Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2019:0095-1
Rating:	important
References:	bsc#1011920 bsc#1012382 bsc#1012422 bsc#1020645 bsc#1031392 bsc#1035053 bsc#1042422 bsc#1043591 bsc#1044189 bsc#1048129 bsc#1050431 bsc#1050549 bsc#1053043 bsc#1054239 bsc#1057199 bsc#1062303 bsc#1063026 bsc#1065600 bsc#1065726 bsc#1066223 bsc#1067906 bsc#1073579 bsc#1076393 bsc#1078788 bsc#1079524 bsc#1082519 bsc#1082863 bsc#1082979 bsc#1083215 bsc#1083527 bsc#1084427 bsc#1084536 bsc#1084760 bsc#1087209 bsc#1088087 bsc#1089343 bsc#1090535 bsc#1091158 bsc#1093118 bsc#1094244 bsc#1094555 bsc#1094562 bsc#1094825 bsc#1095344 bsc#1095753 bsc#1095805 bsc#1096052 bsc#1096547 bsc#1098050 bsc#1098996 bsc#1099597 bsc#1099810 bsc#1101555 bsc#1102495 bsc#1102715 bsc#1102870 bsc#1102875 bsc#1102877 bsc#1102879 bsc#1102882 bsc#1102896 bsc#1103156 bsc#1103269 bsc#1103308 bsc#1103405 bsc#1104124 bsc#1105025 bsc#1105428 bsc#1105795 bsc#1105931 bsc#1106095 bsc#1106105 bsc#1106110 bsc#1106240 bsc#1106293 bsc#1106359 bsc#1106434 bsc#1106512 bsc#1106594 bsc#1106913 bsc#1106929 bsc#1106934 bsc#1107060 bsc#1107299 bsc#1107318 bsc#1107535 bsc#1107829 bsc#1107870 bsc#1107924 bsc#1108096 bsc#1108170 bsc#1108240 bsc#1108281 bsc#1108315 bsc#1108377 bsc#1108399 bsc#1108498 bsc#1108803 bsc#1108823 bsc#1109038 bsc#1109158 bsc#1109333 bsc#1109336 bsc#1109337 bsc#1109441 bsc#1109772 bsc#1109784 bsc#1109806 bsc#1109818 bsc#1109907 bsc#1109919 bsc#1109923 bsc#1110006 bsc#1110297 bsc#1110337 bsc#1110363 bsc#1110468 bsc#1110600 bsc#1110601 bsc#1110602 bsc#1110603 bsc#1110604 bsc#1110605 bsc#1110606 bsc#1110611 bsc#1110612 bsc#1110613 bsc#1110614 bsc#1110615 bsc#1110616 bsc#1110618 bsc#1110619 bsc#1110930 bsc#1111363 bsc#1111516 bsc#1111870 bsc#1112007 bsc#1112262 bsc#1112263 bsc#1112894 bsc#1112902 bsc#1112903 bsc#1112905 bsc#1113667 bsc#1113751 bsc#1113766 bsc#1113769 bsc#1114178 bsc#1114229 bsc#1114648 bsc#1115593 bsc#981083 bsc#997172
Cross-References:	CVE-2018-14613 CVE-2018-14617 CVE-2018-14633 CVE-2018-16276 CVE-2018-16597 CVE-2018-17182 CVE-2018-18281 CVE-2018-18386 CVE-2018-18690 CVE-2018-18710 CVE-2018-7480 CVE-2018-7757 CVE-2018-9516
CVSS scores:	CVE-2018-14613 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-14613 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-14617 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-14617 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-14633 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-14633 ( NVD ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2018-14633 ( NVD ): 7.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2018-16276 ( SUSE ): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2018-16276 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-16276 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-16597 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2018-16597 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2018-17182 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-17182 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-17182 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-18281 ( SUSE ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-18281 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-18386 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-18386 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-18690 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-18690 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-18710 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-18710 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-7480 ( SUSE ): 6.7 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H CVE-2018-7480 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-7480 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-7757 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-7757 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-9516 ( SUSE ): 6.7 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2018-9516 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP3

An update that solves 13 vulnerabilities and has 140 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 SP3 Azure kernel was updated to 4.4.162 to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).
CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bnc#1108498).
CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).
CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).
CVE-2018-16597: Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem (bnc#1106512).
CVE-2018-14613: There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c (bnc#1102896).
CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).
CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095 bnc#1115593).
CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1087209).
CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).

