Bug 1012754 - (CVE-2016-8655) VUL-0: CVE-2016-8655: kernel: Local root privilege packet_set_ring/timer_list
(CVE-2016-8655)
VUL-0: CVE-2016-8655: kernel: Local root privilege packet_set_ring/timer_list
Status: RESOLVED FIXED
: 1013822 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P1 - Urgent : Major
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:SUSE:CVE-2016-8655:6.6:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-30 07:50 UTC by Alexander Bergmann
Modified: 2018-07-03 18:11 UTC (History)
19 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
chocobo_root.c (19.63 KB, text/plain)
2016-12-07 07:59 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Comment 7 Marcus Meissner 2016-11-30 10:52:05 UTC
TPACKET_V3 is not in 3.0.101 and older kernels. Also user namespaces did not support packet sockets before 3.8.

SLE11 and older products are not affected by this problem.
Comment 9 Marcus Meissner 2016-11-30 15:39:15 UTC
CVE-2016-8655
Comment 10 Marcus Meissner 2016-12-01 08:42:59 UTC
patch was posted to linux-netdev, but currently without specific security description


http://marc.info/?l=linux-netdev&m=148054660230570&w=2
Comment 13 Michal Kubeček 2016-12-02 18:45:12 UTC
In net tree now as

  84ac7260236a  packet: fix race condition in packet_set_ring

(the commit should be preserved when merged into mainline).
Comment 15 Marcus Meissner 2016-12-06 06:37:00 UTC
is public now.

Date: Tue, 6 Dec 2016 11:50:57 +0900
From: Philip Pettersson <philip.pettersson@gmail.com>
Subject: [oss-security] CVE-2016-8655 Linux af_packet.c race condition (local root)

Hello,

This is an announcement about CVE-2016-8655 which is a race-condition
I found in Linux (net/packet/af_packet.c). It can be exploited to gain
kernel code execution from unprivileged processes.

The bug was introduced on Aug 19, 2011:
https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a

Fixed on Nov 30, 2016:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c

=*=*=*=*=*=*=*=*=   BUG DETAILS  =*=*=*=*=*=*=*=*=

To create AF_PACKET sockets you need CAP_NET_RAW in your network
namespace, which can be acquired by unprivileged processes on
systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc).
It can be triggered from within containers to compromise the host kernel.
On Android, processes with gid=3004/AID_NET_RAW are able to create
AF_PACKET sockets (mediaserver) and can trigger the bug.

I found the bug by reading code paths that have been opened up by the
emergence of unprivileged namespaces, something I think should be
off by default in all Linux distributions given its history of
security vulnerabilities.

The problem is inside packet_set_ring() and packet_setsockopt().
We can reach packet_set_ring() by calling setsockopt() on the socket
using the PACKET_RX_RING option.

If the version of the packet socket is TPACKET_V3, a timer_list
object will be initialized by packet_set_ring() when it calls
init_prb_bdqc().

...
                switch (po->tp_version) {
                case TPACKET_V3:
                /* Transmit path is not supported. We checked
                 * it above but just being paranoid
                 */
                        if (!tx_ring)
                                init_prb_bdqc(po, rb, pg_vec, req_u);
                        break;
                default:
                        break;
                }
...

The function flow to set up the timer is:
packet_set_ring()->init_prb_bdqc()->prb_setup_retire_blk_timer()->
prb_init_blk_timer()->prb_init_blk_timer()->init_timer()

When the socket is closed, packet_set_ring() is called again
to free the ring buffer and delete the previously initialized
timer if the packet version is > TPACKET_V2:

...
        if (closing && (po->tp_version > TPACKET_V2)) {
                /* Because we don't support block-based V3 on tx-ring */
                if (!tx_ring)
                        prb_shutdown_retire_blk_timer(po, rb_queue);
        }
...

The issue is that we can change the packet version to TPACKET_V1
with packet_setsockopt() after init_prb_bdqc() has been executed
and before packet_set_ring() has returned.

