SUSE-SU-2018:1309-1: important: Security update for the Linux Kernel

Wed May 16 13:10:55 MDT 2018

   SUSE Security Update: Security update for the Linux Kernel

Announcement ID:    SUSE-SU-2018:1309-1
Rating:             important
References:         #1010470 #1013018 #1032084 #1039348 #1050431 
                    #1052943 #1062568 #1062840 #1063416 #1063516 
                    #1065600 #1065999 #1067118 #1067912 #1068032 
                    #1072689 #1072865 #1075088 #1075091 #1075994 
                    #1078669 #1078672 #1078673 #1078674 #1080464 
                    #1080757 #1080813 #1081358 #1082091 #1082424 
                    #1083242 #1083275 #1083483 #1083494 #1084536 
                    #1085113 #1085279 #1085331 #1085513 #1086162 
                    #1087092 #1087209 #1087260 #1087762 #1088147 
                    #1088260 #1089608 #1089665 #1089668 #1089752 
                    #909077 #940776 #943786 #951638 
Cross-References:   CVE-2015-5156 CVE-2016-7915 CVE-2017-0861
                    CVE-2017-12190 CVE-2017-13166 CVE-2017-16644
                    CVE-2017-16911 CVE-2017-16912 CVE-2017-16913
                    CVE-2017-16914 CVE-2017-18203 CVE-2017-18208
                    CVE-2018-10087 CVE-2018-10124 CVE-2018-6927
                    CVE-2018-7566 CVE-2018-7757 CVE-2018-8822
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4

   An update that solves 18 vulnerabilities and has 36 fixes
   is now available.


   The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various
   security and bug fixes.

   The following security bugs were fixed:

   - CVE-2018-10124: The kill_something_info function in kernel/signal.c
     might have allowed local users to cause a denial of service via an
     INT_MIN argument (bnc#1089752).
   - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have
     allowed local users to cause a denial of service by triggering an
     attempted use of the -INT_MIN value (bnc#1089608).
   - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in
     drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial
     of service (memory consumption) via many read accesses to files in the
     /sys/class/sas_phy directory, as demonstrated by the
     /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).
   - CVE-2018-7566: Buffer overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL
     ioctl write operation to /dev/snd/seq by a local user potentially
     allowing for code execution (bnc#1083483).
   - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function
     in the ALSA subsystem allowed attackers to gain privileges via
     unspecified vectors (bnc#1088260 1088268).
   - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel
     function could have been exploited by malicious NCPFS servers to crash
     the kernel or execute code (bnc#1086162).
   - CVE-2017-13166: An elevation-of-privilege vulnerability in the v4l2
     video driver was fixed (bnc#1072865).
   - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c
     allowed local users to cause a denial of service (BUG) by leveraging a
     race condition with __dm_destroy during creation and removal of DM
     devices (bnc#1083242).
   - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose
     kernel memory addresses. Successful exploitation requires that a USB
     device is attached over IP (bnc#1078674).
   - CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed
     local users to cause a denial of service (infinite loop) by triggering
     use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
   - CVE-2017-16644: The hdpvr_probe function in
     drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a
     denial of service (improper error handling and system crash) or possibly
     have unspecified other impact via a crafted USB device (bnc#1067118).
   - CVE-2018-6927: The futex_requeue function in kernel/futex.c allowed
     attackers to cause a denial of service (integer overflow) or possibly
     have unspecified other impact by triggering a negative wake or requeue
     value.
   - CVE-2017-16914: The "stub_send_ret_submit()" function
     (drivers/usb/usbip/stub_tx.c) allowed attackers to cause a denial of
     service (NULL pointer dereference) via a specially crafted USB over IP
     packet (bnc#1078669).
   - CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c
     allowed physically proximate attackers to obtain sensitive information
     from kernel memory or cause a denial of service (out-of-bounds read) by
     connecting a device, as demonstrated by a Logitech DJ receiver.
   - CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c
     attempted to support a FRAGLIST feature without proper memory
     allocation, which allowed guest OS users to cause a denial of service
     (buffer overflow and memory corruption) via a crafted sequence of
     fragmented packets (bnc#940776).
   - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in
     block/bio.c did unbalanced refcounting when a SCSI I/O vector had small
     consecutive buffers belonging to the same page. The bio_add_pc_page
     function merged them into one, but the page reference was never dropped.
     This caused a memory leak and possible system lockup (exploitable
     against the host OS by a guest OS user, if a SCSI disk is passed through
     to a virtual machine) due to an out-of-memory condition (bnc#1062568).
   - CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c)
     allowed attackers to cause a denial of service (out-of-bounds read) via
     a specially crafted USB over IP packet (bnc#1078673).
   - CVE-2017-16913: The "stub_recv_cmd_submit()" function
     (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed
     attackers to cause a denial of service (arbitrary memory allocation) via
     a specially crafted USB over IP packet (bnc#1078672).
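
   The two INT_MIN issues above (CVE-2018-10124 and CVE-2018-10087) share one
   root cause: both kill() and wait4() treat a pid argument below -1 as a
   process group id by negating it, and -INT_MIN does not fit in an int. The
   C program below is an added example and is not code from SUSE or from the
   kernel; it is a user-space model of that argument classification, showing
   the pre-fix behaviour beside the hardened check that rejects INT_MIN with
   -ESRCH, which is how the upstream fixes handle it. The enum, struct and
   function names are assumptions made for illustration only.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example, not kernel or SUSE code: a user-space model of how
 * kill_something_info() (kernel/signal.c) and kernel_wait4() (kernel/exit.c)
 * classify their pid argument. Both treat pid < -1 as "process group -pid",
 * and -INT_MIN is not representable as an int, which is the root cause of
 * CVE-2018-10124 and CVE-2018-10087. All names below are illustrative.
 */

enum pid_target {
    TARGET_ERROR = 0,   /* reject with a negative errno */
    TARGET_PID,         /* a single process */
    TARGET_PGRP,        /* a process group given as -pid */
    TARGET_OWN_PGRP,    /* pid == 0: the caller's own group */
    TARGET_ALL          /* pid == -1: every process the caller may reach */
};

struct pid_class {
    enum pid_target kind;
    int id;     /* pid or pgid to look up (valid for TARGET_PID / TARGET_PGRP) */
    int err;    /* negative errno when kind == TARGET_ERROR */
};

static struct pid_class classify_common(int pid)
{
    struct pid_class c = { TARGET_ERROR, 0, 0 };
    if (pid > 0) {
        c.kind = TARGET_PID;
        c.id = pid;
    } else if (pid == 0) {
        c.kind = TARGET_OWN_PGRP;
    } else if (pid == -1) {
        c.kind = TARGET_ALL;
    } else {
        /* pid < -1: the group id is -pid. Negated in a wider type so this
         * example has no undefined behaviour of its own; the cast back to int
         * reproduces the wrap-around the kernel would have hit for INT_MIN
         * (an out-of-range conversion is implementation-defined and yields
         * INT_MIN on the usual two's-complement targets). */
        long long negated = -(long long)pid;
        c.kind = TARGET_PGRP;
        c.id = (int)negated;
    }
    return c;
}

/* Pre-fix behaviour: INT_MIN falls through to the pid < -1 branch and comes
 * out as a negative "group id" that no later lookup expects. */
struct pid_class classify_pid_vulnerable(int pid)
{
    return classify_common(pid);
}

/* Hardened behaviour: reject INT_MIN up front with -ESRCH, before any
 * negation happens. */
struct pid_class classify_pid_fixed(int pid)
{
    struct pid_class c = { TARGET_ERROR, 0, 0 };
    if (pid == INT_MIN) {
        c.err = -ESRCH;
        return c;
    }
    return classify_common(pid);
}

static const char *kind_name(enum pid_target k)
{
    switch (k) {
    case TARGET_PID:      return "pid";
    case TARGET_PGRP:     return "pgrp";
    case TARGET_OWN_PGRP: return "own-pgrp";
    case TARGET_ALL:      return "all";
    default:              return "error";
    }
}

int main(void)
{
    /* Constructed sample arguments, including the INT_MIN edge case. */
    const int samples[] = { 42, 0, -1, -5, INT_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct pid_class v = classify_pid_vulnerable(samples[i]);
        struct pid_class f = classify_pid_fixed(samples[i]);
        printf("pid=%11d  before: %-8s id=%11d   after: %-8s id=%11d err=%d\n",
               samples[i], kind_name(v.kind), v.id,
               kind_name(f.kind), f.id, f.err);
    }
    return 0;
}
```

   The vulnerable variant performs the negation in a wider type so that the
   example itself stays free of undefined behaviour; the truncation back to
   int shows the wrapped, negative group id the kernel would have gone on to
   look up. The hardened variant never reaches the negation for INT_MIN.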

   The following non-security bugs were fixed:

   - Integrate fixes resulting from bsc#1088147; more information is in the
     respective commit messages.
   - KABI: x86/kaiser: properly align trampoline stack.
   - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
   - KEYS: prevent creating a different user's keyrings (bnc#1065999).
   - NFSv4: fix getacl head length estimation (git-fixes).
   - PCI: Use function 0 VPD for identical functions, regular VPD for others
     (bnc#943786 git-fixes).
   - Revert "USB: cdc-acm: fix broken runtime suspend" (bsc#1067912)
   - af_iucv: enable control sends in case of SEND_SHUTDOWN
     (bnc#1085513, LTC#165135).
   - blacklist.conf: blacklisted 7edaeb6841df ("kernel/watchdog: Prevent
     false positives with turbo modes") (bnc#1063516)
   - blacklist.conf: blacklisted 9fbc1f635fd0bd28cb32550211bf095753ac637a
   - blacklist.conf: blacklisted ba4877b9ca51f80b5d30f304a46762f0509e1635
   - cifs: fix buffer overflow in cifs_build_path_to_root() (bsc#1085113).
   - drm/mgag200: fix a test in mga_vga_mode_valid() (bsc#1087092).
   - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
   - hrtimer: Reset hrtimer cpu base proper on CPU hotplug (bnc#1013018).
   - ide-cd: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
   - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
   - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
   - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
   - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
   - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
   - media: cpia2: Fix a couple off by one bugs (bsc#1050431).
   - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
   - pipe: actually allow root to exceed the pipe buffer limits (git-fixes).
   - posix-timers: Protect posix clock array access against speculation
   - powerpc/fadump: Add a warning when 'fadump_reserve_mem=' is used
   - powerpc/fadump: reuse crashkernel parameter for fadump memory
     reservation (bnc#1032084).
   - powerpc/fadump: update documentation about crashkernel parameter reuse
   - powerpc/fadump: use 'fadump_reserve_mem=' when specified (bnc#1032084).
   - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032,
   - qeth: repair SBAL elements calculation (bnc#1085513, LTC#165484).
   - s390/qeth: fix underestimated count of buffer elements (bnc#1082091,
   - scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
   - usbnet: Fix a race between usbnet_stop() and the BH (bsc#1083275).
   - x86-64: Move the "user" vsyscall segment out of the data segment
   - x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).
   - x86/kaiser: properly align trampoline stack (bsc#1087260).
   - x86/retpoline: do not perform thunk calls in ring3 vsyscall code
   - xen/x86/CPU: Check speculation control CPUID bit (bsc#1068032).
   - xen/x86/CPU: Sync CPU feature flags late (bsc#1075994 bsc#1075091).
   - xen/x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and
     sync_regs (bsc#909077).
   - xen/x86/cpu: Factor out application of forced CPU caps (bsc#1075994
   - xen/x86/cpu: Fix bootup crashes by sanitizing the argument of the
     'clearcpuid=' command-line option (bsc#1065600).
   - xen/x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
   - xen/x86/idle: Toggle IBRS when going idle (bsc#1068032).
   - xen/x86/kaiser: Move feature detection up (bsc#1068032).
   - xfs: check for buffer errors before waiting (bsc#1052943).
   - xfs: fix allocbt cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).
   - xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 11-SP4:

      zypper in -t patch slertesp4-kernel-13604=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-kernel-13604=1

Package List:

   - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):


   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):


