Security update for the Linux Kernel

Announcement ID: SUSE-SU-2018:2222-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2017-18344 ( SUSE ): 7.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • CVE-2017-18344 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2017-5753 ( SUSE ): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2017-5753 ( SUSE ): 7.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • CVE-2017-5753 ( NVD ): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2017-5753 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2018-1118 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2018-1118 ( NVD ): 2.3 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
  • CVE-2018-13053 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-13053 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-13405 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • CVE-2018-13405 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-13405 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-13406 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-13406 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-13406 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-5390 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-5390 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-5390 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-9385 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-9385 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • Public Cloud Module 15
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server for SAP Applications 15

An update that solves eight vulnerabilities and has 132 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 kernel-azure was updated to receive various security and bugfixes.

The following security bugs were fixed:

  • CVE-2018-5390 aka "SegmentSmack": A remote attacker even with relatively low bandwidth could have caused lots of CPU usage by triggering the worst case scenario during IP and/or TCP fragment reassembly (bsc#1102340)
  • CVE-2017-18344: The timer_create syscall implementation didn't properly validate input, which could have lead to out-of-bounds access. This allowed userspace applications to read arbitrary kernel memory in some setups. (bsc#1102851)
  • CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1100418)
  • CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a large relative timeout because ktime_add_safe was not used (bnc#1099924)
  • CVE-2018-13405: The inode_init_owner function allowed local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID (bnc#1100416)
  • CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may have allowed unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bsc#1068032)
  • CVE-2018-1118: Linux kernel vhost did not properly initialize memory in messages passed between virtual guests and the host operating system. This could have allowed local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file (bsc#1092472)

The following non-security bugs were fixed:

  • 1wire: family module autoload fails because of upper/lower case mismatch (bsc#1051510)
  • 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() (networking-stable-18_05_15)
  • acpi / LPSS: Add missing prv_offset setting for byt/cht PWM devices (bsc#1051510)
  • acpi / processor: Finish making acpi_processor_ppc_has_changed() void (bsc#1051510)
  • acpi / watchdog: properly initialize resources (bsc#1051510)
  • acpi, APEI, EINJ: Subtract any matching Register Region from Trigger resources (bsc#1051510)
  • acpi, nfit: Fix scrub idle detection (bsc#1094119)
  • acpi/nfit: fix cmd_rc for acpi_nfit_ctl to always return a value (bsc#1051510)