There is an attempt to deny changing socket versions after a ring
buffer has been initialized, but it is insufficient:

...
        case PACKET_VERSION:
        {
...
                if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
                        return -EBUSY;
...

There's plenty of room to race this code path between the calls to
init_prb_bdqc() and swap(rb->pg_vec, pg_vec) in packet_set_ring().

When the socket is closed, packet_set_ring() will not delete the
timer since the socket version is now TPACKET_V1. The struct
timer_list that describes the timer object is located inside the
struct packet_sock for the socket itself however and will be
freed with a call to kfree().

We then have a use-after-free on a timer object that can be
exploited by various poisoning attacks on the SLAB allocator (I find
add_key() to be the most reliable). This will ultimately lead to the
kernel jumping to a manipulated function pointer when the timer expires.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt() when
changing the packet version while also taking the lock at the start
of packet_set_ring().

My exploit defeats SMEP/SMAP and will give a rootshell on Ubuntu 16.04,
I will hold off a day on publishing it so people have some time to update.

New Ubuntu kernels are out so please update as soon as possible.

=*=*=*=*=*=*=*=*=    TIMELINE    =*=*=*=*=*=*=*=*=

2016-11-28: Bug reported to security@kernel.org
2016-11-30: Patch submitted to netdev, notification sent to linux-distros
2016-12-02: Patch committed to mainline kernel
2016-12-06: Public announcement

=*=*=*=*=*=*=*=*=     LINKS      =*=*=*=*=*=*=*=*=

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655
https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
https://www.ubuntu.com/usn/usn-3151-1/

=*=*=*=*=*=*=*=*=     CREDIT     =*=*=*=*=*=*=*=*=

Philip Pettersson
Comment 16 Marcus Meissner 2016-12-06 06:40:46 UTC
*** Bug 1013822 has been marked as a duplicate of this bug. ***
Comment 17 Marcus Meissner 2016-12-07 07:59:34 UTC
Created attachment 705244 [details]
chocobo_root.c

reproduce from reporter

Attached is a sample exploit for Ubuntu 16.04 x86_64 and some 14.04
kernels, but the same method should work for any distro with unprivileged
user namespace support. I only tested it on 4.4 so there's a high risk
of kernel panic if you run it on anything but 4.4.

It defeats SMEP/SMAP by calling set_memory_rw(Attached is a sample exploit for Ubuntu 16.04 x86_64 and some 14.04
kernels, but the same method should work for any distro with unprivileged
user namespace support. I only tested it on 4.4 so there's a high risk
of kernel panic if you run it on anything but 4.4.

It defeats SMEP/SMAP by calling set_memory_rw() on the vsyscall page,
setting up a fake struct ctl_table in that area and finally calling
register_sysctl_table() to register a world-writable sysctl entry for
modprobe. Since the instruction pointer is hijacked in interrupt
context you have to do this even on non-SMEP/SMAP systems, so the
bypass is more of a by-product.

If you want to execute arbitrary kernel shellcode you can also do:
1. set_memory_rw() on vsyscall page
2. (userland) write shellcode to vsyscall page
3. set_memory_x() on vsyscall page
4. jump to vsyscall page

(However, that requires winning the race three times instead of two.)

You can also run it with "crash" as the first argument to force a panic.

=*=*=*=*=*=*=*=*= SAMPLE OUTPUT =*=*=*=*=*=*=*=*=

user@ubuntu:~$ uname -a
Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu:~$ id
uid=1000(user) gid=1000(user) groups=1000(user)
user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
user@ubuntu:~$ ./chocobo_root
linux AF_PACKET race condition exploit by rebel
kernel version: 4.4.0-51-generic #72
proc_dostring = 0xffffffff81088090
modprobe_path = 0xffffffff81e48f80
register_sysctl_table = 0xffffffff812879a0
set_memory_rw = 0xffffffff8106f320
exploit starting
making vsyscall page writable..

new exploit attempt starting, jumping to 0xffffffff8106f320,
arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 174222, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you
ctrl-c now the kernel will hang. so don't do that.
closing socket and verifying.......
vsyscall page altered!


stage 1 completed
registering new sysctl..

new exploit attempt starting, jumping to 0xffffffff812879a0,
arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 133577, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you
ctrl-c now the kernel will hang. so don't do that.
closing socket and verifying.......
sysctl added!

stage 2 completed
binary executed by kernel, launching rootshell
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root),1000(user)

setting up a fake struct ctl_table in that area and finally calling
register_sysctl_table() to register a world-writable sysctl entry for
modprobe. Since the instruction pointer is hijacked in interrupt
context you have to do this even on non-SMEP/SMAP systems, so the
bypass is more of a by-product.

If you want to execute arbitrary kernel shellcode you can also do:
1. set_memory_rw() on vsyscall page
2. (userland) write shellcode to vsyscall page
3. set_memory_x() on vsyscall page
4. jump to vsyscall page

(However, that requires winning the race three times instead of two.)

You can also run it with "crash" as the first argument to force a panic.

=*=*=*=*=*=*=*=*= SAMPLE OUTPUT =*=*=*=*=*=*=*=*=

user@ubuntu:~$ uname -a
Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu:~$ id
uid=1000(user) gid=1000(user) groups=1000(user)
user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
user@ubuntu:~$ ./chocobo_root
linux AF_PACKET race condition exploit by rebel
kernel version: 4.4.0-51-generic #72
proc_dostring = 0xffffffff81088090
modprobe_path = 0xffffffff81e48f80
register_sysctl_table = 0xffffffff812879a0
set_memory_rw = 0xffffffff8106f320
exploit starting
making vsyscall page writable..

new exploit attempt starting, jumping to 0xffffffff8106f320,
arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 174222, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you
lines 1-49/74 72%
Comment 18 Bernhard Wiedemann 2016-12-07 15:01:05 UTC
This is an autogenerated message for OBS integration:
This bug (1012754) was mentioned in
https://build.opensuse.org/request/show/444666 42.1 / kernel-source
Comment 19 Swamp Workflow Management 2016-12-07 16:09:01 UTC
SUSE-SU-2016:3039-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1008831,1011685,1012754
CVE References: CVE-2016-8632,CVE-2016-8655,CVE-2016-9555
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.67-60.64.21.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.67-60.64.21.3, kernel-obs-build-3.12.67-60.64.21.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.67-60.64.21.1, kernel-source-3.12.67-60.64.21.1, kernel-syms-3.12.67-60.64.21.1, kernel-xen-3.12.67-60.64.21.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.67-60.64.21.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_10-1-2.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.67-60.64.21.1, kernel-source-3.12.67-60.64.21.1, kernel-syms-3.12.67-60.64.21.1, kernel-xen-3.12.67-60.64.21.1
Comment 20 Swamp Workflow Management 2016-12-07 22:07:31 UTC
SUSE-SU-2016:3049-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1008831,1011685,1012754
CVE References: CVE-2016-8632,CVE-2016-8655,CVE-2016-9555
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.21-84.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.21-84.3, kernel-obs-build-4.4.21-84.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.21-84.1, kernel-source-4.4.21-84.1, kernel-syms-4.4.21-84.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.21-84.1, kernel-source-4.4.21-84.1, kernel-syms-4.4.21-84.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_2-1-2.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.21-84.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.21-84.1, kernel-source-4.4.21-84.1, kernel-syms-4.4.21-84.1
Comment 21 Swamp Workflow Management 2016-12-08 12:17:39 UTC
openSUSE-SU-2016:3050-1: An update that solves 12 vulnerabilities and has 75 fixes is now available.

