SuSE: 2017:3267-1: important: the Linux Kernel
Summary
The SUSE Linux Enterprise 12 SP2 Realtime kernel was updated to 4.4.95 to
receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2017-12153: A security flaw was discovered in the
nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux
kernel. This function did not check whether the required attributes are
present in a Netlink request. This request can be issued by a user with
the CAP_NET_ADMIN capability and may result in a NULL pointer
dereference and system crash (bnc#1058410 1058624).
- CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed
reinstallation of the Group Temporal Key (GTK) during the group key
handshake, allowing an attacker within radio range to replay frames from
access points to clients (bnc#1063667).
- CVE-2017-14489: The iscsi_if_rx function in
drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local
users to cause a denial of service (panic) by leveraging incorrect
length validation (bnc#1059051).
- CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel
allowed local users to cause a denial of service (use-after-free) or
possibly have unspecified other impact via crafted /dev/snd/seq ioctl
calls, related to sound/core/seq/seq_clientmgr.c and
sound/core/seq/seq_ports.c (bnc#1062520).
- CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local
users to gain privileges via crafted system calls that trigger
mishandling of packet_fanout data structures, because of a race
condition (involving fanout_add and packet_do_bind) that leads to a
use-after-free, a different vulnerability than CVE-2017-6346
(bnc#1064388).
The following non-security bugs were fixed:
- alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382).
- alsa: caiaq: Fix stray URB at probe error path (bnc#1012382).
- alsa: compress: Remove unused variable (bnc#1012382).
- alsa: hda: Remove superfluous '-' added by printk conversion
(bnc#1012382).
- alsa: line6: Fix leftover URB at error-path during probe (bnc#1012382).
- alsa: seq: Enable 'use' locking in all configurations (bnc#1012382).
- alsa: seq: Fix copy_from_user() call inside lock (bnc#1012382).
- alsa: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
(bnc#1012382).
- alsa: usb-audio: Check out-of-bounds access by corrupted buffer
descriptor (bnc#1012382).
- alsa: usb-audio: Kill stray URB at exiting (bnc#1012382).
- alsa: usx2y: Suppress kernel warning at page allocation failures
(bnc#1012382).
- arc: Re-enable MMU upon Machine Check exception (bnc#1012382).
- arm64: fault: Route pte translation faults via do_translation_fault
(bnc#1012382).
- arm64: Make sure SPsel is always set (bnc#1012382).
- arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM (bnc#1012382).
- arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes
(bnc#1012382).
- arm: pxa: add the number of DMA requestor lines (bnc#1012382).
- arm: pxa: fix the number of DMA requestor lines (bnc#1012382).
- arm: remove duplicate 'const' annotations' (bnc#1012382).
- asoc: dapm: fix some pointer error handling (bnc#1012382).
- asoc: dapm: handle probe deferrals (bnc#1012382).
- audit: log 32-bit socketcalls (bnc#1012382).
- bcache: correct cache_dirty_target in __update_writeback_rate()
(bnc#1012382).
- bcache: Correct return value for sysfs attach errors (bnc#1012382).
- bcache: do not subtract sectors_to_gc for bypassed IO (bnc#1012382).
- bcache: fix bch_hprint crash and improve output (bnc#1012382).
- bcache: fix for gc and write-back race (bnc#1012382).
- bcache: Fix leak of bdev reference (bnc#1012382).
- bcache: initialize dirty stripes in flash_dev_run() (bnc#1012382).
- blacklist.conf: blacklisted 16af97dc5a89 (bnc#1053919)
- block: Relax a check in blk_start_queue() (bnc#1012382).
- bpf: one perf event close won't free bpf program attached by another
perf event (bnc#1012382).
- bpf/verifier: reject BPF_ALU64|BPF_END (bnc#1012382).
- brcmfmac: add length check in brcmf_cfg80211_escan_handler()
(bnc#1012382).
- brcmfmac: setup passive scan if requested by user-space (bnc#1012382).
- brcmsmac: make some local variables 'static const' to reduce stack size
(bnc#1012382).
- bridge: netlink: register netdevice before executing changelink
(bnc#1012382).
- bsg-lib: do not free job in bsg_prepare_job (bnc#1012382).
- btrfs: add a node counter to each of the rbtrees (bsc#974590 bsc#1030061
bsc#1022914 bsc#1017461).
