Security update for the Linux Kernel
Announcement ID: | SUSE-SU-2020:2107-1 |
---|---|
Rating: | important |
References: |
|
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves 16 vulnerabilities and has 82 security fixes can now be installed.
Description:
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-15780: A lockdown bypass for loading unsigned modules using ACPI table injection was fixed. (bsc#1173573)
- CVE-2020-15393: Fixed a memory leak in usbtest_disconnect (bnc#1173514).
- CVE-2020-12771: An issue was discovered in btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails (bnc#1171732).
- CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868).
- CVE-2020-10773: Fixed a memory leak on s390/s390x, in the cmm_timeout_hander in file arch/s390/mm/cmm.c (bnc#1172999).
- CVE-2020-14416: Fixed a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
- CVE-2020-10768: Fixed an issue with the prctl() function, where indirect branch speculation could be enabled even though it was diabled before (bnc#1172783).
- CVE-2020-10766: Fixed an issue which allowed an attacker with a local account to disable SSBD protection (bnc#1172781).
- CVE-2020-10767: Fixed an issue where Indirect Branch Prediction Barrier was disabled in certain circumstances, leaving the system open to a spectre v2 style attack (bnc#1172782).
- CVE-2020-13974: Fixed a integer overflow in drivers/tty/vt/keyboard.c, if k_ascii is called several times in a row (bnc#1172775).
- CVE-2020-0305: Fixed a possible use-after-free due to a race condition incdev_get of char_dev.c. This could lead to local escalation of privilege. User interaction is not needed for exploitation (bnc#1174462).
- CVE-2020-10769: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. This flaw allowed a local attacker with user privileges to cause a denial of service (bnc#1173265).
- CVE-2020-10781: Fixed a denial of service issue in the ZRAM implementation (bnc#1173074).
- CVE-2019-20908: Fixed incorrect access permissions for the efivar_ssdt ACPI variable, which could be used by attackers to bypass lockdown or secure boot restrictions (bnc#1173567).
- CVE-2019-20810: Fixed a memory leak in go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c because it did not call snd_card_free for a failure path (bnc#1172458).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c, related to invalid length checks for variable elements in a beacon head (bnc#1152107).
The following non-security bugs were fixed:
- ACPI: GED: add support for _Exx / _Lxx handler methods (bsc#1111666).
- ACPI: GED: use correct trigger type field in _Exx / _Lxx handling (bsc#1111666).
- ACPI: NFIT: Fix unlock on error in scrub_show() (bsc#1171753).
- ACPI: PM: Avoid using power resources if there are none for D0 (bsc#1051510).
- ACPI: sysfs: Fix pm_profile_attr type (bsc#1111666).
- ACPI: video: Use native backlight on Acer Aspire 5783z (bsc#1111666).
- ACPI: video: Use native backlight on Acer TravelMate 5735Z (bsc#1111666).
- ALSA: es1688: Add the missed snd_card_free() (bsc#1051510).
- ALSA: hda: Add ElkhartLake HDMI codec vid (bsc#1111666).
- ALSA: hda: add sienna_cichlid audio asic id for sienna_cichlid up (bsc#1111666).
- ALSA: hda/hdmi - enable runtime pm for newer AMD display audio (bsc#1111666).
- ALSA: hda - let hs_mic be picked ahead of hp_mic (bsc#1111666).
- ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines (bsc#1111666).
- ALSA: hda/realtek - Add LED class support for micmute LED (bsc#1111666).
- ALSA: hda/realtek - Enable micmute LED on and HP system (bsc#1111666).
- ALSA: hda/realtek - Enable Speaker for ASUS UX533 and UX534 (bsc#1111666).
- ALSA: hda/realtek - Fix unused variable warning w/o CONFIG_LEDS_TRIGGER_AUDIO (bsc#1111666).
- ALSA: hda/realtek - Introduce polarity for micmute LED GPIO (bsc#1111666).
- ALSA: lx6464es - add support for LX6464ESe pci express variant (bsc#1111666).
