Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2018:0834-1
Rating:	important
References:	bsc#1010470 bsc#1012382 bsc#1045330 bsc#1062568 bsc#1063416 bsc#1066001 bsc#1067118 bsc#1068032 bsc#1072689 bsc#1072865 bsc#1074488 bsc#1075617 bsc#1075621 bsc#1077560 bsc#1078669 bsc#1078672 bsc#1078673 bsc#1078674 bsc#1080255 bsc#1080464 bsc#1080757 bsc#1082299 bsc#1083244 bsc#1083483 bsc#1083494 bsc#1083640 bsc#1084323 bsc#1085107 bsc#1085114 bsc#1085279 bsc#1085447
Cross-References:	CVE-2016-7915 CVE-2017-12190 CVE-2017-13166 CVE-2017-15299 CVE-2017-16644 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017 CVE-2017-18204 CVE-2017-18208 CVE-2017-18221 CVE-2018-1066 CVE-2018-1068 CVE-2018-5332 CVE-2018-5333 CVE-2018-6927 CVE-2018-7566
CVSS scores:	CVE-2016-7915 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2017-12190 ( SUSE ): 6.2 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2017-12190 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-13166 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-13166 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-15299 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-15299 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-16644 ( SUSE ): 4.6 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16644 ( NVD ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-16911 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2017-16911 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2017-16912 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16912 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16913 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16913 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16914 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2017-16914 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-18017 ( SUSE ): 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2017-18017 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-18017 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-18204 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2017-18204 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-18208 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-18208 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-18221 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-18221 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-1066 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-1066 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-1068 ( SUSE ): 8.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-1068 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2018-1068 ( NVD ): 6.7 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2018-5332 ( SUSE ): 3.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2018-5332 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-5332 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-5333 ( SUSE ): 2.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-5333 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-6927 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-6927 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-7566 ( SUSE ): 7.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2018-7566 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Public Cloud Module 12 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves 19 vulnerabilities and has 12 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107).
• CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls (bnc#1084323).
• CVE-2018-1066: Prevent NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled during session recovery (bnc#1083640).
• CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel v4l2 video driver (bnc#1072865).
• CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation required that a USB device was attached over IP (bnc#1078674).
• CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that already exists but is uninstantiated, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (bnc#1063416).
• CVE-2017-18208: The madvise_willneed function kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
• CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user could have reset the pool size manually via ioctl concurrently, which may have lead UAF or out-of-bound access (bsc#1083483).
• CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a denial of service (deadlock) via DIO requests (bnc#1083244).
• CVE-2017-16644: The hdpvr_probe function allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118).
• CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757).
• CVE-2017-16914: The "stub_send_ret_submit()" function allowed attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet (bnc#1078669).
• CVE-2016-7915: The hid_input_field function allowed physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device (bnc#1010470).
• CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did unbalanced refcounting when a SCSI I/O vector had small consecutive buffers belonging to the same page. The bio_add_pc_page function merged them into one, but the page reference was never dropped. This caused a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (bnc#1062568).
• CVE-2017-16912: The "get_pipe()" function allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673).
• CVE-2017-16913: The "stub_recv_cmd_submit()" function when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672).
• CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621).
• CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).
• CVE-2017-18017: The tcpmss_mangle_packet function allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488).

The following non-security bugs were fixed:

• Fix build on arm64 by defining empty gmb() (bnc#1068032).
• KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
• KEYS: fix writing past end of user-supplied buffer in keyring_read() (bsc#1066001).
• KEYS: return full count in keyring_read() if buffer is too small (bsc#1066001).
• include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header (bsc#1077560).
• ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
• ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
• ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
• x86/kaiser: use trampoline stack for kernel entry (bsc#1077560)
• leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
• livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow variables support (bsc#1082299).
• livepatch: introduce shadow variable API. Shadow variables support (bsc#1082299)
• media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382).
• media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
• media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382).
• media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382).
• media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382).
• media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382).
• media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
• media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382).
• media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382).
• media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382).
• netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107).
• netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
• packet: only call dev_add_pack() on freshly allocated fanout instances
• pipe: cap initial pipe capacity according to pipe-max-size limit (bsc#1045330).
• x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Public Cloud Module 12
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-558=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2018-558=1

Package List:

• Public Cloud Module 12 (nosrc x86_64)
  • kernel-ec2-3.12.61-52.125.1
• Public Cloud Module 12 (x86_64)
  • kernel-ec2-extra-3.12.61-52.125.1
  • kernel-ec2-extra-debuginfo-3.12.61-52.125.1
  • kernel-ec2-devel-3.12.61-52.125.1
  • kernel-ec2-debugsource-3.12.61-52.125.1
  • kernel-ec2-debuginfo-3.12.61-52.125.1
• SUSE Linux Enterprise Server 12 LTSS 12 (nosrc ppc64le s390x x86_64)
  • kernel-default-3.12.61-52.125.1
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • kernel-default-base-debuginfo-3.12.61-52.125.1
  • kernel-default-base-3.12.61-52.125.1
  • kernel-default-debuginfo-3.12.61-52.125.1
  • kernel-default-devel-3.12.61-52.125.1
  • kernel-default-debugsource-3.12.61-52.125.1
  • kernel-syms-3.12.61-52.125.1
• SUSE Linux Enterprise Server 12 LTSS 12 (noarch)
  • kernel-macros-3.12.61-52.125.1
  • kernel-source-3.12.61-52.125.1
  • kernel-devel-3.12.61-52.125.1
• SUSE Linux Enterprise Server 12 LTSS 12 (s390x)
  • kernel-default-man-3.12.61-52.125.1
• SUSE Linux Enterprise Server 12 LTSS 12 (nosrc x86_64)
  • kernel-xen-3.12.61-52.125.1
• SUSE Linux Enterprise Server 12 LTSS 12 (x86_64)
  • kgraft-patch-3_12_61-52_125-default-1-1.3.1
  • kernel-xen-base-3.12.61-52.125.1
  • kgraft-patch-3_12_61-52_125-xen-1-1.3.1
  • kernel-xen-devel-3.12.61-52.125.1
  • kernel-xen-debugsource-3.12.61-52.125.1
  • kernel-xen-base-debuginfo-3.12.61-52.125.1
  • kernel-xen-debuginfo-3.12.61-52.125.1

References:

• https://www.suse.com/security/cve/CVE-2016-7915.html
• https://www.suse.com/security/cve/CVE-2017-12190.html
• https://www.suse.com/security/cve/CVE-2017-13166.html
• https://www.suse.com/security/cve/CVE-2017-15299.html
• https://www.suse.com/security/cve/CVE-2017-16644.html
• https://www.suse.com/security/cve/CVE-2017-16911.html
• https://www.suse.com/security/cve/CVE-2017-16912.html
• https://www.suse.com/security/cve/CVE-2017-16913.html
• https://www.suse.com/security/cve/CVE-2017-16914.html
• https://www.suse.com/security/cve/CVE-2017-18017.html
• https://www.suse.com/security/cve/CVE-2017-18204.html
• https://www.suse.com/security/cve/CVE-2017-18208.html
• https://www.suse.com/security/cve/CVE-2017-18221.html
• https://www.suse.com/security/cve/CVE-2018-1066.html
• https://www.suse.com/security/cve/CVE-2018-1068.html
• https://www.suse.com/security/cve/CVE-2018-5332.html
• https://www.suse.com/security/cve/CVE-2018-5333.html
• https://www.suse.com/security/cve/CVE-2018-6927.html
• https://www.suse.com/security/cve/CVE-2018-7566.html
• https://bugzilla.suse.com/show_bug.cgi?id=1010470
• https://bugzilla.suse.com/show_bug.cgi?id=1012382
• https://bugzilla.suse.com/show_bug.cgi?id=1045330
• https://bugzilla.suse.com/show_bug.cgi?id=1062568
• https://bugzilla.suse.com/show_bug.cgi?id=1063416
• https://bugzilla.suse.com/show_bug.cgi?id=1066001
• https://bugzilla.suse.com/show_bug.cgi?id=1067118
• https://bugzilla.suse.com/show_bug.cgi?id=1068032
• https://bugzilla.suse.com/show_bug.cgi?id=1072689
• https://bugzilla.suse.com/show_bug.cgi?id=1072865
• https://bugzilla.suse.com/show_bug.cgi?id=1074488
• https://bugzilla.suse.com/show_bug.cgi?id=1075617
• https://bugzilla.suse.com/show_bug.cgi?id=1075621
• https://bugzilla.suse.com/show_bug.cgi?id=1077560
• https://bugzilla.suse.com/show_bug.cgi?id=1078669
• https://bugzilla.suse.com/show_bug.cgi?id=1078672
• https://bugzilla.suse.com/show_bug.cgi?id=1078673
• https://bugzilla.suse.com/show_bug.cgi?id=1078674
• https://bugzilla.suse.com/show_bug.cgi?id=1080255
• https://bugzilla.suse.com/show_bug.cgi?id=1080464
• https://bugzilla.suse.com/show_bug.cgi?id=1080757
• https://bugzilla.suse.com/show_bug.cgi?id=1082299
• https://bugzilla.suse.com/show_bug.cgi?id=1083244
• https://bugzilla.suse.com/show_bug.cgi?id=1083483
• https://bugzilla.suse.com/show_bug.cgi?id=1083494
• https://bugzilla.suse.com/show_bug.cgi?id=1083640
• https://bugzilla.suse.com/show_bug.cgi?id=1084323
• https://bugzilla.suse.com/show_bug.cgi?id=1085107
• https://bugzilla.suse.com/show_bug.cgi?id=1085114
• https://bugzilla.suse.com/show_bug.cgi?id=1085279
• https://bugzilla.suse.com/show_bug.cgi?id=1085447