Security update for the Linux Kernel

Announcement ID: SUSE-SU-2019:1240-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2018-12126 ( SUSE ): 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
  • CVE-2018-12126 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2018-12127 ( SUSE ): 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
  • CVE-2018-12127 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2018-12130 ( SUSE ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2018-12130 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2018-16880 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-16880 ( NVD ): 5.9 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
  • CVE-2019-11091 ( SUSE ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2019-11091 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2019-3882 ( SUSE ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-3882 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-3882 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-9003 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-9003 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-9003 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-9500 ( SUSE ): 5.0 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2019-9500 ( NVD ): 8.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2019-9503 ( SUSE ): 4.7 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
  • CVE-2019-9503 ( NVD ): 8.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Products:
  • Public Cloud Module 15
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server for SAP Applications 15

An update that solves nine vulnerabilities and has 159 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 for Azure kernel was updated to receive various security and bugfixes.

Four new speculative execution issues have been identified in Intel CPUs. (bsc#1111331)

  • CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
  • CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
  • CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

This kernel update contains software mitigations, utilizing CPU microcode updates shipped in parallel.

For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736

The following security bugs were fixed:

  • CVE-2019-9003: Attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop (bnc#1126704).
  • CVE-2018-16880: A flaw was found in the handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (bnc#1122767).
  • CVE-2019-9500: A brcmfmac heap buffer overflow in brcmf_wowl_nd_results was fixed. (bnc#1132681).
  • CVE-2019-9503: A brcmfmac frame validation bypass was fixed. (bnc#1132828).
  • CVE-2019-3882: A flaw was found in the vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). (bnc#1131416 bnc#1131427).

The following non-security bugs were fixed:

  • 9p: do not trust pdu content for stat item size (bsc#1051510).
  • acpi: acpi_pad: Do not launch acpi_pad threads on idle cpus (bsc#1113399).
  • acpi, nfit: Prefer _DSM over _LSR for namespace label reads (bsc#1132426).
  • acpi / SBS: Fix GPE storm on recent MacBookPro's (bsc#1051510).
  • alsa: core: Fix card races between register and disconnect (bsc#1051510).
  • alsa: echoaudio: add a check for ioremap_nocache (bsc#1051510).
  • alsa: firewire: add const qualifier to identifiers for read-only symbols (bsc#1051510).
  • alsa: firewire-motu: add a flag for AES/EBU on XLR interface (bsc#1051510).
  • alsa: firewire-motu: add specification flag for position of flag for MIDI messages (bsc#1051510).
  • alsa: firewire-motu: add support for MOTU Audio Express (bsc#1051510).
  • alsa: firewire-motu: add support for Motu Traveler (bsc#1051510).
  • alsa: firewire-motu: use 'version' field of unit directory to identify model (bsc#1051510).
  • alsa: hda - add Lenovo IdeaCentre B550 to the power_save_blacklist (bsc#1051510).
  • alsa: hda - Add two more machines to the power_save_blacklist (bsc#1051510).
  • alsa: hda - Enforces runtime_resume after S3 and S4 for each codec (bsc#1051510).
  • alsa: hda: Initialize power_state field properly (bsc#1051510).
  • alsa: hda/realtek - Add quirk for Tuxedo XC 1509 (bsc#1131442).
  • alsa: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic (bsc#1051510).
  • alsa: hda/realtek - Add support headset mode for DELL WYSE AIO (bsc#1051510).
  • alsa: hda/realtek - Add support headset mode for New DELL WYSE NB (bsc#1051510).
  • alsa: hda/realtek - add two more pin configuration sets to quirk table (bsc#1051510).
  • alsa: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256 (bsc#1051510).
  • alsa: hda/realtek: Enable headset MIC of Acer AIO with ALC286 (bsc#1051510).
  • alsa: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 with ALC286 (bsc#1051510).
  • alsa: hda/realtek: Enable headset mic of ASUS P5440FF with ALC256 (bsc#1051510).
  • alsa: hda - Record the current power state before suspend/resume calls (bsc#1051510).
  • alsa: info: Fix racy addition/deletion of nodes (bsc#1051510).
  • alsa: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration (bsc#1051510).
  • alsa: PCM: check if ops are defined before suspending PCM (bsc#1051510).
  • alsa: pcm: Do not suspend stream in unrecoverable PCM state (bsc#1051510).
  • alsa: pcm: Fix possible OOB access in PCM oss plugins (bsc#1051510).
  • alsa: rawmidi: Fix potential Spectre v1 vulnerability (bsc#1051510).
  • alsa: sb8: add a check for request_region (bsc#1051510).
  • alsa: seq: Fix OOB-reads from strlcpy (bsc#1051510).
  • alsa: seq: oss: Fix Spectre v1 vulnerability (bsc#1051510).
  • ASoC: fsl-asoc-card: fix object reference leaks in fsl_asoc_card_probe (bsc#1051510).
  • ASoC: fsl_esai: fix channel swap issue when stream starts (bsc#1051510).
  • ASoC: topology: free created components in tplg load error (bsc#1051510).
  • assume flash part size to be 4MB, if it can't be determined (bsc#1127371).
  • ath10k: avoid possible string overflow (bsc#1051510).
  • auxdisplay: hd44780: Fix memory leak on ->remove() (bsc#1051510).
  • auxdisplay: ht16k33: fix potential user-after-free on module unload (bsc#1051510).
  • batman-adv: Reduce claim hash refcnt only for removed entry (bsc#1051510).
  • batman-adv: Reduce tt_global hash refcnt only for removed entry (bsc#1051510).
  • batman-adv: Reduce tt_local hash refcnt only for removed entry (bsc#1051510).
  • bcm2835: MMC issues (bsc#1070872).
  • blkcg: Introduce blkg_root_lookup() (bsc#1131673).
  • blkcg: Make blkg_root_lookup() work for queues in bypass mode (bsc#1131673).
  • blk-mq: adjust debugfs and sysfs register when updating nr_hw_queues (bsc#1131673).
  • blk-mq: Avoid that submitting a bio concurrently with device removal triggers a crash (bsc#1131673).
  • blk-mq: change gfp flags to GFP_NOIO in blk_mq_realloc_hw_ctxs (bsc#1131673).
  • blk-mq: fallback to previous nr_hw_queues when updating fails (bsc#1131673).
  • blk-mq: init hctx sched after update ctx and hctx mapping (bsc#1131673).
  • blk-mq: realloc hctx when hw queue is mapped to another node (bsc#1131673).
  • blk-mq: sync the update nr_hw_queues with blk_mq_queue_tag_busy_iter (bsc#1131673).
  • block: Ensure that a request queue is dissociated from the cgroup controller (bsc#1131673).
  • block: Fix a race between request queue removal and the block cgroup controller (bsc#1131673).
  • block: Introduce blk_exit_queue() (bsc#1131673).
  • block: kABI fixes for bio_rewind_iter() removal (bsc#1131673).
  • block: remove bio_rewind_iter() (bsc#1131673).
  • Bluetooth: btusb: request wake pin with NOAUTOEN (bsc#1051510).
  • Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt (bsc#1051510).
  • Bluetooth: Fix decrementing reference count twice in releasing socket (bsc#1051510).
  • Bluetooth: hci_ldisc: Initialize hci_dev before open() (bsc#1051510).
  • Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() (bsc#1051510).
  • Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf() (bsc#1133731).
  • bnxt_en: Drop oversize TX packets to prevent errors (networking-stable-19_03_07).
  • bonding: fix PACKET_ORIGDEV regression (git-fixes).
  • bpf: fix use after free in bpf_evict_inode (bsc#1083647).
  • btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size (git-fixes).
  • btrfs: check for refs on snapshot delete resume (bsc#1131335).
  • Btrfs: fix assertion failure on fsync with NO_HOLES enabled (bsc#1131848).
  • btrfs: Fix bound checking in qgroup_trace_new_subtree_blocks (git-fixes).
  • Btrfs: fix deadlock between clone/dedupe and rename (bsc#1130518).
  • Btrfs: fix incorrect file size after shrinking truncate and fsync (bsc#1130195).
  • btrfs: remove WARN_ON in log_dir_items (bsc#1131847).
  • btrfs: save drop_progress if we drop refs at all (bsc#1131336).
  • cdrom: Fix race condition in cdrom_sysctl_register (bsc#1051510).
  • cgroup: fix parsing empty mount option string (bsc#1133094).
  • cifs: allow guest mounts to work for smb3.11 (bsc#1051510).
  • cifs: Do not count -ENODATA as failure for query directory (bsc#1051510).
  • cifs: do not dereference smb_file_target before null check (bsc#1051510).
  • cifs: Do not hide EINTR after sending network packets (bsc#1051510).
  • cifs: Do not reconnect TCP session in add_credits() (bsc#1051510).
  • cifs: Do not reset lease state to NONE on lease break (bsc#1051510).
  • cifs: Fix adjustment of credits for MTU requests (bsc#1051510).
  • cifs: Fix credit calculation for encrypted reads with errors (bsc#1051510).
  • cifs: Fix credits calculations for reads with errors (bsc#1051510).
  • cifs: fix POSIX lock leak and invalid ptr deref (bsc#1114542).
  • cifs: Fix possible hang during async MTU reads and writes (bsc#1051510).
  • cifs: Fix potential OOB access of lock element array (bsc#1051510).
  • cifs: Fix read after write for files with read caching (bsc#1051510).
  • clk: clk-twl6040: Fix imprecise external abort for pdmclk (bsc#1051510).
  • clk: fractional-divider: check parent rate only if flag is set (bsc#1051510).
  • clk: ingenic: Fix doc of ingenic_cgu_div_info (bsc#1051510).
  • clk: ingenic: Fix round_rate misbehaving with non-integer dividers (bsc#1051510).
  • clk: rockchip: fix frac settings of GPLL clock for rk3328 (bsc#1051510).
  • clk: sunxi-ng: v3s: Fix TCON reset de-assert bit (bsc#1051510).
  • clk: vc5: Abort clock configuration without upstream clock (bsc#1051510).
  • clk: x86: Add system specific quirk to mark clocks as critical (bsc#1051510).
  • clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown (bsc#1051510).
  • clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR (bsc#1051510).
  • cpcap-charger: generate events for userspace (bsc#1051510).
  • cpufreq: pxa2xx: remove incorrect __init annotation (bsc#1051510).
  • cpufreq: tegra124: add missing of_node_put() (bsc#1051510).
  • cpupowerutils: bench - Fix cpu online check (bsc#1051510).
  • cpu/speculation: Add 'mitigations=' cmdline option (bsc#1112178).
  • crypto: caam - add missing put_device() call (bsc#1129770).
  • crypto: crypto4xx - properly set IV after de- and encrypt (bsc#1051510).
  • crypto: pcbc - remove bogus memcpy()s with src == dest (bsc#1051510).
  • crypto: sha256/arm - fix crash bug in Thumb2 build (bsc#1051510).
  • crypto: sha512/arm - fix crash bug in Thumb2 build (bsc#1051510).
  • crypto: x86/poly1305 - fix overflow during partial reduction (bsc#1051510).
  • cxgb4: Add capability to get/set SGE Doorbell Queue Timer Tick (bsc#1127371).
  • cxgb4: Added missing break in ndo_udp_tunnel_{add/del} (bsc#1127371).
  • cxgb4: Add flag tc_flower_initialized (bsc#1127371).
  • cxgb4: Add new T5 PCI device id 0x50ae (bsc#1127371).
  • cxgb4: Add new T5 PCI device ids 0x50af and 0x50b0 (bsc#1127371).
  • cxgb4: Add new T6 PCI device ids 0x608a (bsc#1127371).
  • cxgb4: add per rx-queue counter for packet errors (bsc#1127371).
  • cxgb4: Add support for FW_ETH_TX_PKT_VM_WR (bsc#1127371).
  • cxgb4: add support to display DCB info (bsc#1127371).
  • cxgb4: Add support to read actual provisioned resources (bsc#1127371).
  • cxgb4: collect ASIC LA dumps from ULP TX (bsc#1127371).
  • cxgb4: collect hardware queue descriptors (bsc#1127371).
  • cxgb4: collect number of free PSTRUCT page pointers (bsc#1127371).
  • cxgb4: convert flower table to use rhashtable (bsc#1127371).
  • cxgb4: cxgb4: use FW_PORT_ACTION_L1_CFG32 for 32 bit capability (bsc#1127371).
  • cxgb4/cxgb4vf: Add support for SGE doorbell queue timer (bsc#1127371).
  • cxgb4/cxgb4vf: Fix mac_hlist initialization and free (bsc#1127374).
  • cxgb4/cxgb4vf: Link management changes (bsc#1127371).
  • cxgb4/cxgb4vf: Program hash region for {t4/t4vf}_change_mac() (bsc#1127371).
  • cxgb4: display number of rx and tx pages free (bsc#1127371).
  • cxgb4: do not return DUPLEX_UNKNOWN when link is down (bsc#1127371).
  • cxgb4: Export sge_host_page_size to ulds (bsc#1127371).
  • cxgb4: fix the error path of cxgb4_uld_register() (bsc#1127371).
  • cxgb4: impose mandatory VLAN usage when non-zero TAG ID (bsc#1127371).
  • cxgb4: Mask out interrupts that are not enabled (bsc#1127175).
  • cxgb4: move Tx/Rx free pages collection to common code