SUSE-SU-2016:0168-1
Vulnerability Summary
Description
Security update for the Linux Kernel

The SUSE Linux Enterprise 12 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:
- CVE-2015-7550: A local user could have triggered a race between read and revoke in keyctl (bnc#958951).
- CVE-2015-8539: A negatively instantiated user key could have been used by a local user to leverage privileges (bnc#958463).
- CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886).
- CVE-2015-8550: Compiler optimizations in the XEN PV backend drivers could have led to double fetch vulnerabilities, causing denial of service or arbitrary code execution (depending on the configuration) (bsc#957988).
- CVE-2015-8551, CVE-2015-8552: xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled (bsc#957990).
- CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190).
- CVE-2015-8575: Validate socket address length in sco_sock_bind() to prevent information leak (bsc#959399).

The following non-security bugs were fixed:
- ACPICA: Correctly cleanup after a ACPI table load failure (bnc#937261).
- ALSA: hda - Fix noise problems on Thinkpad T440s (boo#958504).
- Input: aiptek - fix crash on detecting device without endpoints (bnc#956708).
- Re-add copy_page_vector_to_user()
- Refresh patches.xen/xen3-patch-3.12.46-47 (bsc#959705).
- Refresh patches.xen/xen3-patch-3.9 (bsc#951155).
- Update patches.suse/btrfs-8361-Btrfs-keep-dropped-roots-in-cache-until-transaction-.patch (bnc#935087, bnc#945649, bnc#951615).
- bcache: Add btree_insert_node() (bnc#951638).
- bcache: Add explicit keylist arg to btree_insert() (bnc#951638).
- bcache: Clean up keylist code (bnc#951638).
- bcache: Convert btree_insert_check_key() to btree_insert_node() (bnc#951638).
- bcache: Convert bucket_wait to wait_queue_head_t (bnc#951638).
- bcache: Convert try_wait to wait_queue_head_t (bnc#951638).
- bcache: Explicitly track btree node's parent (bnc#951638).
- bcache: Fix a bug when detaching (bsc#951638).
- bcache: Fix a lockdep splat in an error path (bnc#951638).
- bcache: Fix a shutdown bug (bsc#951638).
- bcache: Fix more early shutdown bugs (bsc#951638).
- bcache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
- bcache: Insert multiple keys at a time (bnc#951638).
- bcache: Refactor journalling flow control (bnc#951638).
- bcache: Refactor request_write() (bnc#951638).
- bcache: Use blkdev_issue_discard() (bnc#951638).
- bcache: backing device set to clean after finishing detach (bsc#951638).
- bcache: kill closure locking usage (bnc#951638).
- blktap: also call blkif_disconnect() when frontend switched to closed (bsc#952976).
- blktap: refine mm tracking (bsc#952976).
- block: Always check queue limits for cloned requests (bsc#902606).
- btrfs: Add qgroup tracing (bnc#935087, bnc#945649).
- btrfs: Adjust commit-transaction condition to avoid NO_SPACE more (bsc#958647).
- btrfs: Fix out-of-space bug (bsc#958647).
- btrfs: Fix tail space processing in find_free_dev_extent() (bsc#958647).
- btrfs: Set relative data on clear btrfs_block_group_cache->pinned (bsc#958647).
- btrfs: Update btrfs qgroup status item when rescan is done (bnc#960300).
- btrfs: backref: Add special time_seq == (u64)-1 case for btrfs_find_all_roots() (bnc#935087, bnc#945649).
- btrfs: backref: Do not merge refs which are not for same block (bnc#935087, bnc#945649).
- btrfs: cleanup: remove no-used alloc_chunk in btrfs_check_data_free_space() (bsc#958647).
- btrfs: delayed-ref: Cleanup the unneeded functions (bnc#935087, bnc#945649).
- btrfs: delayed-ref: Use list to replace the ref_root in ref_head (bnc#935087, bnc#945649).
- btrfs: extent-tree: Use ref_node to replace unneeded parameters in __inc_extent_ref() and __free_extent() (bnc#935087, bnc#945649).
- btrfs: fix comp_oper to get right order (bnc#935087, bnc#945649).
- btrfs: fix condition of commit transaction (bsc#958647).
- btrfs: fix leak in qgroup_subtree_accounting() error path (bnc#935087, bnc#945649).
