Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2018:2981-1
Rating:	important
References:	bsc#1012382 bsc#1043912 bsc#1044189 bsc#1046302 bsc#1046306 bsc#1046307 bsc#1046543 bsc#1050244 bsc#1051510 bsc#1054914 bsc#1055014 bsc#1055117 bsc#1058659 bsc#1060463 bsc#1064232 bsc#1065600 bsc#1065729 bsc#1068032 bsc#1069138 bsc#1071995 bsc#1077761 bsc#1077989 bsc#1078720 bsc#1080157 bsc#1082555 bsc#1083647 bsc#1083663 bsc#1084332 bsc#1085042 bsc#1085262 bsc#1086282 bsc#1089663 bsc#1090528 bsc#1092903 bsc#1093389 bsc#1094244 bsc#1095344 bsc#1096748 bsc#1097105 bsc#1098459 bsc#1098822 bsc#1099922 bsc#1099999 bsc#1100000 bsc#1100001 bsc#1100132 bsc#1101557 bsc#1101669 bsc#1102346 bsc#1102870 bsc#1102875 bsc#1102877 bsc#1102879 bsc#1102882 bsc#1102896 bsc#1103363 bsc#1103387 bsc#1103421 bsc#1103948 bsc#1103949 bsc#1103961 bsc#1104172 bsc#1104353 bsc#1104824 bsc#1105247 bsc#1105524 bsc#1105536 bsc#1105597 bsc#1105603 bsc#1105672 bsc#1105907 bsc#1106007 bsc#1106016 bsc#1106105 bsc#1106121 bsc#1106170 bsc#1106178 bsc#1106191 bsc#1106229 bsc#1106230 bsc#1106231 bsc#1106233 bsc#1106235 bsc#1106236 bsc#1106237 bsc#1106238 bsc#1106240 bsc#1106291 bsc#1106297 bsc#1106333 bsc#1106369 bsc#1106426 bsc#1106427 bsc#1106464 bsc#1106509 bsc#1106511 bsc#1106594 bsc#1106636 bsc#1106688 bsc#1106697 bsc#1106743 bsc#1106779 bsc#1106800 bsc#1106890 bsc#1106891 bsc#1106892 bsc#1106893 bsc#1106894 bsc#1106896 bsc#1106897 bsc#1106898 bsc#1106899 bsc#1106900 bsc#1106901 bsc#1106902 bsc#1106903 bsc#1106905 bsc#1106906 bsc#1106948 bsc#1106995 bsc#1107008 bsc#1107060 bsc#1107061 bsc#1107065 bsc#1107073 bsc#1107074 bsc#1107078 bsc#1107265 bsc#1107319 bsc#1107320 bsc#1107522 bsc#1107535 bsc#1107689 bsc#1107735 bsc#1107756 bsc#1107870 bsc#1107924 bsc#1107945 bsc#1107966 bsc#1108010 bsc#1108093 bsc#1108243 bsc#1108520 bsc#1108870 bsc#1109269 bsc#1109511 bsc#920344
Cross-References:	CVE-2018-10938 CVE-2018-10940 CVE-2018-1128 CVE-2018-1129 CVE-2018-12896 CVE-2018-13093 CVE-2018-13094 CVE-2018-13095 CVE-2018-14613 CVE-2018-14617 CVE-2018-16658 CVE-2018-6554 CVE-2018-6555
CVSS scores:	CVE-2018-10938 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-10938 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-10940 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-10940 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-1128 ( SUSE ): 8.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVE-2018-1128 ( NVD ): 7.5 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-1129 ( SUSE ): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2018-1129 ( NVD ): 6.5 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2018-12896 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-12896 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-13093 ( SUSE ): 6.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H CVE-2018-13093 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-13094 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-13094 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-13095 ( SUSE ): 6.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H CVE-2018-13095 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-14613 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-14613 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-14617 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-14617 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-16658 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2018-16658 ( NVD ): 6.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2018-6554 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-6554 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-6555 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2018-6555 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Basesystem Module 15 Development Tools Module 15 Legacy Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise High Availability Extension 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Live Patching 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Workstation Extension 15

An update that solves 13 vulnerabilities and has 134 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2018-14617: Prevent NULL pointer dereference and panic in hfsplus_lookup() when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bsc#1102870)
CVE-2018-14613: Prevent invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, caused by a lack of block group item validation in check_leaf_item (bsc#1102896).
CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)
CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001)
CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000)
CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999)
CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)
CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)
CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)
CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)
CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748)
CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748)
CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016)

The following non-security bugs were fixed:

/dev/mem: Add bounce buffer for copy-out (git-fixes).
/dev/mem: Avoid overwriting "err" in read_mem() (git-fixes).
9p/net: Fix zero-copy path in the 9p virtio transport (bsc#1051510).
9p/virtio: fix off-by-one error in sg list bounds check (bsc#1051510).
9p: fix multiple NULL-pointer-dereferences (bsc#1051510).
ACPI / EC: Add another entry for Thinkpad X1 Carbon 6th (bsc#1051510).
ACPI / EC: Add parameter to force disable the GPE on suspend (bsc#1051510).
ACPI / EC: Use ec_no_wakeup on ThinkPad X1 Yoga 3rd (bsc#1051510).
ACPI / EC: Use ec_no_wakeup on Thinkpad X1 Carbon 6th (bsc#1051510).
ACPI / EC: Use ec_no_wakeup on more Thinkpad X1 Carbon 6th systems (bsc#1051510).
ACPI / PCI: pci_link: Allow the absence of _PRS and change log level (bsc#1104172).
ACPI / bus: Only call dmi_check_system on X86 (bsc#1105597, bsc#1106178).
ACPI / scan: Initialize status to ACPI_STA_DEFAULT (bsc#1051510).
ACPI/IORT: Remove temporary iort_get_id_mapping_index() ACPICA guard (bsc#1103387).
ACPI/PCI: pci_link: reduce verbosity when IRQ is enabled (bsc#1104172).
ACPICA: iasl: Add SMMUv3 device ID mapping index support (bsc#1103387).
ALSA: cs46xx: Deliver indirect-PCM transfer error.
ALSA: emu10k1: Deliver indirect-PCM transfer error.
ALSA: fireface: fix memory leak in ff400_switch_fetching_mode() (bsc#1051510).
ALSA: firewire-digi00x: fix memory leak of private data (bsc#1051510).
ALSA: firewire-tascam: fix memory leak of private data (bsc#1051510).
ALSA: hda - Fix cancel_work_sync() stall from jackpoll work (bsc#1051510).
ALSA: mips: Deliver indirect-PCM transfer error.
ALSA: oxfw: fix memory leak for model-dependent data at error path (bsc#1051510).
ALSA: oxfw: fix memory leak of discovered stream formats at error path (bsc#1051510).
ALSA: oxfw: fix memory leak of private data (bsc#1051510).
ALSA: pcm: Call ack() whenever appl_ptr is updated.
ALSA: pcm: Fix negative appl_ptr handling in pcm-indirect helpers.
ALSA: pcm: Fix possible inconsistent appl_ptr update via mmap.
ALSA: pcm: Simplify forward/rewind codes.
ALSA: pcm: Skip ack callback without actual appl_ptr update.
ALSA: pcm: Use a common helper for PCM state check and hwsync.
ALSA: pcm: Workaround for weird PulseAudio behavior on rewind error.
ALSA: rme32: Deliver indirect-PCM transfer error.
ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bsc#1051510).
ARM: DRA7/OMAP5: Enable ACTLR[0] (Enable invalidates of BTB) for secondary cores (bsc#1051510).
ARM: hisi: fix error handling and missing of_node_put (bsc#1051510).
ARM: hisi: handle of_iomap and fix missing of_node_put (bsc#1051510).
ARM: imx: flag failure of of_iomap (bsc#1051510).
ARM: imx_v4_v5_defconfig: Select ULPI support (bsc#1051510).
ARM: imx_v6_v7_defconfig: Select ULPI support (bsc#1051510).
ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bsc#1051510).
ASoC: rsnd: fixup not to call clk_get/set under non-atomic (bsc#1051510).
ASoC: rsnd: move rsnd_ssi_config_init() execute condition into it (bsc#1051510).
ASoC: rsnd: update pointer more accurate (bsc#1051510).
ASoC: wm8994: Fix missing break in switch (bsc#1051510).
Apply e666d4e9ceec crypto: vmx - Use skcipher for ctr fallback to SLE12-SP4 (bsc#1106464).
Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV (bsc#1051510).
Bluetooth: hidp: Fix handling of strncpy for hid->name information (bsc#1051510).
Prevent errors at reboot (bsc#1093389)
Documentation: add some docs for errseq_t (bsc#1107008).