- btrfs: add cond_resched() calls when resolving backrefs (bsc#974590
bsc#1030061 bsc#1022914 bsc#1017461).
- btrfs: allow backref search checks for shared extents (bsc#974590
bsc#1030061 bsc#1022914 bsc#1017461).
- btrfs: backref, add tracepoints for prelim_ref insertion and merging
(bsc#974590 bsc#1030061 bsc#1022914 bsc#1017461).
- btrfs: backref, add unode_aux_to_inode_list helper (bsc#974590
bsc#1030061 bsc#1022914 bsc#1017461).
- btrfs: backref, cleanup __ namespace abuse (bsc#974590 bsc#1030061
bsc#1022914 bsc#1017461).
- btrfs: backref, constify some arguments (bsc#974590 bsc#1030061
bsc#1022914 bsc#1017461).
- btrfs: btrfs_check_shared should manage its own transaction (bsc#974590
bsc#1030061 bsc#1022914 bsc#1017461).
- btrfs: change how we decide to commit transactions during flushing
(bsc#1060197).
- btrfs: clean up extraneous computations in add_delayed_refs (bsc#974590
bsc#1030061 bsc#1022914 bsc#1017461).
- btrfs: constify tracepoint arguments (bsc#974590 bsc#1030061 bsc#1022914
bsc#1017461).
- btrfs: convert prelimary reference tracking to use rbtrees (bsc#974590
bsc#1030061 bsc#1022914 bsc#1017461).
- btrfs: fix leak and use-after-free in resolve_indirect_refs (bsc#974590
bsc#1030061 bsc#1022914 bsc#1017461).
- btrfs: fix NULL pointer dereference from free_reloc_roots()
(bnc#1012382).
- btrfs: prevent to set invalid default subvolid (bnc#1012382).
- btrfs: propagate error to btrfs_cmp_data_prepare caller (bnc#1012382).
- btrfs: qgroup: move noisy underflow warning to debugging build
(bsc#1055755).
- btrfs: remove ref_tree implementation from backref.c (bsc#974590
bsc#1030061 bsc#1022914 bsc#1017461).
- btrfs: struct-funcs, constify readers (bsc#974590 bsc#1030061
bsc#1022914 bsc#1017461).
- bus: mbus: fix window size calculation for 4GB windows (bnc#1012382).
- can: esd_usb2: Fix can_dlc value for received RTR, frames (bnc#1012382).
- can: gs_usb: fix busy loop if no more TX context is available
(bnc#1012382).
- ceph: avoid panic in create_session_open_msg() if utsname() returns NULL
(bsc#1061451).
- ceph: check negative offsets in ceph_llseek() (bsc#1061451).
- ceph: clean up unsafe d_parent accesses in build_dentry_path
(bnc#1012382).
- cifs: fix circular locking dependency (bsc#1064701).
- cifs: Fix SMB3.1.1 guest authentication to Samba (bnc#1012382).
- cifs: Reconnect expired SMB sessions (bnc#1012382).
- cifs: release auth_key.response for reconnect (bnc#1012382).
- clockevents/drivers/cs5535: Improve resilience to spurious interrupts
(bnc#1012382).
- cpufreq: CPPC: add ACPI_PROCESSOR dependency (bnc#1012382).
- crypto: AF_ALG - remove SGL terminator indicator when chaining
(bnc#1012382).
- crypto: shash - Fix zero-length shash ahash digest crash (bnc#1012382).
- crypto: talitos - Do not provide setkey for non hmac hashing algs
(bnc#1012382).
- crypto: talitos - fix sha224 (bnc#1012382).
- crypto: xts - Add ECB dependency (bnc#1012382).
- cxl: Fix driver use count (bnc#1012382).
- direct-io: Prevent NULL pointer access in submit_page_section
(bnc#1012382).
- dmaengine: edma: Align the memcpy acnt array size with the transfer
(bnc#1012382).
- dmaengine: mmp-pdma: add number of requestors (bnc#1012382).
- driver core: platform: Do not read past the end of "driver_override"
buffer (bnc#1012382).
- drivers: firmware: psci: drop duplicate const from psci_of_match
(bnc#1012382).
- drivers: hv: fcopy: restore correct transfer length (bnc#1012382).
