SUSE-SU-2021:2644-1: important: Security update for the Linux Kernel

sle-security-updates
Tue Aug 10 13:56:54 UTC 2021

   SUSE Security Update: Security update for the Linux Kernel

Announcement ID:    SUSE-SU-2021:2644-1
Rating:             important
References:         #1065729 #1085224 #1094840 #1113295 #1176724 
                    #1176931 #1176940 #1179195 #1181161 #1183871 
                    #1184114 #1184350 #1184804 #1185377 #1186206 
                    #1186482 #1186483 #1186672 #1187038 #1187476 
                    #1187846 #1188026 #1188101 #1188405 #1188620 
                    #1188750 #1188838 #1188876 #1188885 #1188973 
Cross-References:   CVE-2020-0429 CVE-2020-36386 CVE-2021-22543
                    CVE-2021-3659 CVE-2021-37576
CVSS scores:
                    CVE-2020-0429 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-0429 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-36386 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
                    CVE-2020-36386 (SUSE): 5.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
                    CVE-2021-22543 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3659 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-37576 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5

   An update that solves 5 vulnerabilities and has 25 fixes is
   now available.


   The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive
   various security and bug fixes.

   The following security bugs were fixed:

   - CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in
     net/mac802154/llsec.c (bsc#1188876).
   - CVE-2021-22543: Fixed improper handling of VM_IO|VM_PFNMAP vmas in KVM,
     which could bypass RO checks and can lead to pages being freed while
     still accessible by the VMM and guest. This allowed users with the
     ability to start and control a VM to read/write random pages of memory
     and can result in local privilege escalation (bsc#1186482).
   - CVE-2021-37576: Fixed an issue on the powerpc platform, where a KVM
     guest OS user could cause host OS memory corruption via rtas_args.nargs
   - CVE-2020-0429: In l2tp_session_delete and related functions of
     l2tp_core.c, there is possible memory corruption due to a use after
     free. This could lead to local escalation of privilege with System
     execution privileges needed. (bsc#1176724).
   - CVE-2020-36386: Fixed a slab out-of-bounds read in
     hci_extended_inquiry_result_evt (bsc#1187038).

   The following non-security bugs were fixed:

   - ACPI: AMBA: Fix resource name in /proc/iomem (git-fixes).
   - ACPI: bus: Call kobject_put() in acpi_init() error path (git-fixes).
   - ACPI: processor idle: Fix up C-state latency if not ordered (git-fixes).
   - ALSA: bebob: add support for ToneWeal FW66 (git-fixes).
   - ALSA: hda: Add IRQ check for platform_get_irq() (git-fixes).
   - ALSA: ppc: fix error return code in snd_pmac_probe() (git-fixes).
   - ALSA: sb: Fix potential ABBA deadlock in CSP driver (git-fixes).
   - ALSA: sb: Fix potential double-free of CSP mixer elements (git-fixes).
   - ALSA: usb-audio: fix rate on Ozone Z90 USB headset (git-fixes).
   - ASoC: soc-core: Fix the error return code in
     snd_soc_of_parse_audio_routing() (git-fixes).
   - ASoC: tegra: Set driver_name=tegra for all machine drivers (git-fixes).
   - Bluetooth: Fix the HCI to MGMT status conversion table (git-fixes).
   - Bluetooth: Shutdown controller after workqueues are flushed or cancelled
   - Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc
   - HID: wacom: Correct base usage for capacitive ExpressKey status bits
   - PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun (git-fixes).
   - PCI: Add ACS quirk for Broadcom BCM57414 NIC (git-fixes).
   - PCI: Leave Apple Thunderbolt controllers on for s2idle or standby
   - PCI: quirks: fix false kABI positive (git-fixes).
   - Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem"
   - USB: cdc-acm: blacklist Heimann USB Appset device (git-fixes).
   - USB: move many drivers to use DEVICE_ATTR_WO (git-fixes).
   - USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick (git-fixes).
   - USB: serial: cp210x: fix comments for GE CS1000 (git-fixes).
   - USB: serial: option: add support for u-blox LARA-R6 family (git-fixes).
   - USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS (git-fixes).
   - ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()
   - can: ems_usb: fix memory leak (git-fixes).
   - can: esd_usb2: fix memory leak (git-fixes).
   - can: hi311x: fix a signedness bug in hi3110_cmd() (git-fixes).
   - can: mcba_usb_start(): add missing urb->transfer_dma initialization
   - can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF (git-fixes).
   - can: sja1000: sja1000_err(): do not count arbitration lose as an error
   - can: sun4i_can: sun4i_can_err(): do not count arbitration lose as an
     error (git-fixes).
   - can: ti_hecc: Fix memleak in ti_hecc_probe (git-fixes).
   - can: usb_8dev: fix memory leak (git-fixes).
   - ceph: do not WARN if we're still opening a session to an MDS
   - cifs: Fix preauth hash corruption (git-fixes).
   - cifs: Return correct error code from smb2_get_enc_key (git-fixes).
   - cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath
   - cifs: fix interrupted close commands (git-fixes).
   - cifs: fix memory leak in smb2_copychunk_range (git-fixes).
   - cosa: Add missing kfree in error path of cosa_write (git-fixes).
   - crypto: do not free algorithm before using (git-fixes).
   - cw1200: add missing MODULE_DEVICE_TABLE (git-fixes).
   - dma-buf/sync_file: Do not leak fences on merge failure (git-fixes).
   - drm/amd/amdgpu/sriov disable all ip hw status by default (git-fixes).
   - drm/panel: raspberrypi-touchscreen: Prevent double-free (git-fixes).
   - drm/radeon: Add the missed drm_gem_object_put() in
     radeon_user_framebuffer_create() (git-fixes).
   - drm/virtio: Fix double free on probe failure (git-fixes).
   - drm: Return -ENOTTY for non-drm ioctls (git-fixes).
   - e100: handle eeprom as little endian (git-fixes).
   - gpio: zynq: Check return value of pm_runtime_get_sync (git-fixes).
   - gve: Add DQO fields for core data structures (bsc#1176940).
   - gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags
   - gve: Add NULL pointer checks when freeing irqs (bsc#1176940).
   - gve: Add basic driver framework for Compute Engine Virtual NIC
   - gve: Add dqo descriptors (bsc#1176940).
   - gve: Add ethtool support (jsc#SLE-10538).
   - gve: Add stats for gve (bsc#1176940).
   - gve: Add support for DQO RX PTYPE map (bsc#1176940).
   - gve: Add support for raw addressing device option (bsc#1176940).
   - gve: Add support for raw addressing in the tx path (bsc#1176940).
   - gve: Add support for raw addressing to the rx path (bsc#1176940).
   - gve: Add workqueue and reset support (jsc#SLE-10538).
   - gve: Batch AQ commands for creating and destroying queues (bsc#1176940).
   - gve: Check TX QPL was actually assigned (bsc#1176940).
   - gve: Copy and paste bug in gve_get_stats() (jsc#SLE-10538).
   - gve: Correct SKB queue index validation (bsc#1176940).
   - gve: DQO: Add RX path (bsc#1176940).
   - gve: DQO: Add TX path (bsc#1176940).
   - gve: DQO: Add core netdev features (bsc#1176940).
   - gve: DQO: Add ring allocation and initialization (bsc#1176940).
   - gve: DQO: Configure interrupts on device up (bsc#1176940).
   - gve: DQO: Fix off by one in gve_rx_dqo() (bsc#1176940).
   - gve: DQO: Remove incorrect prefetch (bsc#1176940).
   - gve: Enable Link Speed Reporting in the driver (bsc#1176940).
