SUSE-SU-2019:1852-1: important: Security update for the Linux Kernel

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon Jul 15 14:05:46 MDT 2019


   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:1852-1
Rating:             important
References:         #1053043 #1066223 #1094555 #1108382 #1109137 
                    #1111188 #1119086 #1120902 #1121263 #1125580 
                    #1126961 #1127155 #1129770 #1131335 #1131336 
                    #1131645 #1132390 #1133140 #1133190 #1133191 
                    #1133738 #1134395 #1135642 #1136598 #1136889 
                    #1136922 #1136935 #1137004 #1137194 #1137739 
                    #1137749 #1137752 #1137915 #1138291 #1138293 
                    #1138374 #1138681 #1139751 #1140575 #1140577 
                    
Cross-References:   CVE-2018-20836 CVE-2019-10126 CVE-2019-10638
                    CVE-2019-10639 CVE-2019-11487 CVE-2019-11599
                    CVE-2019-12380 CVE-2019-12456 CVE-2019-12614
                    CVE-2019-12818 CVE-2019-12819
Affected Products:
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise High Availability 12-SP3
                    SUSE Enterprise Storage 5
                    SUSE CaaS Platform 3.0
______________________________________________________________________________

   An update that solves 11 vulnerabilities and has 29 fixes
   is now available.

Description:


   The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2019-10638: In the Linux kernel, a device could be tracked by an
     attacker using the IP ID values the kernel produces for connection-less
     protocols (e.g., UDP and ICMP). When such traffic was sent to multiple
     destination IP addresses, it was possible to obtain hash collisions (of
     indices to the counter array) and thereby obtain the hashing key (via
     enumeration). An attack may have been conducted by hosting a crafted web
     page that uses WebRTC or gQUIC to force UDP traffic to
     attacker-controlled IP addresses (bnc#1140575 1140577).
   - CVE-2019-10639: The Linux kernel allowed Information Exposure (partial
     kernel address disclosure), that lead to a KASLR bypass. Specifically,
     it was possible to extract the KASLR kernel image offset using the IP ID
     values the kernel produces for connection-less protocols (e.g., UDP and
     ICMP). When such traffic is sent to multiple destination IP addresses,
     it was possible to obtain hash collisions (of indices to the counter
     array) and thereby obtain the hashing key (via enumeration). This key
     contains enough bits from a kernel address (of a static variable) so
     when the key is extracted (via enumeration), the offset of the kernel
     image is exposed. This attack could be carried out remotely, by the
     attacker forcing the target device to send UDP or ICMP (or certain
     other) traffic to attacker-controlled IP addresses. Forcing a server to
     send UDP traffic is trivial if the server is a DNS server. ICMP traffic
     is trivial if the server answers ICMP Echo requests (ping). For client
     targets, if the target visited the attacker's web page, then WebRTC or
     gQUIC could be used to force UDP traffic to attacker-controlled IP
     addresses. NOTE: this attack against KASLR became viable because IP ID
     generation was changed to have a dependency on an address associated
     with a network namespace (bnc#1140577).
   - CVE-2019-10126: A flaw was found in the Linux kernel. A heap based
     buffer overflow in mwifiex_uap_parse_tail_ies function in
     drivers/net/wireless/marvell/mwifiex/ie.c might have lead to memory
     corruption and possibly other consequences (bnc#1136935).
   - CVE-2018-20836: An issue was discovered in the Linux kernel There was a
     race condition in smp_task_timedout() and smp_task_done() in
     drivers/scsi/libsas/sas_expander.c, leading to a use-after-free
     (bnc#1134395).
   - CVE-2019-11599: The coredump implementation in the Linux kernel did not
     use locking or other mechanisms to prevent vma layout or vma flags
     changes while it ran, which allowed local users to obtain sensitive
     information, cause a denial of service, or possibly have unspecified
     other impact by triggering a race condition with mmget_not_zero or
     get_task_mm call. This is related to fs/userfaultfd.c, mm/mmap.c,
     fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c
     (bnc#1131645 1133738).
   - CVE-2019-12614: An issue was discovered in dlpar_parse_cc_property in
     arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel There was an
     unchecked kstrdup of prop-name, which might have allowed an attacker to
     cause a denial of service (NULL pointer dereference and system crash)
     (bnc#1137194).
   - CVE-2019-12819: An issue was discovered in the Linux kernel The function
     __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(),
     which would trigger a fixed_mdio_bus_init use-after-free. This would
     cause a denial of service (bnc#1138291).
   - CVE-2019-12818: An issue was discovered in the Linux kernel The
     nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL.
     If the caller did not check for this, it would trigger a NULL pointer
     dereference. This would cause a denial of service. This affected
     nfc_llcp_build_gb in net/nfc/llcp_core.c (bnc#1138293).
   - CVE-2019-12456: A double-fetch bug in _ctl_ioctl_main() could lead to a
     local denial of service attack (bsc#1136922 CVE-2019-12456).
   - CVE-2019-12380: An issue was discovered in the efi subsystem in the
     Linux kernel phys_efi_set_virtual_address_map in
     arch/x86/platform/efi/efi.c and efi_call_phys_prolog in
     arch/x86/platform/efi/efi_64.c mishandle memory allocation failures.
     NOTE: This id is disputed as not being an issue because ;All the code
     touched by the referenced commit runs only at boot, before any user
     processes are started. Therefore, there is no possibility for an
     unprivileged user to control it (bnc#1136598).
   - CVE-2019-11487: The Linux kernel before allowed page-_refcount reference
     count overflow, with resultant use-after-free issues, if about 140 GiB
     of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,
     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c,
     mm/gup.c, and mm/hugetlb.c. It could occur with FUSE requests
     (bnc#1133190 1133191).

