Security update for the Linux Kernel

Announcement ID: SUSE-SU-2020:2107-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2019-16746 ( SUSE ): 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2019-16746 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-20810 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2019-20810 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-20908 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
  • CVE-2019-20908 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-0305 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-0305 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-10766 ( SUSE ): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2020-10766 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-10767 ( SUSE ): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
  • CVE-2020-10767 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-10768 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2020-10768 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-10769 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-10769 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-10773 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2020-10773 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-10781 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-10781 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-12771 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-12771 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-12888 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
  • CVE-2020-12888 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
  • CVE-2020-13974 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-13974 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-14416 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-14416 ( NVD ): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
  • CVE-2020-15393 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-15393 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-15780 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
  • CVE-2020-15780 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • Basesystem Module 15-SP1
  • Development Tools Module 15-SP1
  • Legacy Module 15-SP1
  • SUSE Linux Enterprise Desktop 15 SP1
  • SUSE Linux Enterprise High Availability Extension 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise Live Patching 15-SP1
  • SUSE Linux Enterprise Real Time 15 SP1
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Workstation Extension 15 SP1
  • SUSE Manager Proxy 4.0
  • SUSE Manager Retail Branch Server 4.0
  • SUSE Manager Server 4.0

An update that solves 16 vulnerabilities and has 82 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

  • CVE-2020-15780: A lockdown bypass for loading unsigned modules using ACPI table injection was fixed. (bsc#1173573)
  • CVE-2020-15393: Fixed a memory leak in usbtest_disconnect (bnc#1173514).
  • CVE-2020-12771: Fixed a deadlock in btree_gc_coalesce in drivers/md/bcache/btree.c that occurs if a coalescing operation fails (bnc#1171732).
  • CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868).
  • CVE-2020-10773: Fixed a memory leak on s390/s390x in cmm_timeout_handler in arch/s390/mm/cmm.c (bnc#1172999).
  • CVE-2020-14416: Fixed a race condition in tty->disc_data handling in the slip and slcan line disciplines that could lead to a use-after-free. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
  • CVE-2020-10768: Fixed an issue with the prctl() function, where indirect branch speculation could be enabled even though it was disabled before (bnc#1172783).
  • CVE-2020-10766: Fixed an issue which allowed an attacker with a local account to disable SSBD protection (bnc#1172781).
  • CVE-2020-10767: Fixed an issue where Indirect Branch Prediction Barrier was disabled in certain circumstances, leaving the system open to a Spectre v2 style attack (bnc#1172782).
  • CVE-2020-13974: Fixed an integer overflow in drivers/tty/vt/keyboard.c, if k_ascii is called several times in a row (bnc#1172775).
  • CVE-2020-0305: Fixed a possible use-after-free due to a race condition in cdev_get of char_dev.c. This could lead to local escalation of privilege. User interaction is not needed for exploitation (bnc#1174462).
  • CVE-2020-10769: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. This flaw allowed a local attacker with user privileges to cause a denial of service (bnc#1173265).
  • CVE-2020-10781: Fixed a denial of service issue in the ZRAM implementation (bnc#1173074).
  • CVE-2019-20908: Fixed incorrect access permissions for the efivar_ssdt ACPI variable, which could be used by attackers to bypass lockdown or secure boot restrictions (bnc#1173567).
  • CVE-2019-20810: Fixed a memory leak in go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c because it did not call snd_card_free for a failure path (bnc#1172458).
  • CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c, related to invalid length checks for variable elements in a beacon head (bnc#1152107).

The following non-security bugs were fixed:

  • ACPI: GED: add support for _Exx / _Lxx handler methods (bsc#1111666).
  • ACPI: GED: use correct trigger type field in _Exx / _Lxx handling (bsc#1111666).
  • ACPI: NFIT: Fix unlock on error in scrub_show() (bsc#1171753).
  • ACPI: PM: Avoid using power resources if there are none for D0 (bsc#1051510).
  • ACPI: sysfs: Fix pm_profile_attr type (bsc#1111666).
  • ACPI: video: Use native backlight on Acer Aspire 5783z (bsc#1111666).
  • ACPI: video: Use native backlight on Acer TravelMate 5735Z (bsc#1111666).
  • ALSA: es1688: Add the missed snd_card_free() (bsc#1051510).
  • ALSA: hda: Add ElkhartLake HDMI codec vid (bsc#1111666).
  • ALSA: hda: add sienna_cichlid audio asic id for sienna_cichlid up (bsc#1111666).
