SUSE-SU-2021:1899-1: important: Security update for the Linux Kernel

sle-security-updates at sle-security-updates at
Tue Jun 8 22:23:45 UTC 2021

   SUSE Security Update: Security update for the Linux Kernel

Announcement ID:    SUSE-SU-2021:1899-1
Rating:             important
References:         #1064802 #1066129 #1087082 #1101816 #1103992 
                    #1104353 #1104427 #1104745 #1109837 #1113431 
                    #1126390 #1133021 #1152457 #1174682 #1176081 
                    #1177666 #1180552 #1181383 #1182256 #1183738 
                    #1183947 #1184081 #1184082 #1184611 #1184855 
                    #1185428 #1185481 #1185680 #1185703 #1185724 
                    #1185758 #1185827 #1185901 #1185906 #1185938 
                    #1186060 #1186111 #1186390 #1186416 #1186439 
                    #1186441 #1186452 #1186460 #1186498 
Cross-References:   CVE-2020-24586 CVE-2020-24587 CVE-2020-26139
                    CVE-2020-26141 CVE-2020-26145 CVE-2020-26147
                    CVE-2021-23133 CVE-2021-23134 CVE-2021-32399
                    CVE-2021-33034 CVE-2021-33200 CVE-2021-3491
CVSS scores:
                    CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
                    CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
                    CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
                    CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
                    CVE-2021-23133 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-23133 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Real Time Extension 12-SP5

   An update that solves 12 vulnerabilities and has 32 fixes
   is now available.


   The SUSE Linux Enterprise 12 SP5 RT kernel was updated to receive various
   security fixes and bugfixes.

   The following security bugs were fixed:

   - CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic
     operations by the BPF verifier could be abused to perform out-of-bounds
     reads and writes in kernel memory (bsc#1186484).
   - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This
     could lead to writing arbitrary values. (bsc#1186111)
   - CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP)
     forwards EAPOL frames to other clients even though the sender has not
     yet successfully authenticated to the AP. (bnc#1186062)
   - CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed
     local attackers to elevate their privileges. (bnc#1186060)
   - CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This
     vulnerability is related to the PROVIDE_BUFFERS operation, which allowed
     the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
   - CVE-2021-32399: Fixed a race condition when removing the HCI controller
   - CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected
     Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't
     require that received fragments be cleared from memory after
     (re)connecting to a network. Under the right circumstances this can be
     abused to inject arbitrary network packets and/or exfiltrate user data
   - CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected
     Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't
     require that all fragments of a frame are encrypted under the same key.
     An adversary can abuse this to decrypt selected fragments when another
     device sends fragmented frames and the WEP, CCMP, or GCMP encryption key
     is periodically renewed (bnc#1185859 bnc#1185862).
   - CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble
     fragments, even though some of them were sent in plaintext. This
     vulnerability can be abused to inject packets and/or exfiltrate selected
     fragments when another device sends fragmented frames and the WEP, CCMP,
     or GCMP data-confidentiality protocol is used (bnc#1185859).
   - CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305
     4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept
     second (or subsequent) broadcast fragments even when sent in plaintext
     and process them as full unfragmented frames. An adversary can abuse
     this to inject arbitrary network packets independent of the network
     configuration. (bnc#1185860)
   - CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H,
     where the Message Integrity Check (authenticity) of fragmented TKIP
     frames was not verified. An adversary can abuse this to inject and
     possibly decrypt packets in WPA or WPA2 networks that support the TKIP
     data-confidentiality protocol. (bnc#1185987)
   - CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead
     to privilege escalation from the context of a network service or an
     unprivileged process. (bnc#1184675)

   The following non-security bugs were fixed:

   - ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes).
   - ACPICA: Enable sleep button on ACPI legacy wake (bsc#1181383).
   - ALSA: aloop: Fix initialization of controls (git-fixes).
   - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect
   - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls
   - ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails
   - ARM: footbridge: fix PCI interrupt mapping (git-fixes).
   - ASoC: fsl_esai: Fix TDM slot setup for I2S mode (git-fixes).
   - ASoC: intel: atom: Stop advertising non working S24LE support
   - ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips
   - Avoid potentially erroneos RST drop (bsc#1183947).
   - Do not drop out of segments RST if tcp_be_liberal is set (bsc#1183947).
   - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724).
   - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724).
   - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes).
   - EDAC/amd64: Gather hardware information early (bsc#1180552).
   - EDAC/amd64: Make struct amd64_family_type global (bsc#1180552).
   - EDAC/amd64: Save max number of controllers to family type (bsc#1180552).
   - HID: alps: fix error return code in alps_input_configured() (git-fixes).
   - HID: plantronics: Workaround for double volume key presses (git-fixes).
   - HID: wacom: Assign boolean values to a bool variable (git-fixes).
   - HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of
     devices (git-fixes).
   - Input: i8042 - fix Pegatron C15B ID entry (git-fixes).
   - Input: nspire-keypad - enable interrupts only when opened (git-fixes).
   - KVM: s390: fix guarded storage control register handling (bsc#1133021).
   - NFSv4: Replace closed stateids with the "invalid special stateid"
   - PCI: Release OF node in pci_scan_device()'s error path (git-fixes).
   - RDMA/hns: Delete redundant condition judgment related to eq
   - RDMA/srpt: Fix error return code in srpt_cm_req_recv() (bsc#1103992).
   - SUNRPC in case of backlog, hand free slots directly to waiting task
   - USB: serial: fix return value for unsupported ioctls (git-fixes).
   - USB: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes).
   - af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL
   - ata: libahci_platform: fix IRQ check (git-fixes).
   - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices
   - backlight: journada720: Fix Wmisleading-indentation warning (git-fixes).
   - batman-adv: Do not always reallocate the fragmentation skb head
   - bluetooth: eliminate the potential race condition when removing the HCI
     controller (git-fixes).
   - bnxt_en: fix ternary sign extension bug in bnxt_show_temp()
   - bpf: Fix masking negation logic upon negative dst register (git-fixes).
   - btrfs: fix race between transaction aborts and fsyncs leading to
     use-after-free (bsc#1186441).
   - btrfs: fix race when picking most recent mod log operation for an old
     root (bsc#1186439).
   - bus: qcom: Put child node before return (git-fixes).
   - cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes).
   - clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes).
   - clk: fix invalid usage of list cursor in register (git-fixes).
   - clk: fix invalid usage of list cursor in unregister (git-fixes).
   - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1
     GHz (git-fixes).
   - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to
     L0 (git-fixes).
   - clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM
     clock (git-fixes).
   - clk: socfpga: fix iomem pointer cast on 64-bit (git-fixes).
   - clk: uniphier: Fix potential infinite loop (git-fixes).
   - cpufreq: Kconfig: fix documentation links (git-fixes).
   - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode
   - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init
   - crypto: qat - Fix a double free in adf_create_ring (git-fixes).
   - crypto: qat - do not release uninitialized resources (git-fixes).
   - crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes).
   - cxgb4: Fix unintentional sign extension issues (bsc#1064802 bsc#1066129).
   - dm: fix redundant IO accounting for bios that need splitting
   - dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes).
   - docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes).
   - docs: kernel-parameters: Move gpio-mockup for alphabetic order
   - drivers: net: fix memory leak in atusb_probe (git-fixes).
   - drivers: net: fix memory leak in peak_usb_create_dev (git-fixes).
   - drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes).
   - drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes).
   - drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes).
