<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for the Linux Kernel</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2017:2494-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2017-09-15T07:49:08Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2017-09-15T07:49:08Z</InitialReleaseDate>
    <CurrentReleaseDate>2017-09-15T07:49:08Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for the Linux Kernel</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">

The openSUSE Leap 42.3 kernel was updated to 4.4.87 to receive various security fixes and bugfixes.


The following security bugs were fixed:

- CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel (BlueZ) was vulnerable to a stack overflow in the processing of L2CAP configuration responses, resulting in remote code execution in kernel space (bnc#1057389).
- CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982).
- CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel did not flush the operand cache and caused a kernel stack dump, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted ACPI table (bnc#1049580).

The following non-security bugs were fixed:

- acpica: IORT: Update SMMU models for revision C (bsc#1036060).
- acpi/nfit: Fix memory corruption/Unregister mce decoder on failure (bsc#1057047).
- ahci: do not use MSI for devices with the silly Intel NVMe remapping scheme (bsc#1048912).
- ahci: thunderx2: stop engine fix update (bsc#1057031).
- alsa: hda/realtek - Add support headphone Mic for ALC221 of HP platform (bsc#1024405).
- arm64: mm: select CONFIG_ARCH_PROC_KCORE_TEXT (bsc#1046529).
- arm64: PCI: Fix struct acpi_pci_root_ops allocation failure path (bsc#1056849).
- arm64: Update config files. Enable ARCH_PROC_KCORE_TEXT
- blacklist.conf: gcc7 compiler warning (bsc#1056849)
- bnxt: add a missing rcu synchronization (bnc#1038583).
- bnxt: do not busy-poll when link is down (bnc#1038583).
- bnxt_en: Enable MRU enables bit when configuring VNIC MRU (bnc#1038583).
- bnxt_en: Fix and clarify link_info-&gt;advertising (bnc#1038583).
- bnxt_en: Fix a VXLAN vs GENEVE issue (bnc#1038583).
- bnxt_en: Fix NULL pointer dereference in a failure path during open (bnc#1038583).
- bnxt_en: Fix NULL pointer dereference in reopen failure path (bnc#1038583).
- bnxt_en: fix pci cleanup in bnxt_init_one() failure path (bnc#1038583).
- bnxt_en: Fix ring arithmetic in bnxt_setup_tc() (bnc#1038583).
- bnxt_en: Fix TX push operation on ARM64 (bnc#1038583).
- bnxt_en: Fix 'uninitialized variable' bug in TPA code path (bnc#1038583).
- bnxt_en: Fix VF virtual link state (bnc#1038583).
- bnxt_en: initialize rc to zero to avoid returning garbage (bnc#1038583).
- bnxt_en: Pad TX packets below 52 bytes (bnc#1038583).
- bnxt_en: Refactor TPA code path (bnc#1038583).
- ceph: fix readpage from fscache (bsc#1057015).
- cifs: add build_path_from_dentry_optional_prefix() (fate#323482).
- cifs: add use_ipc flag to SMB2_ioctl() (fate#323482).
- cifs: Fix sparse warnings (fate#323482).
- cifs: implement get_dfs_refer for SMB2+ (fate#323482).
- cifs: let ses-&gt;ipc_tid hold smb2 TreeIds (fate#323482).
- cifs: move DFS response parsing out of SMB1 code (fate#323482).
- cifs: remove any preceding delimiter from prefix_path (fate#323482).
- cifs: set signing flag in SMB2+ TreeConnect if needed (fate#323482).
- cifs: use DFS pathnames in SMB2+ Create requests (fate#323482).
- cpufreq: intel_pstate: Disable energy efficiency optimization (bsc#1054654).
- cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() (bsc#1021424 bsc#1022743).
- device-dax: fix cdev leak (bsc#1057047).
- dmaengine: mv_xor_v2: do not use descriptors not acked by async_tx (bsc#1056849).
- dmaengine: mv_xor_v2: enable XOR engine after its configuration (bsc#1056849).
- dmaengine: mv_xor_v2: fix tx_submit() implementation (bsc#1056849).
- dmaengine: mv_xor_v2: handle mv_xor_v2_prep_sw_desc() error properly (bsc#1056849).
- dmaengine: mv_xor_v2: properly handle wrapping in the array of HW descriptors (bsc#1056849).
- dmaengine: mv_xor_v2: remove interrupt coalescing (bsc#1056849).
- dmaengine: mv_xor_v2: set DMA mask to 40 bits (bsc#1056849).
- drivers: base: cacheinfo: fix boot error message when acpi is enabled (bsc#1057849).
- edac, thunderx: Fix a warning during l2c debugfs node creation (bsc#1057038).
- edac, thunderx: Fix error handling path in thunderx_lmc_probe() (bsc#1057038).
- fs/proc: kcore: use kcore_list type to check for vmalloc/module address (bsc#1046529).
- gfs2: Do not clear SGID when inheriting ACLs (bsc#1012829).
- ib/hns: checking for IS_ERR() instead of NULL (bsc#1056849).
- ibmvnic: Clean up resources on probe failure (fate#323285, bsc#1058116).
- ib/rxe: Add dst_clone() in prepare_ipv6_hdr() (bsc#1049361).
- ib/rxe: Avoid ICRC errors by copying into the skb first (bsc#1049361).
- ib/rxe: Disable completion upcalls when a CQ is destroyed (bsc#1049361).
- ib/rxe: Fix destination cache for IPv6 (bsc#1049361).
- ib/rxe: Fix up rxe_qp_cleanup() (bsc#1049361).
- ib/rxe: Fix up the responder's find_resources() function (bsc#1049361).
- ib/rxe: Handle NETDEV_CHANGE events (bsc#1049361).
- ib/rxe: Move refcounting earlier in rxe_send() (bsc#1049361).
- ib/rxe: Remove dangling prototype (bsc#1049361).
- ib/rxe: Remove unneeded initialization in prepare6() (bsc#1049361).
- ib/rxe: Set dma_mask and coherent_dma_mask (bsc#1049361).
- iommu/arm-smmu-v3, acpi: Add temporary Cavium SMMU-V3 IORT model number definitions (bsc#1036060).
- iommu/arm-smmu-v3: Increase CMDQ drain timeout value (bsc#1035479). Refresh patch to mainline version
- irqchip/gic-v3-its: Fix command buffer allocation (bsc#1057067).
- iwlwifi: mvm: do not send CTDP commands via debugfs if not supported (bsc#1031717).
- kernel/*: switch to memdup_user_nul() (bsc#1048893).
- lightnvm: remove unused rq parameter of nvme_nvm_rqtocmd() to kill warning (FATE#319466).
- md/raid5: fix a race condition in stripe batch (linux-stable).
- mmc: sdhci-xenon: add set_power callback (bsc#1057035).
- mmc: sdhci-xenon: Fix the work flow in xenon_remove() (bsc#1057035).
- mm/page_alloc.c: apply gfp_allowed_mask before the first allocation attempt (bnc#971975 VM -- git fixes).
- mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings (bsc#1046529).
- new helper: memdup_user_nul() (bsc#1048893).
- nfs: flush data when locking a file to ensure cache coherence for mmap (bsc#981309).
- pci: rockchip: Handle regulator_get_current_limit() failure correctly (bsc#1056849).
- pci: rockchip: Use normal register bank for config accessors (bsc#1056849).
- pm / Domains: Fix unsafe iteration over modified list of domains (bsc#1056849).
- rtnetlink: fix rtnl_vfinfo_size (bsc#1056261).
- scsi: hisi_sas: add missing break in switch statement (bsc#1056849).
- sysctl: fix lax sysctl_check_table() sanity check (bsc#1048893).
- sysctl: fold sysctl_writes_strict checks into helper (bsc#1048893).
- sysctl: kdoc'ify sysctl_writes_strict (bsc#1048893).
- sysctl: simplify unsigned int support (bsc#1048893).
- ubifs: Correctly evict xattr inodes (bsc#1012829).
- ubifs: Do not leak kernel memory to the MTD (bsc#1012829).
- xfs: fix inobt inode allocation search optimization (bsc#1012829).
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00056.html</URL>
      <Description>E-Mail link for openSUSE-SU-2017:2494-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Leap 42.3">
      <Branch Type="Product Name" Name="openSUSE Leap 42.3">
        <FullProductName ProductID="openSUSE Leap 42.3">openSUSE Leap 42.3</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="kernel-debug-4.4.87-25.1">
      <FullProductName ProductID="kernel-debug-4.4.87-25.1">kernel-debug-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-debug-base-4.4.87-25.1">
      <FullProductName ProductID="kernel-debug-base-4.4.87-25.1">kernel-debug-base-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-debug-devel-4.4.87-25.1">
      <FullProductName ProductID="kernel-debug-devel-4.4.87-25.1">kernel-debug-devel-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-4.4.87-25.1">
      <FullProductName ProductID="kernel-default-4.4.87-25.1">kernel-default-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-base-4.4.87-25.1">
      <FullProductName ProductID="kernel-default-base-4.4.87-25.1">kernel-default-base-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-devel-4.4.87-25.1">
      <FullProductName ProductID="kernel-default-devel-4.4.87-25.1">kernel-default-devel-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-devel-4.4.87-25.1">
      <FullProductName ProductID="kernel-devel-4.4.87-25.1">kernel-devel-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-docs-4.4.87-25.2">
      <FullProductName ProductID="kernel-docs-4.4.87-25.2">kernel-docs-4.4.87-25.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-docs-html-4.4.87-25.2">
      <FullProductName ProductID="kernel-docs-html-4.4.87-25.2">kernel-docs-html-4.4.87-25.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-docs-pdf-4.4.87-25.2">
      <FullProductName ProductID="kernel-docs-pdf-4.4.87-25.2">kernel-docs-pdf-4.4.87-25.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-macros-4.4.87-25.1">
      <FullProductName ProductID="kernel-macros-4.4.87-25.1">kernel-macros-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-obs-build-4.4.87-25.1">
      <FullProductName ProductID="kernel-obs-build-4.4.87-25.1">kernel-obs-build-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-obs-qa-4.4.87-25.1">
      <FullProductName ProductID="kernel-obs-qa-4.4.87-25.1">kernel-obs-qa-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-source-4.4.87-25.1">
      <FullProductName ProductID="kernel-source-4.4.87-25.1">kernel-source-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-source-vanilla-4.4.87-25.1">
      <FullProductName ProductID="kernel-source-vanilla-4.4.87-25.1">kernel-source-vanilla-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-syms-4.4.87-25.1">
      <FullProductName ProductID="kernel-syms-4.4.87-25.1">kernel-syms-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-vanilla-4.4.87-25.1">
      <FullProductName ProductID="kernel-vanilla-4.4.87-25.1">kernel-vanilla-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-vanilla-base-4.4.87-25.1">
      <FullProductName ProductID="kernel-vanilla-base-4.4.87-25.1">kernel-vanilla-base-4.4.87-25.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-vanilla-devel-4.4.87-25.1">
      <FullProductName ProductID="kernel-vanilla-devel-4.4.87-25.1">kernel-vanilla-devel-4.4.87-25.1</FullProductName>
    </Branch>
    <Relationship ProductReference="kernel-debug-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-debug-4.4.87-25.1">kernel-debug-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-debug-base-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-debug-base-4.4.87-25.1">kernel-debug-base-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-debug-devel-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-debug-devel-4.4.87-25.1">kernel-debug-devel-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-default-4.4.87-25.1">kernel-default-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-base-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-default-base-4.4.87-25.1">kernel-default-base-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-devel-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-default-devel-4.4.87-25.1">kernel-default-devel-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-devel-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-devel-4.4.87-25.1">kernel-devel-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-docs-4.4.87-25.2" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-docs-4.4.87-25.2">kernel-docs-4.4.87-25.2 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-docs-html-4.4.87-25.2" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-docs-html-4.4.87-25.2">kernel-docs-html-4.4.87-25.2 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-docs-pdf-4.4.87-25.2" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-docs-pdf-4.4.87-25.2">kernel-docs-pdf-4.4.87-25.2 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-macros-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-macros-4.4.87-25.1">kernel-macros-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-obs-build-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-obs-build-4.4.87-25.1">kernel-obs-build-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-obs-qa-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-obs-qa-4.4.87-25.1">kernel-obs-qa-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-source-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-source-4.4.87-25.1">kernel-source-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-source-vanilla-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-source-vanilla-4.4.87-25.1">kernel-source-vanilla-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-syms-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-syms-4.4.87-25.1">kernel-syms-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-vanilla-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-vanilla-4.4.87-25.1">kernel-vanilla-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-vanilla-base-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-vanilla-base-4.4.87-25.1">kernel-vanilla-base-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-vanilla-devel-4.4.87-25.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:kernel-vanilla-devel-4.4.87-25.1">kernel-vanilla-devel-4.4.87-25.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, is vulnerable to a stack overflow in the processing of L2CAP configuration responses, resulting in remote code execution in kernel space.</Note>
