Security update for the Linux Kernel
| Announcement ID: | SUSE-SU-2018:3659-1 |
|---|---|
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | |
An update that solves 10 vulnerabilities and has 104 security fixes can now be installed.
Description:
The SUSE Linux Enterprise 12 SP3 RT kernel was updated to 4.4.162 to receive various security fixes and bug fixes.
The following security bugs were fixed:
- CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).
- CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).
- CVE-2018-14613: There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c (bnc#1102896).
- CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).
- CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the iSCSI target code, in the way an authentication request from an iSCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on the compiler, compile flags and hardware architecture), an attack may lead to a system crash and thus to a denial of service, or possibly to unauthorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely (bnc#1107829).
- CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095).
- CVE-2018-16597: Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem (bnc#1106512).
- CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).
- CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
- CVE-2018-9516: A lack of certain checks in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file might have resulted in an overflow of the receiving userspace buffer and an out-of-bounds write, or in an infinite loop (bnc#1108498).
The following non-security bugs were fixed:
- 6lowpan: iphc: reset mac_header after decompress to fix panic (bnc#1012382).
- alsa: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping (bnc#1012382).
- alsa: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO (bnc#1012382).
- alsa: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge (bnc#1012382).
- alsa: hda - Fix cancel_work_sync() stall from jackpoll work (bnc#1012382).
- alsa: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 (bnc#1012382).
- alsa: msnd: Fix the default sample sizes (bnc#1012382).
- alsa: pcm: Fix snd_interval_refine first/last with open min/max (bnc#1012382).
- alsa: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro (bnc#1012382).
- apparmor: remove no-op permission check in policy_unpack (git-fixes).
- arc: build: Get rid of toolchain check (bnc#1012382).
- arc: clone syscall to setp r25 as thread pointer (bnc#1012382).
- arch/hexagon: fix kernel/dma.c build warning (bnc#1012382).
- arc: [plat-axs*]: Enable SWAP (bnc#1012382).
- arm64: bpf: jit JMP_JSET_{X,K} (bsc#1110613).
- arm64: Correct type for PUD macros (bsc#1110600).
- arm64: cpufeature: Track 32bit EL0 support (bnc#1012382).
- arm64: dts: qcom: db410c: Fix Bluetooth LED trigger (bnc#1012382).
- arm64: fix erroneous __raw_read_system_reg() cases (bsc#1110606).
- arm64: Fix potential race with hardware DBM in ptep_set_access_flags() (bsc#1110605).
- arm64: fpsimd: Avoid FPSIMD context leakage for the init task (bsc#1110603).
- arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto" (bnc#1012382).
- arm64: kasan: avoid bad virt_to_pfn() (bsc#1110612).
- arm64: kasan: avoid pfn_to_nid() before page array is initialized (bsc#1110619).
- arm64/kasan: do not allocate extra shadow memory (bsc#1110611).
- arm64: kernel: Update kerneldoc for cpu_suspend() rename (bsc#1110602).
- arm64: kgdb: handle read-only text / modules (bsc#1110604).
- arm64: kvm: Sanitize PSTATE.M when being set from userspace (bnc#1012382).
- arm64: kvm: Tighten guest core register access from userspace (bnc#1012382).
- arm64/mm/kasan: do not use vmemmap_populate() to initialize shadow (bsc#1110618).
- arm64: ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails (bsc#1110601).
- arm64: supported.conf: mark armmmci as not supported
- arm64 Update config files. (bsc#1110468) Set MMC_QCOM_DML to built-in and delete driver from supported.conf
- arm64: vdso: fix clock_getres for 4GiB-aligned res (bsc#1110614).
- arm: dts: at91: add new compatibility string for macb on sama5d3 (bnc#1012382).
- arm: dts: dra7: fix DCAN node addresses (bnc#1012382).
- arm: exynos: Clear global variable on init error path (bnc#1012382).
- arm: hisi: check of_iomap and fix missing of_node_put (bnc#1012382).
- arm: hisi: fix error handling and missing of_node_put (bnc#1012382).
- arm: hisi: handle of_iomap and fix missing of_node_put (bnc#1012382).
- arm: mvebu: declare asm symbols as character arrays in pmsu.c (bnc#1012382).
- asm/sections: add helpers to check for section data (bsc#1063026).
- asoc: cs4265: fix MMTLR Data switch control (bnc#1012382).
