Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2019:0196-1
Rating:	important
References:	bsc#1024718 bsc#1046299 bsc#1050242 bsc#1050244 bsc#1051510 bsc#1055121 bsc#1055186 bsc#1058115 bsc#1060463 bsc#1065729 bsc#1078248 bsc#1079935 bsc#1082387 bsc#1083647 bsc#1086282 bsc#1086283 bsc#1086423 bsc#1087084 bsc#1087978 bsc#1088386 bsc#1090888 bsc#1091405 bsc#1094244 bsc#1097593 bsc#1102875 bsc#1102877 bsc#1102879 bsc#1102882 bsc#1102896 bsc#1103257 bsc#1104353 bsc#1104427 bsc#1104967 bsc#1105168 bsc#1106105 bsc#1106110 bsc#1106615 bsc#1106913 bsc#1108270 bsc#1109272 bsc#1110558 bsc#1111188 bsc#1111469 bsc#1111696 bsc#1111795 bsc#1112128 bsc#1113722 bsc#1114648 bsc#1114871 bsc#1116040 bsc#1116336 bsc#1116803 bsc#1116841 bsc#1117115 bsc#1117162 bsc#1117165 bsc#1117186 bsc#1117561 bsc#1117656 bsc#1117953 bsc#1118215 bsc#1118319 bsc#1118428 bsc#1118484 bsc#1118505 bsc#1118752 bsc#1118760 bsc#1118761 bsc#1118762 bsc#1118766 bsc#1118767 bsc#1118768 bsc#1118769 bsc#1118771 bsc#1118772 bsc#1118773 bsc#1118774 bsc#1118775 bsc#1118787 bsc#1118788 bsc#1118798 bsc#1118809 bsc#1118962 bsc#1119017 bsc#1119086 bsc#1119212 bsc#1119322 bsc#1119410 bsc#1119714 bsc#1119749 bsc#1119804 bsc#1119946 bsc#1119962 bsc#1119968 bsc#1120036 bsc#1120046 bsc#1120053 bsc#1120054 bsc#1120055 bsc#1120058 bsc#1120088 bsc#1120092 bsc#1120094 bsc#1120096 bsc#1120097 bsc#1120173 bsc#1120214 bsc#1120223 bsc#1120228 bsc#1120230 bsc#1120232 bsc#1120234 bsc#1120235 bsc#1120238 bsc#1120594 bsc#1120598 bsc#1120600 bsc#1120601 bsc#1120602 bsc#1120603 bsc#1120604 bsc#1120606 bsc#1120612 bsc#1120613 bsc#1120614 bsc#1120615 bsc#1120616 bsc#1120617 bsc#1120618 bsc#1120620 bsc#1120621 bsc#1120632 bsc#1120633 bsc#1120743 bsc#1120954 bsc#1121017 bsc#1121058 bsc#1121263 bsc#1121273 bsc#1121477 bsc#1121483 bsc#1121599 bsc#1121621 bsc#1121714 bsc#1121715 bsc#1121973
Cross-References:	CVE-2018-12232 CVE-2018-14625 CVE-2018-16862 CVE-2018-16884 CVE-2018-18397 CVE-2018-19407 CVE-2018-19854 CVE-2018-19985 CVE-2018-20169 CVE-2018-9568
CVSS scores:	CVE-2018-12232 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-12232 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-14625 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-14625 ( NVD ): 5.3 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-16862 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N CVE-2018-16862 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-16884 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-16884 ( NVD ): 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-16884 ( NVD ): 6.5 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H CVE-2018-18397 ( SUSE ): 6.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N CVE-2018-18397 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2018-19407 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-19407 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-19854 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2018-19854 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-19985 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2018-19985 ( NVD ): 4.6 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-20169 ( SUSE ): 6.3 CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-20169 ( NVD ): 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-20169 ( NVD ): 6.8 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-9568 ( SUSE ): 7.4 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-9568 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-9568 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Availability Extension 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise Live Patching 12-SP4 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP4 SUSE Linux Enterprise Software Development Kit 12 SP4 SUSE Linux Enterprise Workstation Extension 12 12-SP4

An update that solves 10 vulnerabilities and has 136 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).