    </Notes>
    <CVE>CVE-2017-1000251</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 42.3:kernel-debug-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-debug-base-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-debug-devel-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-default-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-default-base-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-default-devel-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-devel-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-docs-4.4.87-25.2</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-docs-html-4.4.87-25.2</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-docs-pdf-4.4.87-25.2</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-macros-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-obs-build-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-obs-qa-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-source-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-source-vanilla-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-syms-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-vanilla-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-vanilla-base-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-vanilla-devel-4.4.87-25.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.9</BaseScore>
        <Vector>AV:A/AC:M/Au:N/C:C/I:C/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">Please install the update.</Description>
        <URL>https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00056.html</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2017-1000251.html</URL>
        <Description>CVE-2017-1000251</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1057389</URL>
        <Description>SUSE Bug 1057389</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1057950</URL>
        <Description>SUSE Bug 1057950</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1070535</URL>
        <Description>SUSE Bug 1070535</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1120758</URL>
        <Description>SUSE Bug 1120758</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.</Note>
    </Notes>
    <CVE>CVE-2017-11472</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 42.3:kernel-debug-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-debug-base-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-debug-devel-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-default-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-default-base-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-default-devel-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-devel-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-docs-4.4.87-25.2</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-docs-html-4.4.87-25.2</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-docs-pdf-4.4.87-25.2</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-macros-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-obs-build-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-obs-qa-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-source-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-source-vanilla-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-syms-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-vanilla-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-vanilla-base-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-vanilla-devel-4.4.87-25.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>1.2</BaseScore>
        <Vector>AV:L/AC:H/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">Please install the update.</Description>
        <URL>https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00056.html</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2017-11472.html</URL>
        <Description>CVE-2017-11472</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1049580</URL>
        <Description>SUSE Bug 1049580</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1087082</URL>
        <Description>SUSE Bug 1087082</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.</Note>
    </Notes>
    <CVE>CVE-2017-14106</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 42.3:kernel-debug-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-debug-base-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-debug-devel-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-default-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-default-base-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-default-devel-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-devel-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-docs-4.4.87-25.2</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-docs-html-4.4.87-25.2</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-docs-pdf-4.4.87-25.2</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-macros-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-obs-build-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-obs-qa-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-source-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-source-vanilla-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-syms-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-vanilla-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-vanilla-base-4.4.87-25.1</ProductID>
        <ProductID>openSUSE Leap 42.3:kernel-vanilla-devel-4.4.87-25.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>2.1</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">Please install the update.</Description>
        <URL>https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00056.html</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2017-14106.html</URL>
        <Description>CVE-2017-14106</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1056982</URL>
        <Description>SUSE Bug 1056982</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