- asoc: dapm: Fix potential DAI widget pointer deref when linking DAIs (bnc#1012382).
- asoc: sigmadsp: safeload should not have lower byte limit (bnc#1012382).
- asoc: wm8804: Add ACPI support (bnc#1012382).
- asoc: wm8994: Fix missing break in switch (bnc#1012382).
- ata: libahci: Correct setting of DEVSLP register (bnc#1012382).
- ath10k: disable bundle mgmt tx completion event support (bnc#1012382).
- ath10k: fix scan crash due to incorrect length calculation (bnc#1012382).
- ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait (bnc#1012382).
- ath10k: prevent active scans on potential unusable channels (bnc#1012382).
- ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock (bnc#1012382).
- audit: fix use-after-free in audit_add_watch (bnc#1012382).
- autofs: fix autofs_sbi() does not check super block type (bnc#1012382).
- binfmt_elf: Respect error return from `regset->active' (bnc#1012382).
- block: bvec_nr_vecs() returns value for wrong slab (bsc#1082979).
- bluetooth: Add a new Realtek 8723DE ID 0bda:b009 (bnc#1012382).
- bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV (bnc#1012382).
- bluetooth: hidp: Fix handling of strncpy for hid->name information (bnc#1012382).
- bnxt_en: Fix TX timeout during netpoll (bnc#1012382).
- bonding: avoid possible dead-lock (bnc#1012382).
- bpf: fix cb access in socket filter programs on tail calls (bsc#1012382).
- bpf: fix map not being uncharged during map creation failure (bsc#1012382).
- bpf: fix overflow in prog accounting (bsc#1012382).
- bpf, s390: fix potential memleak when later bpf_jit_prog fails (git-fixes).
- bpf, s390x: do not reload skb pointers in non-skb context (git-fixes).
- btrfs: Add checker for EXTENT_CSUM (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: add missing initialization in btrfs_check_shared (Git-fixes bsc#1112262).
- btrfs: Add sanity check for EXTENT_DATA when reading out leaf (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: Check if item pointer overlaps with the item itself (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: Check that each block group has corresponding chunk at mount time (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: fix error handling in btrfs_dev_replace_start (bsc#1107535).
- btrfs: fix missing error return in btrfs_drop_snapshot (Git-fixes bsc#1109919).
- btrfs: Fix race condition between delayed refs and blockgroup removal (Git-fixes bsc#1112263).
- btrfs: Introduce mount time chunk <-> dev extent mapping check (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: Move leaf and node validation checker to tree-checker.c (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (bnc#1012382).
- btrfs: replace: Reset on-disk dev stats value after replace (bnc#1012382).
- btrfs: scrub: Do not use inode page cache in scrub_handle_errored_block() (bsc#1108096).
- btrfs: tree-checker: Add checker for dir item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: tree-checker: Detect invalid and empty essential trees (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: tree-checker: Enhance btrfs_check_node output (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: tree-checker: Enhance output for btrfs_check_leaf (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: tree-checker: Enhance output for check_csum_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: tree-checker: Enhance output for check_extent_data_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: tree-checker: Fix false panic for sanity test (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: tree-checker: Replace root parameter with fs_info (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: tree-checker: use %zu format string for size_t (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: tree-checker: Verify block_group_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- btrfs: use correct compare function of dirty_metadata_bytes (bnc#1012382).
- btrfs: Verify that every chunk has corresponding block group at mount time (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
- ceph: avoid a use-after-free in ceph_destroy_options() (bsc#1112007).
- cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() (bnc#1012382).
- cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE (bnc#1012382).
- cfq: Give a chance for arming slice idle timer in case of group_idle (bnc#1012382).
- cgroup: Fix deadlock in cpu hotplug path (bnc#1012382).
- cifs: check if SMB2 PDU size has been padded and suppress the warning (bnc#1012382).
- cifs: connect to servername instead of IP for IPC$ share (bsc#1106359).
- cifs: fix wrapping bugs in num_entries() (bnc#1012382).
- cifs: integer overflow in in SMB2_ioctl() (bsc#1012382).
- cifs: prevent integer overflow in nxt_dir_entry() (bnc#1012382).
- cifs: read overflow in is_valid_oplock_break() (bnc#1012382).
- clk: imx6ul: fix missing of_node_put() (bnc#1012382).
- clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs (bnc#1012382).
