Security update for the Linux Kernel

Announcement ID: SUSE-SU-2018:1309-1
Rating: important
CVSS scores:
  • CVE-2016-7915 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2017-0861 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-0861 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-12190 ( SUSE ): 6.2 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
  • CVE-2017-12190 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  • CVE-2017-13166 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-13166 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-16644 ( SUSE ): 4.6 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-16644 ( NVD ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-16911 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2017-16911 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2017-16912 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-16912 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-16913 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-16913 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-16914 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-16914 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-18203 ( SUSE ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  • CVE-2017-18203 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-18208 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-18208 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-10087 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-10087 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-10124 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-10124 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-6927 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-6927 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-7566 ( SUSE ): 7.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
  • CVE-2018-7566 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-7757 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-7757 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-8822 ( SUSE ): 6.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-8822 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-8822 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise Real Time Extension 11 SP4

An update that solves 18 vulnerabilities and has 36 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

  • CVE-2018-10124: The kill_something_info function in kernel/signal.c might have allowed local users to cause a denial of service via an INT_MIN argument (bnc#1089752).
  • CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have allowed local users to cause a denial of service by triggering an attempted use of the -INT_MIN value (bnc#1089608).
  • CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).
  • CVE-2018-7566: Buffer overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user potentially allowing for code execution (bnc#1083483).
  • CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260 1088268).
  • CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function could have been exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162).
  • CVE-2017-13166: Prevent elevation of privilege vulnerability in the video driver (bnc#1072865).
  • CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allowed local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices (bnc#1083242).
  • CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP (bnc#1078674).
  • CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
  • CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118).
  • CVE-2018-6927: The futex_requeue function in kernel/futex.c allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757).
  • CVE-2017-16914: The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) allowed attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet (bnc#1078669).
  • CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c allowed physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver (bnc#1010470).
  • CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c attempted to support a FRAGLIST feature without proper memory allocation, which allowed guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets (bnc#940776).
  • CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in block/bio.c did unbalanced refcounting when a SCSI I/O vector had small consecutive buffers belonging to the same page. The bio_add_pc_page function merged them into one, but the page reference was never dropped. This caused a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (bnc#1062568).
  • CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673).
  • CVE-2017-16913: The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672).

The following non-security bugs were fixed:

  • Integrate fixes resulting from bsc#1088147. More info in the respective commit messages.
  • KABI: x86/kaiser: properly align trampoline stack.
  • KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
  • KEYS: prevent creating a different user's keyrings (bnc#1065999).
  • NFSv4: fix getacl head length estimation (git-fixes).
  • PCI: Use function 0 VPD for identical functions, regular VPD for others (bnc#943786 git-fixes).
  • Revert "USB: cdc-acm: fix broken runtime suspend" (bsc#1067912).
  • af_iucv: enable control sends in case of SEND_SHUTDOWN (bnc#1085513, LTC#165135).
  • blacklist.conf: blacklisted 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") (bnc#1063516).
  • blacklist.conf: blacklisted 9fbc1f635fd0bd28cb32550211bf095753ac637a (bnc#1089665).
  • blacklist.conf: blacklisted ba4877b9ca51f80b5d30f304a46762f0509e1635 (bnc#1089668).
  • cifs: fix buffer overflow in cifs_build_path_to_root() (bsc#1085113).
  • drm/mgag200: fix a test in mga_vga_mode_valid() (bsc#1087092).
  • hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers) (bnc#1013018).
  • hrtimer: Reset hrtimer cpu base proper on CPU hotplug (bnc#1013018).
  • ide-cd: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
  • ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
  • ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
  • ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
  • jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path (git-fixes).
  • leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
  • media: cpia2: Fix a couple off by one bugs (bsc#1050431).
  • mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack (bnc#1039348).
  • pipe: actually allow root to exceed the pipe buffer limits (git-fixes).
  • posix-timers: Protect posix clock array access against speculation (bnc#1081358).
  • powerpc/fadump: Add a warning when 'fadump_reserve_mem=' is used (bnc#1032084).
  • powerpc/fadump: reuse crashkernel parameter for fadump memory reservation (bnc#1032084).
  • powerpc/fadump: update documentation about crashkernel parameter reuse (bnc#1032084).
  • powerpc/fadump: use 'fadump_reserve_mem=' when specified (bnc#1032084).
  • powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032, bsc#1075088).
  • qeth: repair SBAL elements calculation (bnc#1085513, LTC#165484).
  • s390/qeth: fix underestimated count of buffer elements (bnc#1082091, LTC#164529).
  • scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
  • usbnet: Fix a race between usbnet_stop() and the BH (bsc#1083275).
  • x86-64: Move the "user" vsyscall segment out of the data segment (bsc#1082424).
  • x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).
  • x86/kaiser: properly align trampoline stack (bsc#1087260).
  • x86/retpoline: do not perform thunk calls in ring3 vsyscall code (bsc#1085331).
  • xen/x86/CPU: Check speculation control CPUID bit (bsc#1068032).
  • xen/x86/CPU: Sync CPU feature flags late (bsc#1075994 bsc#1075091).
  • xen/x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and sync_regs (bsc#909077).
  • xen/x86/cpu: Factor out application of forced CPU caps (bsc#1075994 bsc#1075091).
  • xen/x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option (bsc#1065600).
  • xen/x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
  • xen/x86/idle: Toggle IBRS when going idle (bsc#1068032).
  • xen/x86/kaiser: Move feature detection up (bsc#1068032).
  • xfs: check for buffer errors before waiting (bsc#1052943).
  • xfs: fix allocbt cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).
  • xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).

Special Instructions and Notes:

  • Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Real Time Extension 11 SP4
    zypper in -t patch slertesp4-kernel-13604=1

Package List:

  • SUSE Linux Enterprise Real Time Extension 11 SP4 (nosrc x86_64)
    • kernel-rt_trace-3.0.101.rt130-69.24.1
    • kernel-rt-3.0.101.rt130-69.24.1
  • SUSE Linux Enterprise Real Time Extension 11 SP4 (x86_64)
    • kernel-rt_trace-base-3.0.101.rt130-69.24.1
    • kernel-syms-rt-3.0.101.rt130-69.24.1
    • kernel-rt_trace-devel-3.0.101.rt130-69.24.1
    • kernel-rt-devel-3.0.101.rt130-69.24.1
    • kernel-rt-base-3.0.101.rt130-69.24.1
    • kernel-source-rt-3.0.101.rt130-69.24.1
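The following shell snippet is an added example, not part of the SUSE advisory, that checks whether the installed kernel-rt packages are still older than the fixed version 3.0.101.rt130-69.24.1 listed in the package list above. It compares `rpm -q` output (here a constructed sample, so it runs offline) against the fixed version using GNU `sort -V`; on a real host replace the sample with the output of the `rpm -q` query given in the comment.

```shell
#!/bin/sh
# Added example (not SUSE's own tooling): report kernel-rt packages that are
# still older than the version shipped by SUSE-SU-2018:1309-1.
FIXED_VERSION="3.0.101.rt130-69.24.1"

# Constructed sample of:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' kernel-rt kernel-rt-base
# One package is still on an older (assumed) release, the other is already fixed.
SAMPLE_RPM_OUTPUT='kernel-rt 3.0.101.rt130-69.21.1
kernel-rt-base 3.0.101.rt130-69.24.1'

# version_lt A B: succeeds (exit 0) when version A sorts strictly before B.
# GNU sort -V orders numeric components numerically, so 69.21.1 < 69.24.1.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# list_vulnerable RPM_OUTPUT: prints one package name per line for every
# package whose installed version is older than FIXED_VERSION.
list_vulnerable() {
    printf '%s\n' "$1" | while read -r name ver; do
        [ -n "$name" ] || continue
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf '%s\n' "$name"
        fi
    done
}

# Stand-alone run on the constructed sample: prints "kernel-rt".
list_vulnerable "$SAMPLE_RPM_OUTPUT"
```

A non-empty result means the host has not yet received this patch (or has not been rebooted into it, which this package check cannot tell; compare `uname -r` separately), and `zypper in -t patch slertesp4-kernel-13604=1` followed by a reboot is still required.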