Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2016:3069-1
Rating:	important
References:	bsc#1000189 bsc#1001419 bsc#1002165 bsc#1004418 bsc#732582 bsc#839104 bsc#843236 bsc#909994 bsc#911687 bsc#915183 bsc#920016 bsc#934760 bsc#951392 bsc#956514 bsc#960689 bsc#963655 bsc#971975 bsc#971989 bsc#974620 bsc#976867 bsc#977687 bsc#979514 bsc#979595 bsc#979681 bsc#980371 bsc#982218 bsc#982783 bsc#983535 bsc#983619 bsc#984102 bsc#984194 bsc#984992 bsc#985206 bsc#986362 bsc#986365 bsc#986445 bsc#987565 bsc#988440 bsc#989152 bsc#989261 bsc#989779 bsc#991608 bsc#991665 bsc#991923 bsc#992566 bsc#993127 bsc#993890 bsc#993891 bsc#994296 bsc#994436 bsc#994618 bsc#994759 bsc#994926 bsc#996329 bsc#996664 bsc#997708 bsc#998399 bsc#999584 bsc#999600 bsc#999932
Cross-References:	CVE-2013-4312 CVE-2015-7513 CVE-2016-0823 CVE-2016-3841 CVE-2016-4997 CVE-2016-4998 CVE-2016-5195 CVE-2016-5696 CVE-2016-6480 CVE-2016-6828 CVE-2016-7425
CVSS scores:	CVE-2013-4312 ( NVD ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7513 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2016-0823 ( NVD ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2016-3841 ( NVD ): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2016-4997 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-4997 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-4998 ( NVD ): 7.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2016-5195 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-5195 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-5195 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-5696 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L CVE-2016-5696 ( NVD ): 4.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L CVE-2016-6480 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-6480 ( NVD ): 5.1 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-6828 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-7425 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-7425 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Real Time Extension 11 SP4

An update that solves 11 vulnerabilities and has 49 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes.

This feature was added:

• Support for the 2017 Intel Purley platform.

The following security bugs were fixed:

• CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004418).
• CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759).
• CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call (bnc#992566).
• CVE-2016-6828: Use after free in tcp_xmit_retransmit_queue or other tcp_ functions (bsc#994296)
• CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack (bnc#989152)
• CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability (bnc#991608)
• CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362).
• CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT counter values during state restoration, which allowed guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions (bnc#960689).
• CVE-2013-4312: The Linux kernel allowed local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket closing it, related to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104).
• CVE-2016-7425: A buffer overflow in the Linux Kernel in arcmsr_iop_message_xfer() could have caused kernel heap corruption and arbitraty kernel code execution (bsc#999932)

The following non-security bugs were fixed:

• ahci: Order SATA device IDs for codename Lewisburg.
• AHCI: Remove obsolete Intel Lewisburg SATA RAID device IDs.
• ALSA: hda - Add Intel Lewisburg device IDs Audio.
• avoid dentry crash triggered by NFS (bsc#984194).
• blktap2: eliminate deadlock potential from shutdown path (bsc#909994).
• blktap2: eliminate race from deferred work queue handling (bsc#911687).
• bonding: always set recv_probe to bond_arp_rcv in arp monitor (bsc#977687).
• bonding: fix bond_arp_rcv setting and arp validate desync state (bsc#977687).
• btrfs: account for non-CoW'd blocks in btrfs_abort_transaction (bsc#983619).
• btrfs: ensure that file descriptor used with subvol ioctls is a dir (bsc#999600).
• cdc-acm: added sanity checking for probe() (bsc#993891).
• cxgb4: Set VPD size so we can read both VPD structures (bsc#976867).
• Delete patches.fixes/net-fix-crash-due-to-wrong-dev-in-calling.patch. (bsc#979514)
• fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681)
• fs/select: add vmalloc fallback for select(2) (bsc#1000189).
• fs/select: introduce SIZE_MAX (bsc#1000189).
• i2c: i801: add Intel Lewisburg device IDs.
• include/linux/mmdebug.h: should include linux/bug.h (bnc#971975 VM performance -- git fixes).
• increase CONFIG_NR_IRQS 512 -> 2048 reportedly irq error with multiple nvme and tg3 in the same machine is resolved by increasing CONFIG_NR_IRQS (bsc#998399)
• kabi, unix: properly account for FDs passed over unix sockets (bnc#839104).
• kaweth: fix firmware download (bsc#993890).
• kaweth: fix oops upon failed memory allocation (bsc#993890).
• KVM: x86: SYSENTER emulation is broken (bsc#994618).
• libfc: sanity check cpu number extracted from xid (bsc#988440).
• lpfc: call lpfc_sli_validate_fcp_iocb() with the hbalock held (bsc#951392).
• md: lockless I/O submission for RAID1 (bsc#982783).
• mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED (VM Functionality, bnc#986445).
• mpt2sas, mpt3sas: Fix panic when aer correct error occurred (bsc#997708).
• net: add pfmemalloc check in sk_add_backlog() (bnc#920016).
• netback: fix flipping mode (bsc#996664).
• nfs: Do not drop directory dentry which is in use (bsc#993127).
• nfs: Don't disconnect open-owner on NFS4ERR_BAD_SEQID (bsc#989261).
• nfs: Don't write enable new pages while an invalidation is proceeding (bsc#999584).
• nfs: Fix a regression in the read() syscall (bsc#999584).
• nfs: Fix races in nfs_revalidate_mapping (bsc#999584).
• nfs: fix the handling of NFS_INO_INVALID_DATA flag in nfs_revalidate_mapping (bsc#999584).
• nfs: Fix writeback performance issue on cache invalidation (bsc#999584).
• nfs: Refresh open-owner id when server says SEQID is bad (bsc#989261).
• nfsv4: do not check MAY_WRITE access bit in OPEN (bsc#985206).
• nfsv4: fix broken patch relating to v4 read delegations (bsc#956514, bsc#989261, bsc#979595).
• nfsv4: Fix range checking in __nfs4_get_acl_uncached and __nfs4_proc_set_acl (bsc#982218).
• pci: Add pci_set_vpd_size() to set VPD size (bsc#976867).
• pciback: fix conf_space read/write overlap check.
• powerpc: add kernel parameter iommu_alloc_quiet (bsc#994926).
• ppp: defer netns reference release for ppp channel (bsc#980371).
• random32: add prandom_u32_max (bsc#989152).
• rpm/constraints.in: Bump x86 disk space requirement to 20GB Clamav tends to run out of space nowadays.
• s390/dasd: fix hanging device after clear subchannel (bnc#994436).
• sata: Adding Intel Lewisburg device IDs for SATA.
• sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule() (bnc#1001419).
• sched/core: Fix a race between try_to_wake_up() and a woken up task (bnc#1002165).
• sched: Fix possible divide by zero in avg_atom() calculation (bsc#996329).
• scsi_dh_rdac: retry inquiry for UNIT ATTENTION (bsc#934760).
• scsi: do not print "reservation conflict" for TEST UNIT READY (bsc#984102).
• scsi: ibmvfc: add FC Class 3 Error Recovery support (bsc#984992).
• scsi: ibmvfc: Fix I/O hang when port is not mapped (bsc#971989)
• scsi: ibmvfc: Set READ FCP_XFER_READY DISABLED bit in PRLI (bsc#984992).
• scsi_scan: Send TEST UNIT READY to LUN0 before LUN scanning (bnc#843236,bsc#989779).
• tmpfs: change final i_blocks BUG to WARNING (bsc#991923).
• Update patches.drivers/fcoe-0102-fcoe-ensure-that-skb-placed-on-the-fip_recv_list-are.patch (add bsc#732582 reference).
• USB: fix typo in wMaxPacketSize validation (bsc#991665).
• USB: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).
• vlan: don't deliver frames for unknown vlans to protocols (bsc#979514).
• vlan: mask vlan prio bits (bsc#979514).
• xenbus: inspect the correct type in xenbus_dev_request_and_reply().
• xen: x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).
• xfs: Avoid grabbing ilock when file size is not changed (bsc#983535).
• xfs: Silence warnings in xfs_vm_releasepage() (bnc#915183 bsc#987565).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Real Time Extension 11 SP4
  zypper in -t patch slertesp4-kernel-source-12880=1

Package List:

• SUSE Linux Enterprise Real Time Extension 11 SP4 (nosrc x86_64)
  • kernel-rt_trace-3.0.101.rt130-65.1
  • kernel-rt-3.0.101.rt130-65.1
• SUSE Linux Enterprise Real Time Extension 11 SP4 (x86_64)
  • kernel-rt_trace-devel-3.0.101.rt130-65.1
  • kernel-syms-rt-3.0.101.rt130-65.1
  • kernel-rt_trace-base-3.0.101.rt130-65.1
  • kernel-source-rt-3.0.101.rt130-65.1
  • kernel-rt-base-3.0.101.rt130-65.1
  • kernel-rt-devel-3.0.101.rt130-65.1

References:

• https://www.suse.com/security/cve/CVE-2013-4312.html
• https://www.suse.com/security/cve/CVE-2015-7513.html
• https://www.suse.com/security/cve/CVE-2016-0823.html
• https://www.suse.com/security/cve/CVE-2016-3841.html
• https://www.suse.com/security/cve/CVE-2016-4997.html
• https://www.suse.com/security/cve/CVE-2016-4998.html
• https://www.suse.com/security/cve/CVE-2016-5195.html
• https://www.suse.com/security/cve/CVE-2016-5696.html
• https://www.suse.com/security/cve/CVE-2016-6480.html
• https://www.suse.com/security/cve/CVE-2016-6828.html
• https://www.suse.com/security/cve/CVE-2016-7425.html
• https://bugzilla.suse.com/show_bug.cgi?id=1000189
• https://bugzilla.suse.com/show_bug.cgi?id=1001419
• https://bugzilla.suse.com/show_bug.cgi?id=1002165
• https://bugzilla.suse.com/show_bug.cgi?id=1004418
• https://bugzilla.suse.com/show_bug.cgi?id=732582
• https://bugzilla.suse.com/show_bug.cgi?id=839104
• https://bugzilla.suse.com/show_bug.cgi?id=843236
• https://bugzilla.suse.com/show_bug.cgi?id=909994
• https://bugzilla.suse.com/show_bug.cgi?id=911687
• https://bugzilla.suse.com/show_bug.cgi?id=915183
• https://bugzilla.suse.com/show_bug.cgi?id=920016
• https://bugzilla.suse.com/show_bug.cgi?id=934760
• https://bugzilla.suse.com/show_bug.cgi?id=951392
• https://bugzilla.suse.com/show_bug.cgi?id=956514
• https://bugzilla.suse.com/show_bug.cgi?id=960689
• https://bugzilla.suse.com/show_bug.cgi?id=963655
• https://bugzilla.suse.com/show_bug.cgi?id=971975
• https://bugzilla.suse.com/show_bug.cgi?id=971989
• https://bugzilla.suse.com/show_bug.cgi?id=974620
• https://bugzilla.suse.com/show_bug.cgi?id=976867
• https://bugzilla.suse.com/show_bug.cgi?id=977687
• https://bugzilla.suse.com/show_bug.cgi?id=979514
• https://bugzilla.suse.com/show_bug.cgi?id=979595
• https://bugzilla.suse.com/show_bug.cgi?id=979681
• https://bugzilla.suse.com/show_bug.cgi?id=980371
• https://bugzilla.suse.com/show_bug.cgi?id=982218
• https://bugzilla.suse.com/show_bug.cgi?id=982783
• https://bugzilla.suse.com/show_bug.cgi?id=983535
• https://bugzilla.suse.com/show_bug.cgi?id=983619
• https://bugzilla.suse.com/show_bug.cgi?id=984102
• https://bugzilla.suse.com/show_bug.cgi?id=984194
• https://bugzilla.suse.com/show_bug.cgi?id=984992
• https://bugzilla.suse.com/show_bug.cgi?id=985206
• https://bugzilla.suse.com/show_bug.cgi?id=986362
• https://bugzilla.suse.com/show_bug.cgi?id=986365
• https://bugzilla.suse.com/show_bug.cgi?id=986445
• https://bugzilla.suse.com/show_bug.cgi?id=987565
• https://bugzilla.suse.com/show_bug.cgi?id=988440
• https://bugzilla.suse.com/show_bug.cgi?id=989152
• https://bugzilla.suse.com/show_bug.cgi?id=989261
• https://bugzilla.suse.com/show_bug.cgi?id=989779
• https://bugzilla.suse.com/show_bug.cgi?id=991608
• https://bugzilla.suse.com/show_bug.cgi?id=991665
• https://bugzilla.suse.com/show_bug.cgi?id=991923
• https://bugzilla.suse.com/show_bug.cgi?id=992566
• https://bugzilla.suse.com/show_bug.cgi?id=993127
• https://bugzilla.suse.com/show_bug.cgi?id=993890
• https://bugzilla.suse.com/show_bug.cgi?id=993891
• https://bugzilla.suse.com/show_bug.cgi?id=994296
• https://bugzilla.suse.com/show_bug.cgi?id=994436
• https://bugzilla.suse.com/show_bug.cgi?id=994618
• https://bugzilla.suse.com/show_bug.cgi?id=994759
• https://bugzilla.suse.com/show_bug.cgi?id=994926
• https://bugzilla.suse.com/show_bug.cgi?id=996329
• https://bugzilla.suse.com/show_bug.cgi?id=996664
• https://bugzilla.suse.com/show_bug.cgi?id=997708
• https://bugzilla.suse.com/show_bug.cgi?id=998399
• https://bugzilla.suse.com/show_bug.cgi?id=999584
• https://bugzilla.suse.com/show_bug.cgi?id=999600
• https://bugzilla.suse.com/show_bug.cgi?id=999932