- config.sh: set BUGZILLA_PRODUCT for SLE12-SP3
- coresight: Handle errors in finding input/output ports (bnc#1012382).
- coresight: tpiu: Fix disabling timeouts (bnc#1012382).
- cpu/hotplug: Fix SMT supported evaluation (bsc#1089343).
- crypto: clarify licensing of OpenSSL asm code ().
- crypto: mxs-dcp - Fix wait logic on chan threads (bnc#1012382).
- crypto: sharah - Unregister correct algorithms for SAHARA 3 (bnc#1012382).
- crypto: skcipher - Fix -Wstringop-truncation warnings (bnc#1012382).
- crypto: vmx - Remove overly verbose printk from AES XTS init (git-fixes).
- debugobjects: Make stack check warning more informative (bnc#1012382).
- define early_radix_enabled() (bsc#1094244).
- dmaengine: pl330: fix irq race with terminate_all (bnc#1012382).
- dm cache: fix resize crash if user does not reload cache table (bnc#1012382).
- dm kcopyd: avoid softlockup in run_complete_job (bnc#1012382).
- dm-mpath: do not try to access NULL rq (bsc#1110337).
- dm-mpath: finally fixup cmd_flags (bsc#1110930).
- dm thin metadata: fix __udivdi3 undefined on 32-bit (bnc#1012382).
- dm thin metadata: try to avoid ever aborting transactions (bnc#1012382).
- drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config (bnc#1012382).
- drivers: net: cpsw: fix segfault in case of bad phy-handle (bnc#1012382).
- drivers/tty: add error handling for pcmcia_loop_config (bnc#1012382).
- drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7 (bnc#1012382).
- drm/amdkfd: Fix error codes in kfd_get_process (bnc#1012382).
- drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect() (bnc#1012382).
- drm/nouveau/TBDdevinit: do not fail when PMU/PRE_OS is missing from VBIOS (bnc#1012382).
- drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping (bnc#1012382).
- e1000: check on netif_running() before calling e1000_up() (bnc#1012382).
- e1000: ensure to free old tx/rx rings in set_ringparam() (bnc#1012382).
- ebtables: arpreply: Add the standard target sanity check (bnc#1012382).
- edac: Fix memleak in module init error path (bsc#1109441).
- edac, i7core: Fix memleaks and use-after-free on probe and remove (bsc#1109441).
- ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle (bnc#1012382).
- ethtool: Remove trailing semicolon for static inline (bnc#1012382).
- ext4: avoid divide by zero fault when deleting corrupted inline directories (bnc#1012382).
- ext4: do not mark mmp buffer head dirty (bnc#1012382).
- ext4: fix online resize's handling of a too-small final block group (bnc#1012382).
- ext4: fix online resizing for bigalloc file systems with a 1k block size (bnc#1012382).
- ext4: recalucate superblock checksum after updating free blocks/inodes (bnc#1012382).
- f2fs: do not set free of current section (bnc#1012382).
- f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize (bnc#1012382).
- fat: validate ->i_start before using (bnc#1012382).
- fbdev: Distinguish between interlaced and progressive modes (bnc#1012382).
- fbdev/omapfb: fix omapfb_memory_read infoleak (bnc#1012382).
- fbdev/via: fix defined but not used warning (bnc#1012382).
- fixes: Commit cdbf92675fad ("mm: numa: avoid waiting on freed migrated pages") (bnc#1012382).
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (bnc#1012382).
- follow-up fix for patches.arch/01-jump_label-reduce-the-size-of-struct-static_key-kabi.patch. (bsc#1108803)
- fork: do not copy inconsistent signal handler state to child (bnc#1012382).
- fs/cifs: do not translate SFM_SLASH (U+F026) to backslash (bnc#1012382).
- fs/cifs: suppress a string overflow warning (bnc#1012382).
- fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() (bnc#1012382).
- fs/eventpoll: loosen irq-safety when possible (bsc#1096052).
- genirq: Delay incrementing interrupt count if it's disabled/pending (bnc#1012382).
- gfs2: Special-case rindex for gfs2_grow (bnc#1012382).
- gpio: adp5588: Fix sleep-in-atomic-context bug (bnc#1012382).
- gpiolib: Mark gpio_suffixes array with __maybe_unused (bnc#1012382).
- gpio: ml-ioh: Fix buffer underwrite on probe error path (bnc#1012382).
- gpio: tegra: Move driver registration to subsys_init level (bnc#1012382).