   The following non-security bugs were fixed:

   - Drop multiversion(kernel) from the KMP template (bsc#1127155).
   - Fix ixgbe backport (bsc#1133140)
   - Revert "KMPs: obsolete older KMPs of the same flavour (bsc#1127155,
     bsc#1109137)." This reverts commit
     4cc83da426b53d47f1fde9328112364eab1e9a19.
   - Update "TCP SACK Panic" series
   - ACPI / CPPC: Check for valid PCC subspace only if PCC is used
     (bsc#1126961).
   - ACPI / CPPC: Fix KASAN global out of bounds warning (bsc#1126961).
   - ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs
     (bsc#1126961).
   - ACPI / CPPC: Update all pr_(debug/err) messages to log the susbspace id
     (bsc#1126961).
   - ACPI / CPPC: Use 64-bit arithmetic instead of 32-bit (bsc#1126961).
   - ACPI / CPPC: fix build issue with ktime_t used in logical operation
     (bsc#1126961).
   - ACPI: CPPC: remove initial assignment of pcc_ss_data (bsc#1126961).
   - at76c50x-usb: Do not register led_trigger if usb_register_driver failed
     (bsc#1135642).
   - ath6kl: Only use match sets when firmware supports it (bsc#1120902).
   - btrfs: check for refs on snapshot delete resume (bsc#1131335,
     bsc#1137004).
   - btrfs: run delayed items before dropping the snapshot (bsc#1121263,
     bsc#1111188, bsc#1137004).
   - btrfs: save drop_progress if we drop refs at all (bsc#1131336,
     bsc#1137004).
   - ceph: fix potential use-after-free in ceph_mdsc_build_path (bsc#1138681).
   - ceph: flush dirty inodes before proceeding with remount (bsc#1138681).
   - ceph: print inode number in __caps_issued_mask debugging messages
     (bsc#1138681).
   - cpu/hotplug: Provide cpus_read|write_[un]lock() (bsc#1138374,
     LTC#178199).
   - cpu/hotplug: Provide lockdep_assert_cpus_held() (bsc#1138374,
     LTC#178199).
   - cpufreq / CPPC: Add cpuinfo_cur_freq support for CPPC (bsc#1126961).
   - cpufreq: CPPC: fix build in absence of v3 support (bsc#1126961).
   - cpufreq: Replace "max_transition_latency" with "dynamic_switching"
     (bsc#1126961).
   - cpufreq: cn99xx: set platform specific sampling rate (bsc#1126961).
   - ibmvnic: Add device identification to requested IRQs (bsc#1137739).
   - ibmvnic: Do not close unopened driver during reset (bsc#1137752).
   - ibmvnic: Fix unchecked return codes of memory allocations (bsc#1137752).
   - ibmvnic: Refresh device multicast list after reset (bsc#1137752).
   - ibmvnic: remove set but not used variable 'netdev' (bsc#1137739).
   - iwiwifi: fix bad monitor buffer register addresses (bsc#1129770).
   - kabi: cpufreq: rename dynamic_switching to max_transition_latency
     (bsc#1126961).
   - kernel/sys.c: prctl: fix false positive in validate_prctl_map()
     (bsc#1137749).
   - libertas_tf: prevent underflow in process_cmdrequest() (bsc#1119086).
   - mailbox: PCC: Move the MAX_PCC_SUBSPACES definition to header file
     (bsc#1126961).
   - mailbox: pcc: Drop uninformative output during boot (bsc#1126961).
   - mailbox: pcc: Fix crash when request PCC channel 0 (bsc#1126961).
   - mwl8k: Fix rate_idx underflow (bsc#1135642).
   - net/ibmvnic: Remove tests of member address (bsc#1137739).
   - net: Remove NO_IRQ from powerpc-only network drivers (bsc#1137739).
   - nvmet-fc: bring Disconnect into compliance with FC-NVME spec
     (bsc#1136889).
   - nvmet-fc: fix issues with targetport assoc_list list walking
     (bsc#1136889).
   - nvmet: fix fatal_err_work deadlock (bsc#1136889).
   - nvmet_fc: support target port removal with nvmet layer (bsc#1136889).
   - powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild
     (bsc#1138374, LTC#178199).
   - powerpc/eeh: Fix race with driver un/bind (bsc#1066223).
   - powerpc/perf: Add blacklisted events for Power9 DD2.1 (bsc#1053043).
   - powerpc/perf: Add blacklisted events for Power9 DD2.2 (bsc#1053043).
   - powerpc/perf: Fix MMCRA corruption by bhrb_filter (bsc#1053043).
   - powerpc/perf: Infrastructure to support addition of blacklisted events
     (bsc#1053043).
   - powerpc/process: Fix sparse address space warnings (bsc#1066223).
   - powerpc/pseries/mobility: prevent cpu hotplug during DT update
     (bsc#1138374, LTC#178199).
   - powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration
     (bsc#1138374, LTC#178199).
   - rtlwifi: fix false rates in _rtl8821ae_mrate_idx_to_arfr_id()
     (bsc#1120902).
   - scsi: core: add new RDAC LENOVO/DE_Series device (bsc#1132390).
   - scsi: qla2xxx: Fix FC-AL connection target discovery (bsc#1094555).
   - scsi: qla2xxx: Fix N2N target discovery with Local loop (bsc#1094555).
   - signals: avoid random wakeups in sigsuspend() (bsc#1137915)
   - treewide: Use DEVICE_ATTR_WO (bsc#1137739).
   - x86/entry/64/compat: Fix stack switching for XEN PV (bsc#1108382).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2019-1852=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-1852=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-1852=1