   - gve: Fix an error handling path in 'gve_probe()' (bsc#1176940).
   - gve: Fix case where desc_cnt and data_cnt can get out of sync
   - gve: Fix error return code in gve_alloc_qpls() (jsc#SLE-10538).
   - gve: Fix the queue page list allocated pages count (bsc#1176940).
   - gve: Fix u64_stats_sync to initialize start (jsc#SLE-10538).
   - gve: Fix warnings reported for DQO patchset (bsc#1176940).
   - gve: Fixes DMA synchronization (jsc#SLE-10538).
   - gve: Get and set Rx copybreak via ethtool (bsc#1176940).
   - gve: Introduce a new model for device options (bsc#1176940).
   - gve: Introduce per netdev `enum gve_queue_format` (bsc#1176940).
   - gve: Make gve_rx_slot_page_info.page_offset an absolute offset
   - gve: Move some static functions to a common file (bsc#1176940).
   - gve: NIC stats for report-stats and for ethtool (bsc#1176940).
   - gve: Propagate error codes to caller (bsc#1176940).
   - gve: Remove the exporting of gve_probe (jsc#SLE-10538).
   - gve: Replace zero-length array with flexible-array member (bsc#1176940).
   - gve: Rx Buffer Recycling (bsc#1176940).
   - gve: Simplify code and axe the use of a deprecated API (bsc#1176940).
   - gve: Update adminq commands to support DQO queues (bsc#1176940).
   - gve: Update mgmt_msix_idx if num_ntfy changes (bsc#1176940).
   - gve: Upgrade memory barrier in poll routine (bsc#1176940).
   - gve: Use dev_info/err instead of netif_info/err (bsc#1176940).
   - gve: Use link status register to report link status (bsc#1176940).
   - gve: adminq: DQO specific device descriptor logic (bsc#1176940).
   - gve: fix -ENOMEM null check on a page allocation (jsc#SLE-10538).
   - gve: fix dma sync bug where not all pages synced (bsc#1176940).
   - gve: fix unused variable/label warnings (jsc#SLE-10538).
   - gve: gve_rx_copy: Move padding to an argument (bsc#1176940).
   - gve: replace kfree with kvfree (jsc#SLE-10538).
   - ibmvnic: retry reset if there are no other resets (bsc#1184350
   - iio: accel: bma180: Use explicit member assignment (git-fixes).
   - iwlwifi: mvm: do not change band on bound PHY contexts (git-fixes).
   - kabi: fix nvme_wait_freeze_timeout() return type (bsc#1181161).
   - Regenerate makefile when not using mkmakefile.
   - build-id check requires elfutils.
   - kernel-binary.spec: Exctract s390 decompression code (jsc#SLE-17042).
   - kernel-binary.spec: Fix up usrmerge for non-modular kernels.
   - kernel-binary.spec: Only use mkmakefile when it exists Linux 5.13 no
     longer had a mkmakefile script
   - kernel-binary.spec: Remove obsolete and wrong comment mkmakefile is
     repleced by echo on newer kernel
   - Build using an utf-8 locale. Sphinx cannot handle
     UTF-8 input in non-UTF-8 locale.
   - kfifo: DECLARE_KIFO_PTR(fifo, u64) does not work on arm 32 bit
   - lib/decompress_unlz4.c: correctly handle zero-padding around initrds
   - mISDN: fix possible use-after-free in HFC_cleanup() (git-fixes).
   - media: bt8xx: Fix a missing check bug in bt878_probe (git-fixes).
   - media: cobalt: fix race condition in setting HPD (git-fixes).
   - media: cpia2: fix memory leak in cpia2_usb_probe (git-fixes).
   - media: dvb_net: avoid speculation from net slot (git-fixes).
   - media: dvd_usb: memory leak in cinergyt2_fe_attach (git-fixes).
   - media: em28xx: Fix possible memory leak of em28xx struct (git-fixes).
   - media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
   - media: pvrusb2: fix warning in pvr2_i2c_core_done (git-fixes).
   - media: siano: fix device register error path (git-fixes).
   - media: st-hva: Fix potential NULL pointer dereferences (git-fixes).
   - media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K
   - media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
   - mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE (git-fixes).
   - mlxsw: core: Use variable timeout for EMAD retries (git-fixes).
   - mmc: core: Allow UHS-I voltage switch for SDSC cards if supported
   - mmc: via-sdmmc: add a check against NULL pointer dereference (git-fixes).
   - net/mlx5: Disable QoS when min_rates on all VFs are zero (git-fixes).
   - net/mlx5: Query PPS pin operational status before registering it
   - net/mlx5: Verify Hardware supports requested ptp function on a given pin
   - net: Google gve: Remove dma_wmb() before ringing doorbell (bsc#1176940).
   - net: b44: fix error return code in b44_init_one() (git-fixes).
   - net: broadcom CNIC: requires MMU (git-fixes).
   - net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 (git-fixes).
   - net: gve: convert strlcpy to strscpy (bsc#1176940).
   - net: gve: remove duplicated allowed (bsc#1176940).
   - nfc: nfcsim: fix use after free during module unload (git-fixes).
   - nvme-core: add cancel tagset helpers (bsc#1181161).
   - nvme-multipath: fix double initialization of ANA state (bsc#1181161).
   - nvme-rdma: add clean action for failed reconnection (bsc#1181161).
   - nvme-rdma: fix reset hang if controller died in the middle of a reset
