Security update for the Linux Kernel

Announcement ID: SUSE-SU-2019:0095-1
Rating: important
CVSS scores:
  • CVE-2018-14613 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-14613 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-14617 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-14617 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-14633 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-14633 ( NVD ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
  • CVE-2018-14633 ( NVD ): 7.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
  • CVE-2018-16276 ( SUSE ): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-16276 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-16276 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-16597 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2018-16597 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2018-17182 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-17182 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-17182 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-18281 ( SUSE ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2018-18281 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-18386 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-18386 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-18690 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-18690 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-18710 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2018-18710 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2018-7480 ( SUSE ): 6.7 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H
  • CVE-2018-7480 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-7480 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-7757 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-7757 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-9516 ( SUSE ): 6.7 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-9516 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3

An update that solves 13 vulnerabilities and has 140 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 SP3 Azure kernel was updated to 4.4.162 to receive various security and bug fixes.

The following security bugs were fixed:

  • CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
  • CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
  • CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).
  • CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
  • CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bnc#1108498).
  • CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the iSCSI target code, in the way an authentication request from an iSCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on the compiler, compile flags and hardware architecture), an attack may lead to a system crash and thus to a denial of service, or possibly to unauthorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely (bnc#1107829).
  • CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).
  • CVE-2018-16597: Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem (bnc#1106512).
  • CVE-2018-14613: There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c (bnc#1102896).
  • CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).
  • CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095 bnc#1115593).
  • CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1087209).
  • CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).
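
The bounds-check failure described for CVE-2018-18710 above (a cast from unsigned long to int that interferes with bounds checking), shown as an added example that is not part of the SUSE advisory or the kernel source. It is a simplified user-space model; the function names slot_check_cast and slot_check_unsigned and the 6-slot capacity are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/*
 * Simplified user-space model of a slot-number bounds check.
 * Function names and the capacity value are hypothetical; this is
 * not the kernel's code. capacity is assumed to be non-negative.
 */

/* Flawed form: arg is converted to int before the comparison, so a
 * large unsigned value can become negative and pass the check
 * (wraps on GCC/Clang; the conversion is implementation-defined). */
static int slot_check_cast(int capacity, unsigned long arg)
{
    if ((int)arg >= capacity)
        return -EINVAL;
    return 0;
}

/* Corrected form: compare in the argument's own unsigned type. */
static int slot_check_unsigned(int capacity, unsigned long arg)
{
    if (arg >= (unsigned long)capacity)
        return -EINVAL;
    return 0;
}

int main(void)
{
    const int capacity = 6; /* constructed sample: a 6-slot changer */
    const unsigned long samples[] = { 0UL, 5UL, 6UL, 0x80000000UL, ULONG_MAX };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("arg=%#lx cast=%d unsigned=%d\n", samples[i],
               slot_check_cast(capacity, samples[i]),
               slot_check_unsigned(capacity, samples[i]));
    return 0;
}
```

Both checks agree on in-range and slightly out-of-range values; they differ only for arguments whose conversion to int is negative, which the flawed form accepts and the corrected form rejects.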

The following non-security bugs were fixed:

  • 6lowpan: iphc: reset mac_header after decompress to fix panic (bnc#1012382).
  • alsa: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping (bnc#1012382).
  • alsa: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO (bnc#1012382).
  • alsa: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge (bnc#1012382).
  • alsa: hda - Fix cancel_work_sync() stall from jackpoll work (bnc#1012382).
  • alsa: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 (bnc#1012382).
  • alsa: msnd: Fix the default sample sizes (bnc#1012382).
  • alsa: pcm: Fix snd_interval_refine first/last with open min/max (bnc#1012382).
  • alsa: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro (bnc#1012382).
  • apparmor: remove no-op permission check in policy_unpack (git-fixes).
  • arc: build: Get rid of toolchain check (bnc#1012382).
  • arc: clone syscall to setp r25 as thread pointer (bnc#1012382).
  • arch/hexagon: fix kernel/dma.c build warning (bnc#1012382).
  • arch-symbols: use bash as interpreter since the script uses bashism.
  • arc: [plat-axs*]: Enable SWAP (bnc#1012382).
  • arm64: bpf: jit JMP_JSET_{X,K} (bsc#1110613).
  • arm64: Correct type for PUD macros (bsc#1110600).
  • arm64: cpufeature: Track 32bit EL0 support (bnc#1012382).
  • arm64: dts: qcom: db410c: Fix Bluetooth LED trigger (bnc#1012382).
  • arm64: fix erroneous __raw_read_system_reg() cases (bsc#1110606).
  • arm64: Fix potential race with hardware DBM in ptep_set_access_flags() (bsc#1110605).
  • arm64: fpsimd: Avoid FPSIMD context leakage for the init task (bsc#1110603).
  • arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto" (bnc#1012382).
  • arm64: kasan: avoid bad virt_to_pfn() (bsc#1110612).
  • arm64: kasan: avoid pfn_to_nid() before page array is initialized (bsc#1110619).
  • arm64/kasan: do not allocate extra shadow memory (bsc#1110611).
  • arm64: kernel: Update kerneldoc for cpu_suspend() rename (bsc#1110602).
  • arm64: kgdb: handle read-only text / modules (bsc#1110604).
  • arm64: KVM: Sanitize PSTATE.M when being set from userspace (bnc#1012382).
  • arm64: KVM: Tighten guest core register access from userspace (bnc#1012382).
  • arm64/mm/kasan: do not use vmemmap_populate() to initialize shadow (bsc#1110618).
  • arm64: ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails (bsc#1110601).
  • arm64: supported.conf: mark armmmci as not supported
  • arm64 Update config files. (bsc#1110468) Set MMC_QCOM_DML to build-in and delete driver from supported.conf
  • arm64: vdso: fix clock_getres for 4GiB-aligned res (bsc#1110614).
  • arm: dts: at91: add new compatibility string for macb on sama5d3 (bnc#1012382).
  • arm: dts: dra7: fix DCAN node addresses (bnc#1012382).
  • arm: exynos: Clear global variable on init error path (bnc#1012382).
  • arm: hisi: check of_iomap and fix missing of_node_put (bnc#1012382).
  • arm: hisi: fix error handling and missing of_node_put (bnc#1012382).
  • arm: hisi: handle of_iomap and fix missing of_node_put (bnc#1012382).
  • arm: mvebu: declare asm symbols as character arrays in pmsu.c (bnc#1012382).
  • asm/sections: add helpers to check for section data (bsc#1063026).
  • ASoC: cs4265: fix MMTLR Data switch control (bnc#1012382).
  • ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs (bnc#1012382).
  • ASoC: sigmadsp: safeload should not have lower byte limit (bnc#1012382).
  • ASoC: wm8804: Add ACPI support (bnc#1012382).
  • ASoC: wm8994: Fix missing break in switch (bnc#1012382).
  • ata: libahci: Correct setting of DEVSLP register (bnc#1012382).
  • ath10k: disable bundle mgmt tx completion event support (bnc#1012382).
  • ath10k: fix scan crash due to incorrect length calculation (bnc#1012382).
  • ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait (bnc#1012382).
  • ath10k: prevent active scans on potential unusable channels (bnc#1012382).
  • ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock (bnc#1012382).
  • audit: fix use-after-free in audit_add_watch (bnc#1012382).
  • autofs: fix autofs_sbi() does not check super block type (bnc#1012382).
  • binfmt_elf: Respect error