   - SUSE Linux Enterprise High Availability 12-SP3:

      zypper in -t patch SUSE-SLE-HA-12-SP3-2019-1852=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2019-1852=1

   - SUSE CaaS Platform 3.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.



Package List:

   - SUSE OpenStack Cloud 8 (x86_64):

      kernel-default-4.4.180-94.100.1
      kernel-default-base-4.4.180-94.100.1
      kernel-default-base-debuginfo-4.4.180-94.100.1
      kernel-default-debuginfo-4.4.180-94.100.1
      kernel-default-debugsource-4.4.180-94.100.1
      kernel-default-devel-4.4.180-94.100.1
      kernel-syms-4.4.180-94.100.1
      kgraft-patch-4_4_180-94_100-default-1-4.3.1
      kgraft-patch-4_4_180-94_100-default-debuginfo-1-4.3.1

   - SUSE OpenStack Cloud 8 (noarch):

      kernel-devel-4.4.180-94.100.1
      kernel-macros-4.4.180-94.100.1
      kernel-source-4.4.180-94.100.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      kernel-default-4.4.180-94.100.1
      kernel-default-base-4.4.180-94.100.1
      kernel-default-base-debuginfo-4.4.180-94.100.1
      kernel-default-debuginfo-4.4.180-94.100.1
      kernel-default-debugsource-4.4.180-94.100.1
      kernel-default-devel-4.4.180-94.100.1
      kernel-syms-4.4.180-94.100.1
      kgraft-patch-4_4_180-94_100-default-1-4.3.1
      kgraft-patch-4_4_180-94_100-default-debuginfo-1-4.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      kernel-devel-4.4.180-94.100.1
      kernel-macros-4.4.180-94.100.1
      kernel-source-4.4.180-94.100.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le s390x x86_64):

      kernel-default-4.4.180-94.100.1
      kernel-default-base-4.4.180-94.100.1
      kernel-default-base-debuginfo-4.4.180-94.100.1
      kernel-default-debuginfo-4.4.180-94.100.1
      kernel-default-debugsource-4.4.180-94.100.1
      kernel-default-devel-4.4.180-94.100.1
      kernel-syms-4.4.180-94.100.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_180-94_100-default-1-4.3.1
      kgraft-patch-4_4_180-94_100-default-debuginfo-1-4.3.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      kernel-devel-4.4.180-94.100.1
      kernel-macros-4.4.180-94.100.1
      kernel-source-4.4.180-94.100.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x):