- drm: Add driver-private objects to atomic state (bsc#1055493).
- drm/amdkfd: fix improper return value on error (bnc#1012382).
- drm: bridge: add DT bindings for TI ths8135 (bnc#1012382).
- drm/dp: Introduce MST topology state to track available link bandwidth
(bsc#1055493).
- drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define (bnc#1012382).
- drm/i915/bios: ignore HDMI on port A (bnc#1012382).
- drm/nouveau/bsp/g92: disable by default (bnc#1012382).
- drm/nouveau/mmu: flush tlbs before deleting page tables (bnc#1012382).
- ext4: do not allow encrypted operations without keys (bnc#1012382).
- ext4: fix incorrect quotaoff if the quota feature is enabled
(bnc#1012382).
- ext4: fix quota inconsistency during orphan cleanup for read-only mounts
(bnc#1012382).
- ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets
(bnc#1012382).
- extcon: axp288: Use vbus-valid instead of -present to determine cable
presence (bnc#1012382).
- exynos-gsc: Do not swap cb/cr for semi planar formats (bnc#1012382).
- f2fs: check hot_data for roll-forward recovery (bnc#1012382).
- f2fs crypto: add missing locking for keyring_key access (bnc#1012382).
- f2fs crypto: replace some BUG_ON()'s with error checks (bnc#1012382).
- f2fs: do not wait for writeback in write_begin (bnc#1012382).
- fix unbalanced page refcounting in bio_map_user_iov (bnc#1012382).
- fix whitespace according to upstream commit
- fix xen_swiotlb_dma_mmap prototype (bnc#1012382).
- fs-cache: fix dereference of NULL user_key_payload (bnc#1012382).
- fscrypt: fix dereference of NULL user_key_payload (bnc#1012382).
- fscrypto: require write access to mount to set encryption policy
(bnc#1012382).
- fs/epoll: cache leftmost node (bsc#1056427).
- ftrace: Fix kmemleak in unregister_ftrace_graph (bnc#1012382).
- ftrace: Fix memleak when unregistering dynamic ops when tracing disabled
(bnc#1012382).
- ftrace: Fix selftest goto location on error (bnc#1012382).
- genirq: Fix for_each_action_of_desc() macro (bsc#1061064).
- getcwd: Close race with d_move called by lustre (bsc#1052593).
- gfs2: Fix debugfs glocks dump (bnc#1012382).
- gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next (bnc#1012382).
- gianfar: Fix Tx flow control deactivation (bnc#1012382).
- hid: i2c-hid: allocate hid buffers for real worst case (bnc#1012382).
- hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch
(bnc#1022967).
- hid: usbhid: fix out-of-bounds bug (bnc#1012382).
- hpsa: correct lun data caching bitmap definition (bsc#1028971).
- hwmon: (gl520sm) Fix overflows and crash seen when writing into limit
attributes (bnc#1012382).
- i2c: at91: ensure state is restored after suspending (bnc#1012382).
- i2c: ismt: Separate I2C block read from SMBus block read (bnc#1012382).
- i2c: meson: fix wrong variable usage in meson_i2c_put_data (bnc#1012382).
- i40e: Initialize 64-bit statistics TX ring seqcount (bsc#969476
FATE#319648 bsc#969477 FATE#319816).
- i40iw: Add missing memory barriers (bsc#969476 FATE#319648 bsc#969477
FATE#319816).
- i40iw: Fix port number for query QP (bsc#969476 FATE#319648 bsc#969477
FATE#319816).
- ib/core: Fix for core panic (bsc#1022595 FATE#322350).
- ib/core: Fix the validations of a multicast LID in attach or detach
operations (bsc#1022595 FATE#322350).
- ib/i40iw: Fix error code in i40iw_create_cq() (bsc#969476 FATE#319648
bsc#969477 FATE#319816).
- ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382).
- ib/ipoib: Replace list_del of the neigh->list with list_del_init
(bnc#1012382).
- ib/ipoib: rtnl_unlock can not come after free_netdev (bnc#1012382).
- ib/mlx5: Fix Raw Packet QP event handler assignment (bsc#966170
FATE#320225 bsc#966172 FATE#320226).
- ibmvnic: Set state UP (bsc#1062962).