  • ALSA: hda/hdmi - enable runtime pm for newer AMD display audio (bsc#1111666).
  • ALSA: hda - let hs_mic be picked ahead of hp_mic (bsc#1111666).
  • ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines (bsc#1111666).
  • ALSA: hda/realtek - Add LED class support for micmute LED (bsc#1111666).
  • ALSA: hda/realtek - Enable micmute LED on and HP system (bsc#1111666).
  • ALSA: hda/realtek - Enable Speaker for ASUS UX533 and UX534 (bsc#1111666).
  • ALSA: hda/realtek - Fix unused variable warning w/o CONFIG_LEDS_TRIGGER_AUDIO (bsc#1111666).
  • ALSA: hda/realtek - Introduce polarity for micmute LED GPIO (bsc#1111666).
  • ALSA: lx6464es - add support for LX6464ESe pci express variant (bsc#1111666).
  • ALSA: opl3: fix infoleak in opl3 (bsc#1111666).
  • ALSA: pcm: disallow linking stream to itself (bsc#1111666).
  • ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback (bsc#1111666).
  • ALSA: usb-audio: Add Pioneer DJ DJM-900NXS2 support (bsc#1111666).
  • ALSA: usb-audio: add quirk for MacroSilicon MS2109 (bsc#1111666).
  • ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock (bsc#1111666).
  • ALSA: usb-audio: Clean up quirk entries with macros (bsc#1111666).
  • ALSA: usb-audio: Fix inconsistent card PM state after resume (bsc#1111666).
  • ALSA: usb-audio: Fix packet size calculation (bsc#1111666).
  • ALSA: usb-audio: Fix racy list management in output queue (bsc#1111666).
  • ALSA: usb-audio: Improve frames size computation (bsc#1111666).
  • ALSA: usb-audio: Manage auto-pm of all bundled interfaces (bsc#1111666).
  • ALSA: usb-audio: Use the new macro for HP Dock rename quirks (bsc#1111666).
  • amdgpu: a NULL ->mm does not mean a thread is a kthread (git-fixes).
  • arm64: map FDT as RW for early_init_dt_scan() (jsc#SLE-12423).
  • ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb (bsc#1111666).
  • ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx (bsc#1111666).
  • ath9k: Fix use-after-free Write in ath9k_htc_rx_msg (bsc#1111666).
  • ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb (bsc#1111666).
  • ax25: fix setsockopt(SO_BINDTODEVICE) (networking-stable-20_05_27).
  • b43: Fix connection problem with WPA3 (bsc#1111666).
  • b43_legacy: Fix connection problem with WPA3 (bsc#1111666).
  • bcache: Fix an error code in bch_dump_read() (git fixes (block drivers)).
  • be2net: fix link failure after ethtool offline test (git-fixes).
  • block: nr_sects_write(): Disable preemption on seqcount write (bsc#1173818).
  • block: remove QUEUE_FLAG_STACKABLE (git fixes (block drivers)).
  • block: sed-opal: fix sparse warning: convert __be64 data (git fixes (block drivers)).
  • Bluetooth: Add SCO fallback for invalid LMP parameters error (bsc#1111666).
  • bnxt_en: Fix AER reset logic on 57500 chips (git-fixes).
  • bnxt_en: Fix ethtool selftest crash under error conditions (git-fixes).
  • bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails (git-fixes).
  • bnxt_en: Fix ipv6 RFS filter matching logic (git-fixes).
  • bnxt_en: fix NULL dereference in case SR-IOV configuration fails (git-fixes).
  • bnxt_en: Fix VF anti-spoof filter setup (networking-stable-20_05_12).
  • bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() (networking-stable-20_05_12).
  • bnxt_en: Improve AER slot reset (networking-stable-20_05_12).
  • brcmfmac: fix wrong location to get firmware feature (bsc#1111666).
  • brcmfmac: Transform compatible string for FW loading (bsc#1169771).
  • btrfs: add assertions for tree == inode->io_tree to extent IO helpers (bsc#1174438).
  • btrfs: add new helper btrfs_lock_and_flush_ordered_range (bsc#1174438).
  • btrfs: Always use a cached extent_state in btrfs_lock_and_flush_ordered_range (bsc#1174438).
  • btrfs: do not zero f_bavail if we have available space (bsc#1168081).
  • btrfs: drop argument tree from btrfs_lock_and_flush_ordered_range (bsc#1174438).
  • btrfs: fix extent_state leak in btrfs_lock_and_flush_ordered_range (bsc#1174438).
  • btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof (bsc#1174438).
  • btrfs: fix hang on snapshot creation after RWF_NOWAIT write (bsc#1174438).
  • btrfs: fix RWF_NOWAIT write not failling when we need to cow (bsc#1174438).
  • btrfs: fix RWF_NOWAIT writes blocking on extent locks and waiting for IO (bsc#1174438).
  • btrfs: qgroup: Fix a bug that prevents qgroup to be re-enabled after disable (bsc#1172247).
  • btrfs: Return EAGAIN if we can't start no snpashot write in check_can_nocow (bsc#1174438).
  • btrfs: use correct count in btrfs_file_write_iter() (bsc#1174438).
  • btrfs: Use newly introduced btrfs_lock_and_flush_ordered_range (bsc#1174438).
  • btrfs: volumes: Remove ENOSPC-prone btrfs_can_relocate() (bsc#1171124).
  • bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads (bsc#1111666).
  • carl9170: remove P2P_GO support (bsc#1111666).
  • CDC-ACM: heed quirk also in error handling (git-fixes).
  • ceph: convert mdsc->cap_dirty to a per-session list (bsc#1167104).
  • ceph: request expedited service on session's last cap flush (bsc#1167104).
  • cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages (bsc#1173857).
  • char/random: Add a newline at the end of the file (jsc#SLE-12423).
  • cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1144333).
  • cifs: handle hostnames that resolve to same ip in failover (bsc#1144333 bsc#1161016).
  • cifs: set up next DFS target before generic_ip_connect() (bsc#1144333 bsc#1161016).
  • clk: bcm2835: Fix return type of bcm2835_register_gate (bsc#1051510).
  • clk: clk-flexgen: fix clock-critical handling (bsc#1051510).
  • clk: sunxi: Fix incorrect usage of round_down() (bsc#1051510).
  • clocksource: dw_apb_timer: Make CPU-affiliation being optional (bsc#1111666).
  • compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE (git fixes (block drivers)).
  • compat_ioctl: block: handle Persistent Reservations (git fixes (block drivers)).
  • copy_{to,from}_user(): consolidate object size checks (git fixes).
  • crypto: algboss - do not wait during notifier callback (bsc#1111666).
  • crypto: algif_skcipher - Cap recv SG list at ctx->used (bsc#1111666).
  • crypto: caam - update xts sector size for large input length (bsc#1111666).
  • crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated (bsc#1111666).
  • crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated (git-fixes).
  • Crypto/chcr: fix for ccm(aes) failed test (bsc#1111666).
  • crypto: chelsio/chtls: properly set tp->lsndtime (bsc#1111666).
  • crypto: talitos - fix IPsec cipher in length (git-fixes).
  • crypto: talitos - reorder code in talitos_edesc_alloc() (git-fixes).
  • debugfs: Check module state before warning in {full/open}_proxy_open() (bsc#1173746).
  • devinet: fix memleak in inetdev_init() (networking-stable-20_06_07).
  • dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' (bsc#1111666).
  • dm btree: increase rebalance threshold in __rebalance2() (git fixes (block drivers)).
  • dm cache: fix a crash due to incorrect work item cancelling (git fixes (block drivers)).
  • dm crypt: fix benbi IV constructor crash if used in authenticated mode (git fixes (block drivers)).
  • dm: fix potential for q->make_request_fn NULL pointer (git fixes (block drivers)).
  • dm space map common: fix to ensure new block isn't already in use (git fixes (block drivers)).
  • dm: various cleanups to md->queue initialization code (git fixes).
  • dm verity fec: fix hash block number in verity_fec_decode (git fixes (block drivers)).
  • dm verity fec: fix memory leak in verity_fec_dtr (git fixes (block drivers)).
  • dpaa_eth: fix usage as DSA master, try 3 (networking-stable-20_05_27).
  • driver-core, libnvdimm: Let device subsystems add local lockdep coverage (bsc#1171753).
  • Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170617, bsc#1170618).
  • drivers: soc: ti: knav_qmss_queue: Make knav_gp_range_ops static (bsc#1051510).
  • drm: amd/display: fix Kconfig help text (bsc#1113956) * only fix DEBUG_KERNEL_DC
  • drm: bridge: adv7511: Extend list of audio sample rates (bsc#1111666).
  • drm/dp_mst: Increase ACT retry timeout to 3s (bsc#1113956) * context changes
  • drm: encoder_slave: fix refcouting error for modules (bsc#1111666).