- ALSA: opl3: fix infoleak in opl3 (bsc#1111666).
- ALSA: pcm: disallow linking stream to itself (bsc#1111666).
- ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback (bsc#1111666).
- ALSA: usb-audio: Add Pioneer DJ DJM-900NXS2 support (bsc#1111666).
- ALSA: usb-audio: add quirk for MacroSilicon MS2109 (bsc#1111666).
- ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock (bsc#1111666).
- ALSA: usb-audio: Clean up quirk entries with macros (bsc#1111666).
- ALSA: usb-audio: Fix inconsistent card PM state after resume (bsc#1111666).
- ALSA: usb-audio: Fix packet size calculation (bsc#1111666).
- ALSA: usb-audio: Fix racy list management in output queue (bsc#1111666).
- ALSA: usb-audio: Improve frames size computation (bsc#1111666).
- ALSA: usb-audio: Manage auto-pm of all bundled interfaces (bsc#1111666).
- ALSA: usb-audio: Use the new macro for HP Dock rename quirks (bsc#1111666).
- amdgpu: a NULL ->mm does not mean a thread is a kthread (git-fixes).
- arm64: map FDT as RW for early_init_dt_scan() (jsc#SLE-12423).
- ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb (bsc#1111666).
- ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx (bsc#1111666).
- ath9k: Fix use-after-free Write in ath9k_htc_rx_msg (bsc#1111666).
- ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb (bsc#1111666).
- ax25: fix setsockopt(SO_BINDTODEVICE) (networking-stable-20_05_27).
- b43: Fix connection problem with WPA3 (bsc#1111666).
- b43_legacy: Fix connection problem with WPA3 (bsc#1111666).
- bcache: Fix an error code in bch_dump_read() (git fixes (block drivers)).
- be2net: fix link failure after ethtool offline test (git-fixes).
- block: nr_sects_write(): Disable preemption on seqcount write (bsc#1173818).
- block: remove QUEUE_FLAG_STACKABLE (git fixes (block drivers)).
- block: sed-opal: fix sparse warning: convert __be64 data (git fixes (block drivers)).
- Bluetooth: Add SCO fallback for invalid LMP parameters error (bsc#1111666).
- bnxt_en: Fix AER reset logic on 57500 chips (git-fixes).
- bnxt_en: Fix ethtool selftest crash under error conditions (git-fixes).
- bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails (git-fixes).
- bnxt_en: Fix ipv6 RFS filter matching logic (git-fixes).
- bnxt_en: fix NULL dereference in case SR-IOV configuration fails (git-fixes).
- bnxt_en: Fix VF anti-spoof filter setup (networking-stable-20_05_12).
- bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() (networking-stable-20_05_12).
- bnxt_en: Improve AER slot reset (networking-stable-20_05_12).
- brcmfmac: fix wrong location to get firmware feature (bsc#1111666).
- brcmfmac: Transform compatible string for FW loading (bsc#1169771).
- btrfs: add assertions for tree == inode->io_tree to extent IO helpers (bsc#1174438).
- btrfs: add new helper btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: Always use a cached extent_state in btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: do not zero f_bavail if we have available space (bsc#1168081).
- btrfs: do not zero f_bavail if we have available space (bsc#1168081).
- btrfs: drop argument tree from btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: fix extent_state leak in btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof (bsc#1174438).
- btrfs: fix hang on snapshot creation after RWF_NOWAIT write (bsc#1174438).
- btrfs: fix RWF_NOWAIT write not failling when we need to cow (bsc#1174438).
- btrfs: fix RWF_NOWAIT writes blocking on extent locks and waiting for IO (bsc#1174438).
- btrfs: qgroup: Fix a bug that prevents qgroup to be re-enabled after disable (bsc#1172247).
- btrfs: Return EAGAIN if we can't start no snpashot write in check_can_nocow (bsc#1174438).
- btrfs: use correct count in btrfs_file_write_iter() (bsc#1174438).