- btrfs: fix order by which delayed references are run (bnc#949440).
- btrfs: fix qgroup sanity tests (bnc#951615).
- btrfs: fix race waiting for qgroup rescan worker (bnc#960300).
- btrfs: fix regression running delayed references when using qgroups (bnc#951615).
- btrfs: fix regression when running delayed references (bnc#951615).
- btrfs: fix sleeping inside atomic context in qgroup rescan worker (bnc#960300).
- btrfs: fix the number of transaction units needed to remove a block group (bsc#958647).
- btrfs: keep dropped roots in cache until transaction commit (bnc#935087, bnc#945649).
- btrfs: qgroup: Add function qgroup_update_counters() (bnc#935087, bnc#945649).
- btrfs: qgroup: Add function qgroup_update_refcnt() (bnc#935087, bnc#945649).
- btrfs: qgroup: Add new function to record old_roots (bnc#935087, bnc#945649).
- btrfs: qgroup: Add new qgroup calculation function btrfs_qgroup_account_extents() (bnc#935087, bnc#945649).
- btrfs: qgroup: Add the ability to skip given qgroup for old/new_roots (bnc#935087, bnc#945649).
- btrfs: qgroup: Cleanup open-coded old/new_refcnt update and read (bnc#935087, bnc#945649).
- btrfs: qgroup: Cleanup the old ref_node-oriented mechanism (bnc#935087, bnc#945649).
- btrfs: qgroup: Do not copy extent buffer to do qgroup rescan (bnc#960300).
- btrfs: qgroup: Fix a regression in qgroup reserved space (bnc#935087, bnc#945649).
- btrfs: qgroup: Make snapshot accounting work with new extent-oriented qgroup (bnc#935087, bnc#945649).
- btrfs: qgroup: Record possible quota-related extent for qgroup (bnc#935087, bnc#945649).
- btrfs: qgroup: Switch rescan to new mechanism (bnc#935087, bnc#945649).
- btrfs: qgroup: Switch self test to extent-oriented qgroup mechanism (bnc#935087, bnc#945649).
- btrfs: qgroup: Switch to new extent-oriented qgroup mechanism (bnc#935087, bnc#945649).
- btrfs: qgroup: account shared subtree during snapshot delete (bnc#935087, bnc#945649).
- btrfs: qgroup: clear STATUS_FLAG_ON in disabling quota (bnc#960300).
- btrfs: qgroup: exit the rescan worker during umount (bnc#960300).
- btrfs: qgroup: fix quota disable during rescan (bnc#960300).
- btrfs: qgroup: move WARN_ON() to the correct location (bnc#935087, bnc#945649).
- btrfs: remove transaction from send (bnc#935087, bnc#945649).
- btrfs: ulist: Add ulist_del() function (bnc#935087, bnc#945649).
- btrfs: use btrfs_get_fs_root in resolve_indirect_ref (bnc#935087, bnc#945649).
- btrfs: use global reserve when deleting unused block group after ENOSPC (bsc#958647).
- cache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
- cpusets, isolcpus: exclude isolcpus from load balancing in cpusets (bsc#957395).
- drm/i915: Fix SRC_COPY width on 830/845g (bsc#758040).
- drm: Allocate new master object when client becomes master (bsc#956876, bsc#956801).
- drm: Fix KABI of 'struct drm_file' (bsc#956876, bsc#956801).
- e1000e: Do not read ICR in Other interrupt (bsc#924919).
- e1000e: Do not write lsc to ics in msi-x mode (bsc#924919).
- e1000e: Fix msi-x interrupt automask (bsc#924919).
- e1000e: Remove unreachable code (bsc#924919).
- genksyms: Handle string literals with spaces in reference files (bsc#958510).
- ipv6: fix tunnel error handling (bsc#952579).
- lpfc: Fix null ndlp dereference in target_reset_handler (bsc#951392).
- mm/mempolicy.c: convert the shared_policy lock to a rwlock (bnc#959436).
- mm: remove PG_waiters from PAGE_FLAGS_CHECK_AT_FREE (bnc#943959).
- pm, hibernate: use put_page in release_swap_writer (bnc#943959).
- sched, isolcpu: make cpu_isolated_map visible outside scheduler (bsc#957395).