  • acpi: Add helper for deactivating memory region (bsc#1100132)
  • ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS (bsc#1051510)
  • alsa: hda - Handle pm failure during hotplug (bsc#1051510)
  • alsa: hda/ca0132 - use ARRAY_SIZE (bsc#1051510)
  • alsa: hda/ca0132: Delete pointless assignments to struct auto_pin_cfg fields (bsc#1051510)
  • alsa: hda/ca0132: Delete redundant UNSOL event requests (bsc#1051510)
  • alsa: hda/ca0132: Do not test for QUIRK_NONE (bsc#1051510)
  • alsa: hda/ca0132: Fix DMic data rate for Alienware M17x R4 (bsc#1051510)
  • alsa: hda/ca0132: Restore PCM Analog Mic-In2 (bsc#1051510)
  • alsa: hda/ca0132: Restore behavior of QUIRK_ALIENWARE (bsc#1051510)
  • alsa: hda/ca0132: make array ca0132_alt_chmaps static (bsc#1051510)
  • alsa: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk (bsc#1051510)
  • alsa: hda/realtek - Add a quirk for FSC ESPRIMO U9210 (bsc#1051510)
  • alsa: hda/realtek - Fix pop noise on Lenovo P50 and co (bsc#1051510)
  • alsa: hda/realtek - Fix the problem of two front mics on more machines (bsc#1051510)
  • alsa: hda/realtek - Yet another Clevo P950 quirk entry (bsc#1101143)
  • alsa: hda/realtek - two more lenovo models need fixup of MIC_LOCATION (bsc#1051510)
  • alsa: hda: add mute led support for HP ProBook 455 G5 (bsc#1051510)
  • alsa: rawmidi: Change resized buffers atomically (bsc#1051510)
  • alsa: seq: Fix UBSAN warning at SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT ioctl (bsc#1051510)
  • alsa: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl (bsc#1051510)
  • alx: take rtnl before calling __alx_open from resume (bsc#1051510)
  • amd-xgbe: Add pre/post auto-negotiation phy hooks (networking-stable-18_04_26)
  • amd-xgbe: Improve KR auto-negotiation and training (networking-stable-18_04_26)
  • amd-xgbe: Only use the SFP supported transceiver signals (networking-stable-18_04_26)
  • amd-xgbe: Restore pci interrupt enablement setting on resume (networking-stable-18_03_07)
  • arch/*: Kconfig: fix documentation for NMI watchdog (bsc#1099918)
  • arm64: kpti: Use early_param for kpti= command-line option (bsc#1103220)
  • arm: amba: Do not read past the end of sysfs "driver_override" buffer (CVE-2018-9385,bsc#1100491)
  • arm: module: fix modsign build error (bsc#1093666)
  • arp: fix arp_filter on l3slave devices (networking-stable-18_04_10)
  • asoc: cirrus: i2s: Fix LRCLK configuration (bsc#1051510)
  • asoc: cirrus: i2s: Fix {TX|RX}LinCtrlData setup (bsc#1051510)
  • asoc: cs35l35: Add use_single_rw to regmap config (bsc#1051510)
  • asoc: dapm: delete dapm_kcontrol_data paths list before freeing it (bsc#1051510)
  • asoc: mediatek: preallocate pages use platform device (bsc#1051510)
  • ath9k_htc: Add a sanity check in ath9k_htc_ampdu_action() (bsc#1051510)
  • atl1c: reserve min skb headroom (bsc#1051510)
  • audit: Fix wrong task in comparison of session ID (bsc#1051510)
  • audit: ensure that 'audit=1' actually enables audit for PID 1 (bsc#1051510)
  • audit: return on memory error to avoid null pointer dereference (bsc#1051510)
  • auxdisplay: fix broken menu (bsc#1051510)
  • auxdisplay: img-ascii-lcd: Only build on archs that have IOMEM (bsc#1051510)
  • auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bsc#1051510)
  • b44: Initialize 64-bit stats seqcount (bsc#1051510)
  • backlight: as3711_bl: Fix Device Tree node leaks (bsc#1051510)
  • backlight: as3711_bl: Fix Device Tree node lookup (bsc#1051510)
  • backlight: lm3630a: Bump REG_MAX value to 0x50 instead of 0x1F (bsc#1051510)
  • backlight: max8925_bl: Fix Device Tree node lookup (bsc#1051510)
  • backlight: tps65217_bl: Fix Device Tree node lookup (bsc#1051510)
  • batman-adv: Accept only filled wifi station info (bsc#1051510)
