Security update for the Linux Kernel

Announcement ID: SUSE-SU-2019:0196-1
Rating: important
CVSS scores:
  • CVE-2018-12232 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-12232 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-14625 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
  • CVE-2018-14625 ( NVD ): 5.3 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
  • CVE-2018-16862 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
  • CVE-2018-16862 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2018-16884 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-16884 ( NVD ): 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-16884 ( NVD ): 6.5 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H
  • CVE-2018-18397 ( SUSE ): 6.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
  • CVE-2018-18397 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2018-19407 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-19407 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-19854 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2018-19854 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2018-19985 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2018-19985 ( NVD ): 4.6 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2018-20169 ( SUSE ): 6.3 CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-20169 ( NVD ): 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-20169 ( NVD ): 6.8 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-9568 ( SUSE ): 7.4 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-9568 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-9568 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise High Availability Extension 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise Live Patching 12-SP4
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP4
  • SUSE Linux Enterprise Software Development Kit 12 SP4
  • SUSE Linux Enterprise Workstation Extension 12 12-SP4

An update that solves 10 vulnerabilities and has 136 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

  • CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319).
  • CVE-2018-12232: In net/socket.c in the Linux kernel, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat did not increment the file descriptor reference count, which allowed close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash (bnc#1097593).
  • CVE-2018-14625: A flaw was found where an attacker may be able to perform an uncontrolled read of kernel memory from within a VM guest. A race condition between the connect() and close() functions may allow an attacker using the AF_VSOCK protocol to obtain a 4-byte information leak, or possibly to intercept or corrupt AF_VSOCK messages destined for other clients (bnc#1106615).
  • CVE-2018-16862: A security flaw was found in the way the cleancache subsystem clears an inode after the final file truncation (removal). A new file created with the same inode may contain leftover pages from cleancache, and thus the old file's data instead of the new one's (bnc#1117186).
  • CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).
  • CVE-2018-18397: The userfaultfd implementation mishandled access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c (bnc#1117656).
  • CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).
  • CVE-2018-19854: An issue was discovered in the Linux kernel: crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability, because the attacker does not need a capability (the system must, however, have the CONFIG_CRYPTO_USER kconfig option enabled) (bnc#1118428).
  • CVE-2018-19985: The function hso_probe read if_num from the USB device (as a u8) and used it without a length check to index an array, resulting in an out-of-bounds (OOB) memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).
  • CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).

The following non-security bugs were fixed:

  • acpi / CPPC: Check for valid PCC subspace only if PCC is used (bsc#1117115).
  • acpi / CPPC: Update all pr_(debug/err) messages to log the subspace id (bsc#1117115).
  • aio: fix spectre gadget in lookup_ioctx (bsc#1120594).
  • alsa: cs46xx: Potential NULL dereference in probe (bsc#1051510).
  • alsa: emu10k1: Fix potential Spectre v1 vulnerabilities (bsc#1051510).
  • alsa: emux: Fix potential Spectre v1 vulnerabilities (bsc#1051510).
  • alsa: fireface: fix for state to fetch PCM frames (bsc#1051510).
  • alsa: fireface: fix reference to wrong register for clock configuration (bsc#1051510).
  • alsa: firewire-lib: fix wrong assignment for 'out_packet_without_header' tracepoint (bsc#1051510).
  • alsa: firewire-lib: fix wrong handling payload_length as payload_quadlet (bsc#1051510).
  • alsa: firewire-lib: use the same print format for 'without_header' tracepoints (bsc#1051510).
  • alsa: hda: add mute LED support for HP EliteBook 840 G4 (bsc#1051510).
  • alsa: hda: Add support for AMD Stoney Ridge (bsc#1051510).
  • alsa: hda/ca0132 - make pci_iounmap() call conditional (bsc#1051510).
  • alsa: hda: fix front speakers on Huawei MBXP (bsc#1051510).
  • alsa: hda/realtek - Add support for Acer Aspire C24-860 headset mic (bsc#1051510).
  • alsa: hda/realtek - Add unplug function into unplug state of Headset Mode for ALC225 (bsc#1051510).
  • alsa: hda/realtek: ALC286 mic and headset-mode fixups for Acer Aspire U27-880 (bsc#1051510).
  • alsa: hda/realtek: ALC294 mic and headset-mode fixups for ASUS X542UN (bsc#1051510).
  • alsa: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 (bsc#1051510).
  • alsa: hda/realtek: Enable audio jacks of ASUS UX391UA with ALC294 (bsc#1051510).
  • alsa: hda/realtek: Enable audio jacks of ASUS UX433FN/UX333FA with ALC294 (bsc#1051510).
  • alsa: hda/realtek: Enable audio jacks of ASUS UX533FD with ALC294 (bsc#1051510).
  • alsa: hda/realtek: Enable the headset mic auto detection for ASUS laptops (bsc#1051510).
  • alsa: hda/realtek - Fixed headphone issue for ALC700 (bsc#1051510).
  • alsa: hda/realtek: Fix mic issue on Acer AIO Veriton Z4660G (bsc#1051510).
  • alsa: hda/realtek: Fix mic issue on Acer AIO Veriton Z4860G/Z6860G (bsc#1051510).
  • alsa: hda/realtek - Fix speaker output regression on Thinkpad T570 (bsc#1051510).
  • alsa: hda/realtek - Fix the mute LED regression on Lenovo X1 Carbon (bsc#1051510).
  • alsa: hda/realtek - Support Dell headset mode for New AIO platform (bsc#1051510).
  • alsa: hda/tegra: clear pending irq handlers (bsc#1051510).
  • alsa: pcm: Call snd_pcm_unlink() conditionally at closing (bsc#1051510).
  • alsa: pcm: Fix interval evaluation with openmin/max (bsc#1051510).
  • alsa: pcm: Fix potential Spectre v1 vulnerability (bsc#1051510).
  • alsa: pcm: Fix starvation on down_write_nonblock() (bsc#1051510).
  • alsa: rme9652: Fix potential Spectre v1 vulnerability (bsc#1051510).
  • alsa: trident: Suppress gcc string warning (bsc#1051510).
  • alsa: usb-audio: Add SMSL D1 to quirks for native DSD support (bsc#1051510).
  • alsa: usb-audio: Add support for Encore mDSD USB DAC (bsc#1051510).
  • alsa: usb-audio: Avoid access before bLength check in build_audio_procunit() (bsc#1051510).
  • alsa: usb-audio: Fix an out-of-bound read in create_composite_quirks (bsc#1051510).
  • alsa: x86: Fix runtime PM for hdmi-lpe-audio (bsc#1051510).
  • apparmor: do not try to replace stale label in ptrace access check (git-fixes).
  • apparmor: do not try to replace stale label in ptraceme check (git-fixes).
  • apparmor: Fix uninitialized value in aa_split_fqname (git-fixes).
  • arm64: Add work around for Arm Cortex-A55 Erratum 1024718 (bsc#1120612).
  • arm64: atomics: Remove '&' from '+&' asm constraint in lse atomics (bsc#1120613).
  • arm64: cpu_errata: include required headers (bsc#1120615).
  • arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing (bsc#1120633).
  • arm64: Fix /proc/iomem for reserved but not memory regions (bsc#1120632).
  • arm64: lse: Add early clobbers to some input/output asm operands (bsc#1120614).
  • arm64: lse: remove -fcall-used-x0 flag (bsc#1120618).
  • arm64: mm: always enable CONFIG_HOLES_IN_ZONE (bsc#1120617).
  • arm64/numa: Report correct memblock range for the dummy node (bsc#1120620).
  • arm64/numa: Unify common error path in numa_init() (bsc#1120621).
  • arm64: remove no-op -p linker flag (bsc#1120616).
  • ASoC: dapm: Recalculate audio map forcibly when card instantiated (bsc#1051510).
  • ASoC: intel: cht_bsw_max98090_ti: Add pmc_plt_clk_0 quirk for Chromebook Clapper (bsc#1051510).
  • ASoC: intel: cht_bsw_max98090_ti: Add pmc_plt_clk_0 quirk for Chromebook Gnawty (bsc#1051510).
  • ASoC: Intel: mrfld: fix uninitialized variable access (bsc#1051510).
  • ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing (bsc#1051510).
  • ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE (bsc#1051510).
  • ASoC: omap-mcbsp: Fix latency value calculation for pm_qos (bsc#1051510).
  • ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE (bsc#1051510).
  • ASoC: rsnd: fixup clock start checker (bsc#1051510).
  • ASoC: wm_adsp: Fix dma-unsafe read of scratch registers (bsc#1051510).
  • ath10k: do not assume this is a PCI dev in generic code (bsc#1051510).