- udp: properly support MSG_PEEK with truncated buffers (bsc#951199 bsc#959364).
- xhci: Workaround to get Intel xHCI reset working more reliably (bnc#957546).
Affected Systems
- suse•kernel-default&distro=SUSE Linux Enterprise Desktop 12
< 3.12.51-52.34.1
- suse•kernel-default&distro=SUSE Linux Enterprise Server 12
< 3.12.51-52.34.1
- suse•kernel-default&distro=SUSE Linux Enterprise Server for SAP Applications 12
< 3.12.51-52.34.1
- suse•kernel-default&distro=SUSE Linux Enterprise Workstation Extension 12
< 3.12.51-52.34.1
- suse•kernel-docs&distro=SUSE Linux Enterprise Software Development Kit 12
< 3.12.51-52.34.3
- suse•kernel-ec2&distro=SUSE Linux Enterprise Module for Public Cloud 12
< 3.12.51-52.34.1
- suse•kernel-obs-build&distro=SUSE Linux Enterprise Software Development Kit 12
< 3.12.51-52.34.1
- suse•kernel-source&distro=SUSE Linux Enterprise Desktop 12
< 3.12.51-52.34.1
- suse•kernel-source&distro=SUSE Linux Enterprise Server 12
< 3.12.51-52.34.1
- suse•kernel-source&distro=SUSE Linux Enterprise Server for SAP Applications 12
< 3.12.51-52.34.1
- suse•kernel-syms&distro=SUSE Linux Enterprise Desktop 12
< 3.12.51-52.34.1
- suse•kernel-syms&distro=SUSE Linux Enterprise Server 12
< 3.12.51-52.34.1
- suse•kernel-syms&distro=SUSE Linux Enterprise Server for SAP Applications 12
< 3.12.51-52.34.1
- suse•kernel-xen&distro=SUSE Linux Enterprise Desktop 12
< 3.12.51-52.34.1
- suse•kernel-xen&distro=SUSE Linux Enterprise Server 12
< 3.12.51-52.34.1
- suse•kernel-xen&distro=SUSE Linux Enterprise Server for SAP Applications 12
< 3.12.51-52.34.1
- suse•kgraft-patch-SLE12_Update_10&distro=SUSE Linux Enterprise Live Patching 12
< 1-2.1
References (43)
- https://www.suse.com/support/update/announcement/2016/suse-su-20160168-1/
- https://bugzilla.suse.com/758040
- https://bugzilla.suse.com/902606
- https://bugzilla.suse.com/924919
- https://bugzilla.suse.com/935087
- https://bugzilla.suse.com/937261
- https://bugzilla.suse.com/943959
- https://bugzilla.suse.com/945649
- https://bugzilla.suse.com/949440
- https://bugzilla.suse.com/951155
- https://bugzilla.suse.com/951199
- https://bugzilla.suse.com/951392
- https://bugzilla.suse.com/951615
- https://bugzilla.suse.com/951638
- https://bugzilla.suse.com/952579
- https://bugzilla.suse.com/952976
- https://bugzilla.suse.com/956708
- https://bugzilla.suse.com/956801
- https://bugzilla.suse.com/956876
- https://bugzilla.suse.com/957395
- https://bugzilla.suse.com/957546
- https://bugzilla.suse.com/957988
- https://bugzilla.suse.com/957990
- https://bugzilla.suse.com/958463
- https://bugzilla.suse.com/958504
- https://bugzilla.suse.com/958510
- https://bugzilla.suse.com/958647
- https://bugzilla.suse.com/958886
- https://bugzilla.suse.com/958951
- https://bugzilla.suse.com/959190
- https://bugzilla.suse.com/959364
- https://bugzilla.suse.com/959399
- https://bugzilla.suse.com/959436
- https://bugzilla.suse.com/959705
- https://bugzilla.suse.com/960300
- https://www.suse.com/security/cve/CVE-2015-7550
- https://www.suse.com/security/cve/CVE-2015-8539
- https://www.suse.com/security/cve/CVE-2015-8543
- https://www.suse.com/security/cve/CVE-2015-8550
- https://www.suse.com/security/cve/CVE-2015-8551
- https://www.suse.com/security/cve/CVE-2015-8552
- https://www.suse.com/security/cve/CVE-2015-8569
- https://www.suse.com/security/cve/CVE-2015-8575