Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2019:1241-1
Rating:	important
References:	bsc#1050549 bsc#1051510 bsc#1052904 bsc#1053043 bsc#1055117 bsc#1055121 bsc#1055186 bsc#1061840 bsc#1065600 bsc#1065729 bsc#1070872 bsc#1082555 bsc#1083647 bsc#1085535 bsc#1085536 bsc#1088804 bsc#1094244 bsc#1097583 bsc#1097584 bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1100132 bsc#1103186 bsc#1103259 bsc#1108193 bsc#1108937 bsc#1111331 bsc#1112128 bsc#1112178 bsc#1113399 bsc#1113722 bsc#1114279 bsc#1114542 bsc#1114638 bsc#1119086 bsc#1119680 bsc#1120318 bsc#1120902 bsc#1122767 bsc#1123105 bsc#1125342 bsc#1126221 bsc#1126356 bsc#1126704 bsc#1126740 bsc#1127175 bsc#1127371 bsc#1127372 bsc#1127374 bsc#1127378 bsc#1127445 bsc#1128415 bsc#1128544 bsc#1129273 bsc#1129276 bsc#1129770 bsc#1130130 bsc#1130154 bsc#1130195 bsc#1130335 bsc#1130336 bsc#1130337 bsc#1130338 bsc#1130425 bsc#1130427 bsc#1130518 bsc#1130527 bsc#1130567 bsc#1130579 bsc#1131062 bsc#1131107 bsc#1131167 bsc#1131168 bsc#1131169 bsc#1131170 bsc#1131171 bsc#1131172 bsc#1131173 bsc#1131174 bsc#1131175 bsc#1131176 bsc#1131177 bsc#1131178 bsc#1131179 bsc#1131180 bsc#1131290 bsc#1131326 bsc#1131335 bsc#1131336 bsc#1131416 bsc#1131427 bsc#1131442 bsc#1131467 bsc#1131574 bsc#1131587 bsc#1131659 bsc#1131673 bsc#1131847 bsc#1131848 bsc#1131851 bsc#1131900 bsc#1131934 bsc#1131935 bsc#1132083 bsc#1132219 bsc#1132226 bsc#1132227 bsc#1132365 bsc#1132368 bsc#1132369 bsc#1132370 bsc#1132372 bsc#1132373 bsc#1132384 bsc#1132397 bsc#1132402 bsc#1132403 bsc#1132404 bsc#1132405 bsc#1132407 bsc#1132411 bsc#1132412 bsc#1132413 bsc#1132414 bsc#1132426 bsc#1132527 bsc#1132531 bsc#1132555 bsc#1132558 bsc#1132561 bsc#1132562 bsc#1132563 bsc#1132564 bsc#1132570 bsc#1132571 bsc#1132572 bsc#1132589 bsc#1132618 bsc#1132681 bsc#1132726 bsc#1132828 bsc#1132943 bsc#1133005 bsc#1133094 bsc#1133095 bsc#1133115 bsc#1133149 bsc#1133486 bsc#1133529 bsc#1133584 bsc#1133667 bsc#1133668 bsc#1133672 bsc#1133674 bsc#1133675 bsc#1133698 bsc#1133702 bsc#1133731 bsc#1133769 bsc#1133772 bsc#1133774 bsc#1133778 bsc#1133779 bsc#1133780 bsc#1133825 bsc#1133850 bsc#1133851 bsc#1133852
Cross-References:	CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2018-16880 CVE-2019-11091 CVE-2019-3882 CVE-2019-9003 CVE-2019-9500 CVE-2019-9503
CVSS scores:	CVE-2018-12126 ( SUSE ): 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2018-12126 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-12127 ( SUSE ): 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2018-12127 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-12130 ( SUSE ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-12130 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-16880 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-16880 ( NVD ): 5.9 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N CVE-2019-11091 ( SUSE ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2019-11091 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2019-3882 ( SUSE ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-3882 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-3882 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-9003 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-9003 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9003 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9500 ( SUSE ): 5.0 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2019-9500 ( NVD ): 8.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVE-2019-9503 ( SUSE ): 4.7 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVE-2019-9503 ( NVD ): 8.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Availability Extension 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise Live Patching 12-SP4 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP4 SUSE Linux Enterprise Software Development Kit 12 SP4 SUSE Linux Enterprise Workstation Extension 12 12-SP4

An update that solves nine vulnerabilities and has 161 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)

CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

This kernel update contains software mitigations for these issues, which also utilize CPU microcode updates shipped in parallel.

For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736

The following security bugs were fixed:

CVE-2018-16880: A flaw was found in the handle_rx() function in the vhost_net driver. A malicious virtual guest, under specific conditions, could trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (bnc#1122767).
CVE-2019-3882: A flaw was found in the vfio interface implementation that permitted violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). (bnc#1131416 bnc#1131427).
CVE-2019-9003: Attackers could trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop (bnc#1126704).
CVE-2019-9500: A brcmfmac heap buffer overflow in brcmf_wowl_nd_results was fixed. (bnc#1132681).
CVE-2019-9503: A brcmfmac frame validation bypass was fixed. (bnc#1132828).

