Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2020:3273-1
Rating:	important
References:	bsc#1065600 bsc#1066382 bsc#1149032 bsc#1163592 bsc#1164648 bsc#1170415 bsc#1175721 bsc#1175749 bsc#1176354 bsc#1177281 bsc#1177766 bsc#1177799 bsc#1177801 bsc#1178166 bsc#1178173 bsc#1178175 bsc#1178176 bsc#1178177 bsc#1178183 bsc#1178184 bsc#1178185 bsc#1178186 bsc#1178190 bsc#1178191 bsc#1178255 bsc#1178307 bsc#1178330 bsc#1178395
Cross-References:	CVE-2020-25656 CVE-2020-25705 CVE-2020-8694
CVSS scores:	CVE-2020-25656 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25656 ( NVD ): 4.1 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2020-25705 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2020-25705 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2020-8694 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-8694 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:	Basesystem Module 15-SP2 Development Tools Module 15-SP2 Legacy Module 15-SP2 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise High Availability Extension 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Live Patching 15-SP2 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Workstation Extension 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1

An update that solves three vulnerabilities and has 25 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

• CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
• CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
• CVE-2020-25705: A ICMP global rate limiting side-channel was removed which could lead to e.g. the SADDNS attack (bsc#1175721)

The following non-security bugs were fixed:

• act_ife: load meta modules before tcf_idr_check_alloc() (networking-stable-20_09_24).
• ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
• ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
• block: Set same_page to false in __bio_try_merge_page if ret is false (git-fixes).
• Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb (git-fixes).
• Bluetooth: Only mark socket zapped after unlocking (git-fixes).
• bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex (git-fixes).
• bonding: show saner speed for broadcast mode (networking-stable-20_08_24).
• brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
• brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
• btrfs: allocate scrub workqueues outside of locks (bsc#1178183).
• btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
• btrfs: drop path before adding new uuid tree entry (bsc#1178176).
• btrfs: fix filesystem corruption after a device replace (bsc#1178395).
• btrfs: fix NULL pointer dereference after failure to create snapshot (bsc#1178190).
• btrfs: fix overflow when copying corrupt csums for a message (bsc#1178191).
• btrfs: fix space cache memory leak after transaction abort (bsc#1178173).
• btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks (bsc#1178395).
• btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing (bsc#1178395).
• btrfs: set the correct lockdep class for new nodes (bsc#1178184).
• btrfs: set the lockdep class for log tree extent buffers (bsc#1178186).
• can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
• ceph: promote to unsigned long long before shifting (bsc#1178175).
• crypto: ccp - fix error handling (git-fixes).
• cxgb4: fix memory leak during module unload (networking-stable-20_09_24).
• cxgb4: Fix offset when clearing filter byte counters (networking-stable-20_09_24).
• Disable ipa-clones dump for KMP builds (bsc#1178330) The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes
• Disable module compression on SLE15 SP2 (bsc#1178307)
• dmaengine: dw: Activate FIFO-mode for memory peripherals only (git-fixes).
• eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
• futex: Adjust absolute futex timeouts with per time namespace offset (bsc#1164648).
• futex: Consistently use fshared as boolean (bsc#1149032).
• futex: Fix incorrect should_fail_futex() handling (bsc#1149032).
• futex: Remove put_futex_key() (bsc#1149032).
• futex: Remove unused or redundant includes (bsc#1149032).
• gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
• gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
• HID: ite: Add USB id match for Acer One S1003 keyboard dock (git-fixes).
• ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
• ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
• icmp: randomize the global rate limiter (git-fixes).
• ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
• ipv4: Initialize flowi4_multipath_hash in data path (networking-stable-20_09_24).
• ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
• ipv4: Update exception handling for multipath routes via same device (networking-stable-20_09_24).
• ipv6: avoid lockdep issue in fib6_del() (networking-stable-20_09_24).
• ipv6: Fix sysctl max for fib_multipath_hash_policy (networking-stable-20_09_11).
• ipvlan: fix device features (networking-stable-20_08_24).
• kallsyms: Refactor kallsyms_show_value() to take cred (git-fixes).
• kbuild: enforce -Werror=return-type (bsc#1177281).
• KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (git-fixes).
• libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178177).
• mac80211: handle lack of sband->bitrates in rates (git-fixes).
• mailbox: avoid timer start from callback (git-fixes).
• media: ati_remote: sanity check for both endpoints (git-fixes).
• media: bdisp: Fix runtime PM imbalance on error (git-fixes).
• media: exynos4-is: Fix a reference count leak (git-fixes).
• media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
• media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
• media: firewire: fix memory leak (git-fixes).
• media: i2c: ov5640: Enable data pins on poweron for DVP mode (git-fixes).
• media: i2c: ov5640: Remain in power down for DVP mode unless streaming (git-fixes).
• media: i2c: ov5640: Separate out mipi configuration from s_power (git-fixes).
• media: media/pci: prevent memory leak in bttv_probe (git-fixes).
• media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
• media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
• media: rcar_drif: Allocate v4l2_async_subdev dynamically (git-fixes).
• media: rcar_drif: Fix fwnode reference leak when parsing DT (git-fixes).
• media: saa7134: avoid a shift overflow (git-fixes).
• media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
• media: sti: Fix reference count leaks (git-fixes).
• media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
• media: venus: core: Fix runtime PM imbalance in venus_probe (git-fixes).
• media: vsp1: Fix runtime PM imbalance on error (git-fixes).
• mic: vop: copy data to kernel space then write to io memory (git-fixes).
• misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
• misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
• mm: fix a race during THP splitting (bsc#1178255).
• mm: madvise: fix vma user-after-free (git-fixes).
• mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
• module: Correctly truncate sysfs sections output (git-fixes).
• module: Do not expose section addresses to non-CAP_SYSLOG (git-fixes).
• module: Refactor section attr into bin attribute (git-fixes).
• module: statically initialize init section freeing data (git-fixes).
• mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
• net/core: check length before updating Ethertype in skb_mpls_{push,pop} (git-fixes).
• net/mlx5: Fix FTE cleanup (networking-stable-20_09_24).
• net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported (networking-stable-20_09_24).
• net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported (networking-stable-20_09_24).
• net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow (networking-stable-20_08_24).
• net/smc: Prevent kernel-infoleak in __smc_diag_dump() (networking-stable-20_08_24).
• net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU (networking-stable-20_09_24).
• net: DCB: Validate DCB_ATTR_DCB_BUFFER argument (networking-stable-20_09_24).
• net: disable netpoll on fresh napis (networking-stable-20_09_11).
• net: dsa: b53: check for timeout (networking-stable-20_08_24).
• net: dsa: rtl8366: Properly clear member config (networking-stable-20_09_24).
• net: fec: correct the error path for regulator disable in probe (networking-stable-20_08_24).
• net: Fix bridge enslavement failure (networking-stable-20_09_24).
• net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
• net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
• net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
• net: lantiq: Disable IRQs only if NAPI gets scheduled (networking-stable-20_09_24).
• net: lantiq: Use napi_complete_done() (networking-stable-20_09_24).
• net: lantiq: use netif_tx_napi_add() for TX NAPI (networking-stable-20_09_24).
• net: lantiq: Wake TX queue again (networking-stable-20_09_24).
• net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
• net: phy: Do not warn in phy_stop() on PHY_DOWN (networking-stable-20_09_24).
• net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
• net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant (networking-stable-20_09_24).
• net: sctp: Fix negotiation of the number of data streams (networking-stable-20_08_24).
• net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
• net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
• net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
• net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
• netlabel: fix problems with mapping removal (networking-stable-20_09_11).
• nfp: use correct define to return NONE fec (networking-stable-20_09_24).
• PM: hibernate: remove the bogus call to get_gendisk() in software_resume() (git-fixes).
• r8169: fix issue with forced threading in combination with shared interrupts (git-fixes).
• rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886) The in-tree KMP that is built with SLE kernels have a different scriptlet that is embedded in kernel-binary.spec.in rather than *.sh files.
• rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
• rtl8xxxu: prevent potential memory leak (git-fixes).
• rtw88: increse the size of rx buffer size (git-fixes).
• s390/cio: add cond_resched() in the slow_eval_known_fn() loop (bsc#1177799 LTC#188733).
• s390/dasd: Fix zero write for FBA devices (bsc#1177801 LTC#188735).
• scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
• sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
• selftests/timers: Turn off timeout setting (git-fixes).
• spi: spi-s3c64xx: Check return values (git-fixes).
• spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath() (git-fixes).
• taprio: Fix allowing too small intervals (networking-stable-20_09_24).
• time: Prevent undefined behaviour in timespec64_to_ns() (bsc#1164648).
• tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
• tipc: Fix memory leak in tipc_group_create_member() (networking-stable-20_09_24).
• tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
• tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
• tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
• tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
• tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
• tty: ipwireless: fix error handling (git-fixes).
• tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
• usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
• usb: cdc-acm: handle broken union descriptors (git-fixes).
• usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
• usb: core: Solve race condition in anchor cleanup functions (git-fixes).
• usb: dwc3: simple: add support for Hikey 970 (git-fixes).
• usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
• usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
• usb: ohci: Default to per-port over-current protection (git-fixes).
• x86/alternative: Do not call text_poke() in lazy TLB mode (bsc#1175749).
• xen/gntdev.c: Mark pages as dirty (bsc#1065600).
• xfs: fix high key handling in the rt allocator's query_range function (git-fixes).
• xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files (git-fixes).
• xfs: limit entries returned when counting fsmap records (git-fixes).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3273=1
• Development Tools Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-3273=1
• Legacy Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2020-3273=1
• SUSE Linux Enterprise Live Patching 15-SP2
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2020-3273=1
  Please note that this is the initial kernel livepatch without fixes itself, this package is later updated by separate standalone kernel livepatch updates.
• SUSE Linux Enterprise High Availability Extension 15 SP2
  zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2020-3273=1
• SUSE Linux Enterprise Workstation Extension 15 SP2
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3273=1

