Bug 911326 (CVE-2014-9419)

Summary: VUL-0: CVE-2014-9419: kernel-source: partial ASLR bypass through TLS base addresses leak
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: E-mail List <kernel-maintainers>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: bpetkov, jslaby, meissner, mhocko, security-team, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/111835/
Whiteboard: maint:running:61844:important maint:released:sle11-sp3:61845 maint:released:sle11-sp3:61848 maint:released:sle11-sp3:61849 maint:released:sle11-sp3:61853 maint:released:sle11-sp3:61852 maint:released:sle11-sp3:61909
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: working es test

Description Victor Pereira 2014-12-29 09:27:25 UTC
CVE-2014-9419

The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel
through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are
loaded before proceeding with other steps, which makes it easier for local users
to bypass the ASLR protection mechanism via a crafted application that reads a
TLS base address.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1177260
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9419
http://www.openwall.com/lists/oss-security/2014/12/25/1
http://www.cvedetails.com/cve/CVE-2014-9419/
https://github.com/torvalds/linux/commit/f647d7c155f069c1a068030255c300663516420e
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f647d7c155f069c1a068030255c300663516420e
Comment 2 Swamp Workflow Management 2014-12-29 23:00:23 UTC
bugbot adjusting priority
Comment 3 Jiri Slaby 2015-01-08 10:24:22 UTC
I am confused too. Raised an issue on the stable list (no archive has that yet):
Message-ID: <54AE5930.9050802@suse.cz>
Comment 4 Jiri Slaby 2015-01-09 13:02:25 UTC
FWIW, I am not taking this one to 3.12 stable...

http://thread.gmane.org/gmane.linux.kernel.stable/119037/focus=119628
Comment 5 Borislav Petkov 2015-01-26 19:31:55 UTC
Just to hold down a couple of observations from looking at

f647d7c155f0 ("x86_64, switch_to(): Load TLS descriptors before switching DS and ES"):

set_thread_area() is 32-bit only, so kernel has to be built with IA_32
or a 32-bit kernel and on 64-bit that syscall is -ENOSYS.

I.e., es test needs to be compiled with -m32. Also, a couple of includes
are missing, I'm uploading the version which builds here.
Comment 6 Borislav Petkov 2015-01-26 19:32:37 UTC
Created attachment 620904 [details]
working es test
Comment 7 Borislav Petkov 2015-01-27 16:32:06 UTC
Ok, let me hold down what the deal is:

So, when you run the es.c test, this is what happens:

     kworker/1:2-363   [001] d..2   255.503106: __switch_to: next(es:1644)->es: 0x2b, prev(kworker/1:2:363)->es: 0x0
     kworker/1:2-363   [001] d..2   255.503107: __switch_to: segment loaded: 0x2b
              es-1644  [001] d..2   255.503119: __switch_to: next(kworker/1:2:363)->es: 0x0, prev(es:1644)->es: 0x2b
              es-1644  [001] d..2   255.503120: __switch_to: segment loaded: 0x0
     kworker/1:2-363   [001] d..2   255.503131: __switch_to: next(es:1644)->es: 0x2b, prev(kworker/1:2:363)->es: 0x0
     kworker/1:2-363   [001] d..2   255.503132: __switch_to: segment loaded: 0x2b

The 0x2b is something TLS-libc whatever segment selector which gets set up.

While es is running, we've written %es with GDT3(idx), i.e. idx=13 which turns
into 0x6b because it goes into the %es segment selector:

              es-1644  [001] d..2   255.503320: __switch_to: next(swapper/1:0)->es: 0x0, prev(es:1644)->es: 0x6b
              es-1644  [001] d..2   255.503321: __switch_to: segment loaded: 0x0

sched out "es", run swapper, time passes...

    kworker/1:1H-315   [001] d..2   255.507604: __switch_to: next(es:1644)->es: 0x6b, prev(kworker/1:1H:315)->es: 0x0
    kworker/1:1H-315   [001] d..2   255.507609: __switch_to: segment loaded: 0x0

when we sched "es" back in, we load 0x6b into %es but the write
doesn't stick because we GP on an invalid segment which we catch in
loadsegment() and write 0 by default.

Now, if 0x6b were a valid segment selector, we would end up with the
respective TLS segment in the hidden portion of %es prepared for the
next task which we sched in.

And next task would then be able to read that TLS segment of prev. Leak.

And yes, only 32-bit processes on 64-bit linux.

The hypothetical problem with a fix like that is this situation has been
the case since forever so if some obscure 32-bit program relies on this
behavior, we'd break it if we backport that fix.

Back to security team for a decision.
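
The selector arithmetic from comment 7, worked through as an added example (it is not part of the bug thread and is not the attached es.c test): it decodes a selector into index/TI/RPL, reproduces GDT3(13) = 0x6b, and scans `__switch_to` trace lines for switch-ins whose saved %es points at a TLS descriptor slot. The function names are hypothetical, and the TLS range of GDT entries 12..14 is an assumption about x86_64 kernels that the page itself does not state.

```c
#include <stdio.h>
#include <string.h>

/* x86 selector layout: bits 15..3 index, bit 2 TI (0=GDT, 1=LDT), bits 1..0 RPL. */
struct selector { unsigned index, ti, rpl; };

/* Assumption (not from the page): x86_64 kernels keep the per-thread TLS
 * descriptors in GDT entries 12..14 (GDT_ENTRY_TLS_MIN, 3 entries). */
#define TLS_MIN     12u
#define TLS_ENTRIES 3u

static struct selector decode_selector(unsigned sel)
{
    struct selector s = { sel >> 3, (sel >> 2) & 1u, sel & 3u };
    return s;
}

/* The encoding comment 7 calls GDT3(idx): GDT entry idx with RPL 3. */
static unsigned gdt3(unsigned idx) { return (idx << 3) | 3u; }

static int is_gdt_tls(unsigned sel)
{
    struct selector s = decode_selector(sel);
    return s.ti == 0 && s.index >= TLS_MIN && s.index < TLS_MIN + TLS_ENTRIES;
}

/* Extract the next/prev %es values from one "__switch_to: next(...)" line.
 * Returns 1 on success, 0 if the line has a different shape. */
static int parse_switch_line(const char *line, unsigned *next_es, unsigned *prev_es)
{
    const char *n = strstr(line, "next("), *p = strstr(line, "prev(");
    if (!n || !p || !(n = strstr(n, ")->es: ")) || !(p = strstr(p, ")->es: ")))
        return 0;
    return sscanf(n + 7, "%x", next_es) == 1 && sscanf(p + 7, "%x", prev_es) == 1;
}

/* Three lines copied from the trace in comment 7. */
static const char *sample[] = {
    "kworker/1:2-363   [001] d..2   255.503106: __switch_to: next(es:1644)->es: 0x2b, prev(kworker/1:2:363)->es: 0x0",
    "es-1644  [001] d..2   255.503320: __switch_to: next(swapper/1:0)->es: 0x0, prev(es:1644)->es: 0x6b",
    "kworker/1:1H-315   [001] d..2   255.507604: __switch_to: next(es:1644)->es: 0x6b, prev(kworker/1:1H:315)->es: 0x0",
};

/* Count switch-ins where the incoming task's saved %es points at a TLS slot. */
static int count_tls_switch_ins(const char **lines, size_t n)
{
    int hits = 0;
    unsigned next_es, prev_es;
    for (size_t i = 0; i < n; i++)
        if (parse_switch_line(lines[i], &next_es, &prev_es) && is_gdt_tls(next_es))
            hits++;
    return hits;
}

int main(void)
{
    struct selector s = decode_selector(gdt3(13));
    printf("0x%x -> index %u, %s, RPL %u, TLS slot: %d\n", gdt3(13), s.index,
           s.ti ? "LDT" : "GDT", s.rpl, is_gdt_tls(gdt3(13)));
    printf("switch-ins with a TLS-slot %%es: %d\n", count_tls_switch_ins(sample, 3));
    return 0;
}
```
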
Comment 8 Borislav Petkov 2015-01-27 16:33:16 UTC
Damn bugzilla, copy-paste the above comment into a sane text editor to see the trace lines better.
Comment 9 Marcus Meissner 2015-02-03 08:22:53 UTC
I understand only half of the above. :(

So aslr would only be bypassable in a 32bit mode (and not on native 32bit)?

Only WINE might feel an impact if at all. I think Wine is not relying on such a behaviour.


(as this is a non default scenario for running services or setuid binaries, we could allow to let it rest unfixed too.)


So ... undecided :/
Comment 10 Borislav Petkov 2015-02-03 10:16:22 UTC
(In reply to Marcus Meissner from comment #9)
> I understand only half of the above. :(

Ditto :-P

> So aslr would only be bypassable in a 32bit mode (and not on native 32bit)?

Only 32-bit binaries running on 64-bit Linux.

> Only WINE might feel an impact if at all. I think Wine is not relying on
> such a behaviour.

What about some custom customer applications we don't know of?

> (as this is a non default scenario for running services or setuid binaries,
> we could allow to let it rest unfixed too.)
>
>
> So ... undecided :/

So this is the risk from my previous comment augmented with bitness:

The hypothetical problem with a fix like that is this potential leak has
been the case since forever so if some obscure 32-bit program running
on 64-bit relies on this obviously wrong behavior, we'd break it if we
backport that fix.

Better?
Comment 11 Marcus Meissner 2015-02-06 15:09:54 UTC
I would say do the fix and take the risk.
Comment 12 Borislav Petkov 2015-02-06 15:15:52 UTC
I feel the same. Ok, backporting...
Comment 13 Borislav Petkov 2015-02-07 19:11:45 UTC
SLE12: backported
oS13.2: backported
oS13.1: backported
11SP3: backported

Closing.
Comment 14 Swamp Workflow Management 2015-02-26 09:59:38 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60808
Comment 15 Swamp Workflow Management 2015-03-18 21:11:42 UTC
SUSE-SU-2015:0529-1: An update that solves 8 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 799216,800255,860346,875220,877456,884407,895805,896484,897736,898687,900270,902286,902346,902349,903640,904177,904883,904899,904901,905100,905304,905329,905482,905783,906196,907069,908069,908322,908825,908904,909829,910322,911326,912202,912654,912705,913059,914112,914126,914254,914291,914294,914300,914457,914464,914726,915188,915322,915335,915425,915454,915456,915550,915660,916107,916513,916646,917089,917128,918161,918255
CVE References: CVE-2014-3673,CVE-2014-3687,CVE-2014-7822,CVE-2014-7841,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9584
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.38-44.5, kernel-obs-build-3.12.38-44.1
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_3-1-2.2
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
Comment 16 Swamp Workflow Management 2015-03-24 06:20:06 UTC
SUSE-SU-2015:0581-1: An update that solves 21 vulnerabilities and has 67 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-ec2-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.7, gfs2-2-0.17.1.7, ocfs2-1.6-0.21.1.7
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1
Comment 17 Swamp Workflow Management 2015-04-13 12:11:53 UTC
openSUSE-SU-2015:0713-1: An update that solves 13 vulnerabilities and has 52 fixes is now available.

Category: security (important)
Bug References: 867199,893428,895797,900811,901925,903589,903640,904899,905681,907039,907818,907988,908582,908588,908589,908592,908593,908594,908596,908598,908603,908604,908605,908606,908608,908610,908612,909077,909078,909477,909634,910150,910322,910440,911311,911325,911326,911356,911438,911578,911835,912061,912202,912429,912705,913059,913466,913695,914175,915425,915454,915456,915577,915858,916608,917830,917839,918954,918970,919463,920581,920604,921313,922542,922944
CVE References: CVE-2014-8134,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9428,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-0777,CVE-2015-1421,CVE-2015-1593,CVE-2015-2150
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.6.6, cloop-2.639-14.6.6, crash-7.0.8-6.6, hdjmod-1.28-18.7.6, ipset-6.23-6.6, kernel-docs-3.16.7-13.2, kernel-obs-build-3.16.7-13.7, kernel-obs-qa-3.16.7-13.1, kernel-obs-qa-xen-3.16.7-13.1, kernel-source-3.16.7-13.1, kernel-syms-3.16.7-13.1, pcfclock-0.44-260.6.2, vhba-kmp-20140629-2.6.2, virtualbox-4.3.20-10.2, xen-4.4.1_08-12.2, xtables-addons-2.6-6.2
Comment 18 Swamp Workflow Management 2015-04-13 12:18:45 UTC
openSUSE-SU-2015:0714-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 903640,904899,907988,909078,910150,911325,911326,912202,912654,912705,913059,913695,914175,915322,917839,920901
CVE References: CVE-2014-7822,CVE-2014-8134,CVE-2014-8160,CVE-2014-8173,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.19.1, crash-7.0.2-2.19.1, hdjmod-1.28-16.19.1, ipset-6.21.1-2.23.1, iscsitarget-1.4.20.3-13.19.1, kernel-docs-3.11.10-29.2, kernel-source-3.11.10-29.1, kernel-syms-3.11.10-29.1, ndiswrapper-1.58-19.1, pcfclock-0.44-258.19.1, vhba-kmp-20130607-2.20.1, virtualbox-4.2.28-2.28.1, xen-4.3.3_04-37.1, xtables-addons-2.3-2.19.1
Comment 19 Swamp Workflow Management 2015-04-20 19:20:40 UTC
SUSE-SU-2015:0736-1: An update that solves 21 vulnerabilities and has 69 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910251,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250,924282
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.14, drbd-kmp-8.4.4-0.23.1.14, iscsitarget-1.4.20-0.39.1.14, kernel-rt-3.0.101.rt130-0.33.36.1, kernel-rt_trace-3.0.101.rt130-0.33.36.1, kernel-source-rt-3.0.101.rt130-0.33.36.1, kernel-syms-rt-3.0.101.rt130-0.33.36.1, lttng-modules-2.1.1-0.12.1.13, ocfs2-1.6-0.21.1.14, ofed-1.5.4.1-0.14.1.14
Comment 20 Swamp Workflow Management 2015-05-29 09:54:04 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61844
Comment 21 Swamp Workflow Management 2015-06-08 12:13:04 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-06-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61904
Comment 22 Swamp Workflow Management 2015-07-02 15:11:47 UTC
SUSE-SU-2015:1174-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (moderate)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-ec2-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.21, gfs2-2-0.17.1.21, ocfs2-1.6-0.21.1.21
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
Comment 23 Swamp Workflow Management 2015-08-12 17:14:56 UTC
SUSE-SU-2015:1376-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (important)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.22, drbd-kmp-8.4.4-0.23.1.22, iscsitarget-1.4.20-0.39.1.22, kernel-rt-3.0.101.rt130-0.33.38.1, kernel-rt_trace-3.0.101.rt130-0.33.38.1, kernel-source-rt-3.0.101.rt130-0.33.38.1, kernel-syms-rt-3.0.101.rt130-0.33.38.1, lttng-modules-2.1.1-0.12.1.20, ocfs2-1.6-0.21.1.22, ofed-1.5.4.1-0.14.1.22
Comment 24 Swamp Workflow Management 2016-02-01 15:13:49 UTC
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1