Security update for the Linux Kernel

Announcement ID: SUSE-SU-2020:1087-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2019-19768 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2019-19768 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19770 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
  • CVE-2019-19770 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  • CVE-2019-3701 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-3701 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2019-9458 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9458 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-10942 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-10942 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
  • CVE-2020-11494 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2020-11494 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-11669 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-11669 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-2732 ( SUSE ): 3.2 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
  • CVE-2020-2732 ( NVD ): 6.8 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2020-8647 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  • CVE-2020-8647 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
  • CVE-2020-8649 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  • CVE-2020-8649 ( NVD ): 5.9 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  • CVE-2020-8834 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
  • CVE-2020-8834 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  • CVE-2020-9383 ( SUSE ): 4.3 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-9383 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Affected Products:
  • Public Cloud Module 15-SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Manager Proxy 4.0
  • SUSE Manager Retail Branch Server 4.0
  • SUSE Manager Server 4.0

An update that solves 12 vulnerabilities and has 139 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP1 azure kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

  • CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
  • CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
  • CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacked validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
  • CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
  • CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
  • CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
  • CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
  • CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
  • CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
  • CVE-2020-9383: An issue was discovered in set_fdc in drivers/block/floppy.c that leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bnc#1165111).
  • CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
  • CVE-2020-2732: Fixed a flaw in the KVM hypervisor instruction emulation for L2 guests. Under some circumstances, an L2 guest may have tricked the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
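
CVE-2020-11494 above belongs to a common class of kernel information leaks: a stack structure is filled field by field and then passed on whole, so bytes nobody assigned keep the old stack contents. The user-space model below is an added example, not the slcan driver's code; the struct layout is modelled on the classic struct can_frame, and the function names, the 0x5E marker and the sample payload are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STALE 0x5E  /* constructed marker standing in for old stack contents */

/* Layout modelled on the classic Linux struct can_frame (16 bytes). */
struct frame {
    uint32_t can_id;
    uint8_t  can_dlc;
    uint8_t  pad, res0, res1;  /* reserved bytes, easy to forget */
    uint8_t  data[8];
};
typedef void (*fill_fn)(struct frame *, uint32_t, const uint8_t *, uint8_t);

/* Before: every field the parser uses is set, the reserved bytes are not. */
static void fill_fieldwise(struct frame *f, uint32_t id, const uint8_t *p, uint8_t dlc)
{
    f->can_id = id;
    f->can_dlc = dlc;
    memset(f->data, 0, sizeof f->data);
    memcpy(f->data, p, dlc);            /* caller guarantees dlc <= 8 */
}

/* After: clear the whole object first, then assign the fields. */
static void fill_zeroed(struct frame *f, uint32_t id, const uint8_t *p, uint8_t dlc)
{
    memset(f, 0, sizeof *f);
    fill_fieldwise(f, id, p, dlc);
}

/* Count bytes of the outgoing frame that still carry stale stack contents. */
static size_t leaked_bytes(fill_fn fill, uint8_t dlc)
{
    static const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct frame f;
    const unsigned char *out = (const unsigned char *)&f;
    size_t i, n = 0;
    memset(&f, STALE, sizeof f);        /* simulate an uninitialised stack slot */
    fill(&f, 0x123, payload, dlc);
    for (i = 0; i < sizeof f; i++)      /* scan the bytes handed to the receiver */
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("field-wise: %zu stale bytes, zeroed: %zu stale bytes\n",
           leaked_bytes(fill_fieldwise, 4), leaked_bytes(fill_zeroed, 4));
    return 0;
}
```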

The following non-security bugs were fixed:

  • ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
  • ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
  • ahci: Add support for Amazon's Annapurna Labs SATA controller (bsc#1169013).
  • ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
  • ALSA: core: Add snd_device_get_state() helper (bsc#1051510).
  • ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
  • ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
  • ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510).
  • ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
  • ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
  • ALSA: hda: default enable CA0132 DSP support (bsc#1051510).
  • ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
  • ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666).
  • ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666).
  • ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666).
  • ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510).
  • ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666).
  • ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666).
  • ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes).
  • ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510).
  • ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes).
  • ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666).
  • ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666).
  • ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes).
  • ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666).
  • ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510).
  • ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510).
  • ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510).
  • ALSA: hda: Use scnprintf() for string truncation (bsc#1051510).
  • ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510).
  • ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510).
  • ALSA: info: remove redundant assignment to variable c (bsc#1051510).
  • ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510).
  • ALSA: line6: Fix endless MIDI read loop (git-fixes).
  • ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510).
  • ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510).
  • ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes).
  • ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510).
  • ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes).
  • ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510).
  • ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510).
  • ALSA: seq: oss: Fix running status after receiving sysex (git-fixes).
  • ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes).
  • ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666).
  • ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666).
  • ALSA: usb-audio: Add delayed_register option (bsc#1051510).
  • ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666).
  • ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666).
  • ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510).
  • ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666).
  • ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
  • ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510).
  • ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510).
  • ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666).
  • ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
  • ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666).
  • ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510).
  • ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510).
  • ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510).
  • ALSA: usb-audio: unlock on error in probe (bsc#1111666).
  • ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666).
  • ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510).
  • ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510).
  • ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510).
  • ALSA: via82xx: Fix endianness annotations (bsc#1051510).
  • amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956).
  • apei/ghes: Do not delay GHES polling (bsc#1166982).
  • ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510).
  • ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510).
  • ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
  • ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
  • ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
  • ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
  • ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
  • ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
  • ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
  • ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
  • ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
  • atm: zatm: Fix empty body Clang warnings (bsc#1051510).
  • b43legacy: Fix -Wcast-function-type (bsc#1051510).
  • batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
  • batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
  • batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
  • binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013).
  • binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013).
  • blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
  • blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
  • blktrace: fix dereference after null check (bsc#1159285).
  • blktrace: fix trace mutex deadlock (bsc#1159285).
  • block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760).
  • block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762).
  • Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
  • bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745).
  • bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
  • bnxt_en: Improve device shutdown method (bsc#1104745).
  • bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954).
  • bnxt_en: Support all variants of the 5750X chip family (bsc#1167216).
  • bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
  • bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
  • bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
  • bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837).
  • brcmfmac: abort and release host after error (bsc#1111666).
  • btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
  • btrfs: add a flush step for delayed iputs (bsc#1165949).
  • btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
  • btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
  • btrfs: add enospc debug messages for ticket failure (bsc#1165949).
  • btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
  • btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
  • btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
  • btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
  • btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
  • btrfs: always reserve our entire size for the global reserve (bsc#1165949).
  • btrfs: assert on non-empty delayed iputs (bsc#1165949).
  • btrfs: be more explicit about allowed flush states (bsc#1165949).
  • btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
  • btrfs: catch cow on deleting snapshots (bsc#1165949).
  • btrfs: change the minimum global reserve size (bsc#1165949).
  • btrfs: check if there are free block groups for commit (bsc#1165949).
  • btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
  • btrfs: cleanup extent_op handling (bsc#1165949).
  • btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
  • btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
  • btrfs: clear space cache inode generation always (bsc#1165949).
  • btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
  • btrfs: Do mandatory tree block check before submitting bio (bsc#1168273).
  • btrfs: do not account global reserve in can_overcommit (bsc#1165949).
  • btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
  • btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
  • btrfs: do not end the transaction for delayed refs in throttle (bsc#1165