The following non-security bugs were fixed:

6lowpan: iphc: reset mac_header after decompress to fix panic (bnc#1012382).
alsa: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping (bnc#1012382).
alsa: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO (bnc#1012382).
alsa: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge (bnc#1012382).
alsa: hda - Fix cancel_work_sync() stall from jackpoll work (bnc#1012382).
alsa: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 (bnc#1012382).
alsa: msnd: Fix the default sample sizes (bnc#1012382).
alsa: pcm: Fix snd_interval_refine first/last with open min/max (bnc#1012382).
alsa: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro (bnc#1012382).
apparmor: remove no-op permission check in policy_unpack (git-fixes).
arc: build: Get rid of toolchain check (bnc#1012382).
arc: clone syscall to setp r25 as thread pointer (bnc#1012382).
arch/hexagon: fix kernel/dma.c build warning (bnc#1012382).
arch-symbols: use bash as interpreter since the script uses bashism.
arc: [plat-axs*]: Enable SWAP (bnc#1012382).
arm64: bpf: jit JMP_JSET_{X,K} (bsc#1110613).
arm64: Correct type for PUD macros (bsc#1110600).
arm64: cpufeature: Track 32bit EL0 support (bnc#1012382).
arm64: dts: qcom: db410c: Fix Bluetooth LED trigger (bnc#1012382).
arm64: fix erroneous __raw_read_system_reg() cases (bsc#1110606).
arm64: Fix potential race with hardware DBM in ptep_set_access_flags() (bsc#1110605).
arm64: fpsimd: Avoid FPSIMD context leakage for the init task (bsc#1110603).
arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto" (bnc#1012382).
arm64: kasan: avoid bad virt_to_pfn() (bsc#1110612).
arm64: kasan: avoid pfn_to_nid() before page array is initialized (bsc#1110619).
arm64/kasan: do not allocate extra shadow memory (bsc#1110611).
arm64: kernel: Update kerneldoc for cpu_suspend() rename (bsc#1110602).
arm64: kgdb: handle read-only text / modules (bsc#1110604).
arm64: KVM: Sanitize PSTATE.M when being set from userspace (bnc#1012382).
arm64: KVM: Tighten guest core register access from userspace (bnc#1012382).
arm64/mm/kasan: do not use vmemmap_populate() to initialize shadow (bsc#1110618).
arm64: ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails (bsc#1110601).
arm64: supported.conf: mark armmmci as not supported
arm64 Update config files. (bsc#1110468) Set MMC_QCOM_DML to build-in and delete driver from supported.conf
arm64: vdso: fix clock_getres for 4GiB-aligned res (bsc#1110614).
arm: dts: at91: add new compatibility string for macb on sama5d3 (bnc#1012382).
arm: dts: dra7: fix DCAN node addresses (bnc#1012382).
arm: exynos: Clear global variable on init error path (bnc#1012382).
arm: hisi: check of_iomap and fix missing of_node_put (bnc#1012382).
arm: hisi: fix error handling and missing of_node_put (bnc#1012382).
arm: hisi: handle of_iomap and fix missing of_node_put (bnc#1012382).
arm: mvebu: declare asm symbols as character arrays in pmsu.c (bnc#1012382).
asm/sections: add helpers to check for section data (bsc#1063026).
ASoC: cs4265: fix MMTLR Data switch control (bnc#1012382).
ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs (bnc#1012382).
ASoC: sigmadsp: safeload should not have lower byte limit (bnc#1012382).
ASoC: wm8804: Add ACPI support (bnc#1012382).
ASoC: wm8994: Fix missing break in switch (bnc#1012382).
ata: libahci: Correct setting of DEVSLP register (bnc#1012382).
ath10k: disable bundle mgmt tx completion event support (bnc#1012382).
ath10k: fix scan crash due to incorrect length calculation (bnc#1012382).
ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait (bnc#1012382).
ath10k: prevent active scans on potential unusable channels (bnc#1012382).
ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock (bnc#1012382).
audit: fix use-after-free in audit_add_watch (bnc#1012382).
autofs: fix autofs_sbi() does not check super block type (bnc#1012382).
binfmt_elf: Respect error