Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2018:4072-1
Rating:	important
References:	bsc#1051510 bsc#1055120 bsc#1061840 bsc#1065600 bsc#1065729 bsc#1066674 bsc#1067906 bsc#1068273 bsc#1076830 bsc#1078248 bsc#1079524 bsc#1082555 bsc#1082653 bsc#1083647 bsc#1084760 bsc#1084831 bsc#1085535 bsc#1086196 bsc#1089350 bsc#1091800 bsc#1094825 bsc#1095805 bsc#1097755 bsc#1100132 bsc#1103356 bsc#1103925 bsc#1104124 bsc#1104731 bsc#1104824 bsc#1105025 bsc#1105428 bsc#1106105 bsc#1106110 bsc#1106237 bsc#1106240 bsc#1107256 bsc#1107385 bsc#1107866 bsc#1108377 bsc#1108468 bsc#1109330 bsc#1109739 bsc#1109772 bsc#1109806 bsc#1109818 bsc#1109907 bsc#1109911 bsc#1109915 bsc#1109919 bsc#1109951 bsc#1110006 bsc#1110998 bsc#1111040 bsc#1111062 bsc#1111174 bsc#1111506 bsc#1111696 bsc#1111809 bsc#1111921 bsc#1111983 bsc#1112128 bsc#1112170 bsc#1112173 bsc#1112208 bsc#1112219 bsc#1112221 bsc#1112246 bsc#1112372 bsc#1112514 bsc#1112554 bsc#1112708 bsc#1112710 bsc#1112711 bsc#1112712 bsc#1112713 bsc#1112731 bsc#1112732 bsc#1112733 bsc#1112734 bsc#1112735 bsc#1112736 bsc#1112738 bsc#1112739 bsc#1112740 bsc#1112741 bsc#1112743 bsc#1112745 bsc#1112746 bsc#1112878 bsc#1112894 bsc#1112899 bsc#1112902 bsc#1112903 bsc#1112905 bsc#1112906 bsc#1112907 bsc#1112963 bsc#1113257 bsc#1113284 bsc#1113295 bsc#1113408 bsc#1113412 bsc#1113501 bsc#1113667 bsc#1113677 bsc#1113722 bsc#1113751 bsc#1113769 bsc#1113780 bsc#1113972 bsc#1114015 bsc#1114178 bsc#1114279 bsc#1114385 bsc#1114576 bsc#1114577 bsc#1114578 bsc#1114579 bsc#1114580 bsc#1114581 bsc#1114582 bsc#1114583 bsc#1114584 bsc#1114585 bsc#1114839 bsc#1115074 bsc#1115269 bsc#1115431 bsc#1115433 bsc#1115440 bsc#1115567 bsc#1115709 bsc#1115976 bsc#1116183 bsc#1116692 bsc#1116693 bsc#1116698 bsc#1116699 bsc#1116700 bsc#1116701 bsc#1116862 bsc#1116863 bsc#1116876 bsc#1116877 bsc#1116878 bsc#1116891 bsc#1116895 bsc#1116899 bsc#1116950 bsc#1117168 bsc#1117172 bsc#1117174 bsc#1117181 bsc#1117184 bsc#1117188 bsc#1117189 bsc#1117349 bsc#1117561 bsc#1117788 bsc#1117789 bsc#1117790 bsc#1117791 bsc#1117792 bsc#1117794 bsc#1117795 bsc#1117796 bsc#1117798 bsc#1117799 bsc#1117801 bsc#1117802 bsc#1117803 bsc#1117804 bsc#1117805 bsc#1117806 bsc#1117807 bsc#1117808 bsc#1117815 bsc#1117816 bsc#1117817 bsc#1117818 bsc#1117819 bsc#1117820 bsc#1117821 bsc#1117822 bsc#1118102 bsc#1118136 bsc#1118137 bsc#1118138 bsc#1118140 bsc#1118152 bsc#1118316
Cross-References:	CVE-2017-16533 CVE-2017-18224 CVE-2018-18281 CVE-2018-18386 CVE-2018-18445 CVE-2018-18710 CVE-2018-19824
CVSS scores:	CVE-2017-16533 ( SUSE ): 4.6 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16533 ( NVD ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-18224 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-18281 ( SUSE ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-18281 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-18386 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-18386 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-18445 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2018-18445 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-18445 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-18710 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-18710 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-19824 ( SUSE ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-19824 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Availability Extension 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise Live Patching 12-SP4 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP4 SUSE Linux Enterprise Software Development Kit 12 SP4 SUSE Linux Enterprise Workstation Extension 12 12-SP4

An update that solves seven vulnerabilities and has 184 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removed entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry could remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
CVE-2018-18445: Faulty computation of numeric bounds in the BPF verifier permitted out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).
CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
CVE-2017-18224: fs/ocfs2/aops.c omitted use of a semaphore and consequently had a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).
CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The following non-security bugs were fixed:

ACPI/APEI: Handle GSIV and GPIO notification types (bsc#1115567).
