Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2018:1172-1
Rating:	important
References:	bsc#1010470 bsc#1039348 bsc#1052943 bsc#1062568 bsc#1062840 bsc#1063416 bsc#1067118 bsc#1072689 bsc#1072865 bsc#1078669 bsc#1078672 bsc#1078673 bsc#1078674 bsc#1080464 bsc#1080757 bsc#1082424 bsc#1083242 bsc#1083483 bsc#1083494 bsc#1084536 bsc#1085331 bsc#1086162 bsc#1087088 bsc#1087209 bsc#1087260 bsc#1087762 bsc#1088147 bsc#1088260 bsc#1089608 bsc#1089752 bsc#940776
Cross-References:	CVE-2015-5156 CVE-2016-7915 CVE-2017-0861 CVE-2017-12190 CVE-2017-13166 CVE-2017-16644 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18203 CVE-2017-18208 CVE-2018-10087 CVE-2018-10124 CVE-2018-1087 CVE-2018-6927 CVE-2018-7566 CVE-2018-7757 CVE-2018-8822 CVE-2018-8897
CVSS scores:	CVE-2016-7915 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2017-0861 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-0861 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-12190 ( SUSE ): 6.2 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2017-12190 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-13166 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-13166 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-16644 ( SUSE ): 4.6 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16644 ( NVD ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-16911 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2017-16911 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2017-16912 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16912 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16913 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16913 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16914 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2017-16914 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-18203 ( SUSE ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-18203 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-18208 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-18208 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-10087 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-10087 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-10124 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-10124 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-1087 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-1087 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-6927 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-6927 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-7566 ( SUSE ): 7.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2018-7566 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-7757 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-7757 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-8822 ( SUSE ): 6.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H CVE-2018-8822 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-8822 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-8897 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-8897 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Point of Service 11 SP3 SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3

An update that solves 20 vulnerabilities and has 11 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2018-1087: And an unprivileged KVM guest user could use this flaw to potentially escalate their privileges inside a guest. (bsc#1087088)
• CVE-2018-8897: An unprivileged system user could use incorrect set up interrupt stacks to crash the Linux kernel resulting in DoS issue. (bsc#1087088)
• CVE-2018-10124: The kill_something_info function in kernel/signal.c might allow local users to cause a denial of service via an INT_MIN argument (bnc#1089752).
• CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value (bnc#1089608).
• CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536 1087209).
• CVE-2018-7566: A Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user was fixed (bnc#1083483).
• CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260).
• CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162).
• CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver. (bnc#1072865).
• CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices (bnc#1083242).
• CVE-2017-16911: The vhci_hcd driver allowed allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP (bnc#1078674).
• CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
• CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118).
• CVE-2018-6927: The futex_requeue function in kernel/futex.c might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757).
• CVE-2017-16914: The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) allowed attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet (bnc#1078669).
• CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c allowed physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver (bnc#1010470).
• CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c attempted to support a FRAGLIST feature without proper memory allocation, which allowed guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets (bnc#940776).
• CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in block/bio.c did unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (bnc#1062568).
• CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673).
• CVE-2017-16913: The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672).

The following non-security bugs were fixed:

• Integrate fixes resulting from bsc#1088147 More info in the respective commit messages.
• KABI: x86/kaiser: properly align trampoline stack.
• KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
• ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
• ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
• ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
• kvm/x86: fix icebp instruction handling (bsc#1087088).
• leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
• mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack (bnc#1039348).
• x86-64: Move the "user" vsyscall segment out of the data segment (bsc#1082424).
• x86/entry/64: Do not use IST entry for #BP stack (bsc#1087088).
• x86/kaiser: properly align trampoline stack (bsc#1087260).
• x86/retpoline: do not perform thunk calls in ring3 vsyscall code (bsc#1085331).
• xfs: check for buffer errors before waiting (bsc#1052943).
• xfs: fix allocbt cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).
• xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Point of Service 11 SP3
  zypper in -t patch sleposp3-kernel-source-20180429-13591=1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3
  zypper in -t patch slessp3-kernel-source-20180429-13591=1

Package List:

• SUSE Linux Enterprise Point of Service 11 SP3 (nosrc i586)
  • kernel-xen-3.0.101-0.47.106.22.1
  • kernel-ec2-3.0.101-0.47.106.22.1
  • kernel-pae-3.0.101-0.47.106.22.1
  • kernel-trace-3.0.101-0.47.106.22.1
  • kernel-default-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Point of Service 11 SP3 (i586)
  • kernel-default-base-3.0.101-0.47.106.22.1
  • kernel-ec2-devel-3.0.101-0.47.106.22.1
  • kernel-default-devel-3.0.101-0.47.106.22.1
  • kernel-ec2-base-3.0.101-0.47.106.22.1
  • kernel-pae-base-3.0.101-0.47.106.22.1
  • kernel-xen-base-3.0.101-0.47.106.22.1
  • kernel-trace-base-3.0.101-0.47.106.22.1
  • kernel-xen-devel-3.0.101-0.47.106.22.1
  • kernel-pae-devel-3.0.101-0.47.106.22.1
  • kernel-trace-devel-3.0.101-0.47.106.22.1
  • kernel-source-3.0.101-0.47.106.22.1
  • kernel-syms-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc s390x x86_64 i586)
  • kernel-trace-3.0.101-0.47.106.22.1
  • kernel-default-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (s390x x86_64 i586)
  • kernel-default-base-3.0.101-0.47.106.22.1
  • kernel-default-devel-3.0.101-0.47.106.22.1
  • kernel-trace-base-3.0.101-0.47.106.22.1
  • kernel-trace-devel-3.0.101-0.47.106.22.1
  • kernel-source-3.0.101-0.47.106.22.1
  • kernel-syms-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc x86_64 i586)
  • kernel-ec2-3.0.101-0.47.106.22.1
  • kernel-xen-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (x86_64 i586)
  • kernel-xen-base-3.0.101-0.47.106.22.1
  • kernel-ec2-base-3.0.101-0.47.106.22.1
  • kernel-xen-devel-3.0.101-0.47.106.22.1
  • kernel-ec2-devel-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc i586)
  • kernel-pae-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (i586)
  • kernel-pae-base-3.0.101-0.47.106.22.1
  • kernel-pae-devel-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (s390x)
  • kernel-default-man-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc x86_64)
  • kernel-bigsmp-3.0.101-0.47.106.22.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (x86_64)
  • kernel-bigsmp-base-3.0.101-0.47.106.22.1
  • kernel-bigsmp-devel-3.0.101-0.47.106.22.1

References:

• https://www.suse.com/security/cve/CVE-2015-5156.html
• https://www.suse.com/security/cve/CVE-2016-7915.html
• https://www.suse.com/security/cve/CVE-2017-0861.html
• https://www.suse.com/security/cve/CVE-2017-12190.html
• https://www.suse.com/security/cve/CVE-2017-13166.html
• https://www.suse.com/security/cve/CVE-2017-16644.html
• https://www.suse.com/security/cve/CVE-2017-16911.html
• https://www.suse.com/security/cve/CVE-2017-16912.html
• https://www.suse.com/security/cve/CVE-2017-16913.html
• https://www.suse.com/security/cve/CVE-2017-16914.html
• https://www.suse.com/security/cve/CVE-2017-18203.html
• https://www.suse.com/security/cve/CVE-2017-18208.html
• https://www.suse.com/security/cve/CVE-2018-10087.html
• https://www.suse.com/security/cve/CVE-2018-10124.html
• https://www.suse.com/security/cve/CVE-2018-1087.html
• https://www.suse.com/security/cve/CVE-2018-6927.html
• https://www.suse.com/security/cve/CVE-2018-7566.html
• https://www.suse.com/security/cve/CVE-2018-7757.html
• https://www.suse.com/security/cve/CVE-2018-8822.html
• https://www.suse.com/security/cve/CVE-2018-8897.html
• https://bugzilla.suse.com/show_bug.cgi?id=1010470
• https://bugzilla.suse.com/show_bug.cgi?id=1039348
• https://bugzilla.suse.com/show_bug.cgi?id=1052943
• https://bugzilla.suse.com/show_bug.cgi?id=1062568
• https://bugzilla.suse.com/show_bug.cgi?id=1062840
• https://bugzilla.suse.com/show_bug.cgi?id=1063416
• https://bugzilla.suse.com/show_bug.cgi?id=1067118
• https://bugzilla.suse.com/show_bug.cgi?id=1072689
• https://bugzilla.suse.com/show_bug.cgi?id=1072865
• https://bugzilla.suse.com/show_bug.cgi?id=1078669
• https://bugzilla.suse.com/show_bug.cgi?id=1078672
• https://bugzilla.suse.com/show_bug.cgi?id=1078673
• https://bugzilla.suse.com/show_bug.cgi?id=1078674
• https://bugzilla.suse.com/show_bug.cgi?id=1080464
• https://bugzilla.suse.com/show_bug.cgi?id=1080757
• https://bugzilla.suse.com/show_bug.cgi?id=1082424
• https://bugzilla.suse.com/show_bug.cgi?id=1083242
• https://bugzilla.suse.com/show_bug.cgi?id=1083483
• https://bugzilla.suse.com/show_bug.cgi?id=1083494
• https://bugzilla.suse.com/show_bug.cgi?id=1084536
• https://bugzilla.suse.com/show_bug.cgi?id=1085331
• https://bugzilla.suse.com/show_bug.cgi?id=1086162
• https://bugzilla.suse.com/show_bug.cgi?id=1087088
• https://bugzilla.suse.com/show_bug.cgi?id=1087209
• https://bugzilla.suse.com/show_bug.cgi?id=1087260
• https://bugzilla.suse.com/show_bug.cgi?id=1087762
• https://bugzilla.suse.com/show_bug.cgi?id=1088147
• https://bugzilla.suse.com/show_bug.cgi?id=1088260
• https://bugzilla.suse.com/show_bug.cgi?id=1089608
• https://bugzilla.suse.com/show_bug.cgi?id=1089752
• https://bugzilla.suse.com/show_bug.cgi?id=940776