Security update for the Linux Kernel

Announcement ID: SUSE-SU-2018:4072-1
Rating: important
CVSS scores:
  • CVE-2017-16533 ( SUSE ): 4.6 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-16533 ( NVD ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-18224 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-18281 ( SUSE ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2018-18281 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-18386 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-18386 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-18445 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2018-18445 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-18445 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-18710 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2018-18710 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2018-19824 ( SUSE ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-19824 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise High Availability Extension 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise Live Patching 12-SP4
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP4
  • SUSE Linux Enterprise Software Development Kit 12 SP4
  • SUSE Linux Enterprise Workstation Extension 12 12-SP4

An update that solves seven vulnerabilities and has 184 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

  • CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
  • CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removed entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry could remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused (bnc#1113769).
  • CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
  • CVE-2018-18445: Faulty computation of numeric bounds in the BPF verifier permitted out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).
  • CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
  • CVE-2017-18224: fs/ocfs2/aops.c omitted use of a semaphore and consequently had a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).
  • CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).
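
The CVE-2018-18710 entry above attributes the leak to a cast from unsigned long to int ahead of a bounds check. The following user-space model of that bug class is an added illustration, not code from the kernel or from this advisory; the function names, the 4-slot capacity and the sample requests are assumptions constructed for the example.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical user-space model of a slot-select bounds check; this is
 * not the kernel's cdrom.c. `capacity` is the number of valid slots. */

/* Flawed form: the request is narrowed to int before the comparison.
 * A value above INT_MAX becomes negative (implementation-defined; GCC and
 * Clang wrap modulo 2^N), so it compares below `capacity` and is accepted. */
static int slot_ok_signed_cast(unsigned long arg, int capacity)
{
    return (int)arg < capacity;
}

/* Corrected form: reject a non-positive capacity, then compare in the
 * unsigned domain so an out-of-range request can never look negative. */
static int slot_ok_unsigned(unsigned long arg, int capacity)
{
    if (capacity <= 0)
        return 0;
    return arg < (unsigned long)capacity;
}

/* Index that code downstream of the flawed check would go on to use. */
static int index_after_signed_cast(unsigned long arg)
{
    return (int)arg;
}

int main(void)
{
    /* Constructed inputs: a 4-slot device and three requests. */
    const unsigned long requests[] = { 2UL, 4UL, ULONG_MAX };
    const int capacity = 4;

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        unsigned long r = requests[i];
        printf("arg=%lu signed-cast=%s unsigned=%s index=%d\n", r,
               slot_ok_signed_cast(r, capacity) ? "accept" : "reject",
               slot_ok_unsigned(r, capacity) ? "accept" : "reject",
               index_after_signed_cast(r));
    }
    return 0;
}
```

When reviewing similar ioctl handlers, look for user-controlled unsigned long arguments that are cast to a narrower signed type before being compared against a limit.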

The following non-security bugs were fixed:

  • ACPI/APEI: Handle GSIV and GPIO notification types (bsc#1115567).
  • ACPICA: Tables: Add WSMT support (bsc#1089350).
  • ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized pointer value (bsc#1051510).
  • ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers (bsc#1051510).
  • ACPI, nfit: Fix ARS overflow continuation (bsc#1116895).
  • ACPI, nfit: Prefer _DSM over _LSR for namespace label reads (bsc#1112128).
  • ACPI/nfit, x86/mce: Handle only uncorrectable machine checks (bsc#1114279).
  • ACPI/nfit, x86/mce: Validate a MCE's address before using it (bsc#1114279).
  • ACPI / platform: Add SMB0001 HID to forbidden_id_list (bsc#1051510).
  • ACPI / processor: Fix the return value of acpi_processor_ids_walk() (bsc#1051510).
  • ACPI / watchdog: Prefer iTCO_wdt always when WDAT table uses RTC SRAM (bsc#1051510).
  • act_ife: fix a potential use-after-free (networking-stable-18_09_11).
  • Add the cherry-picked dup id for PCI dwc fix
  • Add version information to KLP_SYMBOLS file
  • ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write (bsc#1051510).
  • ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops (bsc#1051510).
  • ALSA: control: Fix race between adding and removing a user element (bsc#1051510).
  • ALSA: hda: Add 2 more models to the power_save blacklist (bsc#1051510).
  • ALSA: hda: Add ASRock N68C-S UCC the power_save blacklist (bsc#1051510).
  • ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) (bsc#1051510).
  • ALSA: hda - Add quirk for ASUS G751 laptop (bsc#1051510).
  • ALSA: hda/ca0132 - Call pci_iounmap() instead of iounmap() (bsc#1051510).
  • ALSA: hda - Fix headphone pin config for ASUS G751 (bsc#1051510).
  • ALSA: hda: fix unused variable warning (bsc#1051510).
  • ALSA: hda/realtek - Add auto-mute quirk for HP Spectre x360 laptop (bsc#1051510).
  • ALSA: hda/realtek - Add GPIO data update helper (bsc#1051510).
  • ALSA: hda/realtek - Allow skipping spec->init_amp detection (bsc#1051510).
  • ALSA: hda/realtek - fix headset mic detection for MSI MS-B171 (bsc#1051510).
  • ALSA: hda/realtek - Fix HP Headset Mic can't record (bsc#1051510).
  • ALSA: hda/realtek - fix the pop noise on headphone for lenovo laptops (bsc#1051510).
  • ALSA: hda/realtek - Fix the problem of the front MIC on the Lenovo M715 (bsc#1051510).
  • ALSA: hda/realtek - Manage GPIO bits commonly (bsc#1051510).
  • ALSA: hda/realtek - Simplify Dell XPS13 GPIO handling (bsc#1051510).
  • ALSA: hda/realtek - Support ALC300 (bsc#1051510).
  • ALSA: oss: Use kvzalloc() for local buffer allocations (bsc#1051510).
  • ALSA: sparc: Fix invalid snd_free_pages() at error path (bsc#1051510).
  • ALSA: usb-audio: Add vendor and product name for Dell WD19 Dock (bsc#1051510).
  • ALSA: usb-audio: update quirk for B&W PX to remove microphone (bsc#1051510).
  • ALSA: wss: Fix invalid snd_free_pages() at error path (bsc#1051510).
  • amd/iommu: Fix Guest Virtual APIC Log Tail Address Register (bsc#1106105).
  • arm64: KVM: Move CPU ID reg trap setup off the world switch path (bsc#1110998).
  • arm64: KVM: Sanitize PSTATE.M when being set from userspace (bsc#1110998).
  • arm64: KVM: Tighten guest core register access from userspace (bsc#1110998).
  • ARM: dts: at91: add new compatibility string for macb on sama5d3 (bsc#1051510).
  • ASoC: dwc: Added a quirk DW_I2S_QUIRK_16BIT_IDX_OVERRIDE to dwc (bsc#1085535)
  • ASoC: Intel: cht_bsw_max98090: add support for Baytrail (bsc#1051510).
  • ASoC: intel: cht_bsw_max98090_ti: Add quirk for boards using pmc_plt_clk_0 (bsc#1051510).
  • ASoC: intel: skylake: Add missing break in skl_tplg_get_token() (bsc#1051510).
  • ASoC: Intel: Skylake: Reset the controller in probe (bsc#1051510).
  • ASoC: rsnd: adg: care clock-frequency size (bsc#1051510).
  • ASoC: rsnd: do not fallback to PIO mode when -EPROBE_DEFER (bsc#1051510).
  • ASoC: rt5514: Fix the issue of the delay volume applied again (bsc#1051510).
  • ASoC: sigmadsp: safeload should not have lower byte limit (bsc#1051510).
  • ASoC: sun8i-codec: fix crash on module removal (bsc#1051510).
  • ASoC: wm8804: Add ACPI support (bsc#1051510).
  • ata: Fix racy link clearance (bsc#1107866).
  • ataflop: fix error handling during setup (bsc#1051510).
  • ath10k: fix kernel panic issue during pci probe (bsc#1051510).
  • ath10k: fix scan crash due to incorrect length calculation (bsc#1051510).
  • ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait (bsc#1051510).
  • ath10k: schedule hardware restart if WMI command times out (bsc#1051510).
  • autofs: fix autofs_sbi() does not check super block type (git-fixes).
  • autofs: fix slab out of bounds read in getname_kernel() (git-fixes).
  • autofs: mount point create should honour passed in mode (git-fixes).
  • badblocks: fix wrong return value in badblocks_set if badblocks are disabled (git-fixes).
  • batman-adv: Avoid probe ELP information leak (bsc#1051510).
  • batman-adv: Expand merged fragment buffer for full packet (bsc#1051510).
  • batman-adv: fix backbone_gw refcount on queue_work() failure (bsc#1051510).
  • batman-adv: fix hardif_neigh refcount on queue_work() failure (bsc#1051510).
  • batman-adv: Use explicit tvlv padding for ELP packets (bsc#1051510).
  • bdi: Fix another oops in wb_workfn() (bsc#1112746).
  • bdi: Preserve kabi when adding cgwb_release_mutex (bsc#1112746).
  • bitops: protect variables in bit_clear_unless() macro (bsc#1051510).
  • bitops: protect variables in set_mask_bits() macro (bsc#1051510).
  • Blacklist commit that modifies Scsi_Host/kabi (bsc#1114579)
  • Blacklist sd_zbc patch that is too invasive (bsc#1114583)
  • Blacklist virtio patch that uses bio_integrity_bytes() (bsc#1114585)
  • blk-mq: I/O and timer unplugs are inverted in blktrace (bsc#1112713).
  • block, bfq: fix wrong init of saved start time for weight raising (bsc#1112708).
  • block: bfq: swap puts in bfqg_and_blkg_put (bsc#1112712).
  • block: copy ioprio in __bio_clone_fast() (bsc#1082653).
  • block: respect virtual boundary mask in bvecs (bsc#1113412).
  • Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth (bsc#1051510).
  • Bluetooth: SMP: fix crash in unpairing (bsc#1051510).
  • bnxt_en: Fix TX timeout during netpoll (networking-stable-18_10_16).
  • bnxt_en: free hwrm resources, if driver probe fails (networking-stable-18_10_16).
  • bonding: avoid possible dead-lock (networking-stable-18_10_16).
  • bonding: fix length of actor system (networking-stable-18_11_02).
  • bonding: fix warning message (networking-stable-18_10_16).
  • bonding: pass link-local packets to bonding master also (networking-stable-18_10_16).
  • bpf: fix partial copy of map_ptr when dst is scalar (bsc#1083647).
  • bpf, net: add skb_mac_header_len helper (networking-stable-18_09_24).
  • bpf/verifier: disallow pointer subtraction (bsc#1083647).
  • bpf: wait for running BPF programs when updating map-in-map (bsc#1083647).
  • brcmfmac: fix for proper support of 160MHz bandwidth (bsc#1051510).
  • brcmfmac: fix reporting support for 160 MHz channels (bsc#1051510).
  • brcmutil: really fix decoding channel info for 160 MHz bandwidth (bsc#1051510).
  • bridge: do not add port to router list when receives query with source 0.0.0.0 (networking-stable-18_11_02).
  • Btrfs: Enhance btrfs_trim_fs function to handle error better (Dependency for bsc#1113667).
  • Btrfs: Ensure btrfs_trim_fs can trim the whole filesystem (bsc#1113667).
  • Btrfs: fix assertion failure during fsync in no-holes mode (bsc#1118136).
  • Btrfs: fix assertion on fsync of regular file when using no-holes feature (bsc#1118137).
  • Btrfs: fix cur_offset in the error case for nocow (bsc#1118140).
  • Btrfs: fix data corruption due to cloning of eof block (bsc#1116878).
  • Btrfs: fix deadlock on tree root leaf when finding free extent (bsc#1116876).
  • Btrfs: fix deadlock when writing out free space caches (bsc#1116700).
  • Btrfs: fix infinite loop on inode eviction after deduplication of eof block (bsc#1116877).
  • Btrfs: fix missing error return in btrfs_drop_snapshot (Git-fixes bsc#1109919).
  • Btrfs: fix null pointer dereference on compressed write path error (bsc#1116698).
  • Btrfs: fix use-after-free during inode eviction (bsc#1116701).
  • Btrfs: fix use-after-free when dumping free space (bsc#1116862).
  • Btrfs: fix warning when replaying log after fsync of a tmpfile (bsc#1116692).
  • Btrfs: fix wrong dentries after fsync of file that got its parent replaced (bsc#1116693).
  • Btrfs: handle errors while updating refcounts in update_ref_for_cow (Git-fixes bsc#1109915).
  • Btrfs: make sure we create all new block groups (bsc#1116699).
  • Btrfs: protect space cache inode alloc with GFP_NOFS (bsc#1116863).
  • Btrfs: send, fix infinite loop due to directory rename dependencies (bsc#1118138).
  • cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) (bsc#1051510).
  • can: dev: __can_get_echo_skb(): Do not crash the kernel if can_priv::echo_skb is accessed out of bounds (bsc#1051510).
  • can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() (bsc#1051510).
  • can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb (bsc#1051510).
  • can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length (bsc#1051510).
  • can: hi311x: Use level-triggered interrupt (bsc#1051510).
  • can: raw: check for CAN FD capa