Security update for Linux kernel (important)

The SUSE Linux Enterprise Server 11 SP2 LTSS kernel received a roll-up
update to fix security and non-security issues.

The following security bugs have been fixed:

   *

     CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation

Offload (UFO) is enabled, does not properly initialize certain data
structures, which allows local users to cause a denial of service (memory
corruption and system crash) or possibly gain privileges via a crafted
application that uses the UDP_CORK option in a setsockopt system call and
sends both short and long packets, related to the ip_ufo_append_data
function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in
net/ipv6/ip6_output.c. (bnc#847672)

   *

     CVE-2013-4579: The ath9k_htc_set_bssid_mask function in

drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through
3.12 uses a BSSID masking approach to determine the set of MAC addresses
on which a Wi-Fi device is listening, which allows remote attackers to
discover the original MAC address after spoofing by sending a series of
packets to MAC addresses with certain bit manipulations. (bnc#851426)

   *

     CVE-2013-6382: Multiple buffer underflows in the XFS implementation

in the Linux kernel through 3.12.1 allow local users to cause a denial of
service (memory corruption) or possibly have unspecified
other impact by leveraging the CAP_SYS_ADMIN capability for a (1)
XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call
with a crafted length value, related to the xfs_attrlist_by_handle
function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle
function in fs/xfs/xfs_ioctl32.c. (bnc#852553)

   *

     CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors

does not properly handle the interaction between locked instructions and
write-combined memory types, which allows local users to cause a denial of
service (system hang) via a crafted application, aka the errata 793 issue.
(bnc#852967)

   *

     CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length

values before ensuring that associated data structures have been
initialized, which allows local users to obtain sensitive information from
kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,
net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)

   *

     CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in

the Linux kernel before 3.12.4 updates a certain length value before
ensuring that an associated data structure has been initialized, which
allows local users to obtain sensitive information from kernel stack
memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
(bnc#857643)

   *

     CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in

the Linux kernel before 3.12.4 updates a certain length value before
ensuring that an associated data structure has been initialized, which
allows local users to obtain sensitive information from kernel stack
memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
(bnc#857643)

   *

     CVE-2013-7339: The rds_ib_laddr_check function in net/rds/ib.c in

the Linux kernel before 3.12.8 allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a bind system call for an RDS socket on a
system that lacks RDS transports. (bnc#869563)

   *

     CVE-2014-0069: The cifs_iovec_write function in fs/cifs/file.c in

the Linux kernel through 3.13.5 does not properly handle uncached write
operations that copy fewer than the requested number of bytes, which
allows local users to obtain sensitive information from kernel memory,
cause a denial of service (memory corruption and system crash), or
possibly gain privileges via a writev system call with a crafted pointer.
(bnc#864025)

   *

     CVE-2014-0101: The sctp_sf_do_5_1D_ce function in

net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not
validate certain auth_enable and auth_capable fields before making an
sctp_sf_authenticate call, which allows remote attackers to cause a denial
of service (NULL pointer dereference and system crash) via an SCTP
handshake with a modified INIT chunk and a crafted AUTH chunk before a
COOKIE_ECHO chunk. (bnc#866102)

   *

     CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in

the Linux kernel through 3.14.3 does not properly manage tty driver access
in the "LECHO & !OPOST" case, which allows local users to cause a denial
of service (memory corruption and system crash) or gain privileges by
triggering a race condition involving read and write operations with long
strings. (bnc#875690)

   *

     CVE-2014-1444: The fst_get_iface function in

drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not
properly initialize a certain data structure, which allows local users to
obtain sensitive information from kernel memory by leveraging the
CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869)

   *

     CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c

in the Linux kernel before 3.11.7 does not properly initialize a certain
data structure, which allows local users to obtain sensitive information
from kernel memory via an ioctl call. (bnc#858870)

   *

     CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c

in the Linux kernel before 3.12.8 does not initialize a certain structure
member, which allows local users to obtain sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability for an
SIOCYAMGCFG ioctl call. (bnc#858872)

   *

     CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c

in the Linux kernel through 3.14.3 does not properly handle error
conditions during processing of an FDRAWCMD ioctl call, which allows local
users to trigger kfree operations and gain privileges by leveraging write
access to a /dev/fd device. (bnc#875798)

   *

     CVE-2014-1738: The raw_cmd_copyout function in

drivers/block/floppy.c in the Linux kernel through 3.14.3 does not
properly restrict access to certain pointers during processing of an
FDRAWCMD ioctl call, which allows local users to obtain sensitive
information from kernel heap memory by leveraging write access to a
/dev/fd device. (bnc#875798)

   *

     CVE-2014-1874: The security_context_to_sid_core function in

security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows
local users to cause a denial of service (system crash) by leveraging the
CAP_MAC_ADMIN capability to set a zero-length security context.
(bnc#863335)

   *

     CVE-2014-2039: arch/s390/kernel/head64.S in the Linux kernel before

3.13.5 on the s390 platform does not properly handle attempted use of the
linkage stack, which allows local users to cause a denial of service
(system crash) by executing a crafted instruction. (bnc#865307)

