Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2018:0841-1
Rating:	important
References:	bsc#1012382 bsc#1045538 bsc#1048585 bsc#1049128 bsc#1050431 bsc#1054305 bsc#1059174 bsc#1060279 bsc#1060682 bsc#1063544 bsc#1064861 bsc#1068032 bsc#1068984 bsc#1069508 bsc#1070623 bsc#1070781 bsc#1073311 bsc#1074488 bsc#1074621 bsc#1074880 bsc#1075088 bsc#1075091 bsc#1075410 bsc#1075617 bsc#1075621 bsc#1075908 bsc#1075994 bsc#1076017 bsc#1076154 bsc#1076278 bsc#1076437 bsc#1076849 bsc#1077191 bsc#1077355 bsc#1077406 bsc#1077487 bsc#1077560 bsc#1077922 bsc#1078875 bsc#1079917 bsc#1080133 bsc#1080359 bsc#1080363 bsc#1080372 bsc#1080579 bsc#1080685 bsc#1080774 bsc#1081500 bsc#936530 bsc#962257
Cross-References:	CVE-2015-1142857 CVE-2017-13215 CVE-2017-17741 CVE-2017-18017 CVE-2017-18079 CVE-2017-5715 CVE-2018-1000004 CVE-2018-5332 CVE-2018-5333
CVSS scores:	CVE-2015-1142857 ( SUSE ): 4.8 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-13215 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-13215 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-17741 ( SUSE ): 7.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H CVE-2017-17741 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2017-18017 ( SUSE ): 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2017-18017 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-18017 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-18079 ( SUSE ): 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2017-18079 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-18079 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-5715 ( SUSE ): 7.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2017-5715 ( NVD ): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2017-5715 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-1000004 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-1000004 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-5332 ( SUSE ): 3.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2018-5332 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-5332 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-5333 ( SUSE ): 2.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-5333 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Real Time Extension 11 SP4

An update that solves nine vulnerabilities and has 41 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 11 SP4 Realtime kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032).

The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka "retpolines".

• CVE-2015-1142857: On multiple SR-IOV cars it is possible for VF's assigned to guests to send ethernet flow control pause frames via the PF. This includes Linux kernel ixgbe driver, i40e/i40evf driver and the DPDK, additionally multiple vendor NIC firmware is affected (bnc#1077355).
• CVE-2017-13215: A elevation of privilege vulnerability in the Upstream kernel skcipher. (bnc#1075908).
• CVE-2017-17741: The KVM implementation in the Linux kernel allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h (bnc#1073311).
• CVE-2017-18017: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488).
• CVE-2017-18079: drivers/input/serio/i8042.c in the Linux kernel allowed attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated (bnc#1077922).
• CVE-2018-1000004: In the Linux kernel a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition (bnc#1076017).
• CVE-2018-5332: In the Linux kernel the rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621).
• CVE-2018-5333: In the Linux kernel rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).

The following non-security bugs were fixed:

• Add proper NX hadnling for !NX-capable systems also to kaiser_add_user_map(). (bsc#1076278).
• alsa: aloop: Fix inconsistent format due to incomplete rule (bsc#1045538).
• alsa: aloop: Fix racy hw constraints adjustment (bsc#1045538).
• alsa: aloop: Release cable upon open error path (bsc#1045538).
• alsa: pcm: Abort properly at pending signal in OSS read/write loops (bsc#1045538).
• alsa: pcm: Add missing error checks in OSS emulation plugin builder (bsc#1045538).
• alsa: pcm: Allow aborting mutex lock at OSS read/write loops (bsc#1045538).
• alsa: pcm: Remove incorrect snd_BUG_ON() usages (bsc#1045538).
• alsa: pcm: Remove yet superfluous WARN_ON() (bsc#1045538).
• btrfs: cleanup unnecessary assignment when cleaning up all the residual transaction (FATE#325056).
• btrfs: copy fsid to super_block s_uuid (bsc#1080774).
• btrfs: do not wait for all the writers circularly during the transaction commit (FATE#325056).
• btrfs: do not WARN() in btrfs_transaction_abort() for IO errors (bsc#1080363).
• btrfs: fix two use-after-free bugs with transaction cleanup (FATE#325056).
• btrfs: make the state of the transaction more readable (FATE#325056).
• btrfs: qgroup: exit the rescan worker during umount (bsc#1080685).
• btrfs: qgroup: Fix dead judgement on qgroup_rescan_leaf() return value (bsc#1080685).
• btrfs: reset intwrite on transaction abort (FATE#325056).
• btrfs: set qgroup_ulist to be null after calling ulist_free() (bsc#1080359).
• btrfs: stop waiting on current trans if we aborted (FATE#325056).
• cdc-acm: apply quirk for card reader (bsc#1060279).
• cdrom: factor out common open_for_* code (bsc#1048585).
• cdrom: wait for tray to close (bsc#1048585).
• delay: add poll_event_interruptible (bsc#1048585).
• dm flakey: add corrupt_bio_byte feature (bsc#1080372).
• dm flakey: add drop_writes (bsc#1080372).
• dm flakey: error READ bios during the down_interval (bsc#1080372).
• dm flakey: fix crash on read when corrupt_bio_byte not set (bsc#1080372).
• dm flakey: fix reads to be issued if drop_writes configured (bsc#1080372).
• dm flakey: introduce "error_writes" feature (bsc#1080372).
• dm flakey: support feature args (bsc#1080372).
• dm flakey: use dm_target_offset and support discards (bsc#1080372).
• ext2: free memory allocated and forget buffer head when io error happens (bnc#1069508).
• ext2: use unlikely to improve the efficiency of the kernel (bnc#1069508).
• ext3: add necessary check in case IO error happens (bnc#1069508).
• ext3: use unlikely to improve the efficiency of the kernel (bnc#1069508).
• fork: clear thread stack upon allocation (bsc#1077560).
• kabi/severities ignore Cell-specific symbols
• kaiser: do not clobber ZF by calling ENABLE_IBRS after test and before jz
• kaiser: fix ia32 compat sysexit (bsc#1080579) sysexit_from_sys_call cannot make assumption of accessible stack after CR3 switch, and therefore should use the SWITCH_USER_CR3_NO_STACK method to flip the pagetable hierarchy.
• kaiser: Fix trampoline stack loading issue on XEN PV
• kaiser: handle non-accessible stack in sysretl_from_sys_call properly (bsc#bsc#1080579)
• kaiser: make sure not to touch stack after CR3 switch in compat syscall return
• kaiser: really do switch away from trampoline stack to kernel stack in ia32_syscall entry (bsc#1080579)
• kbuild: modversions for EXPORT_SYMBOL() for asm (bsc#1074621 bsc#1068032).
• keys: trusted: fix writing past end of buffer in trusted_read() (bsc#1074880).
• media: omap_vout: Fix a possible null pointer dereference in omap_vout_open() (bsc#1050431).
• mISDN: fix a loop count (bsc#1077191).
• mm: pin address_space before dereferencing it while isolating an LRU page (bnc#1081500).
• nfsd: do not share group_info among threads (bsc@1070623).
• ocfs2: avoid blocking in ocfs2_mark_lockres_freeing() in downconvert thread (bsc#1076437).
• ocfs2: do not set OCFS2_LOCK_UPCONVERT_FINISHING if nonblocking lock can not be granted at once (bsc#1076437).
• ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock (bsc#962257).
• powerpc/64: Add macros for annotating the destination of rfid/hrfid (bsc#1068032, bsc#1075088).
• powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075088).
• powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075088).
• powerpc/64s: Add EX_SIZE definition for paca exception save areas (bsc#1068032, bsc#1075088).
• powerpc/64s: Add support for RFI flush of L1-D cache (bsc#1068032, bsc#1075088).
• powerpc/64s: Allow control of RFI flush via debugfs (bsc#1068032, bsc#1075088).
• powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075088).
• powerpc/64s: Simple RFI macro conversions (bsc#1068032, bsc#1075088).
• powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti (bsc#1068032, bsc#1075088).
• powerpc/64s: Wire up cpu_show_meltdown() (bsc#1068032).
• powerpc/asm: Allow including ppc_asm.h in asm files (bsc#1068032, bsc#1075088).
• powerpc: Fix register clobbering when accumulating stolen time (bsc#1059174).
• powerpc: Fix up the kdump base cap to 128M (bsc#1079917, bsc#1077487).
• powerpc: Mark CONFIG_PPC_DEBUG_RFI as BROKEN (bsc#1075088).
• powerpc/perf: Dereference BHRB entries safely (bsc#1064861, FATE#317619, git-fixes).
• powerpc/perf: Fix book3s kernel to userspace backtraces (bsc#1080133).
• powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper (bsc#1068032, bsc#1075088).
• powerpc/pseries: include linux/types.h in asm/hvcall.h (bsc#1068032, bsc#1075088).
• powerpc/pseries: Introduce H_GET_CPU_CHARACTERISTICS (bsc#1068032, bsc#1075088).
• powerpc/pseries: Kill all prefetch streams on context switch (bsc#1068032, bsc#1075088).
• powerpc/pseries: Query hypervisor for RFI flush settings (bsc#1068032, bsc#1075088).
• powerpc/pseries: rfi-flush: Call setup_rfi_flush() after LPM migration (bsc#1068032, bsc#1075088).
• powerpc/pseries/rfi-flush: Call setup_rfi_flush() after LPM migration (bsc#1075088).
• powerpc/pseries/rfi-flush: Drop PVR-based selection (bsc#1075088).
• powerpc/rfi-flush: Add DEBUG_RFI config option (bsc#1068032, bsc#1075088).
• powerpc/rfi-flush: Factor out init_fallback_flush() (bsc#1075088).
• powerpc/rfi-flush: Make setup_rfi_flush() not __init (bsc#1075088).
• powerpc/rfi-flush: Move RFI flush fields out of the paca (unbreak kABI) (bsc#1068032, bsc#1075088).
• powerpc/rfi-flush: Move the logic to avoid a redo into the sysfs code (bsc#1068032, bsc#1075088).
• powerpc/rfi-flush: Move the logic to avoid a redo into the sysfs code (bsc#1075088).
• powerpc/vdso64: Use double word compare on pointers (bsc#1070781).
• rfi-flush: Make DEBUG_RFI a CONFIG option (bsc#1068032, bsc#1075088).
• rfi-flush: Move rfi_flush_fallback_area to end of paca (bsc#1075088).
• rfi-flush: Move RFI flush fields out of the paca (unbreak kABI) (bsc#1075088).
• rfi-flush: Switch to new linear fallback flush (bsc#1068032, bsc#1075088).
• s390: add ppa to the idle loop (bnc#1077406, LTC#163910).
• s390/cpuinfo: show facilities as reported by stfle (bnc#1076849, LTC#163741).
• scsi: libiscsi: fix shifting of DID_REQUEUE host byte (bsc#1078875).
• scsi: sr: wait for the medium to become ready (bsc#1048585).
• scsi: virtio_scsi: let host do exception handling (bsc#936530,bsc#1060682).
• storvsc: do not assume SG list is continuous when doing bounce buffers (bsc#1075410).
• sysfs/cpu: Add vulnerability folder (bnc#1012382).
• sysfs/cpu: Fix typos in vulnerability documentation (bnc#1012382).
• sysfs: spectre_v2, handle spec_ctrl (bsc#1075994 bsc#1075091).
• Update config files: enable CPU vulnerabilities reporting via sysfs
• x86/acpi: Handle SCI interrupts above legacy space gracefully (bsc#1068984).
• x86/acpi: Reduce code duplication in mp_override_legacy_irq() (bsc#1068984).
• x86/boot: Fix early command-line parsing when matching at end (bsc#1068032).
• x86/cpu: Factor out application of forced CPU caps (bsc#1075994 bsc#1075091).
• x86/cpu: Implement CPU vulnerabilites sysfs functions (bnc#1012382).
• x86/CPU: Sync CPU feature flags late (bsc#1075994 bsc#1075091).
• x86/kaiser: Populate shadow PGD with NX bit only if supported by platform (bsc#1076154 bsc#1076278).
• x86/kaiser: use trampoline stack for kernel entry.
• x86/microcode/intel: Extend BDW late-loading further with LLC size check (bsc#1054305).
• x86/microcode/intel: Extend BDW late-loading with a revision check (bsc#1054305).
• x86/microcode: Rescan feature flags upon late loading (bsc#1075994 bsc#1075091).
• x86/retpolines/spec_ctrl: disable IBRS on !SKL if retpolines are active (bsc#1068032).
• x86/spec_ctrl: handle late setting of X86_FEATURE_SPEC_CTRL properly (bsc#1075994 bsc#1075091).
• x86/spectre_v2: fix ordering in IBRS initialization (bsc#1075994 bsc#1075091).
• x86/spectre_v2: nospectre_v2 means nospec too (bsc#1075994 bsc#1075091).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Real Time Extension 11 SP4
  zypper in -t patch slertesp4-kernel-rt-20180209-13539=1

