Security update for the Linux Kernel

Announcement ID: SUSE-SU-2018:2980-1
Rating: important
CVSS scores:
  • CVE-2018-10938 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-10938 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-10940 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2018-10940 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-1128 ( SUSE ): 8.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
  • CVE-2018-1128 ( NVD ): 7.5 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-1129 ( SUSE ): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • CVE-2018-1129 ( NVD ): 6.5 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2018-12896 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-12896 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-13093 ( SUSE ): 6.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
  • CVE-2018-13093 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-13094 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-13094 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-13095 ( SUSE ): 6.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
  • CVE-2018-13095 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-14613 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-14613 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-14617 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-14617 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-16658 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2018-16658 ( NVD ): 6.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
  • CVE-2018-6554 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-6554 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-6555 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
  • CVE-2018-6555 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • Basesystem Module 15
  • Development Tools Module 15
  • Legacy Module 15
  • SUSE Linux Enterprise Desktop 15
  • SUSE Linux Enterprise High Availability Extension 15
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise Live Patching 15
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server for SAP Applications 15
  • SUSE Linux Enterprise Workstation Extension 15

An update that solves 13 vulnerabilities and has 134 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

  • CVE-2018-14617: Prevent NULL pointer dereference and panic in hfsplus_lookup() when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bsc#1102870)
  • CVE-2018-14613: Prevent invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, caused by a lack of block group item validation in check_leaf_item (bsc#1102896).
  • CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)
  • CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurred because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001)
  • CVE-2018-13094: Prevent OOPS that may have occurred for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000)
  • CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999)
  • CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)
  • CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)
  • CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)
  • CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)
  • CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748)
  • CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748)
  • CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016)
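
The CVE-2018-12896 entry above describes overrun counts that can exceed INT_MAX while being accounted in an int. The following C sketch is an added illustration, not code from the kernel or from SUSE; the function names, the simplified period arithmetic and the sample delays are assumptions made for the example. It contrasts int-based accounting with a saturating variant.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): periods missed between expiry and now. */
static int64_t missed_periods(int64_t expiry_ns, int64_t now_ns, int64_t interval_ns)
{
    if (interval_ns <= 0 || now_ns <= expiry_ns)
        return 0;
    return (now_ns - expiry_ns) / interval_ns;
}

/* Int-based accounting as the advisory describes it: the 64-bit count is
 * squeezed into an int. The unsigned round trip reproduces the wraparound
 * without signed-overflow UB (two's-complement conversion, as on gcc/clang). */
static int overrun_truncating(int accumulated, int64_t missed)
{
    return (int)(uint32_t)((uint64_t)(uint32_t)accumulated + (uint64_t)missed);
}

/* Hardened accounting: sum in 64 bits, saturate at INT_MAX. */
static int overrun_clamped(int accumulated, int64_t missed)
{
    int64_t sum;

    if (missed < 0)
        missed = 0;
    if (missed >= INT_MAX)
        return INT_MAX;
    sum = (int64_t)accumulated + missed;
    return sum > INT_MAX ? INT_MAX : (int)sum;
}

int main(void)
{
    /* Constructed sample: 1 ns interval, expiry handling delayed 3 s and 5 s. */
    const int64_t delays_ns[] = { 3000000000LL, 5000000000LL };

    for (size_t i = 0; i < 2; i++) {
        int64_t m = missed_periods(0, delays_ns[i], 1);
        printf("missed=%lld truncating=%d clamped=%d\n",
               (long long)m, overrun_truncating(0, m), overrun_clamped(0, m));
    }
    return 0;
}
```

With the 3 s delay the truncating variant reports a negative overrun count, and with 5 s it reports a positive but wrong one, which is why the values seen through timer_getoverrun(2) and siginfo::si_overrun looked random.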

The following non-security bugs were fixed:

  • /dev/mem: Add bounce buffer for copy-out (git-fixes).
  • /dev/mem: Avoid overwriting "err" in read_mem() (git-fixes).
  • 9p/net: Fix zero-copy path in the 9p virtio transport (bsc#1051510).
  • 9p/virtio: fix off-by-one error in sg list bounds check (bsc#1051510).
  • 9p: fix multiple NULL-pointer-dereferences (bsc#1051510).
  • ACPI / EC: Add another entry for Thinkpad X1 Carbon 6th (bsc#1051510).
  • ACPI / EC: Add parameter to force disable the GPE on suspend (bsc#1051510).
  • ACPI / EC: Use ec_no_wakeup on ThinkPad X1 Yoga 3rd (bsc#1051510).
  • ACPI / EC: Use ec_no_wakeup on Thinkpad X1 Carbon 6th (bsc#1051510).
  • ACPI / EC: Use ec_no_wakeup on more Thinkpad X1 Carbon 6th systems (bsc#1051510).
  • ACPI / PCI: pci_link: Allow the absence of _PRS and change log level (bsc#1104172).
  • ACPI / bus: Only call dmi_check_system on X86 (bsc#1105597, bsc#1106178).
  • ACPI / scan: Initialize status to ACPI_STA_DEFAULT (bsc#1051510).
  • ACPI/IORT: Remove temporary iort_get_id_mapping_index() ACPICA guard (bsc#1103387).
  • ACPI/PCI: pci_link: reduce verbosity when IRQ is enabled (bsc#1104172).
  • ACPICA: iasl: Add SMMUv3 device ID mapping index support (bsc#1103387).
  • ALSA: cs46xx: Deliver indirect-PCM transfer error.
  • ALSA: emu10k1: Deliver indirect-PCM transfer error.
  • ALSA: fireface: fix memory leak in ff400_switch_fetching_mode() (bsc#1051510).
  • ALSA: firewire-digi00x: fix memory leak of private data (bsc#1051510).
  • ALSA: firewire-tascam: fix memory leak of private data (bsc#1051510).
  • ALSA: hda - Fix cancel_work_sync() stall from jackpoll work (bsc#1051510).
  • ALSA: mips: Deliver indirect-PCM transfer error.
  • ALSA: oxfw: fix memory leak for model-dependent data at error path (bsc#1051510).
  • ALSA: oxfw: fix memory leak of discovered stream formats at error path (bsc#1051510).
  • ALSA: oxfw: fix memory leak of private data (bsc#1051510).
  • ALSA: pcm: Call ack() whenever appl_ptr is updated.
  • ALSA: pcm: Fix negative appl_ptr handling in pcm-indirect helpers.
  • ALSA: pcm: Fix possible inconsistent appl_ptr update via mmap.
  • ALSA: pcm: Simplify forward/rewind codes.
  • ALSA: pcm: Skip ack callback without actual appl_ptr update.
  • ALSA: pcm: Use a common helper for PCM state check and hwsync.
  • ALSA: pcm: Workaround for weird PulseAudio behavior on rewind error.
  • ALSA: rme32: Deliver indirect-PCM transfer error.
  • ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bsc#1051510).
  • ARM: DRA7/OMAP5: Enable ACTLR[0] (Enable invalidates of BTB) for secondary cores (bsc#1051510).
  • ARM: hisi: fix error handling and missing of_node_put (bsc#1051510).
  • ARM: hisi: handle of_iomap and fix missing of_node_put (bsc#1051510).
  • ARM: imx: flag failure of of_iomap (bsc#1051510).
  • ARM: imx_v4_v5_defconfig: Select ULPI support (bsc#1051510).
  • ARM: imx_v6_v7_defconfig: Select ULPI support (bsc#1051510).
  • ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bsc#1051510).
  • ASoC: rsnd: fixup not to call clk_get/set under non-atomic (bsc#1051510).
  • ASoC: rsnd: move rsnd_ssi_config_init() execute condition into it (bsc#1051510).
  • ASoC: rsnd: update pointer more accurate (bsc#1051510).
  • ASoC: wm8994: Fix missing break in switch (bsc#1051510).
  • Apply e666d4e9ceec crypto: vmx - Use skcipher for ctr fallback to SLE12-SP4 (bsc#1106464).
  • Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV (bsc#1051510).
  • Bluetooth: hidp: Fix handling of strncpy for hid->name information (bsc#1051510).
  • Prevent errors at reboot (bsc#1093389)
  • Documentation: add some docs for errseq_t (bsc#1107008).
  • Fix buggy backport of patches.drivers/libnvdimm-btt-fix-an-incompatibility-in-the-log-layout.patch (bsc#1103961).
  • Fix kABI breakage due to enum addition for ath10k (bsc#1051510).
  • HID: add quirk for another PIXART OEM mouse used by HP (bsc#1051510).
  • HID: i2c-hid: Add no-irq-after-reset quirk for 0911:5288 device.
  • IB/core: type promotion bug in rdma_rw_init_one_mr() (bsc#1046306).
  • IB/hfi1: Invalid NUMA node information can cause a divide by zero (bsc#1060463).
  • IB/hfi1: Remove incorrect call to do_interrupt callback (bsc#1060463).
  • IB/hfi1: Set in_use_ctxts bits for user ctxts only (bsc#1060463).
  • IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler (bsc#1046307).
  • IB/ipoib: Fix error return code in ipoib_dev_init() (bsc#1046307).
  • IB/mlx4: Test port number before querying type (bsc#1046302).
  • IB/mlx4: Use 4K pages for kernel QP's WQE buffer (bsc#1046302).
  • Input: atmel_mxt_ts - only use first T9 instance (bsc#1051510).
  • Input: edt-ft5x06 - fix error handling for factory mode on non-M06 (bsc#1051510).
  • Input: edt-ft5x06 - implement support for the EDT-M12 series (bsc#1051510).
  • Input: edt-ft5x06 - make distinction between m06/m09/generic more clear (bsc#1051510).
  • Input: synaptics-rmi4 - fix axis-swap behavior (bsc#1051510).
  • KABI: tpm: change relinquish_locality return value back to void (bsc#1082555).
  • KABI: tpm: do keep the cmd_ready and go_idle as pm ops (bsc#1082555).
  • KVM/x86: remove WARN_ON() for when vm_munmap() fails (bsc#1106240).
  • KVM: Enforce error in ioctl for compat tasks when !KVM_COMPAT (bsc#1106240).
  • KVM: PPC: Book3S: Fix guest DMA when guest partially backed by THP pages (bsc#1077761, git-fixes, bsc#1103948, bsc#1103949).
  • KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
  • KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
  • KVM: nVMX: Do not flush TLB when vmcs12 uses VPID (bsc#1106240).
  • KVM: nVMX: Fix injection to L2 when L1 do not intercept external-interrupts (bsc#1106240).
  • KVM: nVMX: Fix races when sending nested PI while dest enters/leaves L2 (bsc#1106240).
  • KVM: nVMX: Re-evaluate L1 pending events when running L2 and L1 got posted-interrupt (bsc#1106240).
  • KVM: s390: add etoken support for guests (bsc#1106948, LTC#171029).
  • KVM: s390: force bp isolation for VSIE (bsc#1103421).
  • KVM: s390: implement CPU model only facilities (bsc#1106948, LTC#171029).
  • KVM: x86: Change __kvm_apic_update_irr() to also return if max IRR updated (bsc#1106240).
  • KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (git-fixes 1f50ddb4f418).
  • KVM: x86: fix APIC page invalidation (bsc#1106240).
  • NET: stmmac: align DMA stuff to largest cache line length (netfilter-stable-18_08_01).
  • NFSv4 client live hangs after live data migration recovery (git-fixes).
  • NFSv4: Fix a sleep in atomic context in nfs4_callback_sequence() (git-fixes).
  • NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message (git-fixes).
  • Netperf performance issue due to AppArmor net mediation (bsc#1108520)
  • PCI: Match Root Port's MPS to endpoint's MPSS as necessary (bsc#1109269).
  • PCI: OF: Fix I/O space page leak (git-fixes).
  • PCI: aardvark: Fix I/O space page leak (git-fixes).
  • PCI: hotplug: Do not leak pci_slot on registration failure (bsc#1051510).
  • PCI: hv: Make sure the bus domain is really unique (git-fixes).
  • PCI: mvebu: Fix I/O space end address calculation (bsc#1051510).
  • PCI: pciehp: Fix use-after-free on unplug (bsc#1051510).
  • PM / Domains: Fix error path during attach in genpd (bsc#1051510).
  • PM / clk: signedness bug in of_pm_clk_add_clks() (bsc#1051510).
  • PM / runtime: Drop usage count for suppliers at device link removal (bsc#1100132).
  • RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c (bsc#1050244).
  • RDMA/bnxt_re: Fix a couple off by one bugs (bsc#1050244).
  • RDMA/i40w: Hold read semaphore while looking after VMA (bsc#1058659).
  • Refresh with the upstream patches for lan78xx fixes (bsc#1085262)
  • Replace magic for trusting the secondary keyring with #define (bsc#1051510).