- gso_segment: Reset skb->mac_len after modifying network header (bnc#1012382).
- hexagon: modify ffs() and fls() to return int (bnc#1012382).
- hfsplus: do not return 0 when fill_super() failed (bnc#1012382).
- hfs: prevent crash on exit from failed search (bnc#1012382).
- hid: hid-ntrig: add error handling for sysfs_create_group (bnc#1012382).
- hid: sony: Support DS4 dongle (bnc#1012382).
- hid: sony: Update device ids (bnc#1012382).
- hv: avoid crash in vmbus sysfs files (bnc#1108377).
- hwmon: (adt7475) Make adt7475_read_word() return errors (bnc#1012382).
- hwmon: (ina2xx) fix sysfs shunt resistor read access (bnc#1012382).
- i2c: i2c-scmi: fix for i2c_smbus_write_block_data (bnc#1012382).
- i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus (bnc#1012382).
- i2c: i801: fix DNV's SMBCTRL register offset (bnc#1012382).
- i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP (bnc#1012382).
- i2c: uniphier: issue STOP only for last message or I2C_M_STOP (bnc#1012382).
- i2c: xiic: Make the start and the byte count write atomic (bnc#1012382).
- i2c: xlp9xx: Add support for SMBAlert (bsc#1103308).
- i2c: xlp9xx: Fix case where SSIF read transaction completes early (bsc#1103308).
- i2c: xlp9xx: Fix issue seen when updating receive length (bsc#1103308).
- i2c: xlp9xx: Make sure the transfer size is not more than I2C_SMBUS_BLOCK_SIZE (bsc#1103308).
- ib/ipoib: Avoid a race condition between start_xmit and cm_rep_handler (bnc#1012382).
- ib/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop (bnc#1012382).
- ib_srp: Remove WARN_ON in srp_terminate_io() (bsc#1094562).
- input: atakbd - fix Atari CapsLock behaviour (bnc#1012382).
- input: atakbd - fix Atari keymap (bnc#1012382).
- input: atmel_mxt_ts - only use first T9 instance (bnc#1012382).
- input: elantech - enable middle button of touchpad on ThinkPad P72 (bnc#1012382).
- iommu/amd: Return devid as alias for ACPI HID devices (bsc#1106105).
- iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register (bnc#1012382).
- iommu/ipmmu-vmsa: Fix allocation in atomic context (bnc#1012382).
- ip6_tunnel: be careful when accessing the inner header (bnc#1012382).
- ipmi:ssif: Add support for multi-part transmit messages > 2 parts (bsc#1103308).
- ip_tunnel: be careful when accessing the inner header (bnc#1012382).
- ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() (bnc#1012382).
- ipv6: fix possible use-after-free in ip6_xmit() (bnc#1012382).
- ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() (bnc#1012382).
- irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP (bnc#1012382).
- irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar() (bnc#1012382).
- iw_cxgb4: only allow 1 flush on user qps (bnc#1012382).
- ixgbe: pci_set_drvdata must be called before register_netdev (Git-fixes bsc#1109923).
- jffs2: return -ERANGE when xattr buffer is too small (bnc#1012382).
- kabi: move the new handler to end of machdep_calls and hide it from genksyms (bsc#1094244).
- kabi protect hnae_ae_ops (bsc#1107924).
- kABI: protect struct hnae_desc_cb (kabi).
- kbuild: add .DELETE_ON_ERROR special target (bnc#1012382).
- kbuild: make missing $DEPMOD a Warning instead of an Error (bnc#1012382).
- kernel/params.c: downgrade warning for unsafe parameters (bsc#1050549).
- kprobes/x86: Release insn_slot in failure path (bsc#1110006).
- kthread: fix boot hang (regression) on MIPS/OpenRISC (bnc#1012382).
- kthread: Fix use-after-free if kthread fork fails (bnc#1012382).
- kvm: nVMX: Do not expose MPX VMX controls when guest MPX disabled (bsc#1106240).
- kvm: nVMX: Do not flush TLB when vmcs12 uses VPID (bsc#1106240).
- kvm: PPC: Book3S HV: Do not truncate HPTE index in xlate function (bnc#1012382).
- kvm: x86: Do not re-{try,execute} after failed emulation in L2 (bsc#1106240).
- kvm: x86: Do not use kvm_x86_ops->mpx_supported() directly (bsc#1106240).