Package List:

• SUSE Linux Enterprise Real Time Extension 11 SP4 (nosrc x86_64)
  • kernel-rt-3.0.101.rt130-69.21.1
  • kernel-rt_trace-3.0.101.rt130-69.21.1
• SUSE Linux Enterprise Real Time Extension 11 SP4 (x86_64)
  • kernel-source-rt-3.0.101.rt130-69.21.1
  • kernel-rt-base-3.0.101.rt130-69.21.1
  • kernel-rt_trace-base-3.0.101.rt130-69.21.1
  • kernel-rt_trace-devel-3.0.101.rt130-69.21.1
  • kernel-rt-devel-3.0.101.rt130-69.21.1
  • kernel-syms-rt-3.0.101.rt130-69.21.1

References:

• https://www.suse.com/security/cve/CVE-2015-1142857.html
• https://www.suse.com/security/cve/CVE-2017-13215.html
• https://www.suse.com/security/cve/CVE-2017-17741.html
• https://www.suse.com/security/cve/CVE-2017-18017.html
• https://www.suse.com/security/cve/CVE-2017-18079.html
• https://www.suse.com/security/cve/CVE-2017-5715.html
• https://www.suse.com/security/cve/CVE-2018-1000004.html
• https://www.suse.com/security/cve/CVE-2018-5332.html
• https://www.suse.com/security/cve/CVE-2018-5333.html
• https://bugzilla.suse.com/show_bug.cgi?id=1012382
• https://bugzilla.suse.com/show_bug.cgi?id=1045538
• https://bugzilla.suse.com/show_bug.cgi?id=1048585
• https://bugzilla.suse.com/show_bug.cgi?id=1049128
• https://bugzilla.suse.com/show_bug.cgi?id=1050431
• https://bugzilla.suse.com/show_bug.cgi?id=1054305
• https://bugzilla.suse.com/show_bug.cgi?id=1059174
• https://bugzilla.suse.com/show_bug.cgi?id=1060279
• https://bugzilla.suse.com/show_bug.cgi?id=1060682
• https://bugzilla.suse.com/show_bug.cgi?id=1063544
• https://bugzilla.suse.com/show_bug.cgi?id=1064861
• https://bugzilla.suse.com/show_bug.cgi?id=1068032
• https://bugzilla.suse.com/show_bug.cgi?id=1068984
• https://bugzilla.suse.com/show_bug.cgi?id=1069508
• https://bugzilla.suse.com/show_bug.cgi?id=1070623
• https://bugzilla.suse.com/show_bug.cgi?id=1070781
• https://bugzilla.suse.com/show_bug.cgi?id=1073311
• https://bugzilla.suse.com/show_bug.cgi?id=1074488
• https://bugzilla.suse.com/show_bug.cgi?id=1074621
• https://bugzilla.suse.com/show_bug.cgi?id=1074880
• https://bugzilla.suse.com/show_bug.cgi?id=1075088
• https://bugzilla.suse.com/show_bug.cgi?id=1075091
• https://bugzilla.suse.com/show_bug.cgi?id=1075410
• https://bugzilla.suse.com/show_bug.cgi?id=1075617
• https://bugzilla.suse.com/show_bug.cgi?id=1075621
• https://bugzilla.suse.com/show_bug.cgi?id=1075908
• https://bugzilla.suse.com/show_bug.cgi?id=1075994
• https://bugzilla.suse.com/show_bug.cgi?id=1076017
• https://bugzilla.suse.com/show_bug.cgi?id=1076154
• https://bugzilla.suse.com/show_bug.cgi?id=1076278
• https://bugzilla.suse.com/show_bug.cgi?id=1076437
• https://bugzilla.suse.com/show_bug.cgi?id=1076849
• https://bugzilla.suse.com/show_bug.cgi?id=1077191
• https://bugzilla.suse.com/show_bug.cgi?id=1077355
• https://bugzilla.suse.com/show_bug.cgi?id=1077406
• https://bugzilla.suse.com/show_bug.cgi?id=1077487
• https://bugzilla.suse.com/show_bug.cgi?id=1077560
• https://bugzilla.suse.com/show_bug.cgi?id=1077922
• https://bugzilla.suse.com/show_bug.cgi?id=1078875
• https://bugzilla.suse.com/show_bug.cgi?id=1079917
• https://bugzilla.suse.com/show_bug.cgi?id=1080133
• https://bugzilla.suse.com/show_bug.cgi?id=1080359
• https://bugzilla.suse.com/show_bug.cgi?id=1080363
• https://bugzilla.suse.com/show_bug.cgi?id=1080372
• https://bugzilla.suse.com/show_bug.cgi?id=1080579
• https://bugzilla.suse.com/show_bug.cgi?id=1080685
• https://bugzilla.suse.com/show_bug.cgi?id=1080774
• https://bugzilla.suse.com/show_bug.cgi?id=1081500
• https://bugzilla.suse.com/show_bug.cgi?id=936530
• https://bugzilla.suse.com/show_bug.cgi?id=962257