CVE-2018-12232: In net/socket.c in the there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat did not increment the file descriptor reference count, which allowed close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash (bnc#1097593).
CVE-2018-14625: A flaw was found where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients (bnc#1106615).
CVE-2018-16862: A security flaw was found in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186).
CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).
CVE-2018-18397: The userfaultfd implementation mishandled access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c (bnc#1117656).
CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).
CVE-2018-19854: An issue was discovered in the crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker did not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option) (bnc#1118428).
CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).
CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).

The following non-security bugs were fixed:

acpi / CPPC: Check for valid PCC subspace only if PCC is used (bsc#1117115).
acpi / CPPC: Update all pr_(debug/err) messages to log the susbspace id (bsc#1117115).
aio: fix spectre gadget in lookup_ioctx (bsc#1120594).
alsa: cs46xx: Potential NULL dereference in probe (bsc#1051510).
alsa: emu10k1: Fix potential Spectre v1 vulnerabilities (bsc#1051510).
alsa: emux: Fix potential Spectre v1 vulnerabilities (bsc#1051510).
alsa: fireface: fix for state to fetch PCM frames (bsc#1051510).
alsa: fireface: fix reference to wrong register for clock configuration (bsc#1051510).
alsa: firewire-lib: fix wrong assignment for 'out_packet_without_header' tracepoint (bsc#1051510).
alsa: firewire-lib: fix wrong handling payload_length as payload_quadlet (bsc#1051510).
alsa: firewire-lib: use the same print format for 'without_header' tracepoints (bsc#1051510).
alsa: hda: add mute LED support for HP EliteBook 840 G4 (bsc#1051510).
alsa: hda: Add support for AMD Stoney Ridge (bsc#1051510).
alsa: hda/ca0132 - make pci_iounmap() call conditional (bsc#1051510).
alsa: hda: fix front speakers on Huawei MBXP (bsc#1051510).
alsa: hda/realtek - Add support for Acer Aspire C24-860 headset mic (bsc#1051510).
alsa: hda/realtek - Add unplug function into unplug state of Headset Mode for ALC225 (bsc#1051510).
alsa: hda/realtek: ALC286 mic and headset-mode fixups for Acer Aspire U27-880 (bsc#1051510).
alsa: hda/realtek: ALC294 mic and headset-mode fixups for ASUS X542UN (bsc#1051510).
alsa: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 (bsc#1051510).
alsa: hda/realtek: Enable audio jacks of ASUS UX391UA with ALC294 (bsc#1051510).
alsa: hda/realtek: Enable audio jacks of ASUS UX433FN/UX333FA with ALC294 (bsc#1051510).
alsa: hda/realtek: Enable audio jacks of ASUS UX533FD with ALC294 (bsc#1051510).
alsa: hda/realtek: Enable the headset mic auto detection for ASUS laptops (bsc#1051510).
alsa: hda/realtek - Fixed headphone issue for ALC700 (bsc#1051510).
alsa: hda/realtek: Fix mic issue on Acer AIO Veriton Z4660G (bsc#1051510).
alsa: hda/realtek: Fix mic issue on Acer AIO Veriton Z4860G/Z6860G (bsc#1051510).
alsa: hda/realtek - Fix speaker output regression on Thinkpad T570 (bsc#1051510).
alsa: hda/realtek - Fix the mute LED regresion on Lenovo X1 Carbon (bsc#1051510).
alsa: hda/realtek - Support Dell headset mode for New AIO platform (bsc#1051510).
alsa: hda/tegra: clear pending irq handlers (bsc#1051510).
alsa: pcm: Call snd_pcm_unlink() conditionally at closing (bsc#1051510).
alsa: pcm: Fix interval evaluation with openmin/max (bsc#1051510).
alsa: pcm: Fix potential Spectre v1 vulnerability (bsc#1051510).
alsa: pcm: Fix starvation on down_write_nonblock() (bsc#1051510).
alsa: rme9652: Fix potential Spectre v1 vulnerability (bsc#1051510).
alsa: trident: Suppress gcc string warning (bsc#1051510).
