth device (bnc#979915, LTC#143590). - rpm/modprobe-xen.conf: Revert comment change to allow parallel install (bsc#957986). This reverts commit 855c7ce885fd412ce2a25ccc12a46e565c83f235. - s390/dasd: prevent incorrect length error under z/VM after PAV changes (bnc#968500, LTC#136670). - s390/mm: fix ascebits handling with dynamic pagetable levels (bnc#979915, LTC#141456). - s390/pci: add extra padding to function measurement block (bnc#968500, LTC#139445). - s390/pci: enforce fmb page boundary rule (bnc#968500, LTC#139445). - s390/pci: extract software counters from fmb (bnc#968500, LTC#139445). - s390/pci: fix use after free in dmainit (bnc#979915, LTC#141626). - s390/pci: remove pdev pointer from arch data (bnc#968500, LTC#139444). - s390/pcidma: fix DMA table corruption with > 4 TB main memory (bnc#968500, LTC#139401). - s390/pcidma: handle dma table failures (bnc#968500, LTC#139442). - s390/pcidma: improve debugging of errors during dma map (bnc#968500, LTC#139442). - s390/pcidma: unify label of invalid translation table entries (bnc#968500, LTC#139442). - s390/spinlock: avoid yield to non existent cpu (bnc#968500, LTC#141106). - s390: fix testfpctl inline assembly contraints (bnc#979915, LTC#143138). - sched/cputime: Fix clocknanosleep()/clockgettime() inconsistency (bnc#988498). - sched/cputime: Fix cputimersamplegroup() double accounting (bnc#988498). - sched: Provide updatecurr callbacks for stop/idle scheduling classes (bnc#988498). - veth: do not modify ipsummed (bsc#969149). - vgaarb: Add more context to error messages (bsc#976868). - virtioscsi: Implement ehtimedout callback (bsc#936530). - x86, kvm: fix kvm's usage of kernelfpubegin/end() (bsc#961518). - x86, kvm: use kernelfpubegin/end() in kvmload/putguestfpu() (bsc#961518). - x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).