  • ath6kl: Only use match sets when firmware supports it (bsc#1051510).
  • b43: Fix error in cordic routine (bsc#1051510).
  • bcache: fix miss key refill->end in writeback (Git-fixes).
  • bcache: trace missed reading by cache_missed (Git-fixes).
  • Blacklist 5182f26f6f74 crypto: ccp - Make function sev_get_firmware() static
  • blk-mq: remove synchronize_rcu() from blk_mq_del_queue_tag_set() (Git-fixes).
  • block: allow max_discard_segments to be stacked (Git-fixes).
  • block: blk_init_allocated_queue() set q->fq as NULL in the fail case (Git-fixes).
  • block: really disable runtime-pm for blk-mq (Git-fixes).
  • block: reset bi_iter.bi_done after splitting bio (Git-fixes).
  • block/swim: Fix array bounds check (Git-fixes).
  • bnxt_en: do not try to offload VLAN 'modify' action (bsc#1050242).
  • bnxt_en: Fix enables field in HWRM_QUEUE_COS2BW_CFG request (bsc#1086282).
  • bnxt_en: Fix VNIC reservations on the PF (bsc#1086282).
  • bnxt_en: get the reduced max_irqs by the ones used by RDMA (bsc#1050242).
  • bpf: fix check of allowed specifiers in bpf_trace_printk (bsc#1083647).
  • bpf: use per htab salt for bucket hash (git-fixes).
  • btrfs: Always try all copies when reading extent buffers (git-fixes).
  • btrfs: delete dead code in btrfs_orphan_add() (bsc#1111469).
  • btrfs: delete dead code in btrfs_orphan_commit_root() (bsc#1111469).
  • btrfs: do not BUG_ON() in btrfs_truncate_inode_items() (bsc#1111469).
  • btrfs: do not check inode's runtime flags under root->orphan_lock (bsc#1111469).
  • btrfs: do not return ino to ino cache if inode item removal fails (bsc#1111469).
  • btrfs: fix ENOSPC caused by orphan items reservations (bsc#1111469).
  • btrfs: Fix error handling in btrfs_cleanup_ordered_extents (git-fixes).
  • btrfs: fix error handling in btrfs_truncate() (bsc#1111469).
  • btrfs: fix error handling in btrfs_truncate_inode_items() (bsc#1111469).
  • btrfs: fix fsync of files with multiple hard links in new directories (1120173).
  • btrfs: Fix memory barriers usage with device stats counters (git-fixes).
  • btrfs: fix use-after-free on root->orphan_block_rsv (bsc#1111469).
  • btrfs: get rid of BTRFS_INODE_HAS_ORPHAN_ITEM (bsc#1111469).
  • btrfs: get rid of unused orphan infrastructure (bsc#1111469).
  • btrfs: move btrfs_truncate_block out of trans handle (bsc#1111469).
  • btrfs: qgroup: Dirty all qgroups before rescan (bsc#1120036).
  • btrfs: refactor btrfs_evict_inode() reserve refill dance (bsc#1111469).
  • btrfs: renumber BTRFS_INODE_ runtime flags and switch to enums (bsc#1111469).
  • btrfs: reserve space for O_TMPFILE orphan item deletion (bsc#1111469).
  • btrfs: run delayed items before dropping the snapshot (bsc#1121263, bsc#1111188).
  • btrfs: stop creating orphan items for truncate (bsc#1111469).
  • btrfs: tree-checker: Do not check max block group size as current max chunk size limit is unreliable (fixes for bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
  • btrfs: update stale comments referencing vmtruncate() (bsc#1111469).
  • can: flexcan: flexcan_irq(): fix indention (bsc#1051510).
  • cdrom: do not attempt to fiddle with cdo->capability (bsc#1051510).
  • ceph: do not update importing cap's mseq when handing cap export (bsc#1121273).
  • char_dev: extend dynamic allocation of majors into a higher range (bsc#1121058).
  • char_dev: Fix off-by-one bugs in find_dynamic_major() (bsc#1121058).
  • clk: mmp: Off by one in mmp_clk_add() (bsc#1051510).
  • clk: mvebu: Off by one bugs in cp110_of_clk_get() (bsc#1051510).
  • compiler-gcc.h: Add attribute((gnu_inline)) to all inline declarations (git-fixes).
  • config: arm64: enable erratum 1024718
  • cpufeature: avoid warning when compiling with clang (Git-fixes).
  • cpufreq / CPPC: Add cpuinfo_cur_freq support for CPPC (bsc#1117115).
  • cpufreq: CPPC: fix build in absence of v3 support (bsc#1117115).
  • cpupower: remove stringop-truncation warning (git-fixes).
  • crypto: bcm - fix normal/non key hash algorithm failure (bsc#1051510).
  • crypto: ccp - Add DOWNLOAD_FIRMWARE SEV command ().
  • crypto: ccp - Add GET_ID SEV command ().
  • crypto: ccp - Add psp enabled message when initialization succeeds ().
  • crypto: ccp - Add support for new CCP/PSP device ID ().
  • crypto: ccp - Allow SEV firmware to be chosen based on Family and Model ().
  • crypto: ccp - Fix static checker warning ().
  • crypto: ccp - Remove unused #defines ().
  • crypto: ccp - Support register differences between PSP devices ().
  • dasd: fix deadlock in dasd_times_out (bsc#1121477, LTC#174111).
  • dax: Check page->mapping isn't NULL (bsc#1120054).
  • dax: Do not access a freed inode (bsc#1120055).
  • device property: Define type of PROPERTY_ENRTY_*() macros (bsc#1051510).
  • device property: fix fwnode_graph_get_next_endpoint() documentation (bsc#1051510).
  • disable stringop truncation warnings for now (git-fixes).
  • dm: allocate struct mapped_device with kvzalloc (Git-fixes).
  • dm cache: destroy migration_cache if cache target registration failed (Git-fixes).
  • dm cache: fix resize crash if user does not reload cache table (Git-fixes).
  • dm cache metadata: ignore hints array being too small during resize (Git-fixes).
  • dm cache metadata: save in-core policy_hint_size