- ib/qib: fix false-postive maybe-uninitialized warning (bnc#1012382).
- igb: re-assign hw address pointer on reset after PCI error (bnc#1012382).
- iio: ad7793: Fix the serial interface reset (bnc#1012382).
- iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register
modifications (bnc#1012382).
- iio: adc: hx711: Add DT binding for avia,hx711 (bnc#1012382).
- iio: adc: mcp320x: Fix oops on module unload (bnc#1012382).
- iio: adc: mcp320x: Fix readout of negative voltages (bnc#1012382).
- iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling
path of 'twl4030_madc_probe()' (bnc#1012382).
- iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
(bnc#1012382).
- iio: adc: xilinx: Fix error handling (bnc#1012382).
- iio: ad_sigma_delta: Implement a dedicated reset function (bnc#1012382).
- iio: core: Return error for failed read_reg (bnc#1012382).
- input: i8042 - add Gigabyte P57 to the keyboard reset table
(bnc#1012382).
- iommu/amd: Finish TLB flush in amd_iommu_unmap() (bnc#1012382).
- iommu/io-pgtable-arm: Check for leaf entry before dereferencing it
(bnc#1012382).
- iommu/vt-d: Avoid calling virt_to_phys() on null pointer (bsc#1061067).
- ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
(bnc#1012382).
- ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
(bnc#1012382).
- ipv6: add rcu grace period before freeing fib6_node (bnc#1012382).
- ipv6: fix memory leak with multiple tables during netns destruction
(bnc#1012382).
- ipv6: fix sparse warning on rt6i_node (bnc#1012382).
- ipv6: fix typo in fib6_net_exit() (bnc#1012382).
- irqchip/crossbar: Fix incorrect type of local variables (bnc#1012382).
- isdn/i4l: fetch the ppp_write buffer in one shot (bnc#1012382).
- iwlwifi: add workaround to disable wide channels in 5GHz (bnc#1012382).
- iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD (bnc#1012382).
- ixgbe: Fix incorrect bitwise operations of PTP Rx timestamp flags
(bsc#969474 FATE#319812 bsc#969475 FATE#319814).
- kABI: protect struct l2tp_tunnel (kabi).
- kABI: protect struct rm_data_op (kabi).
- kABI: protect struct sdio_func (kabi).
- keys: do not let add_key() update an uninstantiated key (bnc#1012382).
- keys: encrypted: fix dereference of NULL user_key_payload (bnc#1012382).
- keys: Fix race between updating and finding a negative key (bnc#1012382).
- keys: fix writing past end of user-supplied buffer in keyring_read()
(bnc#1012382).
- keys: prevent creating a different user's keyrings (bnc#1012382).
- keys: prevent KEYCTL_READ on negative key (bnc#1012382).
- kvm: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready"
exceptions simultaneously (bsc#1061017).
- kvm: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
(bnc#1012382).
- kvm: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
(bnc#1012382).
- kvm: SVM: Add a missing 'break' statement (bsc#1061017).
- kvm: VMX: do not change SN bit in vmx_update_pi_irte() (bsc#1061017).
- kvm: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
(bsc#1061017).
- kvm: VMX: use cmpxchg64 (bnc#1012382).
- l2tp: Avoid schedule while atomic in exit_net (bnc#1012382).
- l2tp: fix race condition in l2tp_tunnel_delete (bnc#1012382).
- libata: transport: Remove circular dependency at free time (bnc#1012382).
- lib/digsig: fix dereference of NULL user_key_payload (bnc#1012382).
- locking/lockdep: Add nest_lock integrity test (bnc#1012382).
- lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
(bnc#1012382).
- mac80211: fix power saving clients handling in iwlwifi (bnc#1012382).
- mac80211: flush hw_roc_start work before cancelling the ROC
(bnc#1012382).
- mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length (bnc#1012382).
- md/bitmap: disable bitmap_resize for file-backed bitmaps (bsc#1061172).
- md/linear: shutup lockdep warnning (bnc#1012382).
- md/raid10: submit bio directly to replacement disk (bnc#1012382).
- md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
(bnc#1012382).
- md/raid5: release/flush io in raid5_do_work() (bnc#1012382).
- media: uvcvideo: Prevent heap overflow when accessing mapped controls
(bnc#1012382).
