SUSE-SU-2018:1309-1: important: Security update for the Linux Kernel

sle-security-updates at lists.suse.com
Wed May 16 13:10:55 MDT 2018


   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1309-1
Rating:             important
References:         #1010470 #1013018 #1032084 #1039348 #1050431 
                    #1052943 #1062568 #1062840 #1063416 #1063516 
                    #1065600 #1065999 #1067118 #1067912 #1068032 
                    #1072689 #1072865 #1075088 #1075091 #1075994 
                    #1078669 #1078672 #1078673 #1078674 #1080464 
                    #1080757 #1080813 #1081358 #1082091 #1082424 
                    #1083242 #1083275 #1083483 #1083494 #1084536 
                    #1085113 #1085279 #1085331 #1085513 #1086162 
                    #1087092 #1087209 #1087260 #1087762 #1088147 
                    #1088260 #1089608 #1089665 #1089668 #1089752 
                    #909077 #940776 #943786 #951638 
Cross-References:   CVE-2015-5156 CVE-2016-7915 CVE-2017-0861
                    CVE-2017-12190 CVE-2017-13166 CVE-2017-16644
                    CVE-2017-16911 CVE-2017-16912 CVE-2017-16913
                    CVE-2017-16914 CVE-2017-18203 CVE-2017-18208
                    CVE-2018-10087 CVE-2018-10124 CVE-2018-6927
                    CVE-2018-7566 CVE-2018-7757 CVE-2018-8822
                   
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 18 vulnerabilities and has 36 fixes
   is now available.

Description:


   The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various
   security and bug fixes.

   The following security bugs were fixed:

   - CVE-2018-10124: The kill_something_info function in kernel/signal.c
     might have allowed local users to cause a denial of service via an
     INT_MIN argument (bnc#1089752).
   - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have
     allowed local users to cause a denial of service by triggering an
     attempted use of the -INT_MIN value (bnc#1089608).
   - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in
     drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial
     of service (memory consumption) via many read accesses to files in the
     /sys/class/sas_phy directory, as demonstrated by the
     /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).
   - CVE-2018-7566: Buffer overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL
     ioctl write operation to /dev/snd/seq by a local user potentially
     allowing for code execution (bnc#1083483).
   - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function
     in the ALSA subsystem allowed attackers to gain privileges via
     unspecified vectors (bnc#1088260 1088268).
   - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel
     function could have been exploited by malicious NCPFS servers to crash
     the kernel or execute code (bnc#1086162).
   - CVE-2017-13166: Prevent elevation of privilege vulnerability in the
     video driver (bnc#1072865).
   - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c
     allowed local users to cause a denial of service (BUG) by leveraging a
     race condition with __dm_destroy during creation and removal of DM
     devices (bnc#1083242).
   - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose
     kernel memory addresses. Successful exploitation requires that a USB
     device is attached over IP (bnc#1078674).
   - CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed
     local users to cause a denial of service (infinite loop) by triggering
     use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
   - CVE-2017-16644: The hdpvr_probe function in
     drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a
     denial of service (improper error handling and system crash) or possibly
     have unspecified other impact via a crafted USB device (bnc#1067118).
   - CVE-2018-6927: The futex_requeue function in kernel/futex.c allowed
     attackers to cause a denial of service (integer overflow) or possibly
     have unspecified other impact by triggering a negative wake or requeue
     value (bnc#1080757).
   - CVE-2017-16914: The "stub_send_ret_submit()" function
     (drivers/usb/usbip/stub_tx.c) allowed attackers to cause a denial of
     service (NULL pointer dereference) via a specially crafted USB over IP
     packet (bnc#1078669).
   - CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c
     allowed physically proximate attackers to obtain sensitive information
     from kernel memory or cause a denial of service (out-of-bounds read) by
     connecting a device, as demonstrated by a Logitech DJ receiver
     (bnc#1010470).
   - CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c
     attempted to support a FRAGLIST feature without proper memory
     allocation, which allowed guest OS users to cause a denial of service
     (buffer overflow and memory corruption) via a crafted sequence of
     fragmented packets (bnc#940776).
   - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in
     block/bio.c did unbalanced refcounting when a SCSI I/O vector had small
     consecutive buffers belonging to the same page. The bio_add_pc_page
     function merged them into one, but the page reference was never dropped.
     This caused a memory leak and possible system lockup (exploitable
     against the host OS by a guest OS user, if a SCSI disk is passed through
     to a virtual machine) due to an out-of-memory condition (bnc#1062568).
   - CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c)
     allowed attackers to cause a denial of service (out-of-bounds read) via
     a specially crafted USB over IP packet (bnc#1078673).
   - CVE-2017-16913: The "stub_recv_cmd_submit()" function
     (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed
     attackers to cause a denial of service (arbitrary memory allocation) via
     a specially crafted USB over IP packet (bnc#1078672).
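
   The INT_MIN problem named in CVE-2018-10124 and CVE-2018-10087 above, as
   an added user-space example that is not SUSE's or the kernel's code: a
   negative pid selects process group -pid, and INT_MIN cannot be negated in
   an int. The function and type names are hypothetical, and the -ESRCH
   result for INT_MIN is an assumption of this sketch.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical names: a user-space model of how a kill(2)-style pid
 * argument selects its target. This is not the kernel's code. */
enum target_kind { TARGET_PROCESS, TARGET_OWN_GROUP, TARGET_ALL, TARGET_GROUP };

struct target {
    enum target_kind kind;
    int id; /* pid or process-group id; 0 when not applicable */
};

/* Returns 0 and fills *out, or a negative errno value. */
int resolve_target(int pid, struct target *out)
{
    if (pid > 0) {
        out->kind = TARGET_PROCESS;
        out->id = pid;
        return 0;
    }
    if (pid == 0 || pid == -1) {
        out->kind = (pid == 0) ? TARGET_OWN_GROUP : TARGET_ALL;
        out->id = 0;
        return 0;
    }
    /* pid < -1 names process group -pid. INT_MIN has no positive
     * counterpart in int, so negating it is signed overflow (undefined
     * behaviour). Reject it before the negation; the -ESRCH result is
     * this sketch's assumption. */
    if (pid == INT_MIN)
        return -ESRCH;
    out->kind = TARGET_GROUP;
    out->id = -pid;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    int samples[] = { 1234, 0, -1, -5, INT_MIN + 1, INT_MIN };
    struct target t;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = resolve_target(samples[i], &t);
        if (rc == 0)
            printf("pid=%d -> kind=%d id=%d\n", samples[i], (int)t.kind, t.id);
        else
            printf("pid=%d -> rejected (%d)\n", samples[i], rc);
    }
    return 0;
}
```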

   The following non-security bugs were fixed:

   - Integrate fixes resulting from bsc#1088147. More info in the respective
     commit messages.
   - KABI: x86/kaiser: properly align trampoline stack.
   - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
   - KEYS: prevent creating a different user's keyrings (bnc#1065999).
   - NFSv4: fix getacl head length estimation (git-fixes).
   - PCI: Use function 0 VPD for identical functions, regular VPD for others
     (bnc#943786 git-fixes).
   - Revert "USB: cdc-acm: fix broken runtime suspend" (bsc#1067912)
   - Subject: af_iucv: enable control sends in case of SEND_SHUTDOWN
     (bnc#1085513, LTC#165135).
   - blacklist.conf: blacklisted 7edaeb6841df ("kernel/watchdog: Prevent
     false positives with turbo modes") (bnc#1063516)
   - blacklist.conf: blacklisted 9fbc1f635fd0bd28cb32550211bf095753ac637a
     (bnc#1089665)
   - blacklist.conf: blacklisted ba4877b9ca51f80b5d30f304a46762f0509e1635
     (bnc#1089668)
   - cifs: fix buffer overflow in cifs_build_path_to_root() (bsc#1085113).
   - drm/mgag200: fix a test in mga_vga_mode_valid() (bsc#1087092).
   - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
     (bnc#1013018).
   - hrtimer: Reset hrtimer cpu base proper on CPU hotplug (bnc#1013018).
   - ide-cd: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
   - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
   - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
   - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
   - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
     (git-fixes).
   - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
   - media: cpia2: Fix a couple off by one bugs (bsc#1050431).
   - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
     (bnc#1039348).
   - pipe: actually allow root to exceed the pipe buffer limits (git-fixes).
   - posix-timers: Protect posix clock array access against speculation
     (bnc#1081358).
   - powerpc/fadump: Add a warning when 'fadump_reserve_mem=' is used
     (bnc#1032084).
   - powerpc/fadump: reuse crashkernel parameter for fadump memory
     reservation (bnc#1032084).
   - powerpc/fadump: update documentation about crashkernel parameter reuse
     (bnc#1032084).
   - powerpc/fadump: use 'fadump_reserve_mem=' when specified (bnc#1032084).
   - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032,
     bsc#1075088).
   - qeth: repair SBAL elements calculation (bnc#1085513, LTC#165484).
   - s390/qeth: fix underestimated count of buffer elements (bnc#1082091,
     LTC#164529).
   - scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
   - usbnet: Fix a race between usbnet_stop() and the BH (bsc#1083275).
   - x86-64: Move the "user" vsyscall segment out of the data segment
     (bsc#1082424).
   - x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).
   - x86/kaiser: properly align trampoline stack (bsc#1087260).
   - x86/retpoline: do not perform thunk calls in ring3 vsyscall code
     (bsc#1085331).
   - xen/x86/CPU: Check speculation control CPUID bit (bsc#1068032).
   - xen/x86/CPU: Sync CPU feature flags late (bsc#1075994 bsc#1075091).
   - xen/x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and
     sync_regs (bsc#909077).
   - xen/x86/cpu: Factor out application of forced CPU caps (bsc#1075994
     bsc#1075091).
   - xen/x86/cpu: Fix bootup crashes by sanitizing the argument of the
     'clearcpuid=' command-line option (bsc#1065600).
   - xen/x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
   - xen/x86/idle: Toggle IBRS when going idle (bsc#1068032).
   - xen/x86/kaiser: Move feature detection up (bsc#1068032).
   - xfs: check for buffer errors before waiting (bsc#1052943).
   - xfs: fix allocbt cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).
   - xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near
     (bsc#1087762).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 11-SP4:

      zypper in -t patch slertesp4-kernel-13604=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-kernel-13604=1



Package List:

   - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

      kernel-rt-3.0.101.rt130-69.24.1
      kernel-rt-base-3.0.101.rt130-69.24.1
      kernel-rt-devel-3.0.101.rt130-69.24.1
      kernel-rt_trace-3.0.101.rt130-69.24.1
      kernel-rt_trace-base-3.0.101.rt130-69.24.1
      kernel-rt_trace-devel-3.0.101.rt130-69.24.1
      kernel-source-rt-3.0.101.rt130-69.24.1
      kernel-syms-rt-3.0.101.rt130-69.24.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

      kernel-rt-debuginfo-3.0.101.rt130-69.24.1
      kernel-rt-debugsource-3.0.101.rt130-69.24.1
      kernel-rt_debug-debuginfo-3.0.101.rt130-69.24.1
      kernel-rt_debug-debugsource-3.0.101.rt130-69.24.1
      kernel-rt_trace-debuginfo-3.0.101.rt130-69.24.1
      kernel-rt_trace-debugsource-3.0.101.rt130-69.24.1


References:

   https://www.suse.com/security/cve/CVE-2015-5156.html
   https://www.suse.com/security/cve/CVE-2016-7915.html
   https://www.suse.com/security/cve/CVE-2017-0861.html
   https://www.suse.com/security/cve/CVE-2017-12190.html
   https://www.suse.com/security/cve/CVE-2017-13166.html
   https://www.suse.com/security/cve/CVE-2017-16644.html
   https://www.suse.com/security/cve/CVE-2017-16911.html
   https://www.suse.com/security/cve/CVE-2017-16912.html
   https://www.suse.com/security/cve/CVE-2017-16913.html
   https://www.suse.com/security/cve/CVE-2017-16914.html
   https://www.suse.com/security/cve/CVE-2017-18203.html
   https://www.suse.com/security/cve/CVE-2017-18208.html
   https://www.suse.com/security/cve/CVE-2018-10087.html
   https://www.suse.com/security/cve/CVE-2018-10124.html
   https://www.suse.com/security/cve/CVE-2018-6927.html
   https://www.suse.com/security/cve/CVE-2018-7566.html
   https://www.suse.com/security/cve/CVE-2018-7757.html
   https://www.suse.com/security/cve/CVE-2018-8822.html
   https://bugzilla.suse.com/1010470
   https://bugzilla.suse.com/1013018
   https://bugzilla.suse.com/1032084
   https://bugzilla.suse.com/1039348
   https://bugzilla.suse.com/1050431
   https://bugzilla.suse.com/1052943
   https://bugzilla.suse.com/1062568
   https://bugzilla.suse.com/1062840
   https://bugzilla.suse.com/1063416
   https://bugzilla.suse.com/1063516
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1065999
   https://bugzilla.suse.com/1067118
   https://bugzilla.suse.com/1067912
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1072689
   https://bugzilla.suse.com/1072865
   https://bugzilla.suse.com/1075088
   https://bugzilla.suse.com/1075091
   https://bugzilla.suse.com/1075994
   https://bugzilla.suse.com/1078669
   https://bugzilla.suse.com/1078672
   https://bugzilla.suse.com/1078673
   https://bugzilla.suse.com/1078674
   https://bugzilla.suse.com/1080464
   https://bugzilla.suse.com/1080757
   https://bugzilla.suse.com/1080813
   https://bugzilla.suse.com/1081358
   https://bugzilla.suse.com/1082091
   https://bugzilla.suse.com/1082424
   https://bugzilla.suse.com/1083242
   https://bugzilla.suse.com/1083275
   https://bugzilla.suse.com/1083483
   https://bugzilla.suse.com/1083494
   https://bugzilla.suse.com/1084536
   https://bugzilla.suse.com/1085113
   https://bugzilla.suse.com/1085279
   https://bugzilla.suse.com/1085331
   https://bugzilla.suse.com/1085513
   https://bugzilla.suse.com/1086162
   https://bugzilla.suse.com/1087092
   https://bugzilla.suse.com/1087209
   https://bugzilla.suse.com/1087260
   https://bugzilla.suse.com/1087762
   https://bugzilla.suse.com/1088147
   https://bugzilla.suse.com/1088260
   https://bugzilla.suse.com/1089608
   https://bugzilla.suse.com/1089665
   https://bugzilla.suse.com/1089668
   https://bugzilla.suse.com/1089752
   https://bugzilla.suse.com/909077
   https://bugzilla.suse.com/940776
   https://bugzilla.suse.com/943786
   https://bugzilla.suse.com/951638
