Security update for Linux kernel (important)

2013-09-21T00:04:17
ID SUSE-SU-2013:1473-1
Type suse
Reporter Suse
Modified 2013-09-21T00:04:17

Description

The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to version 3.0.93 to fix various bugs and security issues.

The following features have been added:

  • NFS: Now supports a "nosharetransport" option (bnc#807502, bnc#828192, FATE#315593).
  • ALSA: virtuoso: Xonar DSX support was added (FATE#316016).

The following security issues have been fixed:

  • CVE-2013-2148: The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor.
  • CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.
  • CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.
  • CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.
  • CVE-2013-4162: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel made an incorrect function call for pending data, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.
  • CVE-2013-1059: net/ceph/auth_none.c in the Linux kernel allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.
  • CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.
  • CVE-2013-2851: Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name.
  • CVE-2013-4163: The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel did not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.
  • CVE-2013-1929: Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure.
  • CVE-2013-1819: The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel did not validate block numbers, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map.
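The uninitialized-member leaks listed above (CVE-2013-2148, CVE-2013-2234, CVE-2013-2237) follow one pattern, shown here as an added example that is not part of the advisory or the kernel source. The struct layout, the `stale_alloc` and `build` helpers and all field values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified 16-byte notify header, constructed for this example
 * (not the kernel's definition). */
struct notify_msg {
    uint8_t  version, type, err;
    uint8_t  satype;     /* the member the CVE-2013-2237 fix initializes */
    uint16_t len;        /* length in 8-byte units */
    uint16_t reserved;
    uint32_t seq, pid;
};

#define STALE 0xA5       /* marks bytes left behind by an earlier user */

/* Toy allocator: like kmalloc(), returns memory that still holds old data. */
static union {
    struct notify_msg m;
    unsigned char raw[sizeof(struct notify_msg)];
} arena;
static struct notify_msg *stale_alloc(void)
{
    memset(arena.raw, STALE, sizeof(arena.raw));
    return &arena.m;
}

/* zero_first = 0 models the code before the fix; 1 models the fix
 * (zero the whole object, as kzalloc() does, before filling it in). */
static struct notify_msg *build(int zero_first, uint32_t seq, uint32_t pid)
{
    struct notify_msg *m = stale_alloc();
    if (zero_first)
        memset(m, 0, sizeof(*m));
    m->version = 2; m->type = 9; m->err = 0;   /* constructed sample values */
    m->len = sizeof(*m) / 8;
    m->seq = seq; m->pid = pid;                /* satype, reserved: never set */
    return m;
}

/* Bytes a reader of the message would receive straight from stale memory. */
static size_t leaked_bytes(const struct notify_msg *m)
{
    const unsigned char *p = (const unsigned char *)m;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*m); i++)
        n += (p[i] == STALE);
    return n;
}

int main(void)
{
    printf("before fix: %zu stale bytes\n", leaked_bytes(build(0, 1, 1234)));
    printf("after fix:  %zu stale bytes\n", leaked_bytes(build(1, 1, 1234)));
    return 0;
}
```

Zeroing the whole object before filling it also covers members added to the struct later, which per-field initialization does not.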

Also the following non-security bugs have been fixed:

  • ACPI / APEI: Force fatal AER severity when component has been reset (bnc#828886 bnc#824568).
  • PCI/AER: Move AER severity defines to aer.h (bnc#828886 bnc#824568).
  • PCI/AER: Set dev->__aer_firmware_first only for matching devices (bnc#828886 bnc#824568).
  • PCI/AER: Factor out HEST device type matching (bnc#828886 bnc#824568).
  • PCI/AER: Do not parse HEST table for non-PCIe devices (bnc#828886 bnc#824568).
  • PCI/AER: Reset link for devices below Root Port or Downstream Port (bnc#828886 bnc#824568).
  • zfcp: fix lock imbalance by reworking request queue locking (bnc#835175, LTC#96825).
  • qeth: Fix crash on initial MTU size change (bnc#835175, LTC#96809).
  • qeth: change default standard blkt settings for OSA Express (bnc#835175, LTC#96808).
  • x86: Add workaround to NMI iret woes (bnc#831949).
  • x86: Do not schedule while still in NMI context (bnc#831949).
  • drm/i915: no longer call drm_helper_resume_force_mode (bnc#831424,bnc#800875).
  • bnx2x: protect different statistics flows (bnc#814336).
  • bnx2x: Avoid sending multiple statistics queries (bnc#814336).
  • ALSA: hda - Fix unbalanced runtime pm refount (bnc#834742).
  • xhci: directly calling _PS3 on suspend (bnc#833148).
  • futex: Take hugepages into account when generating futex_key.
  • e1000e: workaround DMA unit hang on I218 (bnc#834647).
  • e1000e: unexpected "Reset adapter" message when cable pulled (bnc#834647).
  • e1000e: 82577: workaround for link drop issue (bnc#834647).
  • e1000e: helper functions for accessing EMI registers (bnc#834647).
  • Drivers: hv: util: Fix a bug in version negotiation code for util services (bnc#828714).
  • printk: Add NMI ringbuffer (bnc#831949).
  • printk: extract ringbuffer handling from vprintk (bnc#831949).
  • printk: NMI safe printk (bnc#831949).
  • printk: Make NMI ringbuffer size independent on log_buf_len (bnc#831949).
  • printk: Do not call console_unlock from nmi context (bnc#831949).
  • printk: Do not use printk_cpu from finish_printk (bnc#831949).
  • zfcp: fix schedule-inside-lock in scsi_device list loops (bnc#833073, LTC#94937).
  • uvc: increase number of buffers (bnc#822164, bnc#805804).
  • drm/i915: Adding more reserved PCI IDs for Haswell (bnc#834116).
  • Refresh patches.xen/xen-netback-generalize (bnc#827378).
  • Update Xen patches to 3.0.87.
  • mlx4_en: Adding 40gb speed report for ethtool (bnc#831410).
  • drm/i915: Retry DP aux_ch communications with a different clock after failure (bnc#831422).
  • drm/i915: split aux_clock_divider logic in a separated function for reuse (bnc#831422).
  • drm/i915: dp: increase probe retries (bnc#831422).
  • drm/i915: Only clear write-domains after a successful wait-seqno (bnc#831422).
  • drm/i915: Fix write-read race with multiple rings (bnc#831422).
  • xhci: Add xhci_disable_ports boot option (bnc#822164).
  • xhci: set device to D3Cold on shutdown (bnc#833097).
  • reiserfs: Fixed double unlock in reiserfs_setattr failure path.
  • reiserfs: locking, release lock around quota operations (bnc#815320).
  • reiserfs: locking, push write lock out of xattr code (bnc#815320).
  • reiserfs: locking, handle nested locks properly (bnc#815320).
  • reiserfs: do not lock journal_init() (bnc#815320).
  • reiserfs: delay reiserfs lock until journal initialization (bnc#815320).
  • NFS: support "nosharetransport" option (bnc#807502, bnc#828192, FATE#315593).
  • HID: hyperv: convert alloc+memcpy to memdup.
  • Drivers: hv: vmbus: Implement multi-channel support (fate#316098).
  • Drivers: hv: Add the GUID fot synthetic fibre channel device (fate#316098).
  • tools: hv: Check return value of setsockopt call.
  • tools: hv: Check return value of poll call.
  • tools: hv: Check retrun value of strchr call.
  • tools: hv: Fix file descriptor leaks.
  • tools: hv: Improve error logging in KVP daemon.
  • drivers: hv: switch to use mb() instead of smp_mb().
  • drivers: hv: check interrupt mask before read_index.
  • drivers: hv: allocate synic structures before hv_synic_init().
  • storvsc: Increase the value of scsi timeout for storvsc devices (fate#316098).
  • storvsc: Update the storage protocol to win8 level (fate#316098).
  • storvsc: Implement multi-channel support (fate#316098).
  • storvsc: Support FC devices (fate#316098).
  • storvsc: Increase the value of STORVSC_MAX_IO_REQUESTS (fate#316098).
  • hyperv: Fix the NETIF_F_SG flag setting in netvsc.
  • Drivers: hv: vmbus: incorrect device name is printed when child device is unregistered.
  • Tools: hv: KVP: Fix a bug in IPV6 subnet enumeration (bnc#828714).
  • ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size (bnc#831055, CVE-2013-4163).
  • dm mpath: add retain_attached_hw_handler feature (bnc#760407).
  • scsi_dh: add scsi_dh_attached_handler_name (bnc#760407).
  • af_key: fix info leaks in notify messages (bnc#827749 CVE-2013-2234).
  • af_key: initialize satype in key_notify_policy_flush() (bnc#828119 CVE-2013-2237).
  • ipv6: call udp_push_pending_frames when uncorking a socket with (bnc#831058, CVE-2013-4162).
  • tg3: fix length overflow in VPD firmware parsing (bnc#813733 CVE-2013-1929).
  • xfs: fix _xfs_buf_find oops on blocks beyond the filesystem end (CVE-2013-1819 bnc#807471).
  • ipv6: ip6_sk_dst_check() must not assume ipv6 dst (bnc#827750, CVE-2013-2232).
  • dasd: fix hanging devices after path events (bnc#831623, LTC#96336).
  • kernel: z90crypt module load crash (bnc#831623, LTC#96214).
  • ata: Fix DVD not dectected at some platform with Wellsburg PCH (bnc#822225).
  • drm/i915: edp: add standard modes (bnc#832318).
  • Do not switch camera on yet more HP machines (bnc#822164).
  • Do not switch camera on HP EB 820 G1 (bnc#822164).
  • xhci: Avoid NULL pointer deref when host dies (bnc#827271).
  • bonding: disallow change of MAC if fail_over_mac enabled (bnc#827376).
  • bonding: propagate unicast lists down to slaves (bnc#773255 bnc#827372).
  • net/bonding: emit address change event also in bond_release (bnc#773255 bnc#827372).
  • bonding: emit event when bonding changes MAC (bnc#773255 bnc#827372).
  • usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0 (bnc#797909).
  • xhci: fix null pointer dereference on ring_doorbell_for_active_rings (bnc#827271).
  • updated reference for security issue fixed inside (CVE-2013-3301 bnc#815256)
  • qla2xxx: Clear the MBX_INTR_WAIT flag when the mailbox time-out happens (bnc#830478).
  • drm/i915: initialize gt_lock early with other spin locks (bnc#801341).
  • drm/i915: fix up gt init sequence fallout (bnc#801341).
  • timer_list: Correct the iterator for timer_list (bnc#818047).
  • firmware: do not spew errors in normal boot (bnc#831438, fate#314574).
  • ALSA: virtuoso: Xonar DSX support (FATE#316016).
  • SUNRPC: Ensure we release the socket write lock if the rpc_task exits early (bnc#830901).
  • ext4: Re-add config option Building ext4 as the ext4-writeable KMP uses CONFIG_EXT4_FS_RW=y to denote that read-write module should be enabled. This update just defaults allow_rw to true if it is set.
  • e1000: fix vlan processing regression (bnc#830766).
  • ext4: force read-only unless rw=1 module option is used (fate#314864).
  • dm mpath: fix ioctl deadlock when no paths (bnc#808940).
  • HID: fix unused rsize usage (bnc#783475).
  • add reference for b43 format string flaw (bnc#822579 CVE-2013-2852)
  • HID: fix data access in implement() (bnc#783475).
  • xfs: fix deadlock in xfs_rtfree_extent with kernel v3.x (bnc#829622).
  • kernel: sclp console hangs (bnc#830346, LTC#95711).
  • Refresh patches.fixes/rtc-add-an-alarm-disable-quirk.patch.
  • Delete patches.drm/1209-nvc0-fb-shut-up-pmfb-interrupt-after-the-first-occurrence. It was removed from series.conf in 063ed686e5a3cda01a7ddbc49db1499da917fef5 but the file was not deleted.
  • Drivers: hv: balloon: Do not post pressure status if interrupted (bnc#829539).
  • Drivers: hv: balloon: Fix a bug in the hot-add code (bnc#829539).
  • drm/i915: Fix incoherence with fence updates on Sandybridge+ (bnc#809463).
  • drm/i915: merge {i965, sandybridge}_write_fence_reg() (bnc#809463).
  • Refresh patches.fixes/rtc-add-an-alarm-disable-quirk.patch.
  • r8169: allow multicast packets on sub-8168f chipset (bnc#805371).
  • r8169: support new chips of RTL8111F (bnc#805371).
  • r8169: define the early size for 8111evl (bnc#805371).
  • r8169: fix the reset setting for 8111evl (bnc#805371).
  • r8169: add MODULE_FIRMWARE for the firmware of 8111evl (bnc#805371).
  • r8169: fix sticky accepts packet bits in RxConfig (bnc#805371).
  • r8169: adjust the RxConfig settings (bnc#805371).
  • r8169: support RTL8111E-VL (bnc#805371).
  • r8169: add ERI functions (bnc#805371).
  • r8169: modify the flow of the hw reset (bnc#805371).
  • r8169: adjust some registers (bnc#805371).
  • r8169: check firmware content sooner (bnc#805371).
  • r8169: support new firmware format (bnc#805371).
  • r8169: explicit firmware format check (bnc#805371).
  • r8169: move the firmware down into the device private data (bnc#805371).
  • patches.fixes/mm-link_mem_sections-touch-nmi-watchdog.patch: mm: link_mem_sections make sure nmi watchdog does not trigger while linking memory sections (bnc#820434).
  • drm/i915: fix long-standing SNB regression in power consumption after resume v2 (bnc#801341).
  • RTC: Add an alarm disable quirk (bnc#805740).
  • drm/i915: Fix bogus hotplug warnings at resume (bnc#828087).
  • drm/i915: Serialize all register access (bnc#809463,bnc#812274,bnc#822878,bnc#828914).
  • drm/i915: Resurrect ring kicking for semaphores, selectively (bnc#828087).
  • drm/i915: use lower aux clock divider on non-ULT HSW (bnc#800875).
  • drm/i915: preserve the PBC bits of TRANS_CHICKEN2 (bnc#828087).
  • drm/i915: set CPT FDI RX polarity bits based on VBT (bnc#828087).
  • drm/i915: hsw: fix link training for eDP on port-A (bnc#800875).
  • patches.arch/s390-66-02-smp-ipi.patch: kernel: lost IPIs on CPU hotplug (bnc#825048, LTC#94784).
  • patches.fixes/iwlwifi-use-correct-supported-firmware-for-6035-and-.patch: iwlwifi: use correct supported firmware for 6035 and 6000g2 (bnc#825887).
  • patches.fixes/watchdog-update-watchdog_thresh-atomically.patch: watchdog: Update watchdog_thresh atomically (bnc#829357).
  • patches.fixes/watchdog-update-watchdog_tresh-properly.patch: watchdog: update watchdog_tresh properly (bnc#829357).
  • patches.fixes/watchdog-make-disable-enable-hotplug-and-preempt-save.patch: watchdog-make-disable-enable-hotplug-and-preempt-save.patch (bnc#829357).
  • kabi/severities: Ignore changes in drivers/hv
  • patches.drivers/lpfc-return-correct-error-code-on-bsg_timeout.patch: lpfc: Return correct error code on bsg_timeout (bnc#816043).
  • patches.fixes/dm-drop-table-reference-on-ioctl-retry.patch: dm-multipath: Drop table when retrying ioctl (bnc#808940).
  • scsi: Do not retry invalid function error (bnc#809122).
  • patches.suse/scsi-do-not-retry-invalid-function-error.patch: scsi: Do not retry invalid function error (bnc#809122).
  • scsi: Always retry internal target error (bnc#745640, bnc#825227).
  • patches.suse/scsi-always-retry-internal-target-error.patch: scsi: Always retry internal target error (bnc#745640, bnc#825227).
  • patches.drivers/drm-edid-Don-t-print-messages-regarding-stereo-or-csync-by-default.patch: Refresh: add upstream commit ID.
  • patches.suse/acpiphp-match-to-Bochs-dmi-data.patch: Refresh. (bnc#824915).
  • Refresh patches.suse/acpiphp-match-to-Bochs-dmi-data.patch (bnc#824915).
  • Update kabi files.
  • ACPI:remove panic in case hardware has changed after S4 (bnc#829001).
  • ibmvfc: Driver version 1.0.1 (bnc#825142).
  • ibmvfc: Fix for offlining devices during error recovery (bnc#825142).
  • ibmvfc: Properly set cancel flags when cancelling abort (bnc#825142).
  • ibmvfc: Send cancel when link is down (bnc#825142).
  • ibmvfc: Support FAST_IO_FAIL in EH handlers (bnc#825142).
  • ibmvfc: Suppress ABTS if target gone (bnc#825142).
  • fs/dcache.c: add cond_resched() to shrink_dcache_parent() (bnc#829082).
  • drivers/cdrom/cdrom.c: use kzalloc() for failing hardware (bnc#824295, CVE-2013-2164).
  • kmsg_dump: do not run on non-error paths by default (bnc#820172).
  • supported.conf: mark tcm_qla2xxx as supported
  • mm: honor min_free_kbytes set by user (bnc#826960).
  • Drivers: hv: util: Fix a bug in version negotiation code for util services (bnc#828714).
  • hyperv: Fix a kernel warning from netvsc_linkstatus_callback() (bnc#828574).
  • RT: Fix up hardening patch to not gripe when avg > available, which lockless access makes possible and happens in -rt kernels running a cpubound ltp realtime testcase. Just keep the output sane in that case.
  • kabi/severities: Add exception for aer_recover_queue() There should not be any user besides ghes.ko.
  • Fix rpm changelog
  • PCI / PM: restore the original behavior of pci_set_power_state() (bnc#827930).
  • fanotify: info leak in copy_event_to_user() (CVE-2013-2148 bnc#823517).
  • usb: xhci: check usb2 port capabilities before adding hw link PM support (bnc#828265).
  • aerdrv: Move cper_print_aer() call out of interrupt context (bnc#822052, bnc#824568).
  • PCI/AER: pci_get_domain_bus_and_slot() call missing required pci_dev_put() (bnc#822052, bnc#824568).
  • patches.fixes/block-do-not-pass-disk-names-as-format-strings.patch: block: do not pass disk names as format strings (bnc#822575 CVE-2013-2851).
  • powerpc: POWER8 cputable entries (bnc#824256).
  • libceph: Fix NULL pointer dereference in auth client code. (CVE-2013-1059, bnc#826350)
  • md/raid10: Fix two bug affecting RAID10 reshape.
  • Allow NFSv4 to run execute-only files (bnc#765523).
  • fs/ocfs2/namei.c: remove unecessary ERROR when removing non-empty directory (bnc#819363).
  • block: Reserve only one queue tag for sync IO if only 3 tags are available (bnc#806396).
  • btrfs: merge contigous regions when loading free space cache
  • btrfs: fix how we deal with the orphan block rsv.
  • btrfs: fix wrong check during log recovery.
  • btrfs: change how we indicate we are adding csums.