Fix buggy backport of patches.drivers/libnvdimm-btt-fix-an-incompatibility-in-the-log-layout.patch (bsc#1103961).
Fix kABI breakage due to enum addition for ath10k (bsc#1051510).
HID: add quirk for another PIXART OEM mouse used by HP (bsc#1051510).
HID: i2c-hid: Add no-irq-after-reset quirk for 0911:5288 device.
IB/core: type promotion bug in rdma_rw_init_one_mr() (bsc#1046306).
IB/hfi1: Invalid NUMA node information can cause a divide by zero (bsc#1060463).
IB/hfi1: Remove incorrect call to do_interrupt callback (bsc#1060463).
IB/hfi1: Set in_use_ctxts bits for user ctxts only (bsc#1060463 ).
IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler (bsc#1046307).
IB/ipoib: Fix error return code in ipoib_dev_init() (bsc#1046307 ).
IB/mlx4: Test port number before querying type (bsc#1046302 ).
IB/mlx4: Use 4K pages for kernel QP's WQE buffer (bsc#1046302 ).
Input: atmel_mxt_ts - only use first T9 instance (bsc#1051510).
Input: edt-ft5x06 - fix error handling for factory mode on non-M06 (bsc#1051510).
Input: edt-ft5x06 - implement support for the EDT-M12 series (bsc#1051510).
Input: edt-ft5x06 - make distinction between m06/m09/generic more clear (bsc#1051510).
Input: synaptics-rmi4 - fix axis-swap behavior (bsc#1051510).
KABI: tpm: change relinquish_locality return value back to void (bsc#1082555).
KABI: tpm: do keep the cmd_ready and go_idle as pm ops (bsc#1082555).
KVM/x86: remove WARN_ON() for when vm_munmap() fails (bsc#1106240).
KVM: Enforce error in ioctl for compat tasks when !KVM_COMPAT (bsc#1106240).
KVM: PPC: Book3S: Fix guest DMA when guest partially backed by THP pages (bsc#1077761, git-fixes, bsc#1103948, bsc#1103949).
KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
KVM: nVMX: Do not flush TLB when vmcs12 uses VPID (bsc#1106240).
KVM: nVMX: Fix injection to L2 when L1 do not intercept external-interrupts (bsc#1106240).
KVM: nVMX: Fix races when sending nested PI while dest enters/leaves L2 (bsc#1106240).
KVM: nVMX: Re-evaluate L1 pending events when running L2 and L1 got posted-interrupt (bsc#1106240).
KVM: s390: add etoken support for guests (bsc#1106948, LTC#171029).
KVM: s390: force bp isolation for VSIE (bsc#1103421).
KVM: s390: implement CPU model only facilities (bsc#1106948, LTC#171029).
KVM: x86: Change __kvm_apic_update_irr() to also return if max IRR updated (bsc#1106240).
KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (git-fixes 1f50ddb4f418).
KVM: x86: fix APIC page invalidation (bsc#1106240).
NET: stmmac: align DMA stuff to largest cache line length (netfilter-stable-18_08_01).
NFSv4 client live hangs after live data migration recovery (git-fixes).
NFSv4: Fix a sleep in atomic context in nfs4_callback_sequence() (git-fixes).
NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message (git-fixes).
Netperf performance issue due to AppArmor net mediation (bsc#1108520)
PCI: Match Root Port's MPS to endpoint's MPSS as necessary (bsc#1109269).
PCI: OF: Fix I/O space page leak (git-fixes).
PCI: aardvark: Fix I/O space page leak (git-fixes).
PCI: hotplug: Do not leak pci_slot on registration failure (bsc#1051510).
PCI: hv: Make sure the bus domain is really unique (git-fixes).
PCI: mvebu: Fix I/O space end address calculation (bsc#1051510).
PCI: pciehp: Fix use-after-free on unplug (bsc#1051510).
PM / Domains: Fix error path during attach in genpd (bsc#1051510).
PM / clk: signedness bug in of_pm_clk_add_clks() (bsc#1051510).
PM / runtime: Drop usage count for suppliers at device link removal (bsc#1100132).
RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c (bsc#1050244).
RDMA/bnxt_re: Fix a couple off by one bugs (bsc#1050244 ).
RDMA/i40w: Hold read semaphore while looking after VMA (bsc#1058659).
Refresh with the upstream patches for lan78xx fixes (bsc#1085262)
Replace magic for trusting the secondary keyring with #define (bsc#1051510).<