The following non-security bugs were fixed:

9p: do not trust pdu content for stat item size (bsc#1051510).
ACPI: acpi_pad: Do not launch acpi_pad threads on idle cpus (bsc#1113399).
acpi, nfit: Prefer _DSM over _LSR for namespace label reads (bsc#1112128) (bsc#1132426).
ACPI / SBS: Fix GPE storm on recent MacBookPro's (bsc#1051510).
alsa: core: Fix card races between register and disconnect (bsc#1051510).
alsa: echoaudio: add a check for ioremap_nocache (bsc#1051510).
alsa: firewire: add const qualifier to identifiers for read-only symbols (bsc#1051510).
alsa: firewire-motu: add a flag for AES/EBU on XLR interface (bsc#1051510).
alsa: firewire-motu: add specification flag for position of flag for MIDI messages (bsc#1051510).
alsa: firewire-motu: add support for MOTU Audio Express (bsc#1051510).
alsa: firewire-motu: add support for Motu Traveler (bsc#1051510).
alsa: firewire-motu: use 'version' field of unit directory to identify model (bsc#1051510).
alsa: hda - add Lenovo IdeaCentre B550 to the power_save_blacklist (bsc#1051510).
alsa: hda - Add two more machines to the power_save_blacklist (bsc#1051510).
alsa: hda - Enforces runtime_resume after S3 and S4 for each codec (bsc#1051510).
alsa: hda: Initialize power_state field properly (bsc#1051510).
alsa: hda/realtek - Add new Dell platform for headset mode (bsc#1051510).
alsa: hda/realtek - Add quirk for Tuxedo XC 1509 (bsc#1131442).
alsa: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic (bsc#1051510).
alsa: hda/realtek - Add support headset mode for DELL WYSE AIO (bsc#1051510).
alsa: hda/realtek - Add support headset mode for New DELL WYSE NB (bsc#1051510).
alsa: hda/realtek - add two more pin configuration sets to quirk table (bsc#1051510).
alsa: hda/realtek - Apply the fixup for ASUS Q325UAR (bsc#1051510).
alsa: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256 (bsc#1051510).
alsa: hda/realtek: Enable headset MIC of Acer AIO with ALC286 (bsc#1051510).
alsa: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 with ALC286 (bsc#1051510).
alsa: hda/realtek: Enable headset mic of ASUS P5440FF with ALC256 (bsc#1051510).
alsa: hda/realtek - Fixed Dell AIO speaker noise (bsc#1051510).
alsa: hda - Record the current power state before suspend/resume calls (bsc#1051510).
alsa: info: Fix racy addition/deletion of nodes (bsc#1051510).
alsa: line6: use dynamic buffers (bsc#1051510).
alsa: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration (bsc#1051510).
alsa: PCM: check if ops are defined before suspending PCM (bsc#1051510).
alsa: pcm: Do not suspend stream in unrecoverable PCM state (bsc#1051510).
alsa: pcm: Fix possible OOB access in PCM oss plugins (bsc#1051510).
alsa: rawmidi: Fix potential Spectre v1 vulnerability (bsc#1051510).
alsa: sb8: add a check for request_region (bsc#1051510).
alsa: seq: Fix OOB-reads from strlcpy (bsc#1051510).
alsa: seq: oss: Fix Spectre v1 vulnerability (bsc#1051510).
ASoC: fsl-asoc-card: fix object reference leaks in fsl_asoc_card_probe (bsc#1051510).
ASoC: fsl_esai: fix channel swap issue when stream starts (bsc#1051510).
ASoC: topology: free created components in tplg load error (bsc#1051510).
assume flash part size to be 4MB, if it can't be determined (bsc#1127371).
ath10k: avoid possible string overflow (bsc#1051510).
auxdisplay: hd44780: Fix memory leak on ->remove() (bsc#1051510).
auxdisplay: ht16k33: fix potential user-after-free on module unload (bsc#1051510).
batman-adv: Reduce claim hash refcnt only for removed entry (bsc#1051510).
batman-adv: Reduce tt_global hash refcnt only for removed entry (bsc#1051510).
batman-adv: Reduce tt_local hash refcnt only for removed entry (bsc#1051510).
bcm2835 MMC issues (bsc#1070872).
blkcg: Introduce blkg_root_lookup() (bsc#1131673).
blkcg: Make blkg_root_lookup() work for queues in bypass mode (bsc#1131673).
blk-mq: adjust debugfs and sysfs register when updating nr_hw_queues (bsc#1131673).
blk-mq: Avoid that submitting a bio concurrently with device removal triggers a crash (bsc#1131673).
blk-mq: change gfp flags to GFP_NOIO in blk_mq_realloc_hw_ctxs (bsc#1131673).
blk-mq: fallback to previous nr_hw_queues when updating fails (bsc#1131673).
blk-mq: init hctx sched after update ctx and hctx mapping (bsc#1131673).
blk-mq: realloc hctx when hw queue is mapped to another node (bsc#1131673).
blk-mq: sync the update nr_hw_queues with blk_mq_queue_tag_busy_iter (bsc#1131673).