  • batman-adv: Always initialize fragment header priority (bsc#1051510)
  • batman-adv: Avoid race in TT TVLV allocator helper (bsc#1051510)
  • batman-adv: Avoid storing non-TT-sync flags on singular entries too (bsc#1051510)
  • batman-adv: Fix TT sync flags for intermediate TT responses (bsc#1051510)
  • batman-adv: Fix bat_ogm_iv best gw refcnt after netlink dump (bsc#1051510)
  • batman-adv: Fix bat_v best gw refcnt after netlink dump (bsc#1051510)
  • batman-adv: Fix check of retrieved orig_gw in batadv_v_gw_is_eligible (bsc#1051510)
  • batman-adv: Fix debugfs path for renamed hardif (bsc#1051510)
  • batman-adv: Fix debugfs path for renamed softif (bsc#1051510)
  • batman-adv: Fix internal interface indices types (bsc#1051510)
  • batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq (bsc#1051510)
  • batman-adv: Fix multicast packet loss with a single WANT_ALL_IPV4/6 flag (bsc#1051510)
  • batman-adv: Fix netlink dumping of BLA backbones (bsc#1051510)
  • batman-adv: Fix netlink dumping of BLA claims (bsc#1051510)
  • batman-adv: Fix skbuff rcsum on packet reroute (bsc#1051510)
  • batman-adv: Ignore invalid batadv_iv_gw during netlink send (bsc#1051510)
  • batman-adv: Ignore invalid batadv_v_gw during netlink send (bsc#1051510)
  • batman-adv: Use default throughput value on cfg80211 error (bsc#1051510)
  • batman-adv: fix TT sync flag inconsistencies (bsc#1051510)
  • batman-adv: fix header size check in batadv_dbg_arp() (bsc#1051510)
  • batman-adv: fix multicast-via-unicast transmission with AP isolation (bsc#1051510)
  • batman-adv: fix packet checksum in receive path (bsc#1051510)
  • batman-adv: fix packet loss for broadcasted DHCP packets to a server (bsc#1051510)
  • batman-adv: invalidate checksum on fragment reassembly (bsc#1051510)
  • batman-adv: update data pointers after skb_cow() (bsc#1051510)
  • bfq: Re-enable auto-loading when built as a module (bsc#1099918)
  • blk-mq-debugfs: fix device sched directory for default scheduler (bsc#1099918)
  • blk-mq: count allocated but not started requests in iostats inflight (bsc#1077989)
  • blk-mq: do not keep offline CPUs mapped to hctx 0 (bsc#1099918)
  • blk-mq: fix sysfs inflight counter (bsc#1077989)
  • blk-mq: make sure hctx->next_cpu is set correctly (bsc#1099918)
  • blk-mq: make sure that correct hctx->next_cpu is set (bsc#1099918)
  • blk-mq: reinit q->tag_set_list entry only after grace period (bsc#1099918)
  • blk-mq: simplify queue mapping; schedule with each possisble CPU (bsc#1099918)
  • block, bfq: add missing invocations of bfqg_stats_update_io_add/remove (bsc#1099918)
  • block, bfq: fix occurrences of request finish method's old name (bsc#1099918)
  • block/swim: Remove extra put_disk() call from error path (bsc#1099918)
  • block: Fix __bio_integrity_endio() documentation (bsc#1099918)
  • block: Fix cloning of requests with a special payload (bsc#1099918)
  • block: always set partition number to '0' in blk_partition_remap() (bsc#1054245)
  • block: always set partition number to '0' in blk_partition_remap() (bsc#1077989)
  • block: bio_check_eod() needs to consider partitions (bsc#1077989)
  • block: cope with WRITE ZEROES failing in blkdev_issue_zeroout() (bsc#1099918)
  • block: factor out __blkdev_issue_zero_pages() (bsc#1099918)
  • block: fail op_is_write() requests to read-only partitions (bsc#1077989)
  • block: pass 'run_queue' to blk_mq_request_bypass_insert (bsc#1077989)
  • block: sed-opal: Fix a couple off by one bugs (bsc#1099918)
  • block: set request_list for request (bsc#1077989)
  • bluetooth: avoid recursive locking in hci_send_to_channel() (bsc#1051510)
  • bluetooth: hci_ll: Add support for the external clock (bsc#1051510)