      kernel-default-man-4.4.180-94.100.1

   - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.4.180-94.100.1
      cluster-md-kmp-default-debuginfo-4.4.180-94.100.1
      dlm-kmp-default-4.4.180-94.100.1
      dlm-kmp-default-debuginfo-4.4.180-94.100.1
      gfs2-kmp-default-4.4.180-94.100.1
      gfs2-kmp-default-debuginfo-4.4.180-94.100.1
      kernel-default-debuginfo-4.4.180-94.100.1
      kernel-default-debugsource-4.4.180-94.100.1
      ocfs2-kmp-default-4.4.180-94.100.1
      ocfs2-kmp-default-debuginfo-4.4.180-94.100.1

   - SUSE Enterprise Storage 5 (noarch):

      kernel-devel-4.4.180-94.100.1
      kernel-macros-4.4.180-94.100.1
      kernel-source-4.4.180-94.100.1

   - SUSE Enterprise Storage 5 (x86_64):

      kernel-default-4.4.180-94.100.1
      kernel-default-base-4.4.180-94.100.1
      kernel-default-base-debuginfo-4.4.180-94.100.1
      kernel-default-debuginfo-4.4.180-94.100.1
      kernel-default-debugsource-4.4.180-94.100.1
      kernel-default-devel-4.4.180-94.100.1
      kernel-syms-4.4.180-94.100.1
      kgraft-patch-4_4_180-94_100-default-1-4.3.1
      kgraft-patch-4_4_180-94_100-default-debuginfo-1-4.3.1

   - SUSE CaaS Platform 3.0 (x86_64):

      kernel-default-4.4.180-94.100.1
      kernel-default-debuginfo-4.4.180-94.100.1
      kernel-default-debugsource-4.4.180-94.100.1


References:

   https://www.suse.com/security/cve/CVE-2018-20836.html
   https://www.suse.com/security/cve/CVE-2019-10126.html
   https://www.suse.com/security/cve/CVE-2019-10638.html
   https://www.suse.com/security/cve/CVE-2019-10639.html
   https://www.suse.com/security/cve/CVE-2019-11487.html
   https://www.suse.com/security/cve/CVE-2019-11599.html
   https://www.suse.com/security/cve/CVE-2019-12380.html
   https://www.suse.com/security/cve/CVE-2019-12456.html
   https://www.suse.com/security/cve/CVE-2019-12614.html
   https://www.suse.com/security/cve/CVE-2019-12818.html
   https://www.suse.com/security/cve/CVE-2019-12819.html
   https://bugzilla.suse.com/1053043
   https://bugzilla.suse.com/1066223
   https://bugzilla.suse.com/1094555
   https://bugzilla.suse.com/1108382
   https://bugzilla.suse.com/1109137
   https://bugzilla.suse.com/1111188
   https://bugzilla.suse.com/1119086
   https://bugzilla.suse.com/1120902
   https://bugzilla.suse.com/1121263
   https://bugzilla.suse.com/1125580
   https://bugzilla.suse.com/1126961
   https://bugzilla.suse.com/1127155
   https://bugzilla.suse.com/1129770
   https://bugzilla.suse.com/1131335
   https://bugzilla.suse.com/1131336
   https://bugzilla.suse.com/1131645
   https://bugzilla.suse.com/1132390
   https://bugzilla.suse.com/1133140
   https://bugzilla.suse.com/1133190
   https://bugzilla.suse.com/1133191
   https://bugzilla.suse.com/1133738
   https://bugzilla.suse.com/1134395
   https://bugzilla.suse.com/1135642
   https://bugzilla.suse.com/1136598
   https://bugzilla.suse.com/1136889
   https://bugzilla.suse.com/1136922
   https://bugzilla.suse.com/1136935
   https://bugzilla.suse.com/1137004
   https://bugzilla.suse.com/1137194
   https://bugzilla.suse.com/1137739
   https://bugzilla.suse.com/1137749
   https://bugzilla.suse.com/1137752
   https://bugzilla.suse.com/1137915
   https://bugzilla.suse.com/1138291
   https://bugzilla.suse.com/1138293
   https://bugzilla.suse.com/1138374
   https://bugzilla.suse.com/1138681
   https://bugzilla.suse.com/1139751
   https://bugzilla.suse.com/1140575
   https://bugzilla.suse.com/1140577



More information about the sle-security-updates mailing list