   - nvme-rdma: use cancel tagset helper for tear down (bsc#1181161).
   - nvme: have nvme_wait_freeze_timeout return if it timed out (bsc#1181161).
   - nvmet: use new ana_log_size instead the old one (bsc#1181161).
   - platform/x86: toshiba_acpi: Fix missing error code in
     toshiba_acpi_setup_keyboard() (git-fixes).
   - power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE (git-fixes).
   - power: supply: ab8500: Avoid NULL pointers (git-fixes).
   - power: supply: ab8500: add missing MODULE_DEVICE_TABLE (git-fixes).
   - power: supply: charger-manager: add missing MODULE_DEVICE_TABLE
   - powerpc/64s: Move branch cache flushing bcctr variant to ppc-ops.h
     (bsc#1188885 ltc#193722).
   - powerpc/64s: rename pnv|pseries_setup_rfi_flush to
     _setup_security_mitigations (bsc#1188885 ltc#193722).
   - powerpc/papr_scm: Properly handle UUID types and API (bsc#1113295,
   - powerpc/pesries: Get STF barrier requirement from
     H_GET_CPU_CHARACTERISTICS (bsc#1188885 ltc#193722).
   - powerpc/pseries/scm: Use a specific endian format for storing uuid from
     the device tree (bsc#1113295, git-fixes).
   - powerpc/pseries: Get entry and uaccess flush required bits from
     H_GET_CPU_CHARACTERISTICS (bsc#1188885 ltc#193722).
   - powerpc/pseries: add new branch prediction security bits for link stack
     (bsc#1188885 ltc#193722).
   - powerpc/pseries: export LPAR security flavor in lparcfg (bsc#1188885
   - powerpc/security: Add a security feature for STF barrier (bsc#1188885
   - powerpc/security: Allow for processors that flush the link stack using
     the special bcctr (bsc#1188885 ltc#193722).
   - powerpc/security: Fix link stack flush instruction (bsc#1188885
   - powerpc/security: change link stack flush state to the flush type enum
     (bsc#1188885 ltc#193722).
   - powerpc/security: make display of branch cache flush more consistent
     (bsc#1188885 ltc#193722).
   - powerpc/security: re-name count cache flush to branch cache flush
     (bsc#1188885 ltc#193722).
   - powerpc/security: split branch cache flush toggle from code patching
     (bsc#1188885 ltc#193722).
   - pwm: spear: Do not modify HW state in .remove callback (git-fixes).
   - qlcnic: fix error return code in qlcnic_83xx_restart_hw() (git-fixes).
   - regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
   - replaced with above upstream fix.
   - replaced with upstream security mitigation cleanup
   - rtc: max77686: Do not enforce (incorrect) interrupt trigger type
   - scripts/git_sort/ add bpf git repo
   - scsi: fc: Add 256GBit speed setting to SCSI FC transport (bsc#1188101).
   - scsi: smartpqi: create module parameters for LUN reset (bsc#1179195).
   - smb3: Fix out-of-bounds bug in SMB2_negotiate() (git-fixes).
   - spi: Make of_register_spi_device also set the fwnode (git-fixes).
   - spi: mediatek: fix fifo rx mode (git-fixes).
   - spi: omap-100k: Fix the length judgment problem (git-fixes).
   - spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf' (git-fixes).
   - spi: spi-topcliff-pch: Fix potential double free in
     pch_spi_process_messages() (git-fixes).
   - ssb: sdio: Do not overwrite const buffer if block_write fails
   - tracing: Do not reference char * as a string in histograms (git-fixes).
   - tty: serial: 8250: serial_cs: Fix a memory leak in error handling path
   - tty: serial: fsl_lpuart: fix the potential risk of division or modulo by
     zero (git-fixes).
   - usb: dwc2: gadget: Fix sending zero length packet in DDMA mode
   - usb: hub: Disable USB 3 device initiated lpm if exit latency is too high
   - usb: max-3421: Prevent corruption of freed memory (git-fixes).
   - usbip: Fix incorrect double assignment to udc->ud.tcp_rx (git-fixes).
   - usbip: fix vudc usbip_sockfd_store races leading to gpf (git-fixes).
   - usbip: vudc synchronize sysfs code paths (git-fixes).
   - usbip: vudc: fix missing unlock on error in usbip_sockfd_store()
   - uuid: Add inline helpers to import / export UUIDs (bsc#1113295,
   - virtio_console: Assure used length from device is limited (git-fixes).
   - w1: ds2438: fixing bug that would always get page0 (git-fixes).
   - watchdog: Fix possible use-after-free by calling del_timer_sync()
   - watchdog: Fix possible use-after-free in wdt_startup() (git-fixes).
   - watchdog: iTCO_wdt: Account for rebooting on second timeout (git-fixes).
   - watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()
   - wireless: wext-spy: Fix out-of-bounds warning (git-fixes).
   - wl1251: Fix possible buffer overflow in wl1251_cmd_scan (git-fixes).
   - wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP (git-fixes).
   - workqueue: fix UAF in pwq_unbound_release_workfn() (bsc#1188973).
   - xen-pciback: reconfigure also from backend watch handler (git-fixes).
   - xfrm: xfrm_state_mtu should return at least 1280 for ipv6 (bsc#1185377).
   - xhci: Fix lost USB 2 remote wake (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2644=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (noarch):


   - SUSE Linux Enterprise Server 12-SP5 (x86_64):


