Security update for the Linux Kernel
| Announcement ID: | SUSE-SU-2019:0148-1 |
|---|---|
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | |
An update that solves 10 vulnerabilities and has 94 security fixes can now be installed.
Description:
The SUSE Linux Enterprise 12 SP3 kernel for Azure was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic was uninitialized (bnc#1116841).
- CVE-2018-19985: The function hso_probe read if_num from the USB device (as a u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).
- CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4 (bnc#1087082).
- CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which made a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks) (bnc#1093158).
- CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702).
- CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).
- CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).
- CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319).
- CVE-2018-16862: A security flaw was found in the way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186).
- CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
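The size checks named in CVE-2018-20169 above concern walking a buffer of device-supplied descriptors. The following is an added user-space example, not the kernel's code or the SUSE patch: a simplified model with hypothetical function names, arbitrary type values and constructed buffers, assuming the usual layout in which a descriptor's first byte is bLength and its second is bDescriptorType.

```c
#include <stddef.h>
#include <stdint.h>

enum { DESC_OK = 0, DESC_NOT_FOUND = -1, DESC_MALFORMED = -2 };
#define DESC_HDR_LEN 2u  /* bLength + bDescriptorType */

/* Weak walker: only rejects bLength < 2. It never compares bLength with the
 * bytes left in the buffer or with the size the caller is about to read. */
int find_desc_weak(const uint8_t *buf, size_t size, uint8_t type,
                   const uint8_t **out)
{
    while (size >= DESC_HDR_LEN) {
        uint8_t len = buf[0];
        if (len < DESC_HDR_LEN)
            return DESC_MALFORMED;
        if (buf[1] == type) {
            *out = buf;          /* may be shorter than the caller's struct */
            return DESC_OK;
        }
        buf += len;              /* may step past the end of the buffer */
        size -= len;             /* wraps around when len > size */
    }
    return DESC_NOT_FOUND;
}

/* Hardened walker: every descriptor must fit in the remaining bytes, and a
 * match is returned only if it is at least minsize bytes long. */
int find_desc_checked(const uint8_t *buf, size_t size, uint8_t type,
                      size_t minsize, const uint8_t **out)
{
    while (size >= DESC_HDR_LEN) {
        uint8_t len = buf[0];
        if (len < DESC_HDR_LEN || len > size)
            return DESC_MALFORMED;
        if (buf[1] == type && len >= minsize) {
            *out = buf;
            return DESC_OK;
        }
        buf += len;
        size -= len;
    }
    return DESC_NOT_FOUND;
}

/* Constructed sample buffers (not captured from a real device). */
static const uint8_t good[] = { 3, 0x0b, 0x00,  5, 0x29, 1, 2, 3 };
static const uint8_t short_match[] = { 2, 0x29 };           /* header only */
static const uint8_t overlong[] = { 9, 0x0b, 0x00, 0x00 };  /* bLength > buffer */

int main(void)
{
    const uint8_t *d = NULL;
    int ok = find_desc_checked(good, sizeof good, 0x29, 5, &d) == DESC_OK
          && d == good + 3
          && find_desc_weak(short_match, sizeof short_match, 0x29, &d) == DESC_OK
          && find_desc_checked(short_match, sizeof short_match, 0x29, 5, &d) == DESC_NOT_FOUND
          && find_desc_checked(overlong, sizeof overlong, 0x29, 2, &d) == DESC_MALFORMED;
    return ok ? 0 : 1;
}
```

The weak walker accepts the two-byte `short_match` descriptor even though a caller expecting five bytes would then read past it; the checked walker rejects it and also flags `overlong` as malformed before advancing.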
The following non-security bugs were fixed:
- 9p: clear dangling pointers in p9stat_free (bnc#1012382).
- 9p locks: fix glock.client_id leak in do_lock (bnc#1012382).
- 9p/net: put a lower bound on msize (bnc#1012382).
- ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized pointer value (bsc#1121239).
- ACPI/LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers (bnc#1012382).
- ACPI/nfit, x86/mce: Handle only uncorrectable machine checks (bsc#1114648).
- ACPI/nfit, x86/mce: Validate a MCE's address before using it (bsc#1114648).
- ACPI/platform: Add SMB0001 HID to forbidden_id_list (bnc#1012382).
- af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers (bnc#1012382).
- ahci: do not ignore result code of ahci_reset_controller() (bnc#1012382).
- aio: fix spectre gadget in lookup_ioctx (bnc#1012382).
- aio: hold an extra file reference over AIO read/write operations (bsc#1116027).
- ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write (bnc#1012382).
- ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops (bnc#1012382).
- ALSA: control: Fix race between adding and removing a user element (bnc#1012382).
- ALSA: cs46xx: Potential NULL dereference in probe (bnc#1012382).
- ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- ALSA: emux: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) (bnc#1012382).
- ALSA: hda: add mute LED support for HP EliteBook 840 G4 (bnc#1012382).
- ALSA: hda: Add support for AMD Stoney Ridge (bnc#1012382).
- ALSA: hda: Check the non-cached stream buffers more explicitly (bnc#1012382).
- ALSA: hda/tegra: clear pending irq handlers (bnc#1012382).
- ALSA: isa/wavefront: prevent some out of bound writes (bnc#1012382).
- ALSA: pcm: Call snd_pcm_unlink() conditionally at closing (bnc#1012382).
- ALSA: pcm: Fix interval evaluation with openmin/max (bnc#1012382).
- ALSA: pcm: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ALSA: pcm: Fix starvation on down_write_nonblock() (bnc#1012382).
- ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command (bnc#1012382).
- ALSA: rme9652: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ALSA: sparc: Fix invalid snd_free_pages() at error path (bnc#1012382).
- ALSA: timer: Fix zero-division by continue of uninitialized instance (bnc#1012382).
- ALSA: trident: Suppress gcc string warning (bnc#1012382).
- ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() (bnc#1012382).
- ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks (bnc#1012382).
- ALSA: wss: Fix invalid snd_free_pages() at error path (bnc#1012382).
- amd/iommu: Fix Guest Virtual APIC Log Tail Address Register (bsc#1106105).
- ARC: change defconfig defaults to ARCv2 (bnc#1012382).
- ARC: [devboards] Add support of NFSv3 ACL (bnc#1012382).
- arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 (bnc#1012382).
- ARC: io.h: Implement reads{x}()/writes{x}() (bnc#1012382).
- ARM64: Disable asm-operand-width warning for clang (bnc#1012382).
- ARM64: dts: stratix10: Correct System Manager register size (bnc#1012382).
- ARM64: Enabled ENA (Amazon network driver)
- ARM64: hardcode rodata_enabled=true earlier in the series (bsc#1114763).
- ARM64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT code.
- ARM64: percpu: Initialize ret in the default case (bnc#1012382).
- ARM64: remove no-op -p linker flag (bnc#1012382).
- ARM: 8799/1: mm: fix pci_ioremap_io() offset check (bnc#1012382).
- ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling (bnc#1012382).
- ARM: dts: apq8064: add ahci ports-implemented mask (bnc#1012382).
- ARM: dts: imx53-qsb: disable 1.2GHz OPP (bnc#1012382).
- ARM: fix mis-applied iommu identity check (bsc#1116924).
- ARM: imx: update the cpu power up timing setting on i.mx6sx (bnc#1012382).
- ARM: kvm: fix building with gcc-8 (bsc#1121241).
- ARM: OMAP1: ams-delta: Fix possible use of uninitialized field (bnc#1012382).
- ARM: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup (bnc#1012382).
- asix: Check for supported Wake-on-LAN modes (bnc#1012382).
- ASoC: ak4613: Enable cache usage to fix crashes on resume (bnc#1012382).
- ASoC: dapm: Recalculate audio map forcely when card instantiated (bnc#1012382).
- ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE (bnc#1012382).
- ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE (bnc#1012382).
- ASoC: spear: fix error return code in spdif_in_probe() (bnc#1012382).
- ASoC: wm8940: Enable cache usage to fix crashes on resume (bnc#1012382).
- ataflop: fix error handling during setup (bnc#1012382).
- ath10k: fix kernel panic due to race in accessing arvif list (bnc#1012382).
- ath10k: schedule hardware restart if WMI command times out (bnc#1012382).
- ax25: fix a use-after-free in ax25_fillin_cb() (bnc#1012382).
- ax88179_178a: Check for supported Wake-on-LAN modes (bnc#1012382).
- b43: Fix error in cordic routine (bnc#1012382).
- batman-adv: Expand merged fragment buffer for full packet (bnc#1012382).
- bcache: fix miss key refill->end in writeback (bnc#1012382).
- bfs: add sanity check at bfs_fill_super() (bnc#1012382).
- binfmt_elf: fix calculations for bss padding (bnc#1012382).
- bitops: protect variables in bit_clear_unless() macro (bsc#1116285).
- block: fix inheriting request priority from bio (bsc#1116924).
- block: respect virtual boundary mask in bvecs (bsc#1113412).
- Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth (bnc#1012382).
- Bluetooth: SMP: fix crash in unpairing (bnc#1012382).
- bna: ethtool: Avoid reading past end of buffer (bnc#1012382).
- bnx2x: Assign unique DMAE channel number for FW DMAE transactions (bnc#1012382).
- bonding: fix 802.3ad state sent to partner when unbinding slave (bnc#1012382).
- bpf: fix check of allowed specifiers in bpf_trace_printk (bnc#1012382).
- bpf: generally move prog destruction to RCU deferral (bnc#1012382).
- bpf: support 8-byte metafield access (bnc#1012382).
- bpf, trace: check event type in bpf_perf_event_read (bsc#1119970).
- bpf, trace: use READ_ONCE for retrieving file ptr (bsc#1119967).
- bpf/verifier: Add spi variable to check_stack_write() (bnc#1012382).
- bpf/verifier: Pass instruction index to check_mem_access() and check_xadd() (bnc#1012382).
- bridge: do not add port to router list when receives query with source 0.0.0.0 (bnc#1012382).
- btrfs: Always try all copies when reading extent buffers (bnc#1012382).
- btrfs: do not attempt to trim devices that do not support it (bnc#1012382).
- btrfs: ensure path name is null terminated at btrfs_control_ioctl (bnc#1012382).
- btrfs: fix backport error in submit_stripe_bio (bsc#1114763).
- btrfs: fix data corruption due to cloning of eof block (bnc#1012382).
- btrfs: Fix memory barriers usage with device stats counters.
- btrfs: fix null pointer dereference on compressed write path error (bnc#1012382).
- btrfs: fix pinned underflow after transaction aborted (bnc#1012382).
- btrfs: fix use-after-free when dumping free space (bnc#1012382).
- btrfs: fix wrong dentries after fsync of file that got its parent replaced (bnc#1012382).
- btrfs: Handle error from btrfs_uuid_tree_rem call in _btrfs_ioctl_set_received_subvol.
- btrfs: Handle owner mismatch gracefully when walking up tree (bnc#1012382).
- btrfs: iterate all devices during trim, instead of fs_devices::alloc_list (bnc#1012382).
- btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock (bnc#1012382).
- btrfs: make sure we create all new block groups (bnc#1012382).
- btrfs: qgroup: Dirty all qgroups before rescan (bnc#1012382).
- btrfs: release metadata before running delayed refs (bnc#1012382).
- btrfs: reset max_extent_size on clear in a bitmap (bnc#1012382).
- btrfs: send, fix infinite loop due to directory rename dependencies (bnc#1012382).
- btrfs: set max_extent_size properly (bnc#1012382).
- btrfs: wait on caching when putting the bg cache (bnc#1012382).
- cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) (bnc#1012382).
- can: dev: __can_get_echo_skb(): Do not crash the kernel if can_priv::echo_skb is accessed out of bounds (bnc#1012382).
- can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() (bnc#1012382).
- can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb (bnc#1012382).
- can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length (bnc#1012382).
- can: rcar_can: Fix erroneous registration (bnc#1012382).
- cdc-acm: correct counting of UART states in serial state notification (bnc#1012382).
- cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader (bnc#1012382).
- ceph: call setattr_prepare from ceph_setattr instead of inode_change_ok (bsc#1114763).
- ceph: do not update importing cap's mseq when handing cap export (bsc#1121275).
- ceph: fix dentry leak in ceph_readdir_prepopulate (bsc#1114839).
- ceph: quota: fix null pointer dereference in quota check (bsc#1114839).
- cfg80211: reg: Init wiphy_idx in regulatory_hint_core() (bnc#1012382).
- checkstack.pl: fix for aarch64 (bnc#1012382).
- CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem (bnc#1012382).
- CIFS: Fix separator when building path from dentry (bnc#1012382).
- CIFS: handle guest access errors to Windows shares (bnc#1012382).
- CIFS: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) (bnc#1012382).
- clk: mmp: Off by one in mmp_clk_add() (bnc#1012382).
- clk: s2mps11: Add used attribute to s2mps11_dt_match.
- clk: s2mps11: Fix matching when built as module and DT node contains compatible (bnc#1012382).
- clk: samsung: exynos5420: Enable PERIS clocks for suspend (bnc#1012382).
- clockevents/drivers/i8253: Add support for PIT shutdown quirk (bnc#1012382).
- configfs: replace strncpy with memcpy (bnc#1012382).
- cpufeature: avoid warning when compiling with clang.
- cpufreq: imx6q: add return value check for voltage scale (bnc#1012382).
- cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE (bnc#1012382).
- Cramfs: fix abad comparison when wrap-arounds occur (bnc#1012382).
- crypto: arm64/sha - avoid non-standard inline asm tricks (bnc#1012382).
- crypto: lrw - Fix out-of bounds access on counter overflow (bnc#1012382).
- crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned (bnc#1012382).
- crypto, x86: aesni - fix token pasting for clang (bnc#1012382).
- crypto: x86/chacha20 - avoid sleeping with preemption disabled (bnc#1012382).
- cw1200: Do not leak memory if krealloc failes (bnc#1012382).
- cxgb4: Add support for new flash parts (bsc#1102439).
- cxgb4: assume flash part size to be 4MB, if it can't be determined (bsc#1102439).
- cxgb4: Fix FW flash errors (bsc#1102439).
- cxgb4: fix missing break in switch and indent return statements (bsc#1102439).
- cxgb4: support new ISSI flash parts (bsc#1102439).
- debugobjects: avoid recursive calls with kmemleak (bnc#1012382).
- disable stringop truncation warnings for now (bnc#1012382).
- dlm: fixed memory leaks after failed ls_remove_names allocation (bnc#1012382).
- dlm: lost put_lkb on error path in receive_convert() and receive_unlock() (bnc#1012382).
- dlm: memory leaks on error path in dlm_user_request() (bnc#1012382).
- dlm: possible memory leak on error path in create_lkb() (bnc#1012382).
- dmaengine: at_hdmac: fix memory leak in at_dma_xlate() (bnc#1012382).
- dmaengine: at_hdmac: fix module unloading (bnc#1012382).
- dmaengine: dma-jz4780: Return error if not probed from DT (bnc#1012382).
- dm cache metadata: ignore hints array being too small during resize.
- dm ioctl: harden copy_params()'s copy_from_user() from malicious users (bnc#1012382).
- dm-multipath: do not assign cmd_flags in setup_clone() (bsc#1103156).
- dm raid: stop using BUG() in __rdev_sectors() (bsc#1046264).
- dm thin: stop no_space_timeout worker when switching to write-mode.
- dpaa_eth: fix dpaa_get_stats64 to match prototype (bsc#1114763).
- driver/dma/ioat: Call del_timer_sync() without holding prep_lock (bnc#1012382).
- drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() (bsc#1104098).
- drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels (bnc#1012382).
- drivers/misc/sgi-gru: fix Spectre v1 vulnerability (bnc#1012382).
- drivers/sbus/char: add of_node_put() (bnc#1012382).
- drivers/tty: add missing of_node_put() (bnc#1012382).
- drm/ast: change resolution may cause screen blurred (bnc#1012382).
- drm/ast: fixed cursor may disappear sometimes (bnc#1012382).
- drm/ast: fixed reading monitor EDID not stable issue (bnc#1012382).
- drm/ast: Fix incorrect free on ioregs (bsc#1106929)
- drm/ast: Remove existing framebuffers before loading driver (boo#1112963)
- drm/dp_mst: Check if primary mstb is null (bnc#1012382).
- drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock (bsc#1106929)
- drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values (bnc#1012382).
- drm/ioctl: Fix Spectre v1 vulnerabilities (bnc#1012382).
- drm/msm: Grab a vblank reference when waiting for commit_done (bnc#1012382).
- drm/nouveau/fbcon: fix oops without fbdev emulation (bnc#1012382).
- drm/omap: fix memory barrier bug in DMM driver (bnc#1012382).
- drm: rcar-du: Fix external clock error checks (bsc#1106929)
- drm: rcar-du: Fix vblank initialization (bsc#1106929)
- drm/rockchip: Allow driver to be shutdown on reboot/kexec (bnc#1012382).
- e1000: avoid null pointer dereference on invalid stat type (bnc#1012382).
- e1000: fix race condition between e1000_down() and e1000_watchdog (bnc#1012382).
- efi/libstub/arm64: Force 'hidden' visibility for section markers (bnc#1012382).
- efi/libstub/arm64: Set -fpie when building the EFI stub (bnc#1012382).
- exec: avoid gcc-8 warning for get_task_comm (bnc#1012382).
- exportfs: do not read dentry after free (bnc#1012382).
- ext2: fix potential use after free (bnc#1012382).
- ext4: add missing brelse() add_new_gdb_meta_bg()'s error path (bnc#1012382).
- ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path (bnc#1012382).
- ext4: add missing brelse() update_backups()'s error path (bnc#1012382).
- ext4: avoid buffer leak in ext4_orphan_add() after prior errors (bnc#1012382).
- ext4: avoid possible double brelse() in add_new_gdb() on error path (bnc#1012382).
- ext4: avoid potential extra brelse in setup_new_flex_group_blocks() (bnc#1012382).
- ext4: fix argument checking in EXT4_IOC_MOVE_EXT (bnc#1012382).
- ext4: fix buffer leak in __ext4_read_dirblock() on error path (bnc#1012382).
- ext4: fix buffer leak in ext4_xattr_move_to_block() on error path (bnc#1012382).
- ext4: fix EXT4_IOC_GROUP_ADD ioctl (bnc#1012382).
- ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing (bnc#1012382).
- ext4: fix possible inode leak in the retry loop of ext4_resize_fs() (bnc#1012382).
- ext4: fix possible leak of sbi->s_group_desc_leak in error path (bnc#1012382).
- ext4: fix possible use after free in ext4_quota_enable (bnc#1012382).
- ext4: force inode writes when nfsd calls commit_metadata() (bnc#1012382).
- ext4: initialize retries variable in ext4_da_write_inline_data_begin() (bnc#1012382).
- ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() (bnc#1012382).
- ext4: release bs.bh before re-using in ext4_xattr_block_find() (bnc#1012382).
- fbdev: fbcon: Fix unregister crash when more than one framebuffer (bsc#1106929)
- fbdev: fbmem: behave better with small rotated displays and many CPUs (bsc#1106929)
- fcoe: remove duplicate debugging message in fcoe_ctlr_vn_add (bsc#1114763).
- Fix kABI for "Ensure we commit after writeback is complete" (bsc#1111809).
- floppy: fix race condition in __floppy_read_block_0().
- flow_dissector: do not dissect l4 ports for fragments (bnc#1012382).
- fork: record start_time late (bnc#1012382).
- fscache, cachefiles: remove redundant variable 'cache' (bnc#1012382).
- fscache: fix race between enablement and dropping of object (bsc#1107385).
- fscache: Fix race in fscache_op_complete() due to split atomic_sub & read.
- fscache: Pass the correct cancelled indications to fscache_op_complete().
- fs, elf: make sure to page align bss in load_elf_library (bnc#1012382).
- fs/exofs: fix potential memory leak in mount option parsing (bnc#1012382).
- fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() (bnc#1012382).
- fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for async_dio (bnc#1012382).
- fuse: fix blocked_waitq wakeup (bnc#1012382).
- fuse: fix leaked notify reply (bnc#1012382).
- fuse: Fix use-after-free in fuse_dev_do_read() (bnc#1012382).
- fuse: Fix use-after-free in fuse_dev_do_write() (bnc#1012382).
- fuse: set FR_SENT while locked (bnc#1012382).
- genirq: Fix race on spurious interrupt detection (bnc#1012382).
- genwqe: Fix size check (bnc#1012382).
- gfs2: Do not leave s_fs_info pointing to freed memory in init_sbd (bnc#1012382).
- gfs2: Fix loop in gfs2_rbm_find (bnc#1012382).
- gfs2_meta: ->mount() can get NULL dev_name (bnc#1012382).
- gfs2: Put bitmap buffers in put_super (bnc#1012382).
- git_sort.py: Remove non-existent remote tj/libata
- gpio: max7301: fix driver for use with CONFIG_VMAP_STACK (bnc#1012382).
- gpio: msic: fix error return code in platform_msic_gpio_probe() (bnc#1012382).
- gpu: host1x: fix error return code in host1x_probe() (bnc#1012382).
- gro_cell: add napi_disable in gro_cells_destroy (bnc#1012382).
- hfs: do not free node before using (bnc#1012382).
- hfsplus: do not free node before using (bnc#1012382).
- hfsplus: prevent btree data loss on root split (bnc#1012382).
- hfs: prevent btree data loss on root split (bnc#1012382).
- HID: hiddev: fix potential Spectre v1 (bnc#1012382).
- HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges (bnc#1012382).
- hpwdt add dynamic debugging (bsc#1114417).
- hpwdt calculate reload value on each use (bsc#1114417).
- hugetlbfs: dirty pages as they are added to pagecache (bnc#1