Package List:

• Basesystem Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • kernel-default-debuginfo-5.3.18-24.37.1
  • kernel-default-base-5.3.18-24.37.1.9.13.1
  • kernel-default-devel-debuginfo-5.3.18-24.37.1
  • kernel-default-devel-5.3.18-24.37.1
  • kernel-default-debugsource-5.3.18-24.37.1
• Basesystem Module 15-SP2 (noarch)
  • kernel-devel-5.3.18-24.37.1
  • kernel-macros-5.3.18-24.37.1
• Basesystem Module 15-SP2 (aarch64 nosrc x86_64)
  • kernel-preempt-5.3.18-24.37.1
• Basesystem Module 15-SP2 (aarch64 ppc64le s390x x86_64 nosrc)
  • kernel-default-5.3.18-24.37.1
• Basesystem Module 15-SP2 (aarch64 x86_64)
  • kernel-preempt-debuginfo-5.3.18-24.37.1
  • kernel-preempt-debugsource-5.3.18-24.37.1
• Development Tools Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • kernel-obs-build-5.3.18-24.37.1
  • kernel-obs-build-debugsource-5.3.18-24.37.1
  • kernel-syms-5.3.18-24.37.1
• Development Tools Module 15-SP2 (noarch)
  • kernel-source-5.3.18-24.37.1
• Development Tools Module 15-SP2 (noarch nosrc)
  • kernel-docs-5.3.18-24.37.1
• Development Tools Module 15-SP2 (nosrc)
  • kernel-preempt-5.3.18-24.37.1
• Development Tools Module 15-SP2 (aarch64 x86_64)
  • kernel-preempt-debuginfo-5.3.18-24.37.1
  • kernel-preempt-debugsource-5.3.18-24.37.1
  • kernel-preempt-devel-debuginfo-5.3.18-24.37.1
  • kernel-preempt-devel-5.3.18-24.37.1
• Legacy Module 15-SP2 (nosrc)
  • kernel-default-5.3.18-24.37.1
• Legacy Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • kernel-default-debuginfo-5.3.18-24.37.1
  • reiserfs-kmp-default-5.3.18-24.37.1
  • kernel-default-debugsource-5.3.18-24.37.1
  • reiserfs-kmp-default-debuginfo-5.3.18-24.37.1
• SUSE Linux Enterprise Live Patching 15-SP2 (ppc64le s390x x86_64)
  • kernel-livepatch-5_3_18-24_37-default-debuginfo-1-5.3.1
  • kernel-default-livepatch-devel-5.3.18-24.37.1
  • kernel-default-debuginfo-5.3.18-24.37.1
  • kernel-livepatch-SLE15-SP2_Update_7-debugsource-1-5.3.1
  • kernel-default-livepatch-5.3.18-24.37.1
  • kernel-livepatch-5_3_18-24_37-default-1-5.3.1
  • kernel-default-debugsource-5.3.18-24.37.1
• SUSE Linux Enterprise Live Patching 15-SP2 (nosrc)
  • kernel-default-5.3.18-24.37.1
• SUSE Linux Enterprise High Availability Extension 15 SP2 (aarch64 ppc64le s390x x86_64)
  • dlm-kmp-default-5.3.18-24.37.1
  • kernel-default-debuginfo-5.3.18-24.37.1
  • cluster-md-kmp-default-5.3.18-24.37.1
  • ocfs2-kmp-default-5.3.18-24.37.1
  • gfs2-kmp-default-debuginfo-5.3.18-24.37.1
  • gfs2-kmp-default-5.3.18-24.37.1
  • ocfs2-kmp-default-debuginfo-5.3.18-24.37.1
  • cluster-md-kmp-default-debuginfo-5.3.18-24.37.1
  • kernel-default-debugsource-5.3.18-24.37.1
  • dlm-kmp-default-debuginfo-5.3.18-24.37.1
• SUSE Linux Enterprise High Availability Extension 15 SP2 (nosrc)
  • kernel-default-5.3.18-24.37.1
• SUSE Linux Enterprise Workstation Extension 15 SP2 (x86_64)
  • kernel-default-extra-5.3.18-24.37.1
  • kernel-default-debugsource-5.3.18-24.37.1
  • kernel-default-debuginfo-5.3.18-24.37.1
  • kernel-default-extra-debuginfo-5.3.18-24.37.1
• SUSE Linux Enterprise Workstation Extension 15 SP2 (nosrc)
  • kernel-default-5.3.18-24.37.1

References:

• https://www.suse.com/security/cve/CVE-2020-25656.html
• https://www.suse.com/security/cve/CVE-2020-25705.html
• https://www.suse.com/security/cve/CVE-2020-8694.html
• https://bugzilla.suse.com/show_bug.cgi?id=1065600
• https://bugzilla.suse.com/show_bug.cgi?id=1066382
• https://bugzilla.suse.com/show_bug.cgi?id=1149032
• https://bugzilla.suse.com/show_bug.cgi?id=1163592
• https://bugzilla.suse.com/show_bug.cgi?id=1164648
• https://bugzilla.suse.com/show_bug.cgi?id=1170415
• https://bugzilla.suse.com/show_bug.cgi?id=1175721
• https://bugzilla.suse.com/show_bug.cgi?id=1175749
• https://bugzilla.suse.com/show_bug.cgi?id=1176354
• https://bugzilla.suse.com/show_bug.cgi?id=1177281
• https://bugzilla.suse.com/show_bug.cgi?id=1177766
• https://bugzilla.suse.com/show_bug.cgi?id=1177799
• https://bugzilla.suse.com/show_bug.cgi?id=1177801
• https://bugzilla.suse.com/show_bug.cgi?id=1178166
• https://bugzilla.suse.com/show_bug.cgi?id=1178173
• https://bugzilla.suse.com/show_bug.cgi?id=1178175
• https://bugzilla.suse.com/show_bug.cgi?id=1178176
• https://bugzilla.suse.com/show_bug.cgi?id=1178177
• https://bugzilla.suse.com/show_bug.cgi?id=1178183
• https://bugzilla.suse.com/show_bug.cgi?id=1178184
• https://bugzilla.suse.com/show_bug.cgi?id=1178185
• https://bugzilla.suse.com/show_bug.cgi?id=1178186
• https://bugzilla.suse.com/show_bug.cgi?id=1178190
• https://bugzilla.suse.com/show_bug.cgi?id=1178191
• https://bugzilla.suse.com/show_bug.cgi?id=1178255
• https://bugzilla.suse.com/show_bug.cgi?id=1178307
• https://bugzilla.suse.com/show_bug.cgi?id=1178330
• https://bugzilla.suse.com/show_bug.cgi?id=1178395