- media: v4l2-compat-ioctl32: Fix timespec conversion (bnc#1012382).
- mips: Ensure bss section ends on a long-aligned address (bnc#1012382).
- mips: Fix minimum alignment requirement of IRQ stack (git-fixes).
- mips: IRQ Stack: Unwind IRQ stack onto task stack (bnc#1012382).
- mips: Lantiq: Fix another request_mem_region() return code check
(bnc#1012382).
- mips: math-emu:
References
#1012382 #1017461 #1020645 #1022595 #1022600
#1022914 #1022967 #1025461 #1028971 #1030061
#1034048 #1037890 #1052593 #1053919 #1055493
#1055567 #1055755 #1055896 #1056427 #1058135
#1058410 #1058624 #1059051 #1059465 #1059863
#1060197 #1060985 #1061017 #1061046 #1061064
#1061067 #1061172 #1061451 #1061831 #1061872
#1062520 #1062962 #1063460 #1063475 #1063501
#1063509 #1063520 #1063667 #1063695 #1064206
#1064388 #1064701 #964944 #966170 #966172
#966186 #966191 #966316 #966318 #969474 #969475
#969476 #969477 #971975 #974590 #996376
Cross-References: CVE-2017-12153 CVE-2017-13080 CVE-2017-14489
CVE-2017-15265 CVE-2017-15649
Affected Products:
SUSE Linux Enterprise Real Time Extension 12-SP2
https://www.suse.com/security/cve/CVE-2017-12153.html
https://www.suse.com/security/cve/CVE-2017-13080.html
https://www.suse.com/security/cve/CVE-2017-14489.html
https://www.suse.com/security/cve/CVE-2017-15265.html
https://www.suse.com/security/cve/CVE-2017-15649.html
https://bugzilla.suse.com/1012382
https://bugzilla.suse.com/1017461
https://bugzilla.suse.com/1020645
https://bugzilla.suse.com/1022595
https://bugzilla.suse.com/1022600
https://bugzilla.suse.com/1022914
https://bugzilla.suse.com/1022967
https://bugzilla.suse.com/1025461
https://bugzilla.suse.com/1028971
https://bugzilla.suse.com/1030061
https://bugzilla.suse.com/1034048
https://bugzilla.suse.com/1037890
https://bugzilla.suse.com/1052593
https://bugzilla.suse.com/1053919
https://bugzilla.suse.com/1055493
https://bugzilla.suse.com/1055567
https://bugzilla.suse.com/1055755
https://bugzilla.suse.com/1055896
https://bugzilla.suse.com/1056427
https://bugzilla.suse.com/1058135
https://bugzilla.suse.com/1058410
https://bugzilla.suse.com/1058624
https://bugzilla.suse.com/1059051
https://bugzilla.suse.com/1059465
https://bugzilla.suse.com/1059863
https://bugzilla.suse.com/1060197
https://bugzilla.suse.com/1060985
https://bugzilla.suse.com/1061017
https://bugzilla.suse.com/1061046
https://bugzilla.suse.com/1061064
https://bugzilla.suse.com/1061067
https://bugzilla.suse.com/1061172
https://bugzilla.suse.com/1061451
https://bugzilla.suse.com/1061831
https://bugzilla.suse.com/1061872
https://bugzilla.suse.com/1062520
https://bugzilla.suse.com/1062962
https://bugzilla.suse.com/1063460
https://bugzilla.suse.com/1063475
https://bugzilla.suse.com/1063501
https://bugzilla.suse.com/1063509
https://bugzilla.suse.com/1063520
https://bugzilla.suse.com/1063667
https://bugzilla.suse.com/1063695
https://bugzilla.suse.com/1064206
https://bugzilla.suse.com/1064388
https://bugzilla.suse.com/1064701
https://bugzilla.suse.com/964944
https://bugzilla.suse.com/966170
https://bugzilla.suse.com/966172
https://bugzilla.suse.com/966186
https://bugzilla.suse.com/966191
https://bugzilla.suse.com/966316
https://bugzilla.suse.com/966318
https://bugzilla.suse.com/969474
https://bugzilla.suse.com/969475
https://bugzilla.suse.com/969476
https://bugzilla.suse.com/969477
https://bugzilla.suse.com/971975
https://bugzilla.suse.com/974590
https://bugzilla.suse.com/996376