block: Ensure that a request queue is dissociated from the cgroup controller (bsc#1131673).
block: Fix a race between request queue removal and the block cgroup controller (bsc#1131673).
block: Introduce blk_exit_queue() (bsc#1131673).
block: kABI fixes for bio_rewind_iter() removal (bsc#1131673).
block: remove bio_rewind_iter() (bsc#1131673).
bluetooth: btusb: request wake pin with NOAUTOEN (bsc#1051510).
bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt (bsc#1051510).
bluetooth: Fix decrementing reference count twice in releasing socket (bsc#1051510).
bluetooth: hci_ldisc: Initialize hci_dev before open() (bsc#1051510).
bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() (bsc#1051510).
bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf() (bsc#1133731).
bnxt_en: Drop oversize TX packets to prevent errors (networking-stable-19_03_07).
bonding: fix PACKET_ORIGDEV regression (git-fixes).
bpf: fix use after free in bpf_evict_inode (bsc#1083647).
btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size (git-fixes).
btrfs: check for refs on snapshot delete resume (bsc#1131335).
btrfs: fix assertion failure on fsync with NO_HOLES enabled (bsc#1131848).
btrfs: Fix bound checking in qgroup_trace_new_subtree_blocks (git-fixes).
btrfs: fix deadlock between clone/dedupe and rename (bsc#1130518).
btrfs: fix incorrect file size after shrinking truncate and fsync (bsc#1130195).
btrfs: remove WARN_ON in log_dir_items (bsc#1131847).
btrfs: save drop_progress if we drop refs at all (bsc#1131336).
cdrom: Fix race condition in cdrom_sysctl_register (bsc#1051510).
cgroup: fix parsing empty mount option string (bsc#1133094).
cifs: allow guest mounts to work for smb3.11 (bsc#1051510).
cifs: Do not count -ENODATA as failure for query directory (bsc#1051510).
cifs: do not dereference smb_file_target before null check (bsc#1051510).
cifs: Do not hide EINTR after sending network packets (bsc#1051510).
cifs: Do not reconnect TCP session in add_credits() (bsc#1051510).
cifs: Do not reset lease state to NONE on lease break (bsc#1051510).
cifs: Fix adjustment of credits for MTU requests (bsc#1051510).
cifs: Fix credit calculation for encrypted reads with errors (bsc#1051510).
cifs: Fix credits calculations for reads with errors (bsc#1051510).
cifs: fix POSIX lock leak and invalid ptr deref (bsc#1114542).
cifs: Fix possible hang during async MTU reads and writes (bsc#1051510).
cifs: Fix potential OOB access of lock element array (bsc#1051510).
cifs: Fix read after write for files with read caching (bsc#1051510).
clk: clk-twl6040: Fix imprecise external abort for pdmclk (bsc#1051510).
clk: fractional-divider: check parent rate only if flag is set (bsc#1051510).
clk: ingenic: Fix doc of ingenic_cgu_div_info (bsc#1051510).
clk: ingenic: Fix round_rate misbehaving with non-integer dividers (bsc#1051510).
clk: rockchip: fix frac settings of GPLL clock for rk3328 (bsc#1051510).
clk: sunxi-ng: v3s: Fix TCON reset de-assert bit (bsc#1051510).
clk: vc5: Abort clock configuration without upstream clock (bsc#1051510).
clk: x86: Add system specific quirk to mark clocks as critical (bsc#1051510).
clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown (bsc#1051510).
clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR (bsc#1051510).
cpcap-charger: generate events for userspace (bsc#1051510).
cpufreq: pxa2xx: remove incorrect __init annotation (bsc#1051510).
cpufreq: tegra124: add missing of_node_put() (bsc#1051510).
cpupowerutils: bench - Fix cpu online check (bsc#1051510).
cpu/speculation: Add 'mitigations=' cmdline option (bsc#1112178).
crypto: caam - add missing put_device() call (bsc#1129770).
crypto: crypto4xx - properly set IV after de- and encrypt (bsc#1051510).
crypto: pcbc - remove bogus memcpy()s with src == dest (bsc#1051510).
crypto: sha256/arm - fix crash bug in Thumb2 build (bsc#1051510).
crypto: sha512/arm - fix crash bug in Thumb2 build (bsc#1051510).
crypto: x86/poly1305 - fix overflow during partial reduction (bsc#1051510).
cxgb4: Add capability to get/set SGE Doorbell Queue Timer Tick (bsc#1127371).
cxgb4: Added missing break in ndo_udp_tunnel_{add/del} (bsc#1127371).
cxgb4: Add flag tc_flower_initialized (bsc#1127371).
cxgb4: Add new T5 PCI device id 0x50ae (bsc#1127371).
cxgb4: Add new T5 PCI device ids 0x50af and 0x50b0 (bsc#1127371).
cxgb4: Add new T6 PCI device ids 0x608a (bsc#1127371).
cxgb4: ad