   *

     CVE-2014-2523: net/netfilter/nf_conntrack_proto_dccp.c in the Linux

kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows
remote attackers to cause a denial of service (system crash)
or possibly execute arbitrary code via a DCCP packet that triggers a
call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.
(bnc#868653)

   *

     CVE-2014-2678: The rds_iw_laddr_check function in net/rds/iw.c in

the Linux kernel through 3.14 allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a bind system call for an RDS socket on a
system that lacks RDS transports. (bnc#871561)

   *

     CVE-2014-3122: The try_to_unmap_cluster function in mm/rmap.c in the

Linux kernel before 3.14.3 does not properly consider which pages must be
locked, which allows local users to cause a denial of service (system
crash) by triggering a memory-usage pattern that requires removal of
page-table mappings. (bnc#876102)

Also the following non-security bugs have been fixed:

   * kabi: protect symbols modified by bnc#864833 fix (bnc#864833).
   * arch: Fix incorrect config symbol in #ifdef (bnc#844513).
   * ACPICA: Add a lock to the internal object reference count mechanism
     (bnc#857499).
   * x86/PCI: reduce severity of host bridge window conflict warnings
     (bnc#858534).
   * ia64: Change default PSR.ac from "1" to "0" (Fix erratum #237)
     (bnc#874108).
   * timer: Prevent overflow in apply_slack (bnc#873061).
   * xen: Close a race condition in Xen nested spinlock (bnc#858280,
     bnc#819351).
   * storvsc: NULL pointer dereference fix (bnc#865330).
   * sched: Make scale_rt_power() deal with backward clocks (bnc#865310).
   * sched: Use CPUPRI_NR_PRIORITIES instead of MAX_RT_PRIO in cpupri
     check (bnc#871861).
   *

     sched: update_rq_clock() must skip ONE update (bnc#868528,

bnc#869033).

   *

     md: Change handling of save_raid_disk and metadata update during

recovery (bnc#849364).

   * dm-mpath: Fixup race condition in activate_path() (bnc#708296).
   * dm-mpath: do not detach stale hardware handler (bnc#708296).
   * dm-multipath: Improve logging (bnc#708296).
   * scsi_dh_alua: Simplify state machine (bnc#854025).
   * scsi_dh_alua: endless STPG retries for a failed LUN (bnc#865342).
   *

     scsi_dh_alua: fixup RTPG retry delay miscalculation (bnc#854025).

   *

     vfs,proc: guarantee unique inodes in /proc.

   * FS-Cache: Handle removal of unadded object to the
     fscache_object_list rb tree (bnc#855885).
   * NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure
     (bnc#853455).
   * NFS: Avoid occasional hang with NFS (bnc#852488).
   * NFS: do not try to use lock state when we hold a delegation
     (bnc#831029) - add to series.conf
   * btrfs: do not loop on large offsets in readdir (bnc#863300).
   * btrfs: restrict snapshotting to own subvolumes (bnc#736697).
   * btrfs: fix extent boundary check in bio_readpage_error.
   *

     btrfs: fix extent_map block_len after merging.

   *

     net: add missing bh_unlock_sock() calls (bnc#862429).

   * inet: Pass inetpeer root into inet_getpeer*() interfaces
     (bnc#864833).
   * inet: Hide route peer accesses behind helpers (bnc#864833).
   * inet: Avoid potential NULL peer dereference (bnc#864833).
   * inet: handle rt{,6}_bind_peer() failure correctly (bnc#870801).
   * inetpeer: prevent unlinking from unused list twice (bnc#867953).
   * net/mlx4_en: Fix pages never dma unmapped on rx (bnc#858604).
   * tcp: clear xmit timers in tcp_v4_syn_recv_sock() (bnc#862429).
   * ipv6: fix race condition regarding dst->expires and dst->from
     (bnc#843185).
   *

     ipv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support,

warn about missing CREATE flag (bnc#865783).

   *

     mpt2sas: Do not check DIF for unwritten blocks (bnc#746500,

bnc#836347).

   * mpt2sas: Add a module parameter that permits overriding protection
     capabilities (bnc#746500).
   *

     mpt2sas: Return the correct sense key for DIF errors (bnc#746500).

   *

     s390/cio: Delay scan for newly available I/O devices (bnc#855347,

bnc#814788, bnc#856083).

   * s390/cio: More efficient handling of CHPID availability events
     (bnc#855347, bnc#814788, bnc#856083).
   * s390/cio: Relax subchannel scan loop (bnc#855347, bnc#814788,
     bnc#856083).
   *

     s390/css: stop stsch loop after cc 3 (bnc#855347, bnc#814788,

bnc#856083).

   *

     supported.conf: Driver corgi_bl was renamed to generic_bl in kernel

2.6.29.

   * supported.conf: Add drivers/of/of_mdio That was a missing dependency
     for mdio-gpio on ppc64.
   * supported.conf: Fix mdio-gpio module name Module mdio-ofgpio was
     renamed to mdio-gpio in kernel 2.6.29, this should have been
     reflected in supported.conf.
   * supported.conf: Adjust radio-si470x module names
   * Update config files: re-enable twofish crypto support. (bnc#871325)