ACPICA: Tables: Add WSMT support (bsc#1089350).
ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized pointer value (bsc#1051510).
ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers (bsc#1051510).
ACPI, nfit: Fix ARS overflow continuation (bsc#1116895).
ACPI, nfit: Prefer _DSM over _LSR for namespace label reads (bsc#1112128).
ACPI/nfit, x86/mce: Handle only uncorrectable machine checks (bsc#1114279).
ACPI/nfit, x86/mce: Validate a MCE's address before using it (bsc#1114279).
ACPI / platform: Add SMB0001 HID to forbidden_id_list (bsc#1051510).
ACPI / processor: Fix the return value of acpi_processor_ids_walk() (bsc#1051510).
ACPI / watchdog: Prefer iTCO_wdt always when WDAT table uses RTC SRAM (bsc#1051510).
act_ife: fix a potential use-after-free (networking-stable-18_09_11).
Add the cherry-picked dup id for PCI dwc fix
Add version information to KLP_SYMBOLS file
ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write (bsc#1051510).
ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops (bsc#1051510).
ALSA: control: Fix race between adding and removing a user element (bsc#1051510).
ALSA: hda: Add 2 more models to the power_save blacklist (bsc#1051510).
ALSA: hda: Add ASRock N68C-S UCC the power_save blacklist (bsc#1051510).
ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) (bsc#1051510).
ALSA: hda - Add quirk for ASUS G751 laptop (bsc#1051510).
ALSA: hda/ca0132 - Call pci_iounmap() instead of iounmap() (bsc#1051510).
ALSA: hda - Fix headphone pin config for ASUS G751 (bsc#1051510).
ALSA: hda: fix unused variable warning (bsc#1051510).
ALSA: hda/realtek - Add auto-mute quirk for HP Spectre x360 laptop (bsc#1051510).
ALSA: hda/realtek - Add GPIO data update helper (bsc#1051510).
ALSA: hda/realtek - Allow skipping spec->init_amp detection (bsc#1051510).
ALSA: hda/realtek - fix headset mic detection for MSI MS-B171 (bsc#1051510).
ALSA: hda/realtek - Fix HP Headset Mic can't record (bsc#1051510).
ALSA: hda/realtek - fix the pop noise on headphone for lenovo laptops (bsc#1051510).
ALSA: hda/realtek - Fix the problem of the front MIC on the Lenovo M715 (bsc#1051510).
ALSA: hda/realtek - Manage GPIO bits commonly (bsc#1051510).
ALSA: hda/realtek - Simplify Dell XPS13 GPIO handling (bsc#1051510).
ALSA: hda/realtek - Support ALC300 (bsc#1051510).
ALSA: oss: Use kvzalloc() for local buffer allocations (bsc#1051510).
ALSA: sparc: Fix invalid snd_free_pages() at error path (bsc#1051510).
ALSA: usb-audio: Add vendor and product name for Dell WD19 Dock (bsc#1051510).
ALSA: usb-audio: update quirk for B&W PX to remove microphone (bsc#1051510).
ALSA: wss: Fix invalid snd_free_pages() at error path (bsc#1051510).
amd/iommu: Fix Guest Virtual APIC Log Tail Address Register (bsc#1106105).
arm64: KVM: Move CPU ID reg trap setup off the world switch path (bsc#1110998).
arm64: KVM: Sanitize PSTATE.M when being set from userspace (bsc#1110998).
arm64: KVM: Tighten guest core register access from userspace (bsc#1110998).
ARM: dts: at91: add new compatibility string for macb on sama5d3 (bsc#1051510).
ASoC: dwc: Added a quirk DW_I2S_QUIRK_16BIT_IDX_OVERRIDE to dwc (bsc#1085535)
ASoC: Intel: cht_bsw_max98090: add support for Baytrail (bsc#1051510).
ASoC: intel: cht_bsw_max98090_ti: Add quirk for boards using pmc_plt_clk_0 (bsc#1051510).
ASoC: intel: skylake: Add missing break in skl_tplg_get_token() (bsc#1051510).
ASoC: Intel: Skylake: Reset the controller in probe (bsc#1051510).
ASoC: rsnd: adg: care clock-frequency size (bsc#1051510).
ASoC: rsnd: do not fallback to PIO mode when -EPROBE_DEFER (bsc#1051510).
ASoC: rt5514: Fix the issue of the delay volume applied again (bsc#1051510).
ASoC: sigmadsp: safeload should not have lower byte limit (bsc#1051510).
ASoC: sun8i-codec: fix crash on module removal (bsc#1051510).
ASoC: wm8804: Add ACPI support (bsc#1051510).
ata: Fix racy link clearance (bsc#1107866).
ataflop: fix error handling during setup (bsc#1051510).
ath10k: fix kernel panic issue during pci probe (bsc#1051510).
ath10k: fix scan crash due to incorrect length calculation (bsc#1051510).
ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait (bsc#1051510).
ath10k: schedule hardware restart if WMI command times out (bsc#1051510).
autofs: fix autofs_sbi() does not check super block type (git-fixes).
autofs: fix slab out of bounds read in getname_kernel() (git-fixes).
autofs: mount point create should honour passed in mode (git-fixes).
badblocks: fix wrong return value in badblocks_set if badblocks are disabled (git-fixes).
batman-adv: Avoid probe ELP information leak (bsc#1051510).
batman-adv: Expand merged fragment buffer for full packet (bsc#1051510).
batman-adv: fix backbone_gw refcount on queue_work() failure (bsc#1051510).
batman-adv: fix hardif_neigh refcount on queue_work() failure (bsc#1051510).
batman-adv: Use explicit tvlv padding for ELP packets (bsc#1051510).
bdi: Fix another oops in wb_workfn() (bsc#1112746).
bdi: Preserve kabi when adding cgwb_release_mutex (bsc#1112746).
bitops: protect variables in bit_clear_unless() macro (bsc#1051510).
bitops: protect variables in set_mask_bits() macro (bsc#1051510).
Blacklist commit that modifies Scsi_Host/kabi (bsc#1114579)
Blacklist sd_zbc patch that is too invasive (bsc#1114583)
Blacklist virtio patch that uses bio_integrity_bytes() (bsc#1114585)
blk-mq: I/O and timer unplugs are inverted in blktrace (bsc#1112713).
block, bfq: fix wrong init of saved start time for weight raising (bsc#1112708).
block: bfq: swap puts in bfqg_and_blkg_put (bsc#1112712).
block: copy ioprio in __bio_clone_fast() (bsc#1082653).
block: respect virtual boundary mask in bvecs (bsc#1113412).
Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth (bsc#1051510).
Bluetooth: SMP: fix crash in unpairing (bsc#1051510).
bnxt_en: Fix TX timeout during netpoll (networking-stable-18_10_16).
bnxt_en: free hwrm resources, if driver probe fails (networking-stable-18_10_16).
bonding: avoid possible dead-lock (networking-stable-18_10_16).
bonding: fix length of actor system (networking-stable-18_11_02).
bonding: fix warning message (networking-stable-18_10_16).
bonding: pass link-local packets to bonding master also (networking-stable-18_10_16).
bpf: fix partial copy of map_ptr when dst is scalar (bsc#1083647).
bpf, net: add skb_mac_header_len helper (networking-stable-18_09_24).
bpf/verifier: disallow pointer subtraction (bsc#1083647).
bpf: wait for running BPF programs when updating map-in-map (bsc#1083647).
brcmfmac: fix for proper support of 160MHz bandwidth (bsc#1051510).
brcmfmac: fix reporting support for 160 MHz channels (bsc#1051510).
brcmutil: really fix decoding channel info for 160 MHz bandwidth (bsc#1051510).
bridge: do not add port to router list when receives query with source 0.0.0.0 (networking-stable-18_11_02).
Btrfs: Enhance btrfs_trim_fs function to handle error better (Dependency for bsc#1113667).
Btrfs: Ensure btrfs_trim_fs can trim the whole filesystem (bsc#1113667).
Btrfs: fix assertion failure during fsync in no-holes mode (bsc#1118136).
Btrfs: fix assertion on fsync of regular file when using no-holes feature (bsc#1118137).
Btrfs: fix cur_offset in the error case for nocow (bsc#1118140).
Btrfs: fix data corruption due to cloning of eof block (bsc#1116878).
Btrfs: fix deadlock on tree root leaf when finding free extent (bsc#1116876).
Btrfs: fix deadlock when writing out free space caches (bsc#1116700).
Btrfs: fix infinite loop on inode eviction after deduplication of eof block (bsc#1116877).
Btrfs: fix missing error return in btrfs_drop_snapshot (Git-fixes bsc#1109919).
Btrfs: fix null pointer dereference on compressed write path error (bsc#1116698).
Btrfs: fix use-after-free during inode eviction (bsc#1116701).
Btrfs: fix use-after-free when dumping free space (bsc#1116862).
Btrfs: fix warning when replaying log after fsync of a tmpfile (bsc#1116692).
Btrfs: fix wrong dentries after fsync of file that got its parent replaced (bsc#1116693).
Btrfs: handle errors while updating refcounts in update_ref_for_cow (Git-fixes bsc#1109915).
Btrfs: make sure we create all new block groups (bsc#1116699).
Btrfs: protect space cache inode alloc with GFP_NOFS (bsc#1116863).
Btrfs: send, fix infinite loop due to directory rename dependencies (bsc#1118138).
cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) (bsc#1051510).
can: dev: __can_get_echo_skb(): Do not crash the kernel if can_priv::echo_skb is accessed out of bounds (bsc#1051510).
can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() (bsc#1051510).
can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb (bsc#1051510).
can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length (bsc#1051510).
can: hi311x: Use level-triggered interrupt (bsc#1051510).
can: raw: check for CAN FD capa