SUSE-SU-2011:0832-1: Security update for Linux kernel (important)

Published: 2011-07-25 17:08:29 (lists.opensuse.org)

EPSS: 0.006 (Low), percentile 75.9%

The SUSE Linux Enterprise 11 Service Pack 1 kernel was
updated to 2.6.32.43 and fixes various bugs and security
issues.

The following security issues were fixed:

CVE-2011-2496: The normal mmap paths all avoid
creating a mapping where the pgoff inside the mapping could
wrap around due to overflow. However, an expanding mremap()
can take such a non-wrapping mapping and make it bigger and
cause a wrapping condition.

CVE-2011-2491: A local unprivileged user able to
access an NFS filesystem could use file locking to deadlock
parts of an NFS server under some circumstances.

CVE-2011-2183: Fixed a race between ksmd and other
memory management code, which could result in a NULL ptr
dereference and kernel crash.

CVE-2011-2517: In both the trigger_scan and sched_scan
operations, the SSID length was checked before the value
had been assigned correctly. Since the memory had just been
kzalloced, the check never triggered and SSIDs of over
32 characters were allowed through. Exploiting this required
CAP_NET_ADMIN privileges.

CVE-2011-2213: A malicious user or buggy application
could inject inet_diag bytecode and trigger an infinite
loop in inet_diag_bc_audit().

CVE-2011-1017, CVE-2011-1012, CVE-2011-2182: The code
for evaluating LDM partitions (in fs/partitions/ldm.c)
contained bugs that could crash the kernel on certain
corrupted LDM partitions.

CVE-2011-1593: Multiple integer overflows in the
next_pidmap function in kernel/pid.c in the Linux kernel
allowed local users to cause a denial of service (system
crash) via a crafted (1) getdents or (2) readdir system
call.

CVE-2011-1020: The proc filesystem implementation in
the Linux kernel did not restrict access to the /proc
directory tree of a process after that process performed an
exec of a setuid program, which allowed local users to
obtain sensitive information or cause a denial of service
via open, lseek, read, and write system calls.

CVE-2011-1585: When using a setuid root mount.cifs,
local users could hijack password protected mounted CIFS
shares of other local users.

CVE-2011-1160: Local attackers could read kernel memory
via the TPM devices.

CVE-2011-1577: The Linux kernel automatically
evaluated partition tables of storage devices. The code for
evaluating EFI GUID partitions (in fs/partitions/efi.c)
contained a bug that caused a kernel oops on certain
corrupted GUID partition tables, which could be used by
local attackers to crash the kernel or potentially execute
code.

CVE-2011-1078: In a Bluetooth ioctl, struct
sco_conninfo has one padding byte at the end. The local
variable cinfo of type sco_conninfo was copied to userspace
with this one byte uninitialized, leaking old stack
contents.
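The padding-byte leak behind CVE-2011-1078, as an added example written for this page (not the kernel's SCO code): the struct layout follows the advisory's description, while the modelled stack frame, the poison value and the field values are constructed, and memcpy stands in for copy_to_user().

```c
#include <stdint.h>
#include <string.h>

/* struct sco_conninfo as the advisory describes it: 2 + 3 = 5 bytes of
 * fields padded to a 2-byte boundary, so sizeof is 6 and byte 5 is
 * compiler padding that no field assignment ever writes. */
struct sco_conninfo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

#define STACK_POISON 0xAA /* constructed stand-in for old stack contents */

/* Model of a kernel stack frame still holding earlier data; the local
 * variable cinfo lives on top of it, as a real local would. */
static union {
    unsigned char bytes[64];
    struct sco_conninfo cinfo;
} frame;

/* The getsockopt path: fill cinfo and copy it out whole (memcpy stands in
 * for copy_to_user()).  With zero_first == 0 only the named fields are
 * written and the padding byte keeps whatever the stack held; with
 * zero_first != 0 the object is cleared first, which is the fix. */
int sco_conninfo_copy(int zero_first, unsigned char *user_buf, size_t len)
{
    memset(frame.bytes, STACK_POISON, sizeof frame.bytes);
    if (zero_first)
        memset(&frame.cinfo, 0, sizeof frame.cinfo);
    frame.cinfo.hci_handle = 0x0042;
    frame.cinfo.dev_class[0] = 0x11;
    frame.cinfo.dev_class[1] = 0x22;
    frame.cinfo.dev_class[2] = 0x33;
    if (len < sizeof frame.cinfo)
        return -1;
    memcpy(user_buf, &frame.cinfo, sizeof frame.cinfo);
    return 0;
}

/* Runs one variant and returns the padding byte userspace received
 * (-1 on error). */
int padding_byte_received(int zero_first)
{
    unsigned char user_buf[sizeof(struct sco_conninfo)];
    if (sco_conninfo_copy(zero_first, user_buf, sizeof user_buf) != 0)
        return -1;
    return user_buf[sizeof user_buf - 1];
}
```

The vulnerable variant hands userspace 0xAA in byte 5; the zeroed variant hands it 0, which is why clearing the whole object before filling fields is the standard hardening for this bug class.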

CVE-2011-1079: In a Bluetooth ioctl, struct ca is
copied from userspace. It was not checked whether the
"device" field was NULL terminated. This could lead
to a BUG() inside alloc_netdev_mqs() and/or an information
leak by creating a device with a name made from the contents
of the kernel stack.

CVE-2011-1080: In ebtables rule loading, struct tmp
is copied from userspace. It was not checked whether the
"name" field was NULL terminated. This could lead to a
buffer overflow and to passing contents of the kernel stack
as a module name to try_then_request_module() and,
consequently, to the modprobe command line, where it would
be visible to all userspace processes.

CVE-2011-1173: The econet_sendmsg function in
net/econet/af_econet.c in the Linux kernel on the x86_64
platform allowed remote attackers to obtain potentially
sensitive information from kernel stack memory by reading
uninitialized data in the ah field of an Acorn Universal
Networking (AUN) packet.

CVE-2011-1170: net/ipv4/netfilter/arp_tables.c in the
IPv4 implementation in the Linux kernel did not place the
expected '\0' character at the end of string data in the
values of certain structure members, which allowed local
users to obtain potentially sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability to
issue a crafted request, and then reading the argument to
the resulting modprobe process.

CVE-2011-1171: net/ipv4/netfilter/ip_tables.c in the
IPv4 implementation in the Linux kernel did not place the
expected '\0' character at the end of string data in the
values of certain structure members, which allowed local
users to obtain potentially sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability to
issue a crafted request, and then reading the argument to
the resulting modprobe process.

CVE-2011-1172: net/ipv6/netfilter/ip6_tables.c in the
IPv6 implementation in the Linux kernel did not place the
expected '\0' character at the end of string data in the
values of certain structure members, which allowed local
users to obtain potentially sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability to
issue a crafted request, and then reading the argument to
the resulting modprobe process.
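The unterminated-name pattern shared by CVE-2011-1079, CVE-2011-1080 and CVE-2011-1170 through CVE-2011-1172, as an added example written for this page rather than kernel code: the struct ebt_replace_hdr stand-in, its 32-byte name field, the modelled stack neighbour and the sample names are all assumed or constructed, and memcpy stands in for copy_from_user().

```c
#include <errno.h>
#include <string.h>

#define EBT_TABLE_MAXNAMELEN 32                 /* assumed size of the name field */
#define STACK_NEIGHBOUR "KERNEL-STACK-CONTENTS" /* constructed stack contents */
/* Hypothetical stand-in for the struct ebtables copies from userspace. */
struct ebt_replace_hdr {
    char name[EBT_TABLE_MAXNAMELEN];
};
/* Model of the kernel stack frame: the copied struct sits directly before
 * other stack data, which is what an unbounded string walk runs into. */
struct frame {
    struct ebt_replace_hdr tmp;
    char neighbour[sizeof STACK_NEIGHBOUR];
};
/* Like copy_from_user(): exactly sizeof name bytes are copied, no NUL added. */
static void copy_name_from_user(struct frame *f, const char *user_name)
{
    memcpy(f->neighbour, STACK_NEIGHBOUR, sizeof f->neighbour);
    memcpy(f->tmp.name, user_name, sizeof f->tmp.name);
}

/* Vulnerable: trusts the name to be NUL terminated and walks until a NUL,
 * as strlen() would, so the "module name" handed on includes the
 * neighbouring stack bytes.  Returns that string's length. */
size_t module_name_len_vulnerable(const char *user_name)
{
    struct frame f;
    copy_name_from_user(&f, user_name);
    const char *p = (const char *)&f;   /* tmp.name is at offset 0 */
    size_t n = 0;
    while (p[n] != '\0') n++;           /* runs past name[] into neighbour[] */
    return n;
}

/* Fixed: reject a name with no NUL inside the field before using it.
 * Returns the name length, or -EINVAL. */
int module_name_len_fixed(const char *user_name)
{
    struct frame f;
    copy_name_from_user(&f, user_name);
    if (memchr(f.tmp.name, '\0', sizeof f.tmp.name) == NULL)
        return -EINVAL;
    return (int)strlen(f.tmp.name);
}

/* Constructed inputs: 32 'A's with no terminator, and a well-formed name. */
const char unterminated_name[EBT_TABLE_MAXNAMELEN] =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";
const char well_formed_name[EBT_TABLE_MAXNAMELEN] = "bridge";
```

For the unterminated input the vulnerable path produces a 53-byte "module name" that carries the neighbouring stack bytes, which is the leak path to the modprobe command line the advisory describes; the bounds check rejects the same input with -EINVAL.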

CVE-2011-1746: Multiple integer overflows in the (1)
agp_allocate_memory and (2) agp_create_user_memory
functions in drivers/char/agp/generic.c in the Linux kernel
before allowed local users to trigger buffer overflows, and
consequently cause a denial of service (system crash) or
possibly have unspecified other impact, via vectors related
to calls that specify a large number of memory pages.

CVE-2011-1745: Integer overflow in the
agp_generic_insert_memory function in
drivers/char/agp/generic.c in the Linux kernel allowed
local users to gain privileges or cause a denial of service
(system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl
call.

CVE-2011-1598: The bcm_release function in
net/can/bcm.c in the Linux kernel did not properly validate
a socket data structure, which allowed local users to cause
a denial of service (NULL pointer dereference) or possibly
have unspecified other impact via a crafted release
operation.

CVE-2011-1748: The raw_release function in
net/can/raw.c in the Linux kernel did not properly validate
a socket data structure, which allowed local users to cause
a denial of service (NULL pointer dereference) or possibly
have unspecified other impact via a crafted release
operation.