  • drm: encoder_slave: fix refcouting error for modules (bsc#1114279)
  • drm/i915/icl+: Fix hotplug interrupt disabling after storm detection (bsc#1112178)
  • drm/i915: Whitelist context-local timestamp in the gen9 cmdparser (bsc#1111666).
  • drm/mediatek: Check plane visibility in atomic_update (bsc#1113956) * context changes
  • drm/msm/dpu: fix error return code in dpu_encoder_init (bsc#1111666).
  • drm: panel-orientation-quirks: Add quirk for Asus T101HA panel (bsc#1111666).
  • drm: panel-orientation-quirks: Use generic orientation-data for Acer S1003 (bsc#1111666).
  • drm/qxl: Use correct notify port address when creating cursor ring (bsc#1113956)
  • drm/radeon: fix double free (bsc#1113956)
  • drm/radeon: fix fb_div check in ni_init_smc_spll_table() (bsc#1113956)
  • drm/sun4i: hdmi ddc clk: Fix size of m divider (bsc#1111666).
  • drm/tegra: hub: Do not enable orphaned window group (bsc#1111666).
  • drm/vkms: Hold gem object while still in-use (bsc#1113956) * context changes
  • e1000: Distribute switch variables for initialization (bsc#1111666).
  • e1000e: Disable TSO for buffer overrun workaround (bsc#1051510).
  • e1000e: Do not wake up the system via WOL if device wakeup is disabled (bsc#1051510).
  • e1000e: Relax condition to trigger reset for ME workaround (bsc#1111666).
  • EDAC/amd64: Read back the scrub rate PCI register on F15h (bsc#1114279).
  • efi/random: Increase size of firmware supplied randomness (jsc#SLE-12423).
  • efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness (jsc#SLE-12423).
  • efi: READ_ONCE rng seed size before munmap (jsc#SLE-12423).
  • efi: Reorder pr_notice() with add_device_randomness() call (jsc#SLE-12423).
  • evm: Check also if *tfm is an error pointer in init_desc() (bsc#1051510).
  • evm: Fix a small race in init_desc() (bsc#1051510).
  • ext4: fix a data race at inode->i_blocks (bsc#1171835).
  • ext4: fix partial cluster initialization when splitting extent (bsc#1173839).
  • ext4: fix race between ext4_sync_parent() and rename() (bsc#1173838).
  • ext4, jbd2: ensure panic by fix a race between jbd2 abort and ext4 error handlers (bsc#1173833).
  • extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' (bsc#1051510).
  • fanotify: fix ignore mask logic for events on child and on dir (bsc#1172719).
  • fdt: add support for rng-seed (jsc#SLE-12423).
  • fdt: Update CRC check for rng-seed (jsc#SLE-12423).
  • firmware: imx: scu: Fix corruption of header (git-fixes).
  • firmware: imx: scu: Fix possible memory leak in imx_scu_probe() (bsc#1111666).
  • Fix boot crash with MD (bsc#1174343)
  • fix multiplication overflow in copy_fdtable() (bsc#1173825).
  • fpga: dfl: afu: Corrected error handling levels (git-fixes).
  • fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks (networking-stable-20_05_12).
  • gpiolib: Document that GPIO line names are not globally unique (bsc#1051510).
  • gpu: host1x: Detach driver on unregister (bsc#1111666).
  • gpu: ipu-v3: pre: do not trigger update if buffer address does not change (bsc#1111666).
  • HID: magicmouse: do not set up autorepeat (git-fixes).
  • HID: sony: Fix for broken buttons on DS3 USB dongles (bsc#1051510).
  • hv_netvsc: Fix netvsc_start_xmit's return type (git-fixes).
  • hwmon: (acpi_power_meter) Fix potential memory leak in acpi_power_meter_add() (bsc#1111666).
  • hwmon: (emc2103) fix unable to change fan pwm1_enable attribute (bsc#1111666).
  • hwmon: (max6697) Make sure the OVERT mask is set correctly (bsc#1111666).
  • i2c: algo-pca: Add 0x78 as SCL stuck low status for PCA9665 (bsc#1111666).
  • i2c: eg20t: Load module automatically if ID matches (bsc#1111666).
  • i2c: mlxcpld: check correct size of maximum RECV_LEN packet (bsc#1111666).
  • i40e: reduce stack usage in i40e_set_fc (git-fixes).
  • IB/hfi1: Do not destroy hfi1_wq when the device is shut down (bsc#1174409).
  • IB/hfi1: Do not destroy link_wq when the device is shut down (bsc#1174409).
  • ibmveth: