Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP3) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:3314-1 Final 1 1 2017-12-14T14:51:26Z current 2017-12-14T14:51:26Z 2017-12-14T14:51:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP3) This update for the Linux Kernel 4.4.82-6_9 fixes several issues. The following security issues were fixed: - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd() function allowed users to overwrite read-only huge pages (e.g. the zero huge page and sealed shmem files) (bsc#1070307). - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bsc#1069708). This non-security issue was fixed: - bsc#1062847: Enable proper shut down if NIC teaming is enabled The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Live-Patching-12-SP3-2017-2075 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20173314-1/ Link for SUSE-SU-2017:3314-1 https://lists.suse.com/pipermail/sle-security-updates/2017-December/003522.html E-Mail link for SUSE-SU-2017:3314-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1055567 SUSE Bug 1055567 https://bugzilla.suse.com/1062847 SUSE Bug 1062847 https://bugzilla.suse.com/1069708 SUSE Bug 1069708 https://bugzilla.suse.com/1070307 SUSE Bug 1070307 https://www.suse.com/security/cve/CVE-2017-1000405/ SUSE CVE CVE-2017-1000405 page https://www.suse.com/security/cve/CVE-2017-16939/ SUSE CVE CVE-2017-16939 page SUSE Linux Enterprise Live Patching 12 SP3 kgraft-patch-4_4_82-6_9-default-3-2.1 kgraft-patch-4_4_82-6_9-default-3-2.1 as a component of SUSE Linux Enterprise Live Patching 12 SP3 The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp. CVE-2017-1000405 SUSE Linux Enterprise Live Patching 12 SP3:kgraft-patch-4_4_82-6_9-default-3-2.1 important 3.6 AV:L/AC:L/Au:N/C:N/I:P/A:P 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173314-1/ https://www.suse.com/security/cve/CVE-2017-1000405.html CVE-2017-1000405 https://bugzilla.suse.com/1069496 SUSE Bug 1069496 https://bugzilla.suse.com/1070307 SUSE Bug 1070307 The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages. CVE-2017-16939 SUSE Linux Enterprise Live Patching 12 SP3:kgraft-patch-4_4_82-6_9-default-3-2.1 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173314-1/ https://www.suse.com/security/cve/CVE-2017-16939.html CVE-2017-16939 https://bugzilla.suse.com/1069702 SUSE Bug 1069702 https://bugzilla.suse.com/1069708 SUSE Bug 1069708 https://bugzilla.suse.com/1115893 SUSE Bug 1115893 https://bugzilla.suse.com/1120260 SUSE Bug 1120260