MGASA-2016-0232

Source
https://advisories.mageia.org/MGASA-2016-0232.html
Import Source
https://advisories.mageia.org/MGASA-2016-0232.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2016-0232
Published
2016-06-22T19:08:04Z
Modified
2022-02-17T18:21:47Z
Summary
Updated kernel-linus packages fix security vulnerabilities
Details

This kernel-linus update provides an upgrade to the upstream 4.4 longterm kernel series, currently based on 4.4.13, and resolves at least the following security issues:

The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c (CVE-2013-4312).

drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted USB device (CVE-2015-5257).

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (CVE-2015-5307).

An out-of-bounds memory read was found, affecting kernels from 4.3-rc1 onwards. This vulnerability was caused by incorrect X.509 time validation in the x509_decode_time() function in x509_cert_parser.c (CVE-2015-5327).

The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (CVE-2015-6937).

The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls (CVE-2015-7550).

The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (CVE-2015-7799).

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (CVE-2015-8104).

The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (CVE-2015-8543).

The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack (CVE-2016-2085).

The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data (CVE-2016-2117).

The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (CVE-2016-3136).

drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (CVE-2016-3137).

A Linux kernel built with Kernel-based Virtual Machine (CONFIG_KVM) support and variable Memory Type Range Registers (MTRR) support is vulnerable to an out-of-bounds read/write access issue. It could occur while accessing the processor's MTRRs via ioctl(2) calls. A privileged user inside a guest could use this flaw to manipulate the host kernel's memory bytes, leading to information disclosure or potentially crashing the kernel, resulting in DoS (CVE-2016-3713).

Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area (CVE-2016-3961).

This update also provides better support for various newer hardware.

For other changes in this update, see the referenced changelogs.


Affected packages

Mageia:5 / kernel-linus

Package

Name
kernel-linus
Purl
pkg:rpm/mageia/kernel-linus?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.4.13-1.mga5

Ecosystem specific

{
    "section": "core"
}