SUSE SLED11 / SLES11 Security Update : kernel-source (SUSE-SU-2015:1678-1)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
security and bugfixes.

Following security bugs were fixed :

- CVE-2015-6252: Possible file descriptor leak for each
VHOST_SET_LOG_FDcommand issued, this could eventually
wasting available system resources and creating a denial
of service (bsc#942367).

- CVE-2015-5707: Possible integer overflow in the
calculation of total number of pages in
bio_map_user_iov() (bsc#940338).

- CVE-2015-5364: The (1) udp_recvmsg and (2) udpv6_recvmsg
functions in the Linux kernel before 4.0.6 do not
properly consider yielding a processor, which allowed
remote attackers to cause a denial of service (system
hang) via incorrect checksums within a UDP packet flood
(bsc#936831).

- CVE-2015-5366: The (1) udp_recvmsg and (2) udpv6_recvmsg
functions in the Linux kernel before 4.0.6 provide
inappropriate -EAGAIN return values, which allowed
remote attackers to cause a denial of service (EPOLLET
epoll application read outage) via an incorrect checksum
in a UDP packet, a different vulnerability than
CVE-2015-5364 (bsc#936831).

- CVE-2015-1420: Race condition in the handle_to_path
function in fs/fhandle.c in the Linux kernel through
3.19.1 allowed local users to bypass intended size
restrictions and trigger read operations on additional
memory locations by changing the handle_bytes value of a
file handle during the execution of this function
(bsc#915517).

- CVE-2015-1805: The (1) pipe_read and (2) pipe_write
implementations in fs/pipe.c in the Linux kernel before
3.16 do not properly consider the side effects of failed
__copy_to_user_inatomic and __copy_from_user_inatomic
calls, which allows local users to cause a denial of
service (system crash) or possibly gain privileges via a
crafted application, aka an 'I/O' vector array overrun.
(bsc#933429)

- CVE-2015-2150: Xen 3.3.x through 4.5.x and the Linux
kernel through 3.19.1 do not properly restrict access to
PCI command registers, which might allow local guest
users to cause a denial of service (non-maskable
interrupt and host crash) by disabling the (1) memory or
(2) I/O decoding for a PCI Express device and then
accessing the device, which triggers an Unsupported
Request (UR) response. (bsc#919463)

- CVE-2015-2830: arch/x86/kernel/entry_64.S in the Linux
kernel before 3.19.2 does not prevent the TS_COMPAT flag
from reaching a user-mode task, which might allow local
users to bypass the seccomp or audit protection
mechanism via a crafted application that uses the (1)
fork or (2) close system call, as demonstrated by an
attack against seccomp before 3.16. (bsc#926240)

- CVE-2015-4700: The bpf_int_jit_compile function in
arch/x86/net/bpf_jit_comp.c in the Linux kernel before
4.0.6 allowed local users to cause a denial of service
(system crash) by creating a packet filter and then
loading crafted BPF instructions that trigger late
convergence by the JIT compiler (bsc#935705).

- CVE-2015-4167: The udf_read_inode function in
fs/udf/inode.c in the Linux kernel before 3.19.1 did not
validate certain length values, which allowed local
users to cause a denial of service (incorrect data
representation or integer overflow, and OOPS) via a
crafted UDF filesystem (bsc#933907).

- CVE-2015-0777: drivers/xen/usbback/usbback.c in
linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support
patches for the Linux kernel 2.6.18), as used in the
Linux kernel 2.6.x and 3.x in SUSE Linux distributions,
allows guest OS users to obtain sensitive information
from uninitialized locations in host OS kernel memory
via unspecified vectors. (bsc#917830)

- CVE-2014-9728: The UDF filesystem implementation in the
Linux kernel before 3.18.2 did not validate certain
lengths, which allowed local users to cause a denial of
service (buffer over-read and system crash) via a
crafted filesystem image, related to fs/udf/inode.c and
fs/udf/symlink.c (bsc#933904).

- CVE-2014-9730: The udf_pc_to_char function in
fs/udf/symlink.c in the Linux kernel before 3.18.2
relies on component lengths that are unused, which
allowed local users to cause a denial of service (system
crash) via a crafted UDF filesystem image (bsc#933904).

- CVE-2014-9729: The udf_read_inode function in
fs/udf/inode.c in the Linux kernel before 3.18.2 did not
ensure a certain data-structure size consistency, which
allowed local users to cause a denial of service (system
crash) via a crafted UDF filesystem image (bsc#933904).

- CVE-2014-9731: The UDF filesystem implementation in the
Linux kernel before 3.18.2 did not ensure that space is
available for storing a symlink target's name along with
a trailing \0 character, which allowed local users to
obtain sensitive information via a crafted filesystem
image, related to fs/udf/symlink.c and fs/udf/unicode.c
(bsc#933896).

The following non-security bugs were fixed :

- Btrfs: be aware of btree inode write errors to avoid fs
corruption (bnc#942350).

- Btrfs: be aware of btree inode write errors to avoid fs
corruption (bnc#942404).

- Btrfs: check if previous transaction aborted to avoid fs
corruption (bnc#942350).

- Btrfs: check if previous transaction aborted to avoid fs
corruption (bnc#942404).

- Btrfs: deal with convert_extent_bit errors to avoid fs
corruption (bnc#942350).

- Btrfs: deal with convert_extent_bit errors to avoid fs
corruption (bnc#942404).

- Btrfs: fix hang when failing to submit bio of directIO
(bnc#942688).

- Btrfs: fix memory corruption on failure to submit bio
for direct IO (bnc#942688).

- Btrfs: fix put dio bio twice when we submit dio bio fail
(bnc#942688).

- DRM/I915: Add enum hpd_pin to intel_encoder
(bsc#942938).

- DRM/i915: Convert HPD interrupts to make use of HPD pin
assignment in encoders (v2) (bsc#942938).

- DRM/i915: Get rid of the 'hotplug_supported_mask' in
struct drm_i915_private (bsc#942938).

- DRM/i915: Remove i965_hpd_irq_setup (bsc#942938).

- DRM/i915: Remove valleyview_hpd_irq_setup (bsc#942938).

- Ext4: handle SEEK_HOLE/SEEK_DATA generically
(bsc#934944).

- IB/core: Fix mismatch between locked and pinned pages
(bnc#937855).

- IB/iser: Add Discovery support (bsc#923002).

- IB/iser: Move informational messages from error to info
level (bsc#923002).

- NFS: never queue requests with rq_cong set on the
sending queue (bsc#932458).

- NFSD: Fix nfsv4 opcode decoding error (bsc#935906).

- NFSv4: Minor cleanups for nfs4_handle_exception and
nfs4_async_handle_error (bsc#939910).

- PCI: Disable Bus Master only on kexec reboot
(bsc#920110).

- PCI: Disable Bus Master unconditionally in
pci_device_shutdown() (bsc#920110).

- PCI: Do not try to disable Bus Master on disconnected
PCI devices (bsc#920110).

- PCI: Lock down register access when trusted_kernel is
true (fate#314486, bnc#884333)(bsc#923431).

- PCI: disable Bus Master on PCI device shutdown
(bsc#920110).

- USB: xhci: Reset a halted endpoint immediately when we
encounter a stall (bnc#933721).

- USB: xhci: do not start a halted endpoint before its new
dequeue is set (bnc#933721).

- Apparmor: fix file_permission if profile is updated
(bsc#917968).

- block: Discard bios do not have data (bsc#928988).

- cifs: Fix missing crypto allocation (bnc#937402).

- drm/cirrus: do not attempt to acquire a reservation
while in an interrupt handler (bsc#935572).

- drm/i915: (re)init HPD interrupt storm statistics
(bsc#942938).

- drm/i915: Add HPD IRQ storm detection (v5) (bsc#942938).

- drm/i915: Add Reenable Timer to turn Hotplug Detection
back on (v4) (bsc#942938).

- drm/i915: Add bit field to record which pins have
received HPD events (v3) (bsc#942938).

- drm/i915: Add messages useful for HPD storm detection
debugging (v2) (bsc#942938).

- drm/i915: Avoid race of intel_crt_detect_hotplug() with
HPD interrupt (bsc#942938).

- drm/i915: Disable HPD interrupt on pin when irq storm is
detected (v3) (bsc#942938).

- drm/i915: Do not WARN nor handle unexpected hpd
interrupts on gmch platforms (bsc#942938).

- drm/i915: Enable hotplug interrupts after querying hw
capabilities (bsc#942938).

- drm/i915: Fix hotplug interrupt enabling for SDVOC
(bsc#942938).

- drm/i915: Fix up sdvo hpd pins for i965g/gm
(bsc#942938).

- drm/i915: Make hpd arrays big enough to avoid out of
bounds access (bsc#942938).

- drm/i915: Mask out the HPD irq bits before setting them
individually (bsc#942938).

- drm/i915: Only print hotplug event message when hotplug
bit is set (bsc#942938).

- drm/i915: Only reprobe display on encoder which has
received an HPD event (v2) (bsc#942938).

- drm/i915: Queue reenable timer also when
enable_hotplug_processing is false (bsc#942938).

- drm/i915: Remove pch_rq_mask from struct
drm_i915_private (bsc#942938).

- drm/i915: Use an interrupt save spinlock in
intel_hpd_irq_handler() (bsc#942938).

- drm/i915: WARN_ONCE() about unexpected interrupts for
all chipsets (bsc#942938).

- drm/i915: assert_spin_locked for pipestat interrupt
enable/disable (bsc#942938).

- drm/i915: clear crt hotplug compare voltage field before
setting (bsc#942938).

- drm/i915: close tiny race in the ilk pcu even interrupt
setup (bsc#942938).

- drm/i915: fix hotplug event bit tracking (bsc#942938).

- drm/i915: fix hpd interrupt register locking
(bsc#942938).

- drm/i915: fix hpd work vs. flush_work in the pageflip
code deadlock (bsc#942938).

- drm/i915: fix locking around
ironlake_enable|disable_display_irq (bsc#942938).

- drm/i915: fold the hpd_irq_setup call into
intel_hpd_irq_handler (bsc#942938).

- drm/i915: fold the no-irq check into
intel_hpd_irq_handler (bsc#942938).

- drm/i915: fold the queue_work into intel_hpd_irq_handler
(bsc#942938).

- drm/i915: implement ibx_hpd_irq_setup (bsc#942938).

- drm/i915:
s/hotplug_irq_storm_detect/intel_hpd_irq_handler/
(bsc#942938).

- drm/mgag200: Do not do full cleanup if
mgag200_device_init fails (FATE#317582).

- drm/mgag200: do not attempt to acquire a reservation
while in an interrupt handler (FATE#317582).

- drm: ast,cirrus,mgag200: use drm_can_sleep (FATE#317582,
bnc#883380, bsc#935572).

- ehci-pci: enable interrupt on BayTrail (bnc926007).

- exec: kill the unnecessary mm->def_flags setting in
load_elf_binary() (fate#317831,bnc#891116)).

- ext3: Fix data corruption in inodes with journalled data
(bsc#936637).

- fanotify: Fix deadlock with permission events
(bsc#935053).

- fork: reset mm->pinned_vm (bnc#937855).

- hrtimer: prevent timer interrupt DoS (bnc#886785).

- hugetlb, kabi: do not account hugetlb pages as
NR_FILE_PAGES (bnc#930092).

- hugetlb: do not account hugetlb pages as NR_FILE_PAGES
(bnc#930092).

- hv_storvsc: use small sg_tablesize on x86 (bnc#937256).

- ibmveth: Add GRO support (bsc#935055).

- ibmveth: Add support for Large Receive Offload
(bsc#935055).

- ibmveth: Add support for TSO (bsc#935055).

- ibmveth: add support for TSO6.

- ibmveth: change rx buffer default allocation for CMO
(bsc#935055).

- igb: do not reuse pages with pfmemalloc flag fix
(bnc#920016).

- inotify: Fix nested sleeps in inotify_read()
(bsc#940925).

- iommu/amd: Fix memory leak in free_pagetable
(bsc#935866).

- iommu/amd: Handle large pages correctly in
free_pagetable (bsc#935866).

- ipv6: probe routes asynchronous in rt6_probe
(bsc#936118).

- ixgbe: Use pci_vfs_assigned instead of
ixgbe_vfs_are_assigned (bsc#927355).

- kabi: wrapper include file with __GENKSYMS__ check to
avoid kabi change (bsc920110).

- kdump: fix crash_kexec()/smp_send_stop() race in panic()
(bnc#937444).

- kernel: add panic_on_warn.

- kernel: do full redraw of the 3270 screen on reconnect
(bnc#943477, LTC#129509).

- kvm: irqchip: Break up high order allocations of
kvm_irq_routing_table (bnc#926953).

- libata: prevent HSM state change race between ISR and
PIO (bsc#923245).

- libiscsi: Exporting new attrs for iscsi session and
connection in sysfs (bsc#923002).

- md: use kzalloc() when bitmap is disabled (bsc#939994).

- megaraid_sas: Use correct reset sequence in adp_reset()
(bsc#894936).

- megaraid_sas: Use correct reset sequence in adp_reset()
(bsc#938485).

- mlx4: Check for assigned VFs before disabling SR-IOV
(bsc#927355).

- mm, THP: do not hold mmap_sem in khugepaged when
allocating THP (VM Performance).

- mm, mempolicy: remove duplicate code (VM Functionality,
bnc#931620).

- mm, thp: fix collapsing of hugepages on madvise (VM
Functionality).

- mm, thp: only collapse hugepages to nodes with affinity
for zone_reclaim_mode (VM Functionality, bnc#931620).

- mm, thp: really limit transparent hugepage allocation to
local node (VM Performance, bnc#931620).

- mm, thp: respect MPOL_PREFERRED policy with non-local
node (VM Performance, bnc#931620).

- mm/hugetlb: check for pte NULL pointer in
__page_check_address() (bnc#929143).

- mm/mempolicy.c: merge alloc_hugepage_vma to
alloc_pages_vma (VM Performance, bnc#931620).

- mm/thp: allocate transparent hugepages on local node (VM
Performance, bnc#931620).

- mm: make page pfmemalloc check more robust (bnc#920016).

- mm: restrict access to slab files under procfs and sysfs
(bnc#936077).

- mm: thp: khugepaged: add policy for finding target node
(VM Functionality, bnc#931620).

- net/mlx4_core: Do not disable SRIOV if there are active
VFs (bsc#927355).

- net: Fix 'ip rule delete table 256' (bsc#873385).

- net: fib6: fib6_commit_metrics: fix potential NULL
pointer dereference (bsc#867362).

- net: ipv6: fib: do not sleep inside atomic lock
(bsc#867362).

- netfilter: nf_conntrack_proto_sctp: minimal multihoming
support (bsc#932350).

- nfsd: support disabling 64bit dir cookies (bnc#937503).

- pagecache limit: Do not skip over small zones that
easily (bnc#925881).

- pagecache limit: add tracepoints (bnc#924701).

- pagecache limit: export debugging counters via
/proc/vmstat (bnc#924701).

- pagecache limit: fix wrong nr_reclaimed count
(FATE#309111, bnc#924701).

- pagecache limit: reduce starvation due to reclaim
retries (bnc#925903).

- pci: Add SRIOV helper function to determine if VFs are
assigned to guest (bsc#927355).

- pci: Add flag indicating device has been assigned by KVM
(bnc#777565 FATE#313819).

- pci: Add flag indicating device has been assigned by KVM
(bnc#777565 FATE#313819).

- perf, nmi: Fix unknown NMI warning (bsc#929142).

- perf/x86/intel: Move NMI clearing to end of PMI handler
(bsc#929142).

- qlcnic: Fix NULL pointer dereference in
qlcnic_hwmon_show_temp() (bsc#936095).

- r8169: remember WOL preferences on driver load
(bsc#942305).

- s390/dasd: fix kernel panic when alias is set offline
(bnc#940966, LTC#128595).

- sched: fix __sched_setscheduler() vs load balancing race
(bnc#921430)

- scsi: Correctly set the scsi host/msg/status bytes
(bnc#933936).

- scsi: fix scsi_error_handler vs. scsi_host_dev_release
race (bnc#942204).

- scsi: Moved iscsi kabi patch to patches.kabi
(bsc#923002)

- scsi: Set hostbyte status in scsi_check_sense()
(bsc#920733).

- scsi: kabi: allow iscsi disocvery session support
(bsc#923002).

- scsi: vmw_pvscsi: Fix pvscsi_abort() function
(bnc#940398 bsc#930934).

- scsi_error: add missing case statements in
scsi_decide_disposition() (bsc#920733).

- scsi_transport_iscsi: Exporting new attrs for iscsi
session and connection in sysfs (bsc#923002).

- sg_start_req(): make sure that there's not too many
elements in iovec (bsc#940338).

- st: NULL pointer dereference panic caused by use after
kref_put by st_open (bsc#936875).

- supported.conf: enable sch_mqprio (bsc#932882)

- udf: Remove repeated loads blocksize (bsc#933907).

- usb: core: Fix USB 3.0 devices lost in NOTATTACHED state
after a hub port reset (bnc#937641).

- usb: xhci: Prefer endpoint context dequeue pointer over
stopped_trb (bnc#933721).

- usb: xhci: handle Config Error Change (CEC) in xhci
driver (bnc#933721).

- vmxnet3: Bump up driver version number (bsc#936423).

- vmxnet3: Changes for vmxnet3 adapter version 2 (fwd)
(bug#936423).

- vmxnet3: Fix memory leaks in rx path (fwd) (bug#936423).

- vmxnet3: Register shutdown handler for device (fwd)
(bug#936423).

- x86, tls, ldt: Stop checking lm in LDT_empty
(bsc#920250).

- x86, tls: Interpret an all-zero struct user_desc as 'no
segment' (bsc#920250).

- x86-64: Do not apply destructive erratum workaround on
unaffected CPUs (bsc#929076).

- x86/mm: Improve AMD Bulldozer ASLR workaround
(bsc#937032).

- x86/tsc: Change Fast TSC calibration failed from error
to info (bnc#942605).

- xenbus: add proper handling of XS_ERROR from Xenbus for
transactions.

- xfs: fix problem when using md+XFS under high load
(bnc#925705).

- xhci: Allocate correct amount of scratchpad buffers
(bnc#933721).

- xhci: Do not enable/disable RWE on bus suspend/resume
(bnc#933721).

- xhci: Solve full event ring by increasing
TRBS_PER_SEGMENT to 256 (bnc#933721).

- xhci: Treat not finding the event_seg on COMP_STOP the
same as COMP_STOP_INVAL (bnc#933721).

- xhci: Workaround for PME stuck issues in Intel xhci
(bnc#933721).

- xhci: do not report PLC when link is in internal resume
state (bnc#933721).

- xhci: fix reporting of 0-sized URBs in control endpoint
(bnc#933721).

- xhci: report U3 when link is in resume state
(bnc#933721).

- xhci: rework cycle bit checking for new dequeue pointers
(bnc#933721).

- zcrypt: Fixed reset and interrupt handling of AP queues
(bnc#936921, bnc#936925, LTC#126491).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/777565
https://bugzilla.suse.com/867362
https://bugzilla.suse.com/873385
https://bugzilla.suse.com/883380
https://bugzilla.suse.com/884333
https://bugzilla.suse.com/886785
https://bugzilla.suse.com/891116
https://bugzilla.suse.com/894936
https://bugzilla.suse.com/915517
https://bugzilla.suse.com/917830
https://bugzilla.suse.com/917968
https://bugzilla.suse.com/919463
https://bugzilla.suse.com/920016
https://bugzilla.suse.com/920110
https://bugzilla.suse.com/920250
https://bugzilla.suse.com/920733
https://bugzilla.suse.com/921430
https://bugzilla.suse.com/923002
https://bugzilla.suse.com/923245
https://bugzilla.suse.com/923431
https://bugzilla.suse.com/924701
https://bugzilla.suse.com/925705
https://bugzilla.suse.com/925881
https://bugzilla.suse.com/925903
https://bugzilla.suse.com/926240
https://bugzilla.suse.com/926953
https://bugzilla.suse.com/927355
https://bugzilla.suse.com/928988
https://bugzilla.suse.com/929076
https://bugzilla.suse.com/929142
https://bugzilla.suse.com/929143
https://bugzilla.suse.com/930092
https://bugzilla.suse.com/930934
https://bugzilla.suse.com/931620
https://bugzilla.suse.com/932350
https://bugzilla.suse.com/932458
https://bugzilla.suse.com/932882
https://bugzilla.suse.com/933429
https://bugzilla.suse.com/933721
https://bugzilla.suse.com/933896
https://bugzilla.suse.com/933904
https://bugzilla.suse.com/933907
https://bugzilla.suse.com/933936
https://bugzilla.suse.com/934944
https://bugzilla.suse.com/935053
https://bugzilla.suse.com/935055
https://bugzilla.suse.com/935572
https://bugzilla.suse.com/935705
https://bugzilla.suse.com/935866
https://bugzilla.suse.com/935906
https://bugzilla.suse.com/936077
https://bugzilla.suse.com/936095
https://bugzilla.suse.com/936118
https://bugzilla.suse.com/936423
https://bugzilla.suse.com/936637
https://bugzilla.suse.com/936831
https://bugzilla.suse.com/936875
https://bugzilla.suse.com/936921
https://bugzilla.suse.com/936925
https://bugzilla.suse.com/937032
https://bugzilla.suse.com/937256
https://bugzilla.suse.com/937402
https://bugzilla.suse.com/937444
https://bugzilla.suse.com/937503
https://bugzilla.suse.com/937641
https://bugzilla.suse.com/937855
https://bugzilla.suse.com/938485
https://bugzilla.suse.com/939910
https://bugzilla.suse.com/939994
https://bugzilla.suse.com/940338
https://bugzilla.suse.com/940398
https://bugzilla.suse.com/940925
https://bugzilla.suse.com/940966
https://bugzilla.suse.com/942204
https://bugzilla.suse.com/942305
https://bugzilla.suse.com/942350
https://bugzilla.suse.com/942367
https://bugzilla.suse.com/942404
https://bugzilla.suse.com/942605
https://bugzilla.suse.com/942688
https://bugzilla.suse.com/942938
https://bugzilla.suse.com/943477
https://www.suse.com/security/cve/CVE-2014-9728.html
https://www.suse.com/security/cve/CVE-2014-9729.html
https://www.suse.com/security/cve/CVE-2014-9730.html
https://www.suse.com/security/cve/CVE-2014-9731.html
https://www.suse.com/security/cve/CVE-2015-0777.html
https://www.suse.com/security/cve/CVE-2015-1420.html
https://www.suse.com/security/cve/CVE-2015-1805.html
https://www.suse.com/security/cve/CVE-2015-2150.html
https://www.suse.com/security/cve/CVE-2015-2830.html
https://www.suse.com/security/cve/CVE-2015-4167.html
https://www.suse.com/security/cve/CVE-2015-4700.html
https://www.suse.com/security/cve/CVE-2015-5364.html
https://www.suse.com/security/cve/CVE-2015-5366.html
https://www.suse.com/security/cve/CVE-2015-5707.html
https://www.suse.com/security/cve/CVE-2015-6252.html
http://www.nessus.org/u?9ebdd7b0

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4 :

zypper in -t patch sdksp4-kernel-20150908-12114=1

SUSE Linux Enterprise Server 11-SP4 :

zypper in -t patch slessp4-kernel-20150908-12114=1

SUSE Linux Enterprise Server 11-EXTRA :

zypper in -t patch slexsp3-kernel-20150908-12114=1

SUSE Linux Enterprise Desktop 11-SP4 :

zypper in -t patch sledsp4-kernel-20150908-12114=1

SUSE Linux Enterprise Debuginfo 11-SP4 :

zypper in -t patch dbgsp4-kernel-20150908-12114=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.1
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now