  • bluetooth: hci_ll: Fix download_firmware() return when __hci_cmd_sync fails (bsc#1051510)
  • bluetooth: hci_nokia: select BT_HCIUART_H4 (bsc#1051510)
  • bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader (bsc#1051510)
  • bluetooth: hci_uart: fix kconfig dependency (bsc#1051510)
  • bnx2x: Collect the device debug information during Tx timeout (bsc#1086323)
  • bnx2x: Collect the device debug information during Tx timeout (bsc#1086323)
  • bnx2x: Deprecate pci_get_bus_and_slot() (bsc#1086323)
  • bnx2x: Replace doorbell barrier() with wmb() (bsc#1086323)
  • bnx2x: Use NETIF_F_GRO_HW (bsc#1086323)
  • bnx2x: Use pci_ari_enabled() instead of local copy (bsc#1086323)
  • bnx2x: fix slowpath null crash (bsc#1086323)
  • bnx2x: fix spelling mistake: "registeration" -> "registration" (bsc#1086323)
  • bnx2x: fix spelling mistake: "registeration" -> "registration" (bsc#1086323)
  • bnx2x: use the right constant (bsc#1086323)
  • bnxt_en: Add BCM5745X NPAR device IDs (bsc#1086282)
  • bnxt_en: Add IRQ remapping logic (bsc#1086282)
  • bnxt_en: Add TC to hardware QoS queue mapping logic (bsc#1086282)
  • bnxt_en: Add ULP calls to stop and restart IRQs (bsc#1086282)
  • bnxt_en: Add cache line size setting to optimize performance (bsc#1086282)
  • bnxt_en: Add cache line size setting to optimize performance (bsc#1086282)
  • bnxt_en: Add extended port statistics support (bsc#1086282)
  • bnxt_en: Add support for ndo_set_vf_trust (bsc#1086282)
  • bnxt_en: Add the new firmware API to query hardware resources (bsc#1086282)
  • bnxt_en: Add the new firmware API to query hardware resources (bsc#1086282)
  • bnxt_en: Adjust default rings for multi-port NICs (bsc#1086282)
  • bnxt_en: Always forward VF MAC address to the PF (bsc#1086282)
  • bnxt_en: Always set output parameters in bnxt_get_max_rings() (bsc#1050242)
  • bnxt_en: Always set output parameters in bnxt_get_max_rings() (bsc#1050242)
  • bnxt_en: Change IRQ assignment for rdma driver (bsc#1086282)
  • bnxt_en: Check max_tx_scheduler_inputs value from firmware (bsc#1086282)
  • bnxt_en: Check max_tx_scheduler_inputs value from firmware (bsc#1086282)
  • bnxt_en: Check the lengths of encapsulated firmware responses (bsc#1086282)
  • bnxt_en: Check the lengths of encapsulated firmware responses (bsc#1086282)
  • bnxt_en: Check unsupported speeds in bnxt_update_link() on PF only (bsc#1086282)
  • bnxt_en: Check unsupported speeds in bnxt_update_link() on PF only (bsc#1086282)
  • bnxt_en: Display function level rx/tx_discard_pkts via ethtool (bsc#1086282)
  • bnxt_en: Display function level rx/tx_discard_pkts via ethtool (bsc#1086282)
  • bnxt_en: Do not allow VF to read EEPROM (bsc#1086282)
  • bnxt_en: Do not modify max IRQ count after rdma driver requests/frees IRQs (bsc#1050242)
  • bnxt_en: Do not modify max IRQ count after rdma driver requests/frees IRQs (bsc#1050242)
  • bnxt_en: Do not reserve rings on VF when min rings were not provisioned by PF (bsc#1086282)
  • bnxt_en: Do not reserve rings on VF when min rings were not provisioned by PF (bsc#1086282)
  • bnxt_en: Do not set firmware time from VF driver on older firmware (bsc#1086282)
  • bnxt_en: Do not set firmware time from VF driver on older firmware (bsc#1086282)
  • bnxt_en: Eliminate duplicate barriers on weakly-ordered archs (bsc#1086282)
  • bnxt_en: Eliminate duplicate barriers on weakly-ordered archs (bsc#1086282)
  • bnxt_en: Expand bnxt_check_rings() to check all resources (bsc#1086282)
  • bnxt_en: Expand bnxt_check_rings() to check all resources (bsc#1086282)
  • bnxt_en: Fix NULL pointer dereference at bnxt_free_irq() (bsc#1086282)
  • bnxt_en: Fix NULL pointer dereference at bnxt_free_irq() (bsc#1086282)