Category: security (important)
Bug References: 1000118,1000433,1001171,1001310,1001486,1001888,1003813,1004052,1004365,1004517,1005169,1005666,1005745,1005917,1005921,1005925,1005929,1006175,1006576,1006809,1006827,1006915,1006918,1007197,1007615,1007653,1007955,1008831,1008979,1009062,1009454,1010040,1010158,1010444,1010478,1010507,1010665,1010690,1010970,1011176,1011685,1011913,1012060,1012094,1012452,1012477,1012754,1012767,1012829,1012992,1013479,1013533,1013700,799133,843661,914939,954986,963609,963655,963904,964462,966186,966191,966316,966318,966325,969476,969477,971975,972993,974313,978907,979681,983087,983318,985850,986255,987805,990384,991414,992555,993739,994881,995278,997059,997807,998054
CVE References: CVE-2015-1350,CVE-2015-8964,CVE-2016-7042,CVE-2016-7913,CVE-2016-7917,CVE-2016-8632,CVE-2016-8655,CVE-2016-8666,CVE-2016-9083,CVE-2016-9084,CVE-2016-9555,CVE-2016-9794
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.36-5.1, kernel-default-4.4.36-5.1, kernel-docs-4.4.36-5.3, kernel-obs-build-4.4.36-5.1, kernel-obs-qa-4.4.36-5.1, kernel-source-4.4.36-5.1, kernel-syms-4.4.36-5.1, kernel-vanilla-4.4.36-5.1
Comment 22 Swamp Workflow Management 2016-12-08 14:11:11 UTC
openSUSE-SU-2016:3058-1: An update that solves 16 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1001171,1001486,1003925,1004517,1006580,1007197,1007615,1007653,1008650,1008833,1009222,1010040,1010150,1010478,1010501,1010502,1010507,1010909,1011685,1012754,1012876,1013533,934067,990384,993739,995968,999577,999907
CVE References: CVE-2015-8956,CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-7042,CVE-2016-7097,CVE-2016-7913,CVE-2016-8630,CVE-2016-8633,CVE-2016-8646,CVE-2016-8655,CVE-2016-9083,CVE-2016-9084,CVE-2016-9178,CVE-2016-9555,CVE-2016-9794
Sources used:
openSUSE Leap 42.1 (src):    drbd-8.4.6-12.2, hdjmod-1.28-28.2, ipset-6.25.1-9.2, kernel-debug-4.1.36-38.1, kernel-default-4.1.36-38.1, kernel-docs-4.1.36-38.2, kernel-ec2-4.1.36-38.1, kernel-obs-build-4.1.36-38.2, kernel-obs-qa-4.1.36-38.1, kernel-pae-4.1.36-38.1, kernel-pv-4.1.36-38.1, kernel-source-4.1.36-38.1, kernel-syms-4.1.36-38.1, kernel-vanilla-4.1.36-38.1, kernel-xen-4.1.36-38.1, lttng-modules-2.7.0-6.2, pcfclock-0.44-270.2, vhba-kmp-20140928-9.2
Comment 23 Swamp Workflow Management 2016-12-08 19:09:24 UTC
openSUSE-SU-2016:3061-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 1001486,1004517,1007615,1008833,1010040,1010150,1010467,1010475,1010478,1010501,1010502,1010711,1010716,1011685,1012754,934067,990384,993739,999577,999907
CVE References: CVE-2015-8962,CVE-2015-8963,CVE-2016-7042,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-7916,CVE-2016-8633,CVE-2016-8646,CVE-2016-8655,CVE-2016-9555
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.26.1, cloop-2.639-14.26.1, crash-7.0.8-26.1, hdjmod-1.28-18.27.1, ipset-6.23-26.1, kernel-debug-3.16.7-53.1, kernel-default-3.16.7-53.1, kernel-desktop-3.16.7-53.1, kernel-docs-3.16.7-53.2, kernel-ec2-3.16.7-53.1, kernel-obs-build-3.16.7-53.2, kernel-obs-qa-3.16.7-53.1, kernel-pae-3.16.7-53.1, kernel-source-3.16.7-53.1, kernel-syms-3.16.7-53.1, kernel-vanilla-3.16.7-53.1, kernel-xen-3.16.7-53.1, pcfclock-0.44-260.26.1, vhba-kmp-20140629-2.26.1, virtualbox-5.0.30-62.1, xen-4.4.4_05-55.1, xtables-addons-2.6-28.1
Comment 24 Swamp Workflow Management 2016-12-09 12:07:46 UTC
SUSE-SU-2016:3063-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1008831,1011685,1012754
CVE References: CVE-2016-8632,CVE-2016-8655,CVE-2016-9555
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kernel-default-3.12.60-52.60.1, kernel-source-3.12.60-52.60.1, kernel-syms-3.12.60-52.60.1, kernel-xen-3.12.60-52.60.1, kgraft-patch-SLE12_Update_17-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.60-52.60.1, kernel-source-3.12.60-52.60.1, kernel-syms-3.12.60-52.60.1, kernel-xen-3.12.60-52.60.1, kgraft-patch-SLE12_Update_17-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.60-52.60.1
Comment 25 Cristian Rodríguez 2016-12-09 13:38:24 UTC
the exploit uses the vsyscall as a vector..it will be extremely cool if the kernel could be built without vsyscall. last user was glibc and that was fixed 5 years ago. booting a production system with vsyscall=none produces no ill-results as expected.
Comment 26 Swamp Workflow Management 2016-12-10 12:07:31 UTC
openSUSE-SU-2016:3077-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1008831,1011685,1012754
CVE References: CVE-2016-8632,CVE-2016-8655,CVE-2016-9555
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.38.1, crash-7.0.2-2.38.1, hdjmod-1.28-16.38.1, ipset-6.21.1-2.42.1, iscsitarget-1.4.20.3-13.38.1, kernel-debug-3.12.67-61.1, kernel-default-3.12.67-61.1, kernel-desktop-3.12.67-61.1, kernel-docs-3.12.67-61.2, kernel-ec2-3.12.67-61.1, kernel-pae-3.12.67-61.1, kernel-source-3.12.67-61.1, kernel-syms-3.12.67-61.1, kernel-trace-3.12.67-61.1, kernel-vanilla-3.12.67-61.1, kernel-xen-3.12.67-61.1, ndiswrapper-1.58-39.1, openvswitch-1.11.0-0.45.1, pcfclock-0.44-258.39.1, vhba-kmp-20130607-2.38.1, virtualbox-4.2.36-2.70.1, xen-4.3.4_10-71.1, xtables-addons-2.3-2.37.1
Comment 27 Michal Kubeček 2016-12-13 12:01:29 UTC
The fix is now in all relevant branches:

  master (via 4.9.0)
  stable (via 4.8.14 / 4.9.0)
  SLE12-SP2 (via 4.4.38)
  openSUSE-42.1
  openSUSE-13.2
  SLE12-SP1
  SLE12-LTSS

Reassigning back to security team.
Comment 28 Marcus Meissner 2016-12-13 12:17:57 UTC
thanks! all was released
Comment 29 Swamp Workflow Management 2017-02-06 20:12:04 UTC
SUSE-SU-2017:0407-1: An update that solves 24 vulnerabilities and has 56 fixes is now available.

Category: security (important)
Bug References: 1003813,1005666,1007197,1008557,1008567,1008831,1008833,1008876,1008979,1009062,1009969,1010040,1010213,1010294,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011685,1012060,1012422,1012754,1012917,1012985,1013001,1013038,1013479,1013531,1013533,1013540,1013604,1014410,1014746,1016713,1016725,1016961,1017164,1017170,1017410,1017710,1018100,1019032,1019148,1019260,1019300,1019783,1019851,1020214,1020602,1021258,856380,857394,858727,921338,921778,922052,922056,923036,923037,924381,938963,972993,980560,981709,983087,983348,984194,984419,985850,987192,987576,990384,991273,993739,997807,999101
CVE References: CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8645,CVE-2016-8655,CVE-2016-9083,CVE-2016-9084,CVE-2016-9555,CVE-2016-9576,CVE-2016-9756,CVE-2016-9793,CVE-2016-9794,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.69-60.30.1, kernel-compute_debug-3.12.69-60.30.1, kernel-rt-3.12.69-60.30.1, kernel-rt_debug-3.12.69-60.30.1, kernel-source-rt-3.12.69-60.30.1, kernel-syms-rt-3.12.69-60.30.1