alsa: usb-audio: Add SMSL D1 to quirks for native DSD support (bsc#1051510).
alsa: usb-audio: Add support for Encore mDSD USB DAC (bsc#1051510).
alsa: usb-audio: Avoid access before bLength check in build_audio_procunit() (bsc#1051510).
alsa: usb-audio: Fix an out-of-bound read in create_composite_quirks (bsc#1051510).
alsa: x86: Fix runtime PM for hdmi-lpe-audio (bsc#1051510).
apparmor: do not try to replace stale label in ptrace access check (git-fixes).
apparmor: do not try to replace stale label in ptraceme check (git-fixes).
apparmor: Fix uninitialized value in aa_split_fqname (git-fixes).
arm64: Add work around for Arm Cortex-A55 Erratum 1024718 (bsc#1120612).
arm64: atomics: Remove '&' from '+&' asm constraint in lse atomics (bsc#1120613).
arm64: cpu_errata: include required headers (bsc#1120615).
arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing (bsc#1120633).
arm64: Fix /proc/iomem for reserved but not memory regions (bsc#1120632).
arm64: lse: Add early clobbers to some input/output asm operands (bsc#1120614).
arm64: lse: remove -fcall-used-x0 flag (bsc#1120618).
arm64: mm: always enable CONFIG_HOLES_IN_ZONE (bsc#1120617).
arm64/numa: Report correct memblock range for the dummy node (bsc#1120620).
arm64/numa: Unify common error path in numa_init() (bsc#1120621).
arm64: remove no-op -p linker flag (bsc#1120616).
ASoC: dapm: Recalculate audio map forcely when card instantiated (bsc#1051510).
ASoC: intel: cht_bsw_max98090_ti: Add pmc_plt_clk_0 quirk for Chromebook Clapper (bsc#1051510).
ASoC: intel: cht_bsw_max98090_ti: Add pmc_plt_clk_0 quirk for Chromebook Gnawty (bsc#1051510).
ASoC: Intel: mrfld: fix uninitialized variable access (bsc#1051510).
ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing (bsc#1051510).
ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE (bsc#1051510).
ASoC: omap-mcbsp: Fix latency value calculation for pm_qos (bsc#1051510).
ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE (bsc#1051510).
ASoC: rsnd: fixup clock start checker (bsc#1051510).
ASoC: wm_adsp: Fix dma-unsafe read of scratch registers (bsc#1051510).
ath10k: do not assume this is a PCI dev in generic code (bsc#1051510).
ath6kl: Only use match sets when firmware supports it (bsc#1051510).
b43: Fix error in cordic routine (bsc#1051510).
bcache: fix miss key refill->end in writeback (Git-fixes).
bcache: trace missed reading by cache_missed (Git-fixes).
Blacklist 5182f26f6f74 crypto: ccp - Make function sev_get_firmware() static
blk-mq: remove synchronize_rcu() from blk_mq_del_queue_tag_set() (Git-fixes).
block: allow max_discard_segments to be stacked (Git-fixes).
block: blk_init_allocated_queue() set q->fq as NULL in the fail case (Git-fixes).
block: really disable runtime-pm for blk-mq (Git-fixes).
block: reset bi_iter.bi_done after splitting bio (Git-fixes).
block/swim: Fix array bounds check (Git-fixes).
bnxt_en: do not try to offload VLAN 'modify' action (bsc#1050242 ).
bnxt_en: Fix enables field in HWRM_QUEUE_COS2BW_CFG request (bsc#1086282).
bnxt_en: Fix VNIC reservations on the PF (bsc#1086282 ).
bnxt_en: get the reduced max_irqs by the ones used by RDMA (bsc#1050242).
bpf: fix check of allowed specifiers in bpf_trace_printk (bsc#1083647).
bpf: use per htab salt for bucket hash (git-fixes).
btrfs: Always try all copies when reading extent buffers (git-fixes).
btrfs: delete dead code in btrfs_orphan_add() (bsc#1111469).
btrfs: delete dead code in btrfs_orphan_commit_root() (bsc#1111469).
btrfs: do not BUG_ON() in btrfs_truncate_inode_items() (bsc#1111469).
btrfs: do not check inode's runtime flags under root->orphan_lock (bsc#1111469).
btrfs: do not return ino to ino cache if inode item removal fails (bsc#1111469).
btrfs: fix ENOSPC caused by orphan items reservations (bsc#1111469).
btrfs: Fix error handling in btrfs_cleanup_ordered_extents (git-fixes).
btrfs: fix error handling in btrfs_truncate() (bsc#1111469).
btrfs: fix error handling in btrfs_truncate_inode_items() (bsc#1111469).
btrfs: fix fsync of files with multiple hard links in new directories (1120173).
btrfs: Fix memory barriers usage with device stats counters (git-fixes).
btrfs: fix use-after-free on root->orphan_block_rsv (bsc#1111469).
btrfs: get rid of BTRFS_INODE_HAS_ORPHAN_ITEM (bsc#1111469).
btrfs: get rid of unused orphan infrastructure (bsc#1111469).
btrfs: move btrfs_truncate_block out of trans handle (bsc#1111469).
btrfs: qgroup: Dirty all qgroups before rescan (bsc#1120036).
btrfs: refactor btrfs_evict_inode() reserve refill dance (bsc#1111469).
btrfs: renumber BTRFS_INODE_ runtime flags and switch to enums (bsc#1111469).
btrfs: reserve space for O_TMPFILE orphan item deletion (bsc#1111469).
btrfs: run delayed items before dropping the snapshot (bsc#1121263, bsc#1111188).
btrfs: stop creating orphan items for truncate (bsc#1111469).
btrfs: tree-checker: Do not check max block group size as current max chunk size limit is unreliable (fixes for bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
btrfs: update stale comments referencing vmtruncate() (bsc#1111469).
can: flexcan: flexcan_irq(): fix indention (bsc#1051510).
cdrom: do not attempt to fiddle with cdo->capability (bsc#1051510).
ceph: do not update importing cap's mseq when handing cap export (bsc#1121273).
char_dev: extend dynamic allocation of majors into a higher range (bsc#1121058).
char_dev: Fix off-by-one bugs in find_dynamic_major() (bsc#1121058).
clk: mmp: Off by one in mmp_clk_add() (bsc#1051510).
clk: mvebu: Off by one bugs in cp110_of_clk_get() (bsc#1051510).
compiler-gcc.h: Add attribute((gnu_inline)) to all inline declarations (git-fixes).
config: arm64: enable erratum 1024718
cpufeature: avoid warning when compiling with clang (Git-fixes).
cpufreq / CPPC: Add cpuinfo_cur_freq support for CPPC (bsc#1117115).
cpufreq: CPPC: fix build in absence of v3 support (bsc#1117115).
cpupower: remove stringop-truncation waring (git-fixes).
crypto: bcm - fix normal/non key hash algorithm failure (bsc#1051510).
crypto: ccp - Add DOWNLOAD_FIRMWARE SEV command ().
crypto: ccp - Add GET_ID SEV command ().
crypto: ccp - Add psp enabled message when initialization succeeds ().
crypto: ccp - Add support for new CCP/PSP device ID ().
crypto: ccp - Allow SEV firmware to be chosen based on Family and Model ().
crypto: ccp - Fix static checker warning ().
crypto: ccp - Remove unused #defines ().
crypto: ccp - Support register differences between PSP devices ().
dasd: fix deadlock in dasd_times_out (bsc#1121477, LTC#174111).
dax: Check page->mapping isn't NULL (bsc#1120054).
dax: Do not access a freed inode (bsc#1120055).
device property: Define type of PROPERTY_ENRTY_*() macros (bsc#1051510).
device property: fix fwnode_graph_get_next_endpoint() documentation (bsc#1051510).
disable stringop truncation warnings for now (git-fixes).
dm: allocate struct mapped_device with kvzalloc (Git-fixes).
dm cache: destroy migration_cache if cache target registration failed (Git-fixes).
dm cache: fix resize crash if user does not reload cache table (Git-fixes).
dm cache metadata: ignore hints array being too small during resize (Git-fixes).
dm cache metadata: save in-core policy_hint_size