SUSE-SU-2017:1247-1
May 11, 2017 - 9:09 p.m.

Security update for the Linux Kernel (important)

2017-05-11 21:09:07
lists.opensuse.org

EPSS: 0.047 (percentile 92.7%)

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various
security fixes and bug fixes.

The following security bugs were fixed:

  • CVE-2015-1350: The VFS subsystem in the Linux kernel provided an
    incomplete set of requirements for setattr operations that
    underspecifies removing extended privilege attributes, which allowed
    local users to cause a denial of service (capability stripping) via a
    failed invocation of a system call, as demonstrated by using chown to
    remove a capability from the ping or Wireshark dumpcap program
    (bnc#914939).
  • CVE-2016-2117: The atl2_probe function in
    drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly
    enabled scatter/gather I/O, which allowed remote attackers to obtain
    sensitive information from kernel memory by reading packet data
    (bnc#968697).
  • CVE-2016-3070: The trace_writeback_dirty_page implementation in
    include/trace/events/writeback.h in the Linux kernel improperly
    interacted with mm/migrate.c, which allowed local users to cause a
    denial of service (NULL pointer dereference and system crash) or
    possibly have unspecified other impact by triggering a certain page move
    (bnc#979215).
  • CVE-2016-5243: The tipc_nl_compat_link_dump function in
    net/tipc/netlink_compat.c in the Linux kernel did not properly copy a
    certain string, which allowed local users to obtain sensitive
    information from kernel stack memory by reading a Netlink message
    (bnc#983212).
  • CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg
    function in net/socket.c in the Linux kernel allowed remote attackers to
    execute arbitrary code via vectors involving a recvmmsg system call that
    is mishandled during error processing (bnc#1003077).
  • CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanages the #BP
    and #OF exceptions, which allowed guest OS users to cause a denial of
    service (guest OS crash) by declining to handle an exception thrown by
    an L2 guest (bnc#1015703).
  • CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel
    did not properly restrict execute access, which made it easier for local
    users to bypass intended SELinux W^X policy restrictions, and
    consequently gain privileges, via an io_setup system call (bnc#1023992).
  • CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in
    the Linux kernel allowed local users to gain privileges or cause a
    denial of service (use-after-free) by making multiple bind system calls
    without properly ascertaining whether a socket has the SOCK_ZAPPED
    status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c
    (bnc#1028415).
  • CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the
    Linux kernel did not properly validate meta block groups, which allowed
    physically proximate attackers to cause a denial of service
    (out-of-bounds read and system crash) via a crafted ext4 image
    (bnc#1023377).
  • CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux
    kernel is too late in obtaining a certain lock and consequently cannot
    ensure that disconnect function calls are safe, which allowed local
    users to cause a denial of service (panic) by leveraging access to the
    protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003).
  • CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel
    did not restrict the address calculated by a certain rounding operation,
    which allowed local users to map page zero, and consequently bypass a
    protection mechanism that exists for the mmap system call, by making
    crafted shmget and shmat system calls in a privileged context
    (bnc#1026914).
  • CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the
    Linux kernel allowed remote attackers to have unspecified impact via
    vectors involving GRE flags in an IPv6 packet, which trigger an
    out-of-bounds access (bnc#1023762).
  • CVE-2017-5970: The ipv4_pktinfo_prepare function in
    net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a
    denial of service (system crash) via (1) an application that made
    crafted system calls or possibly (2) IPv4 traffic with invalid IP
    options (bnc#1024938).
  • CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in
    net/sctp/socket.c in the Linux kernel allowed local users to cause a
    denial of service (assertion failure and panic) via a multithreaded
    application that peels off an association in a certain buffer-full state
    (bnc#1025235).
  • CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c
    in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures
    in the LISTEN state, which allowed local users to obtain root privileges
    or cause a denial of service (double free) via an application that made
    an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024).
  • CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the
    Linux kernel allowed remote attackers to cause a denial of service
    (infinite loop and soft lockup) via vectors involving a TCP packet with
    the URG flag (bnc#1026722).
  • CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that
    a certain destructor exists in required circumstances, which allowed
    local users to cause a denial of service (BUG_ON) or possibly have
    unspecified other impact via crafted system calls (bnc#1027190).
  • CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux
    kernel allowed local users to cause a denial of service (use-after-free)
    or possibly have unspecified other impact via a multithreaded
    application that made PACKET_FANOUT setsockopt system calls
    (bnc#1027189).
  • CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the
    Linux kernel improperly managed lock dropping, which allowed local users
    to cause a denial of service (deadlock) via crafted operations on IrDA
    devices (bnc#1027178).
  • CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly
    restrict association peel-off operations during certain wait states,
    which allowed local users to cause a denial of service (invalid unlock
    and double free) via a multithreaded application. NOTE: this
    vulnerability exists because of an incorrect fix for CVE-2017-5986
    (bnc#1027066).
  • CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux
    kernel allowed local users to cause a denial of service (stack-based
    buffer overflow) or possibly have unspecified other impact via a large
    command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds
    write access in the sg_write function (bnc#1030213).
  • CVE-2017-7261: The vmw_surface_define_ioctl function in
    drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not
    check for a zero value of certain levels data, which allowed local users
    to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and
    possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device
    (bnc#1031052).
  • CVE-2017-7294: The vmw_surface_define_ioctl function in
    drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not
    validate addition of certain levels data, which allowed local users to
    trigger an integer overflow and out-of-bounds write, and cause a denial
    of service (system hang or crash) or possibly gain privileges, via a
    crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).
  • CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in
    the Linux kernel did not properly validate certain block-size data,
    which allowed local users to cause a denial of service (overflow) or
    possibly have unspecified other impact via crafted system calls
    (bnc#1031579).
  • CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind
    compat syscalls in mm/mempolicy.c in the Linux kernel allowed local
    users to obtain sensitive information from uninitialized stack data by
    triggering failure of a certain bitmap operation (bnc#1033336).
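
The two vmw_surface_define_ioctl entries above (CVE-2017-7261 and CVE-2017-7294) describe a missing zero check and an unvalidated addition of caller-supplied level counts. The following user-space C model is an added illustration of that bug class beside its hardened form; it is not the kernel's code or the SUSE patch, and the function names, the six-counter layout and the cap of 24 are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_FACES 6        /* assumed number of per-face level counters */
#define MODEL_MAX_LEVELS 24u /* assumed per-counter cap (hypothetical value) */

/* "Before" pattern: caller-supplied counters are summed with no validation.
 * The 32-bit sum can wrap, so a buffer sized from it may be far smaller than
 * the number of entries later written, or have zero size. */
uint32_t total_levels_unchecked(const uint32_t levels[MODEL_FACES])
{
    uint32_t total = 0;
    for (size_t i = 0; i < MODEL_FACES; i++)
        total += levels[i];          /* wraps modulo 2^32 */
    return total;
}

/* Hardened pattern: bound every counter before adding it, then reject an
 * empty request. Returns 0 and stores the total, or -EINVAL on rejection. */
int total_levels_checked(const uint32_t levels[MODEL_FACES], uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < MODEL_FACES; i++) {
        if (levels[i] > MODEL_MAX_LEVELS)
            return -EINVAL;          /* oversized counter: refuse early */
        total += levels[i];          /* at most 6 * 24 = 144, cannot wrap */
    }
    if (total == 0)
        return -EINVAL;              /* would request a zero-size buffer */
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real request. */
    const uint32_t wrap[MODEL_FACES] = { 0xFFFFFFFFu, 2u, 0, 0, 0, 0 };
    const uint32_t zero[MODEL_FACES] = { 0 };
    const uint32_t good[MODEL_FACES] = { 3u, 3u, 3u, 3u, 3u, 3u };
    uint32_t n = 0;

    printf("unchecked(wrap) = %u\n", (unsigned)total_levels_unchecked(wrap));
    printf("checked(wrap)   = %d\n", total_levels_checked(wrap, &n));
    printf("checked(zero)   = %d\n", total_levels_checked(zero, &n));
    printf("checked(good)   = %d, total = %u\n",
           total_levels_checked(good, &n), (unsigned)n);
    return 0;
}
```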

The following non-security bugs were fixed:

  • ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).
  • hwrng: virtio - ensure reads happen after successful probe (bsc#954763
    bsc#1032344).
  • kgr/module: make a taint flag module-specific (fate#313296).
  • l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).
  • l2tp: fix lookup for sockets not bound to a device in l2tp_ip
    (bsc#1028415).
  • l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()
    (bsc#1028415).
  • l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
    (bsc#1028415).
  • l2tp: hold tunnel socket when handling control frames in l2tp_ip and
    l2tp_ip6 (bsc#1028415).
  • l2tp: lock socket before checking flags in connect() (bsc#1028415).
  • mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118).
  • module: move add_taint_module() to a header file (fate#313296).
  • netfilter: bridge: Fix the build when IPV6 is disabled (bsc#1027149).
  • nfs: flush out dirty data on file fput() (bsc#1021762).
  • powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).
  • powerpc: Reject binutils 2.24 when building little endian (boo#1028895).
  • revert "procfs: mark thread stack correctly in proc/<pid>/maps"
    (bnc#1030901).
  • taint/module: Clean up global and module taint flags handling
    (fate#313296).
  • usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).
  • xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).
  • xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).

References