Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2022:0197-1
Rating:	important
References:	bsc#1071995 bsc#1139944 bsc#1151927 bsc#1152489 bsc#1153275 bsc#1154353 bsc#1154355 bsc#1161907 bsc#1164565 bsc#1166780 bsc#1169514 bsc#1176242 bsc#1176536 bsc#1176544 bsc#1176545 bsc#1176546 bsc#1176548 bsc#1176558 bsc#1176559 bsc#1176940 bsc#1176956 bsc#1177440 bsc#1178270 bsc#1179211 bsc#1179424 bsc#1179426 bsc#1179427 bsc#1179599 bsc#1179960 bsc#1181148 bsc#1181507 bsc#1181710 bsc#1183534 bsc#1183540 bsc#1183897 bsc#1184209 bsc#1185726 bsc#1185902 bsc#1187541 bsc#1189126 bsc#1189158 bsc#1191271 bsc#1191793 bsc#1191876 bsc#1192267 bsc#1192507 bsc#1192511 bsc#1192569 bsc#1192606 bsc#1192845 bsc#1192847 bsc#1192877 bsc#1192946 bsc#1192969 bsc#1192987 bsc#1192990 bsc#1192998 bsc#1193002 bsc#1193042 bsc#1193169 bsc#1193255 bsc#1193306 bsc#1193318 bsc#1193349 bsc#1193440 bsc#1193442 bsc#1193660 bsc#1193669 bsc#1193727 bsc#1193767 bsc#1193901 bsc#1193927 bsc#1194001 bsc#1194087 bsc#1194094 bsc#1194302 bsc#1194516 bsc#1194517 bsc#1194529 bsc#1194888 bsc#1194985
Cross-References:	CVE-2020-27820 CVE-2020-27825 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2021-28714 CVE-2021-28715 CVE-2021-33098 CVE-2021-4001 CVE-2021-4002 CVE-2021-4083 CVE-2021-4135 CVE-2021-4149 CVE-2021-4197 CVE-2021-4202 CVE-2021-43975 CVE-2021-43976 CVE-2021-44733 CVE-2021-45485 CVE-2021-45486 CVE-2022-0185 CVE-2022-0322
CVSS scores:	CVE-2020-27820 ( SUSE ): 3.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L CVE-2020-27820 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27825 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2020-27825 ( NVD ): 5.7 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2021-28711 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28711 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28712 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28712 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28713 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28713 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28714 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-28714 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28715 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-28715 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-33098 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-33098 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-4001 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-4001 ( NVD ): 4.1 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N CVE-2021-4002 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2021-4002 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2021-4083 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-4083 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-4135 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-4135 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-4149 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-4149 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-4197 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2021-4197 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-4202 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-4202 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-43975 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-43975 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-43976 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-43976 ( NVD ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-44733 ( SUSE ): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L CVE-2021-44733 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-45485 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2021-45485 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-45486 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2021-45486 ( NVD ): 3.5 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-0185 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-0185 ( NVD ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-0322 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-0322 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Enterprise Storage 7 SUSE Linux Enterprise High Availability Extension 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Live Patching 15-SP2 SUSE Linux Enterprise Micro 5.0 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1

An update that solves 22 vulnerabilities and has 59 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP2 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2022-0185: Incorrect param length parsing in legacy_parse_param which could have led to a local privilege escalation (bsc#1194517).
CVE-2022-0322: Fixed a denial of service in SCTP sctp_addto_chunk (bsc#1194985).
CVE-2021-44733: Fixed a use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel that occured because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object (bnc#1193767).
CVE-2021-4197: Fixed a cgroup issue where lower privileged processes could write to fds of lower privileged ones that could lead to privilege escalation (bsc#1194302).
CVE-2021-4135: Fixed an information leak in the nsim_bpf_map_alloc function (bsc#1193927).
CVE-2021-4202: Fixed a race condition during NFC device remove which could lead to a use-after-free memory corruption (bsc#1194529)
CVE-2021-4083: A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allowed a local user to crash the system or escalate their privileges on the system. (bnc#1193727).
CVE-2021-4149: Fixed a locking condition in btrfs which could lead to system deadlocks (bsc#1194001).
CVE-2021-45485: The IPv6 implementation in net/ipv6/output_core.c had an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses (bnc#1194094).
CVE-2021-45486: The IPv4 implementation in net/ipv4/route.c had an information leak because the hash table is very small (bnc#1194087).
CVE-2021-4001: A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. (bnc#1192990).
CVE-2021-28715: Guest can force Linux netback driver to hog large amounts of kernel memory. Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There was a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. ()
CVE-2021-28714: Guest can force Linux netback driver to hog large amounts of kernel memory. Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There was a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing (bnc#1193442).
CVE-2021-28713: Rogue backends can cause DoS of guests via high frequency events. Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. (bsc#1193440)
CVE-2021-28712: Rogue backends can cause DoS of guests via high frequency events. Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. (bsc#1193440)
CVE-2021-28711: Rogue backends can cause DoS of guests via high frequency events. Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time (bnc#1193440).
CVE-2020-27825: A use-after-free flaw was found in kernel/trace/ring_buffer.c. There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat (bnc#1179960).
CVE-2021-43975: hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allowed an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value (bnc#1192845).
CVE-2021-33098: Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1192877).
CVE-2021-43976: mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allowed an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic) (bnc#1192847).
CVE-2021-4002: Incorrect TLBs flushing after huge_pmd_unshare could lead to exposing hugepages to other users (bsc#1192946).
CVE-2020-27820: A use-after-frees in nouveau's postclose() handler could happen if removing device (that is not common to remove video card physically without power-off, but same happens if "unbind" the driver) (bnc#1179599).

The following non-security bugs were fixed:

smb3: print warning once if posix context returned on open (bsc#1164565).
ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses (git-fixes).
ACPI: battery: Accept charges over the design capacity as full (git-fixes).
ACPICA: Avoid evaluating methods too early during system resume (git-fixes).
ALSA: ISA: not for M68K (git-fixes).
ALSA: ctxfi: Fix out-of-range access (git-fixes).
ALSA: gus: fix null pointer dereference on pointer block (git-fixes).
ALSA: hda/realtek: Add a quirk for Acer Spin SP513-54N (git-fixes).
ALSA: hda/realtek: Add quirk for ASUS UX550VE (git-fixes).
ALSA: hda/realtek: Add quirk for Clevo PC70HS (git-fixes).
ALSA: hda/realtek: Add quirk for HP EliteBook 840 G7 mute LED (git-fixes).
ALSA: hda: hdac_ext_stream: fix potential locking issues (git-fixes).
ALSA: hda: hdac_stream: fix potential locking issue in snd_hdac_stream_assign() (git-fixes).
ALSA: synth: missing check for possible NULL after the call to kstrdup (git-fixes).
ALSA: timer: Fix use-after-free problem (git-fixes).
ALSA: timer: Unconditionally unlink slave instances, too (git-fixes).
ALSA: usb-audio: Add registration quirk for JBL Quantum 400 (git-fixes).
ARM: 8970/1: decompressor: increase tag size (git-fixes).
ARM: 8974/1: use SPARSMEM_STATIC when SPARSEMEM is enabled (git-fixes)
ARM: 8986/1: hw_breakpoint: Do not invoke overflow handler on uaccess watchpoints (git-fixes)
ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT (git-fixes)
ARM: 9019/1: kprobes: Avoid fortify_panic() when copying optprobe (git-fixes)
ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores (git-fixes)
ARM: 9064/1: hw_breakpoint: Do not directly check the event's (git-fixes)
ARM: 9071/1: uprobes: Do not hook on thumb instructions (git-fixes)
ARM: 9081/1: fix gcc-10 thumb2-kernel regression (git-fixes)
ARM: 9091/1: Revert "mm: qsd8x50: Fix incorrect permission faults" (git-fixes)
ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned (git-fixes)
ARM: 9134/1: remove duplicate memcpy() definition (git-fixes)
ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype (git-fixes)
ARM: 9141/1: only warn about XIP address when not compile testing (git-fixes)
ARM: 9155/1: fix early early_iounmap() (git-fixes)
ARM: OMAP2+: Fix legacy mode dss_reset (git-fixes)
ARM: OMAP2+: omap_device: fix idling of devices during probe (git-fixes)
ARM: OMAP2+: pm33xx-core: Make am43xx_get_rtc_base_addr static (git-fixes)
ARM: at91: pm: add missing put_device() call in at91_pm_sram_init() (git-fixes)
ARM: at91: pm: of_node_put() after its usage (git-fixes)
ARM: at91: pm: use proper master clock register offset (git-fixes)
ARM: bcm: Select ARM_TIMER_SP804 for ARCH_BCM_NSP (git-fixes)
ARM: dts sunxi: Relax a bit the CMA pool allocation range (git-fixes)
ARM: dts: BCM5301X: Add interrupt properties to GPIO node (git-fixes)
ARM: dts: BCM5301X: Fix I2C controller interrupt (git-fixes)
ARM: dts: BCM5301X: Fixed QSPI compatible string (git-fixes)
ARM: dts: Configure missing thermal interrupt for 4430 (git-fixes)
ARM: dts: Fix dcan driver probe failed on am437x platform (git-fixes)
ARM: dts: Fix duovero smsc interrupt for suspend (git-fixes)
ARM: dts: N900: fix onenand timings (git-fixes).
ARM: dts: NSP: Correct FA2 mailbox node (git-fixes)
ARM: dts: NSP: Disable PL330 by default, add dma-coherent property (git-fixes)
ARM: dts: NSP: Fixed QSPI compatible s