  • bnxt_en: Fix ethtool -x crash when device is down (bsc#1086282)
  • bnxt_en: Fix firmware message delay loop regression (bsc#1086282)
  • bnxt_en: Fix for system hang if request_irq fails (bsc#1050242)
  • bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic (bsc#1050242)
  • bnxt_en: Fix regressions when setting up MQPRIO TX rings (bsc#1086282)
  • bnxt_en: Fix regressions when setting up MQPRIO TX rings (bsc#1086282)
  • bnxt_en: Fix the vlan_tci exact match check (bsc#1050242)
  • bnxt_en: Fix vnic accounting in the bnxt_check_rings() path (bsc#1086282)
  • bnxt_en: Fix vnic accounting in the bnxt_check_rings() path (bsc#1086282)
  • bnxt_en: Forward VF MAC address to the PF (bsc#1086282)
  • bnxt_en: Implement new method for the PF to assign SRIOV resources (bsc#1086282)
  • bnxt_en: Implement new method for the PF to assign SRIOV resources (bsc#1086282)
  • bnxt_en: Implement new method to reserve rings (bsc#1086282)
  • bnxt_en: Improve resource accounting for SRIOV (bsc#1086282)
  • bnxt_en: Improve ring allocation logic (bsc#1086282)
  • bnxt_en: Improve valid bit checking in firmware response message (bsc#1086282)
  • bnxt_en: Improve valid bit checking in firmware response message (bsc#1086282)
  • bnxt_en: Include additional hardware port statistics in ethtool -S (bsc#1086282)
  • bnxt_en: Include additional hardware port statistics in ethtool -S (bsc#1086282)
  • bnxt_en: Increase RING_IDLE minimum threshold to 50 (bsc#1086282)
  • bnxt_en: Need to include rdma rings in bnxt_check_rings() (bsc#1086282)
  • bnxt_en: Need to include rdma rings in bnxt_check_rings() (bsc#1086282)
  • bnxt_en: Pass complete VLAN TCI to the stack (bsc#1086282)
  • bnxt_en: Read phy eeprom A2h address only when optical diagnostics is supported (bsc#1086282)
  • bnxt_en: Read phy eeprom A2h address only when optical diagnostics is supported (bsc#1086282)
  • bnxt_en: Refactor bnxt_close_nic() (bsc#1086282)
  • bnxt_en: Refactor bnxt_need_reserve_rings() (bsc#1086282)
  • bnxt_en: Refactor hardware resource data structures (bsc#1086282)
  • bnxt_en: Refactor the functions to reserve hardware rings (bsc#1086282)
  • bnxt_en: Refactor the functions to reserve hardware rings (bsc#1086282)
  • bnxt_en: Remap TC to hardware queues when configuring PFC (bsc#1086282)
  • bnxt_en: Remap TC to hardware queues when configuring PFC (bsc#1086282)
  • bnxt_en: Reserve RSS and L2 contexts for VF (bsc#1086282)
  • bnxt_en: Reserve completion rings and MSIX for bnxt_re rdma driver (bsc#1086282)
  • bnxt_en: Reserve completion rings and MSIX for bnxt_re rdma driver (bsc#1086282)
  • bnxt_en: Reserve resources for RFS (bsc#1086282)
  • bnxt_en: Reserve rings at driver open if none was reserved at probe time (bsc#1086282)
  • bnxt_en: Reserve rings at driver open if none was reserved at probe time (bsc#1086282)
  • bnxt_en: Reserve rings in bnxt_set_channels() if device is down (bsc#1086282)
  • bnxt_en: Reserve rings in bnxt_set_channels() if device is down (bsc#1086282)
  • bnxt_en: Restore MSIX after disabling SRIOV (bsc#1086282)
  • bnxt_en: Set initial default RX and TX ring numbers the same in combined mode (bsc#1086282)
  • bnxt_en: Set initial default RX and TX ring numbers the same in combined mode (bsc#1086282)
  • bnxt_en: Simplify ring alloc/free error messages (bsc#1086282)
  • bnxt_en: Support max-mtu with VF-reps (bsc#1086282)
  • bnxt_en: Update firmware interface to 1.9.0 (bsc#1086282)
  • bnxt_en: Update firmware interface to 1.9.1.15 (bsc#1086282)
  • bnxt_en: Use a dedicated VNIC mode for rdma (bsc#1086282)
  • bnxt_en: close and open NIC, only when the interface is in running state (bsc#1086282)
  • bnxt_en: close and open NIC, only when the i