   - drm/omap: fix misleading indentation in pixinc() (git-fixes).
   - drm/radeon: fix copy of uninitialized variable back to userspace
   - e1000e: Fix duplicate include guard (git-fixes).
   - e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes).
   - e1000e: add rtnl_lock() to e1000_reset_task (git-fixes).
   - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit
   - ftrace: Handle commands when closing set_ftrace_filter file (git-fixes).
   - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641).
   - gianfar: Handle error code at MAC address change (git-fixes).
   - i2c: cadence: add IRQ check (git-fixes).
   - i2c: emev2: add IRQ check (git-fixes).
   - i2c: jz4780: add IRQ check (git-fixes).
   - i40e: Added Asym_Pause to supported link modes (git-fixes).
   - i40e: Fix PHY type identifiers for 2.5G and 5G adapters (jsc#SLE-4797).
   - i40e: Fix sparse errors in i40e_txrx.c (git-fixes).
   - i40e: Fix use-after-free in i40e_client_subtask() (bsc#1101816).
   - i40e: fix broken XDP support (git-fixes).
   - i40e: fix the panic when running bpf in xdpdrv mode (git-fixes).
   - i40e: fix the restart auto-negotiation after FEC modified (jsc#SLE-4797).
   - ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938
   - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
   - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
   - ibmvnic: remove default label from to_string switch (bsc#1152457
     ltc#174432 git-fixes).
   - igb: Fix duplicate include guard (git-fixes).
   - igb: check timestamp validity (git-fixes).
   - ipmi/watchdog: Stop watchdog timer when the current action is 'none'
   - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
   - kABI: powerpc/64: add back start_tb and accum_tb to thread_struct.
   - kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081).
   - liquidio: Fix unintented sign extension of a left shift of a u16
   - mac80211: bail out if cipher schemes are invalid (git-fixes).
   - mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN
   - macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes).
   - md-cluster: fix use-after-free issue when removing rdev (bsc#1184082).
   - md/raid1: properly indicate failure when ending a failed write request
   - md: do not flush workqueue unconditionally in md_open (bsc#1184081).
   - md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081).
   - md: md_open returns -EBUSY when entering racing area (bsc#1184081).
   - md: split mddev_find (bsc#1184081).
   - media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes).
   - media: m88rs6000t: avoid potential out-of-bounds reads on arrays
   - media: omap4iss: return error code when omap4iss_get() failed
   - mfd: lpc_sch: Partially revert "Add support for Intel Quark X1000"
   - mfd: stm32-timers: Avoid clearing auto reload register (git-fixes).
   - misc: lis3lv02d: Fix false-positive WARN on various HP models
   - misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes).
   - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct
   - mlxsw: spectrum_mr: Update egress RIF list before route's action
   - mm: mempolicy: fix potential pte_unmap_unlock pte error (bsc#1185906).
   - mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified
   - mmc: core: Correct descriptions in mmc_of_parse() (git-fixes).
   - mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes).
   - mt7601u: fix always true expression (git-fixes).
   - mtd: require write permissions for locking and badblock ioctls
   - net, xdp: Update pkt_type if generic XDP changes unicast MAC
   - net/ethernet: Add parse_protocol header_ops support (bsc#1176081).
   - net/mlx4_en: update moderation when config reset (git-fixes).
   - net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes).
   - net/mlx5e: Remove the wrong assumption about transport offset
   - net/mlx5e: Trust kernel regarding transport offset (bsc#1176081).
   - net/packet: Ask driver for protocol if not provided by user
   - net/packet: Remove redundant skb->protocol set (bsc#1176081).
   - net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template
   - net: Do not set transport offset to invalid value (bsc#1176081).
   - net: Introduce parse_protocol header_ops callback (bsc#1176081).
   - net: hns3: Fix for geneve tx checksum bug (bsc#1104353).
   - net: hns3: add check for HNS3_NIC_STATE_INITED in
     hns3_reset_notify_up_enet() (bsc#1104353).
   - net: hns3: disable phy loopback setting in hclge_mac_start_phy
   - net: hns3: fix for vxlan gpe tx checksum bug (bsc#1104353).
   - net: hns3: fix incorrect configuration for igu_egu_hw_err (bsc#1104353).
   - net: hns3: initialize the message content in hclge_get_link_mode()
   - net: hns3: use netif_tx_disable to stop the transmit queue (bsc#1104353).
   - net: thunderx: Fix unintentional sign extension issue (git-fixes).
   - netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes).
   - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947
   - netfilter: conntrack: avoid misleading 'invalid' in log message
     (bsc#1183947 bsc#1185950).
   - netfilter: conntrack: improve RST handling when tuple is re-used
     (bsc#1183947 bsc#1185950).
   - netfilter: conntrack: tcp: only close if RST matches exact sequence
     (bsc#1183947 bsc#1185950).
   - nfc: pn533: prevent potential memory corruption (git-fixes).
   - nvme-fc: clear q_live at beginning of association teardown (git-fixes).
   - nvme-loop: Introduce no merge flag for biovec (bsc#1174682).
   - pata_arasan_cf: fix IRQ check (git-fixes).
   - pata_ipx4xx_cf: fix IRQ check (git-fixes).
   - pcnet32: Use pci_resource_len to validate PCI resource (git-fixes).
   - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y,
     unconditionally (git-fixes).
   - pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes).
   - pinctrl: lewisburg: Update number of pins in community (git-fixes).
   - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards
     with critclk_systems DMI table (git-fixes).
   - powerpc/64: remove start_tb and accum_tb from thread_struct (bsc#1186487
   - powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666
   - powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082
   - powerpc/pseries: lparcfg calculate PURR on demand (bsc#1186487
   - regulator: bd9571mwv: Fix AVS and DVFS voltage range (git-fixes).
   - rsxx: remove extraneous 'const' qualifier (git-fixes).
   - rtc: ds1307: Fix wday settings for rx8130 (git-fixes).
   - rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes).
   - s390/dasd: fix hanging DASD driver unbind (bsc#1183754 LTC#192081).
   - s390/dasd: fix hanging IO request during DASD driver unbind (bsc#1183754
   - s390/entry: save the caller of psw_idle (bsc#1185677).
   - s390/kdump: fix out-of-memory with PCI (bsc#1182256 LTC#191375).
   - sata_mv: add IRQ checks (git-fixes).
   - scsi: core: Run queue in case of I/O resource contention failure
   - scsi: libfc: Avoid invoking response handler twice if ep is already
     completed (bsc#1186573).
   - scsi: lpfc: Add a option to enable interlocked ABTS before job
     completion (bsc#1186452).
   - scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186452).
   - scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology
   - scsi: lpfc: Fix Node recovery when driver is handling simultaneous
     PLOGIs (bsc#1186452).
   - scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command
   - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the
     SGLs (bsc#1186452).
   - scsi: lpfc: Fix node handling for Fabric Controller and Domain
     Controller (bsc#1186452).
   - scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186452).
   - scsi: lpfc: Fix unreleased RPIs when NPIV ports are created
   - scsi: lpfc: Ignore GID-FT response that may be received after a link
     flip (bsc#1186452).
   - scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric
     controller (bsc#1186452).
   - scsi: lpfc: Update lpfc version to (bsc#1186452).
   - scsi: qla2xxx: Prevent PRLI in target mode (git-fixes).
   - smc: disallow TCP_ULP in smc_setsockopt() (bsc#1109837).
   - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz (git-fixes).
   - spi: spi-ti-qspi: Free DMA resources (git-fixes).
   - staging: rtl8192u: Fix potential infinite loop (git-fixes).
   - tcp: fix to update snd_wl1 in bulk receiver fast path (bsc#1185827).
   - thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val'
   - tracing: Map all PIDs to command lines (git-fixes).
   - uio: uio_hv_generic: use devm_kzalloc() for private data alloc
   - uio_hv_generic: Fix a memory leak in error handling paths (git-fixes).
   - uio_hv_generic: Fix another memory leak in error handling paths
   - uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes).
   - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes).
   - usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes).
   - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS
   - usb: xhci: Increase timeout for HC halt (git-fixes).
   - video: hyperv_fb: Add ratelimit on error message (bsc#1185724).
   - xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes).
   - xsk: Respect device's headroom and tailroom on generic xmit path

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 12-SP5:

      zypper in -t patch SUSE-SLE-RT-12-SP5-2021-1899=1

Package List:

   - SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch):


   - SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64):


