Security update for the Linux Kernel

SUSE Security Update: Security update for the Linux Kernel

---

Announcement ID:	SUSE-SU-2016:0168-1
Rating:	important
References:	#758040 #902606 #924919 #935087 #937261 #943959 #945649 #949440 #951155 #951199 #951392 #951615 #951638 #952579 #952976 #956708 #956801 #956876 #957395 #957546 #957988 #957990 #958463 #958504 #958510 #958647 #958886 #958951 #959190 #959364 #959399 #959436 #959705 #960300
Affected Products:	SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Module for Public Cloud 12 SUSE Linux Enterprise Live Patching 12 SUSE Linux Enterprise Desktop 12

---

An update that solves 8 vulnerabilities and has 26 fixes is now available.

Description:

The SUSE Linux Enterprise 12 kernel was updated to receive various
security and bugfixes.

Following security bugs were fixed:
- CVE-2015-7550: A local user could have triggered a race between read and
revoke in keyctl (bnc#958951).
- CVE-2015-8539: A negatively instantiated user key could have been used
by a local user to leverage privileges (bnc#958463).
- CVE-2015-8543: The networking implementation in the Linux kernel did not
validate protocol identifiers for certain protocol families, which
allowed local users to cause a denial of service (NULL function pointer
dereference and system crash) or possibly gain privileges by leveraging
CLONE_NEWUSER support to execute a crafted SOCK_RAW application
(bnc#958886).
- CVE-2015-8550: Compiler optimizations in the XEN PV backend drivers
could have lead to double fetch vulnerabilities, causing denial of
service or arbitrary code execution (depending on the configuration)
(bsc#957988).
- CVE-2015-8551, CVE-2015-8552: xen/pciback: For
XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled
(bsc#957990).
- CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in
drivers/net/ppp/pptp.c in the Linux kernel did not verify an address
length, which allowed local users to obtain sensitive information from
kernel memory and bypass the KASLR protection mechanism via a crafted
application (bnc#959190).
- CVE-2015-8575: Validate socket address length in sco_sock_bind() to
prevent information leak (bsc#959399).