- btrfs: Use newly introduced btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: volumes: Remove ENOSPC-prone btrfs_can_relocate() (bsc#1171124).
- bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads (bsc#1111666).
- carl9170: remove P2P_GO support (bsc#1111666).
- CDC-ACM: heed quirk also in error handling (git-fixes).
- ceph: convert mdsc->cap_dirty to a per-session list (bsc#1167104).
- ceph: request expedited service on session's last cap flush (bsc#1167104).
- cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages (bsc#1173857).
- char/random: Add a newline at the end of the file (jsc#SLE-12423).
- cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1144333).
- cifs: handle hostnames that resolve to same ip in failover (bsc#1144333 bsc#1161016).
- cifs: set up next DFS target before generic_ip_connect() (bsc#1144333 bsc#1161016).
- clk: bcm2835: Fix return type of bcm2835_register_gate (bsc#1051510).
- clk: clk-flexgen: fix clock-critical handling (bsc#1051510).
- clk: sunxi: Fix incorrect usage of round_down() (bsc#1051510).
- clocksource: dw_apb_timer: Make CPU-affiliation being optional (bsc#1111666).
- compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE (git fixes (block drivers)).
- compat_ioctl: block: handle Persistent Reservations (git fixes (block drivers)).
- copy_{to,from}_user(): consolidate object size checks (git fixes).
- crypto: algboss - do not wait during notifier callback (bsc#1111666).
- crypto: algif_skcipher - Cap recv SG list at ctx->used (bsc#1111666).
- crypto: caam - update xts sector size for large input length (bsc#1111666).
- crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated (bsc#1111666).
- crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated (git-fixes).
- Crypto/chcr: fix for ccm(aes) failed test (bsc#1111666).
- crypto: chelsio/chtls: properly set tp->lsndtime (bsc#1111666).
- crypto: talitos - fix IPsec cipher in length (git-fixes).
- crypto: talitos - reorder code in talitos_edesc_alloc() (git-fixes).
- debugfs: Check module state before warning in {full/open}_proxy_open() (bsc#1173746).
- devinet: fix memleak in inetdev_init() (networking-stable-20_06_07).
- dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' (bsc#1111666).
- dm btree: increase rebalance threshold in __rebalance2() (git fixes (block drivers)).
- dm cache: fix a crash due to incorrect work item cancelling (git fixes (block drivers)).
- dm crypt: fix benbi IV constructor crash if used in authenticated mode (git fixes (block drivers)).
- dm: fix potential for q->make_request_fn NULL pointer (git fixes (block drivers)).
- dm space map common: fix to ensure new block isn't already in use (git fixes (block drivers)).
- dm: various cleanups to md->queue initialization code (git fixes).
- dm verity fec: fix hash block number in verity_fec_decode (git fixes (block drivers)).
- dm verity fec: fix memory leak in verity_fec_dtr (git fixes (block drivers)).
- dpaa_eth: fix usage as DSA master, try 3 (networking-stable-20_05_27).
- driver-core, libnvdimm: Let device subsystems add local lockdep coverage (bsc#1171753).
- Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170617, bsc#1170618).
- drivers: soc: ti: knav_qmss_queue: Make knav_gp_range_ops static (bsc#1051510).
- drm: amd/display: fix Kconfig help text (bsc#1113956) * only fix DEBUG_KERNEL_DC
- drm: bridge: adv7511: Extend list of audio sample rates (bsc#1111666).
- drm/dp_mst: Increase ACT retry timeout to 3s (bsc#1113956) * context changes
- drm: encoder_slave: fix refcouting error for modules (bsc#1111666).
- drm: encoder_slave: fix refcouting error for modules (bsc#1114279)
- drm/i915/icl+: Fix hotplug interrupt disabling after storm detection (bsc#1112178)
- drm/i915: Whitelist context-local timestamp in the gen9 cmdparser (bsc#1111666).
- drm/mediatek: Check plane visibility in atomic_update (bsc#1113956) * context changes
- drm/msm/dpu: fix error return code in dpu_encoder_init (bsc#1111666).
