SUSE-SU-2017:2525-1
Security update for the Linux Kernel (important)

Published: Sep 19, 2017, 15:07 (lists.opensuse.org)
EPSS: 0.025 (Low), 88.9th percentile

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various
security and bug fixes.

The following security bugs were fixed:

  • CVE-2016-5243: The tipc_nl_compat_link_dump function in
    net/tipc/netlink_compat.c in the Linux kernel did not properly copy a
    certain string, which allowed local users to obtain sensitive
    information from kernel stack memory by reading a Netlink message
    (bnc#983212)
  • CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in
    the Linux kernel allowed local users to gain privileges or cause a
    denial of service (use-after-free) by making multiple bind system calls
    without properly ascertaining whether a socket has the SOCK_ZAPPED
    status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c
    (bnc#1028415)
  • CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local
    users to gain privileges or cause a denial of service (NULL pointer
    dereference and system crash) via vectors involving a NULL value for a
    certain match field, related to the keyring_search_iterator function in
    keyring.c (bsc#1030593).
  • CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux
    kernel was too late in obtaining a certain lock and consequently could
    not ensure that disconnect function calls are safe, which allowed local
    users to cause a denial of service (panic) by leveraging access to the
    protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003)
  • CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel
    did not restrict the address calculated by a certain rounding operation,
    which allowed local users to map page zero, and consequently bypass a
    protection mechanism that exists for the mmap system call, by making
    crafted shmget and shmat system calls in a privileged context
    (bnc#1026914)
  • CVE-2017-5970: The ipv4_pktinfo_prepare function in
    net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a
    denial of service (system crash) via (1) an application that made
    crafted system calls or possibly (2) IPv4 traffic with invalid IP
    options (bsc#1024938)
  • CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in
    net/sctp/socket.c in the Linux kernel allowed local users to cause a
    denial of service (assertion failure and panic) via a multithreaded
    application that peels off an association in a certain buffer-full state
    (bsc#1025235)
  • CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c
    in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures
    in the LISTEN state, which allowed local users to obtain root privileges
    or cause a denial of service (double free) via an application that made
    an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024)
  • CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the
    Linux kernel allowed remote attackers to cause a denial of service
    (infinite loop and soft lockup) via vectors involving a TCP packet with
    the URG flag (bnc#1026722)
  • CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the
    Linux kernel improperly managed lock dropping, which allowed local users
    to cause a denial of service (deadlock) via crafted operations on IrDA
    devices (bnc#1027178)
  • CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly
    restrict association peel-off operations during certain wait states,
    which allowed local users to cause a denial of service (invalid unlock
    and double free) via a multithreaded application. NOTE: this
    vulnerability exists because of an incorrect fix for CVE-2017-5986
    (bnc#1027066)
  • CVE-2017-6951: The keyring_search_aux function in
    security/keys/keyring.c in the Linux kernel allowed local users to cause
    a denial of service (NULL pointer dereference and OOPS) via a
    request_key system call for the "dead" type (bsc#1029850).
  • CVE-2017-7184: The xfrm_replay_verify_len function in
    net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size
    data after an XFRM_MSG_NEWAE update, which allowed local users to obtain
    root privileges or cause a denial of service (heap-based out-of-bounds
    access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573)
  • CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux
    kernel allowed local users to cause a denial of service (stack-based
    buffer overflow) or possibly have unspecified other impact via a large
    command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds
    write access in the sg_write function (bnc#1030213)
  • CVE-2017-7261: The vmw_surface_define_ioctl function in
    drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not
    check for a zero value of certain levels data, which allowed local users
    to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and
    possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device
    (bnc#1031052)
  • CVE-2017-7294: The vmw_surface_define_ioctl function in
    drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not
    validate addition of certain levels data, which allowed local users to
    trigger an integer overflow and out-of-bounds write, and cause a denial
    of service (system hang or crash) or possibly gain privileges, via a
    crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440)
  • CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in
    the Linux kernel did not properly validate certain block-size data,
    which allowed local users to cause a denial of service (overflow) or
    possibly have unspecified other impact via crafted system calls
    (bnc#1031579)
  • CVE-2017-7482: Several missing length checks in the RxRPC Kerberos 5
    ticket decoding code allowed for an information leak or potentially code
    execution (bsc#1046107).
  • CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the
    Linux kernel mishandled reference counts, which allowed local users to
    cause a denial of service (use-after-free) or possibly have unspecified
    other impact via a failed SIOCGIFADDR ioctl call for an IPX interface
    (bsc#1038879).
  • CVE-2017-7533: Race condition in the fsnotify implementation in the
    Linux kernel allowed local users to gain privileges or cause a denial of
    service (memory corruption) via a crafted application that leverages
    simultaneous execution of the inotify_handle_event and vfs_rename
    functions (bnc#1049483, bnc#1050677).
  • CVE-2017-7542: The ip6_find_1stfragopt function in
    net/ipv6/output_core.c in the Linux kernel allowed local users to cause
    a denial of service (integer overflow and infinite loop) by leveraging
    the ability to open a raw socket (bnc#1049882).
  • CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind
    compat syscalls in mm/mempolicy.c in the Linux kernel allowed local
    users to obtain sensitive information from uninitialized stack data by
    triggering failure of a certain bitmap operation (bsc#1033336)
  • CVE-2017-8831: The saa7164_bus_get function in
    drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed
    local users to cause a denial of service (out-of-bounds array access) or
    possibly have unspecified other impact by changing a certain
    sequence-number value, aka a "double fetch" vulnerability. This requires
    a malicious PCI Card. (bnc#1037994).
  • CVE-2017-8890: The inet_csk_clone_lock function in
    net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to
    cause a denial of service (double free) or possibly have unspecified
    other impact by leveraging use of the accept system call (bsc#1038544).
  • CVE-2017-8924: The edge_bulk_in_callback function in
    drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to
    obtain sensitive information (in the dmesg ringbuffer and syslog) from
    uninitialized kernel memory by using a crafted USB device (posing as an
    io_ti USB serial device) to trigger an integer underflow (bnc#1037182).
  • CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c
    in the Linux kernel allowed local users to cause a denial of service
    (tty exhaustion) by leveraging reference count mishandling (bnc#1038981).
  • CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel
    did not consider that the nexthdr field may be associated with an
    invalid option, which allowed local users to cause a denial of service
    (out-of-bounds read and BUG) or possibly have unspecified other impact
    via crafted socket and send system calls (bnc#1039882).
  • CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c
    in the Linux kernel mishandled inheritance, which allowed local users to
    cause a denial of service or possibly have unspecified other impact via
    crafted system calls, a related issue to CVE-2017-8890 (bsc#1039883).
  • CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c
    in the Linux kernel mishandled inheritance, which allowed local users to
    cause a denial of service or possibly have unspecified other impact via
    crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885).
  • CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c
    in the Linux kernel mishandled inheritance, which allowed local users to
    cause a denial of service or possibly have unspecified other impact via
    crafted system calls, a related issue to CVE-2017-8890 (bsc#1040069).
  • CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c
    in the Linux kernel was too late in checking whether an overwrite of an
    skb data structure may occur, which allowed local users to cause a
    denial of service (system crash) via crafted system calls (bnc#1041431).
  • CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel
    allowed local users to gain privileges or cause a denial of service
    (list corruption or use-after-free) via simultaneous file-descriptor
    operations that leverage improper might_cancel queueing (bnc#1053152).
  • CVE-2017-11176: The mq_notify function in the Linux kernel did not set
    the sock pointer to NULL upon entry into the retry logic. During a
    user-space close of a Netlink socket, it allowed attackers to cause a
    denial of service (use-after-free) or possibly have unspecified other
    impact (bnc#1048275).
  • CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function
    in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users
    to gain privileges via a crafted ACPI table (bnc#1049603).
  • CVE-2017-12762: In drivers/isdn/i4l/isdn_net.c, a user-controlled
    buffer was copied into a local buffer of constant size using strcpy
    without a length check, which could cause a buffer overflow
    (bnc#1053148).
  • CVE-2017-14051: An integer overflow in the
    qla2x00_sysfs_write_optrom_ctl function in
    drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users
    to cause a denial of service (memory corruption and system crash) by
    leveraging root access (bnc#1056588).
  • CVE-2017-1000112: Fixed a race condition in net-packet code that could
    have been exploited by unprivileged users to gain root access.
    (bsc#1052311).
  • CVE-2017-1000363: Out-of-bounds write in drivers/char/lp.c. Due to a
    missing bounds check, and the fact that the parport_ptr integer is
    static, an adversary able to control the kernel command line on a
    "secure boot" system could have overflowed the parport_nr array
    (bnc#1039456).
  • CVE-2017-1000365: The Linux kernel imposes a size restriction on the
    argument and environment strings passed to exec (1/4 of
    RLIMIT_STACK, or of the default limit under RLIM_INFINITY), but did not
    take the argument and environment pointer arrays into account, which
    allowed attackers to bypass this limitation (bnc#1039354).
  • CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable
    to a data race in the ALSA /dev/snd/timer driver resulting in local
    users being able to read information belonging to other users, i.e.,
    uninitialized memory contents may be disclosed when a read and an ioctl
    happen at the same time (bnc#1044125).
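
The following C is an added example that is not part of this advisory or of the SUSE kernel sources. It models the shmat() address round-down behind CVE-2017-5669 above, with the pre-fix logic beside a hardened version, so the bypass (a crafted non-zero shmaddr below SHMLBA rounding to 0 and then being mapped MAP_FIXED at page zero) can be reasoned about without touching a live kernel. It assumes a page-sized SHMLBA of 4096 (SHMLBA_DEMO; the real value is architecture specific), and the resolver and helper names (resolve_shmaddr_vulnerable, resolve_shmaddr_hardened, maps_page_zero, resolve_or_err) are this example's own, not kernel identifiers.

```c
/* Added example: model of the shmat() address round-down behind
 * CVE-2017-5669, before and after hardening. Illustrative C, not the
 * SUSE kernel source. SHMLBA_DEMO (assumed 4096) stands in for the
 * architecture-specific SHMLBA; flags/errno conventions mirror the
 * shape of the kernel's do_shmat() address handling. */
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>   /* MAP_SHARED, MAP_FIXED */
#include <sys/shm.h>    /* SHM_RND, SHM_REMAP */

#define SHMLBA_DEMO 4096UL  /* assumption: page-sized SHMLBA (x86) */

/* What the caller's shmaddr/shmflg resolve to: the address handed to the
 * mmap path and the mmap flags used for it. */
struct shmat_addr {
    unsigned long addr;
    int flags;
};

/* Vulnerable resolution (pre-fix). A non-zero, misaligned shmaddr with
 * SHM_RND is rounded down to a SHMLBA multiple. If shmaddr < SHMLBA the
 * result is 0, yet the mapping is still requested with MAP_FIXED, i.e. at
 * page zero, sidestepping the nil-page protection mmap() callers get.
 * Returns 0 on success or a negative errno. */
int resolve_shmaddr_vulnerable(unsigned long shmaddr, int shmflg,
                               struct shmat_addr *out)
{
    unsigned long addr = shmaddr;

    if (addr) {
        if (addr & (SHMLBA_DEMO - 1)) {
            if (shmflg & SHM_RND)
                addr &= ~(SHMLBA_DEMO - 1);   /* may become 0 */
            else
                return -EINVAL;               /* misaligned, no SHM_RND */
        }
        out->flags = MAP_SHARED | MAP_FIXED;  /* fixed at addr, even if 0 */
    } else {
        if (shmflg & SHM_REMAP)
            return -EINVAL;                   /* remap needs an address */
        out->flags = MAP_SHARED;              /* kernel chooses the address */
    }
    out->addr = addr;
    return 0;
}

/* Hardened resolution (post-fix): round down only when the result is
 * guaranteed non-nil, so a MAP_FIXED mapping at address 0 cannot arise. */
int resolve_shmaddr_hardened(unsigned long shmaddr, int shmflg,
                             struct shmat_addr *out)
{
    unsigned long addr = shmaddr;

    if (addr) {
        if (addr & (SHMLBA_DEMO - 1)) {
            if ((shmflg & SHM_RND) && addr >= SHMLBA_DEMO)
                addr &= ~(SHMLBA_DEMO - 1);   /* result >= SHMLBA, never 0 */
            else
                return -EINVAL;               /* would hit page zero, or no SHM_RND */
        }
        out->flags = MAP_SHARED | MAP_FIXED;
    } else {
        if (shmflg & SHM_REMAP)
            return -EINVAL;
        out->flags = MAP_SHARED;
    }
    out->addr = addr;
    return 0;
}

/* 1 if the pair resolves to a fixed mapping at page zero, else 0. */
int maps_page_zero(int (*resolve)(unsigned long, int, struct shmat_addr *),
                   unsigned long shmaddr, int shmflg)
{
    struct shmat_addr r;
    if (resolve(shmaddr, shmflg, &r) != 0)
        return 0;
    return r.addr == 0 && (r.flags & MAP_FIXED) ? 1 : 0;
}

/* Resolved address on success, or the negative errno from the resolver. */
long resolve_or_err(int (*resolve)(unsigned long, int, struct shmat_addr *),
                    unsigned long shmaddr, int shmflg)
{
    struct shmat_addr r;
    int rc = resolve(shmaddr, shmflg, &r);
    return rc ? (long)rc : (long)r.addr;
}

int main(void)
{
    unsigned long probe = 1;    /* crafted shmaddr: non-zero but below SHMLBA */
    printf("shmaddr=%#lx with SHM_RND: vulnerable maps page zero? %d, hardened? %d\n",
           probe,
           maps_page_zero(resolve_shmaddr_vulnerable, probe, SHM_RND),
           maps_page_zero(resolve_shmaddr_hardened, probe, SHM_RND));
    return 0;
}
```

The check the fix adds is the `addr >= SHMLBA_DEMO` guard: a round-down that would produce 0 is refused with EINVAL instead of being passed on with MAP_FIXED. Aligned addresses and ordinary SHM_RND round-downs above SHMLBA behave exactly as before.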

The following non-security bugs were fixed:

  • acpi: Disable APEI error injection if securelevel is set (bsc#972891,
    bsc#1023051).
  • blkback/blktap: do not leak stack data via response ring (bsc#1042863
    XSA-216).
  • btrfs: cleanup code of btrfs_balance_delayed_items() (bsc#1034838).
  • btrfs: do not run delayed nodes again after all nodes flush
    (bsc#1034838).
  • btrfs: remove btrfs_end_transaction_dmeta() (bsc#1034838).
  • btrfs: remove residual code in delayed inode async helper (bsc#1034838).
  • btrfs: use flags instead of the bool variants in delayed node
    (bsc#1034838).
  • cifs: cifs_get_root shouldn’t use path with tree name, alternate fix
    (bsc#963655, bsc#979681, bsc#1027406).
  • dentry name snapshots (bsc#1049483).
  • firmware: fix directory creation rule matching with make 3.80
    (bsc#1012422).
  • firmware: fix directory creation rule matching with make 3.82
    (bsc#1012422).
  • Fix vmalloc_fault oops during lazy MMU updates (bsc#948562).
  • hv: do not lose pending heartbeat vmbus packets (bnc#1006919,
    bnc#1053760).
  • jbd: do not wait (forever) for stale tid caused by wraparound
    (bsc#1020229).
  • jbd: Fix oops in journal_remove_journal_head() (bsc#1017143).
  • kernel-binary.spec: Propagate MAKE_ARGS to %build (bsc#1012422)
  • keys: Disallow keyrings beginning with ‘.’ to be joined as session
    keyrings (bnc#1035576).
  • nfs: Avoid getting confused by confused server (bsc#1045416).
  • nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670).
  • nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670).
  • nfsd: do not risk using duplicate owner/file/delegation ids
    (bsc#1029212).
  • nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670).
  • nfs: Make nfs_readdir revalidate less often (bsc#1048232).
  • pciback: check PF instead of VF for PCI_COMMAND_MEMORY (bsc#957990).
  • pciback: only check PF if actually dealing with a VF (bsc#999245).
  • pciback: Save the number of MSI-X entries to be copied later
    (bsc#957988).
  • Remove superfluous make flags (bsc#1012422)
  • Return short read or 0 at end of a raw device, not EIO (bsc#1039594).
  • Revert "fs/cifs: fix wrongly prefixed path to root" (bsc#963655,
    bsc#979681).
  • scsi: lpfc: avoid double free of resource identifiers (bsc#989896).
  • scsi: virtio_scsi: fix memory leak on full queue condition (bsc#1028880).
  • sunrpc: Clean up the slot table allocation (bsc#1013862).
  • sunrpc: Initialise the struct xprt upon allocation (bsc#1013862).
  • usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).
  • usb: wusbcore: fix NULL-deref at probe (bsc#1045487).
  • Use make --output-sync feature when available (bsc#1012422).
  • Use PF_LESS_THROTTLE in loop device thread (bsc#1027101).
  • xen/PCI-MSI: fix sysfs teardown in DomU (bsc#986924).