The following non-security bugs were fixed:
- ACPICA: Correctly cleanup after a ACPI table load failure (bnc#937261).
- ALSA: hda - Fix noise problems on Thinkpad T440s (boo#958504).
- Input: aiptek - fix crash on detecting device without endpoints
(bnc#956708).
- Re-add copy_page_vector_to_user()
- Refresh patches.xen/xen3-patch-3.12.46-47 (bsc#959705).
- Refresh patches.xen/xen3-patch-3.9 (bsc#951155).
- Update
patches.suse/btrfs-8361-Btrfs-keep-dropped-roots-in-cache-until-transaction
-.patch (bnc#935087, bnc#945649, bnc#951615).
- bcache: Add btree_insert_node() (bnc#951638).
- bcache: Add explicit keylist arg to btree_insert() (bnc#951638).
- bcache: Clean up keylist code (bnc#951638).
- bcache: Convert btree_insert_check_key() to btree_insert_node()
(bnc#951638).
- bcache: Convert bucket_wait to wait_queue_head_t (bnc#951638).
- bcache: Convert try_wait to wait_queue_head_t (bnc#951638).
- bcache: Explicitly track btree node's parent (bnc#951638).
- bcache: Fix a bug when detaching (bsc#951638).
- bcache: Fix a lockdep splat in an error path (bnc#951638).
- bcache: Fix a shutdown bug (bsc#951638).
- bcache: Fix more early shutdown bugs (bsc#951638).
- bcache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
- bcache: Insert multiple keys at a time (bnc#951638).
- bcache: Refactor journalling flow control (bnc#951638).
- bcache: Refactor request_write() (bnc#951638).
- bcache: Use blkdev_issue_discard() (bnc#951638).
- bcache: backing device set to clean after finishing detach (bsc#951638).
- bcache: kill closure locking usage (bnc#951638).
- blktap: also call blkif_disconnect() when frontend switched to closed
(bsc#952976).
- blktap: refine mm tracking (bsc#952976).
- block: Always check queue limits for cloned requests (bsc#902606).
- btrfs: Add qgroup tracing (bnc#935087, bnc#945649).
- btrfs: Adjust commit-transaction condition to avoid NO_SPACE more
(bsc#958647).
- btrfs: Fix out-of-space bug (bsc#958647).
- btrfs: Fix tail space processing in find_free_dev_extent() (bsc#958647).
- btrfs: Set relative data on clear btrfs_block_group_cache->pinned
(bsc#958647).
- btrfs: Update btrfs qgroup status item when rescan is done (bnc#960300).
- btrfs: backref: Add special time_seq == (u64)-1 case for
btrfs_find_all_roots() (bnc#935087, bnc#945649).
- btrfs: backref: Do not merge refs which are not for same block
(bnc#935087, bnc#945649).
- btrfs: cleanup: remove no-used alloc_chunk in
btrfs_check_data_free_space() (bsc#958647).
- btrfs: delayed-ref: Cleanup the unneeded functions (bnc#935087,
bnc#945649).
- btrfs: delayed-ref: Use list to replace the ref_root in ref_head
(bnc#935087, bnc#945649).
- btrfs: extent-tree: Use ref_node to replace unneeded parameters in
__inc_extent_ref() and __free_extent() (bnc#935087, bnc#945649).
- btrfs: fix comp_oper to get right order (bnc#935087, bnc#945649).
- btrfs: fix condition of commit transaction (bsc#958647).
- btrfs: fix leak in qgroup_subtree_accounting() error path (bnc#935087,
bnc#945649).
- btrfs: fix order by which delayed references are run (bnc#949440).
- btrfs: fix qgroup sanity tests (bnc#951615).
- btrfs: fix race waiting for qgroup rescan worker (bnc#960300).
- btrfs: fix regression running delayed references when using qgroups
(bnc#951615).
- btrfs: fix regression when running delayed references (bnc#951615).
- btrfs: fix sleeping inside atomic context in qgroup rescan worker
(bnc#960300).
- btrfs: fix the number of transaction units needed to remove a block
group (bsc#958647).
- btrfs: keep dropped roots in cache until transaction commit (bnc#935087,
bnc#945649).
- btrfs: qgroup: Add function qgroup_update_counters() (bnc#935087,
bnc#945649).
- btrfs: qgroup: Add function qgroup_update_refcnt() (bnc#935087,
bnc#945649).
- btrfs: qgroup: Add new function to record old_roots (bnc#935087,
bnc#945649).
- btrfs: qgroup: Add new qgroup calculation function
btrfs_qgroup_account_extents() (bnc#935087, bnc#945649).
- btrfs: qgroup: Add the ability to skip given qgroup for old/new_roots
(bnc#935087, bnc#945649).
- btrfs: qgroup: Cleanup open-coded old/new_refcnt update and read
(bnc#935087, bnc#945649).
- btrfs: qgroup: Cleanup the old ref_node-oriented mechanism (bnc#935087,
bnc#945649).
- btrfs: qgroup: Do not copy extent buffer to do qgroup rescan
(bnc#960300).
- btrfs: qgroup: Fix a regression in qgroup reserved space (bnc#935087,
bnc#945649).
- btrfs: qgroup: Make snapshot accounting work with new extent-oriented
qgroup (bnc#935087, bnc#945649).
- btrfs: qgroup: Record possible quota-related extent for qgroup
(bnc#935087, bnc#945649).
- btrfs: qgroup: Switch rescan to new mechanism (bnc#935087, bnc#945649).
- btrfs: qgroup: Switch self test to extent-oriented qgroup mechanism
(bnc#935087, bnc#945649).
- btrfs: qgroup: Switch to new extent-oriented qgroup mechanism
(bnc#935087, bnc#945649).
- btrfs: qgroup: account shared subtree during snapshot delete
(bnc#935087, bnc#945649).
- btrfs: qgroup: clear STATUS_FLAG_ON in disabling quota (bnc#960300).
- btrfs: qgroup: exit the rescan worker during umount (bnc#960300).
- btrfs: qgroup: fix quota disable during rescan (bnc#960300).
- btrfs: qgroup: move WARN_ON() to the correct location (bnc#935087,
bnc#945649).
- btrfs: remove transaction from send (bnc#935087, bnc#945649).
- btrfs: ulist: Add ulist_del() function (bnc#935087, bnc#945649).
- btrfs: use btrfs_get_fs_root in resolve_indirect_ref (bnc#935087,
bnc#945649).
- btrfs: use global reserve when deleting unused block group after ENOSPC
(bsc#958647).
- cache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
- cpusets, isolcpus: exclude isolcpus from load balancing in cpusets
(bsc#957395).
- drm/i915: Fix SRC_COPY width on 830/845g (bsc#758040).
- drm: Allocate new master object when client becomes master (bsc#956876,
bsc#956801).
- drm: Fix KABI of "struct drm_file" (bsc#956876, bsc#956801).
- e1000e: Do not read ICR in Other interrupt (bsc#924919).
- e1000e: Do not write lsc to ics in msi-x mode (bsc#924919).
- e1000e: Fix msi-x interrupt automask (bsc#924919).
- e1000e: Remove unreachable code (bsc#924919).
- genksyms: Handle string literals with spaces in reference files
(bsc#958510).
- ipv6: fix tunnel error handling (bsc#952579).
- lpfc: Fix null ndlp dereference in target_reset_handler (bsc#951392).
- mm/mempolicy.c: convert the shared_policy lock to a rwlock (bnc#959436).
- mm: remove PG_waiters from PAGE_FLAGS_CHECK_AT_FREE (bnc#943959).
- pm, hinernate: use put_page in release_swap_writer (bnc#943959).
- sched, isolcpu: make cpu_isolated_map visible outside scheduler
(bsc#957395).
- udp: properly support MSG_PEEK with truncated buffers (bsc#951199
bsc#959364).
- xhci: Workaround to get Intel xHCI reset working more reliably
(bnc#957546).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 12:
  zypper in -t patch SUSE-SLE-WE-12-2016-107=1
• SUSE Linux Enterprise Software Development Kit 12:
  zypper in -t patch SUSE-SLE-SDK-12-2016-107=1
• SUSE Linux Enterprise Server 12:
  zypper in -t patch SUSE-SLE-SERVER-12-2016-107=1
• SUSE Linux Enterprise Module for Public Cloud 12:
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-107=1
• SUSE Linux Enterprise Live Patching 12:
  zypper in -t patch SUSE-SLE-Live-Patching-12-2016-107=1
• SUSE Linux Enterprise Desktop 12:
  zypper in -t patch SUSE-SLE-DESKTOP-12-2016-107=1

To bring your system up-to-date, use "zypper patch".

Package List:

• SUSE Linux Enterprise Workstation Extension 12 (x86_64):
  • kernel-default-debuginfo-3.12.51-52.34.1
  • kernel-default-debugsource-3.12.51-52.34.1
  • kernel-default-extra-3.12.51-52.34.1
  • kernel-default-extra-debuginfo-3.12.51-52.34.1
• SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
  • kernel-obs-build-3.12.51-52.34.1
  • kernel-obs-build-debugsource-3.12.51-52.34.1
• SUSE Linux Enterprise Software Development Kit 12 (noarch):
  • kernel-docs-3.12.51-52.34.3
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
  • kernel-default-3.12.51-52.34.1
  • kernel-default-base-3.12.51-52.34.1
  • kernel-default-base-debuginfo-3.12.51-52.34.1
  • kernel-default-debuginfo-3.12.51-52.34.1
  • kernel-default-debugsource-3.12.51-52.34.1
  • kernel-default-devel-3.12.51-52.34.1
  • kernel-syms-3.12.51-52.34.1
• SUSE Linux Enterprise Server 12 (x86_64):
  • kernel-xen-3.12.51-52.34.1
  • kernel-xen-base-3.12.51-52.34.1
  • kernel-xen-base-debuginfo-3.12.51-52.34.1
  • kernel-xen-debuginfo-3.12.51-52.34.1
  • kernel-xen-debugsource-3.12.51-52.34.1
  • kernel-xen-devel-3.12.51-52.34.1
• SUSE Linux Enterprise Server 12 (noarch):
  • kernel-devel-3.12.51-52.34.1
  • kernel-macros-3.12.51-52.34.1
  • kernel-source-3.12.51-52.34.1
• SUSE Linux Enterprise Server 12 (s390x):
  • kernel-default-man-3.12.51-52.34.1
• SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):
  • kernel-ec2-3.12.51-52.34.1
  • kernel-ec2-debuginfo-3.12.51-52.34.1
  • kernel-ec2-debugsource-3.12.51-52.34.1
  • kernel-ec2-devel-3.12.51-52.34.1
  • kernel-ec2-extra-3.12.51-52.34.1
  • kernel-ec2-extra-debuginfo-3.12.51-52.34.1
• SUSE Linux Enterprise Live Patching 12 (x86_64):
  • kgraft-patch-3_12_51-52_34-default-1-2.1
  • kgraft-patch-3_12_51-52_34-xen-1-2.1
• SUSE Linux Enterprise Desktop 12 (x86_64):
  • kernel-default-3.12.51-52.34.1
  • kernel-default-debuginfo-3.12.51-52.34.1
  • kernel-default-debugsource-3.12.51-52.34.1
  • kernel-default-devel-3.12.51-52.34.1
  • kernel-default-extra-3.12.51-52.34.1
  • kernel-default-extra-debuginfo-3.12.51-52.34.1
  • kernel-syms-3.12.51-52.34.1
  • kernel-xen-3.12.51-52.34.1
  • kernel-xen-debuginfo-3.12.51-52.34.1
  • kernel-xen-debugsource-3.12.51-52.34.1
  • kernel-xen-devel-3.12.51-52.34.1
• SUSE Linux Enterprise Desktop 12 (noarch):
  • kernel-devel-3.12.51-52.34.1
  • kernel-macros-3.12.51-52.34.1
  • kernel-source-3.12.51-52.34.1

References:

• https://www.suse.com/security/cve/CVE-2015-7550.html
• https://www.suse.com/security/cve/CVE-2015-8539.html
• https://www.suse.com/security/cve/CVE-2015-8543.html
• https://www.suse.com/security/cve/CVE-2015-8550.html
• https://www.suse.com/security/cve/CVE-2015-8551.html
• https://www.suse.com/security/cve/CVE-2015-8552.html
• https://www.suse.com/security/cve/CVE-2015-8569.html
• https://www.suse.com/security/cve/CVE-2015-8575.html
• https://bugzilla.suse.com/758040
• https://bugzilla.suse.com/902606
• https://bugzilla.suse.com/924919
• https://bugzilla.suse.com/935087
• https://bugzilla.suse.com/937261
• https://bugzilla.suse.com/943959
• https://bugzilla.suse.com/945649
• https://bugzilla.suse.com/949440
• https://bugzilla.suse.com/951155
• https://bugzilla.suse.com/951199
• https://bugzilla.suse.com/951392
• https://bugzilla.suse.com/951615
• https://bugzilla.suse.com/951638
• https://bugzilla.suse.com/952579
• https://bugzilla.suse.com/952976
• https://bugzilla.suse.com/956708
• https://bugzilla.suse.com/956801
• https://bugzilla.suse.com/956876
• https://bugzilla.suse.com/957395
• https://bugzilla.suse.com/957546
• https://bugzilla.suse.com/957988
• https://bugzilla.suse.com/957990
• https://bugzilla.suse.com/958463
• https://bugzilla.suse.com/958504
• https://bugzilla.suse.com/958510
• https://bugzilla.suse.com/958647
• https://bugzilla.suse.com/958886
• https://bugzilla.suse.com/958951
• https://bugzilla.suse.com/959190
• https://bugzilla.suse.com/959364
• https://bugzilla.suse.com/959399
• https://bugzilla.suse.com/959436
• https://bugzilla.suse.com/959705
• https://bugzilla.suse.com/960300