- drm: panel-orientation-quirks: Add quirk for Asus T101HA panel (bsc#1111666).
- drm: panel-orientation-quirks: Use generic orientation-data for Acer S1003 (bsc#1111666).
- drm/qxl: Use correct notify port address when creating cursor ring (bsc#1113956)
- drm/radeon: fix double free (bsc#1113956)
- drm/radeon: fix fb_div check in ni_init_smc_spll_table() (bsc#1113956)
- drm/sun4i: hdmi ddc clk: Fix size of m divider (bsc#1111666).
- drm/tegra: hub: Do not enable orphaned window group (bsc#1111666).
- drm/vkms: Hold gem object while still in-use (bsc#1113956) * context changes
- e1000: Distribute switch variables for initialization (bsc#1111666).
- e1000e: Disable TSO for buffer overrun workaround (bsc#1051510).
- e1000e: Do not wake up the system via WOL if device wakeup is disabled (bsc#1051510).
- e1000e: Relax condition to trigger reset for ME workaround (bsc#1111666).
- EDAC/amd64: Read back the scrub rate PCI register on F15h (bsc#1114279).
- efi/random: Increase size of firmware supplied randomness (jsc#SLE-12423).
- efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness (jsc#SLE-12423).
- efi: READ_ONCE rng seed size before munmap (jsc#SLE-12423).
- efi: Reorder pr_notice() with add_device_randomness() call (jsc#SLE-12423).
- evm: Check also if *tfm is an error pointer in init_desc() (bsc#1051510).
- evm: Fix a small race in init_desc() (bsc#1051510).
- ext4: fix a data race at inode->i_blocks (bsc#1171835).
- ext4: fix partial cluster initialization when splitting extent (bsc#1173839).
- ext4: fix race between ext4_sync_parent() and rename() (bsc#1173838).
- ext4, jbd2: ensure panic by fix a race between jbd2 abort and ext4 error handlers (bsc#1173833).
- extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' (bsc#1051510).
- fanotify: fix ignore mask logic for events on child and on dir (bsc#1172719).
- fdt: add support for rng-seed (jsc#SLE-12423).
- fdt: Update CRC check for rng-seed (jsc#SLE-12423).
- firmware: imx: scu: Fix corruption of header (git-fixes).
- firmware: imx: scu: Fix possible memory leak in imx_scu_probe() (bsc#1111666).
- Fix boot crash with MD (bsc#1174343)
- fix multiplication overflow in copy_fdtable() (bsc#1173825).
- fpga: dfl: afu: Corrected error handling levels (git-fixes).
- fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks (networking-stable-20_05_12).
- gpiolib: Document that GPIO line names are not globally unique (bsc#1051510).
- gpu: host1x: Detach driver on unregister (bsc#1111666).
- gpu: ipu-v3: pre: do not trigger update if buffer address does not change (bsc#1111666).
- HID: magicmouse: do not set up autorepeat (git-fixes).
- HID: sony: Fix for broken buttons on DS3 USB dongles (bsc#1051510).
- hv_netvsc: Fix netvsc_start_xmit's return type (git-fixes).
- hwmon: (acpi_power_meter) Fix potential memory leak in acpi_power_meter_add() (bsc#1111666).
- hwmon: (emc2103) fix unable to change fan pwm1_enable attribute (bsc#1111666).
- hwmon: (max6697) Make sure the OVERT mask is set correctly (bsc#1111666).
- i2c: algo-pca: Add 0x78 as SCL stuck low status for PCA9665 (bsc#1111666).
- i2c: eg20t: Load module automatically if ID matches (bsc#1111666).
- i2c: mlxcpld: check correct size of maximum RECV_LEN packet (bsc#1111666).
- i40e: reduce stack usage in i40e_set_fc (git-fixes).
- IB/hfi1: Do not destroy hfi1_wq when the device is shut down (bsc#1174409).
- IB/hfi1: Do not destroy link_wq when the device is shut down (bsc#1174409).
- ibmveth: