Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2019:13937-1
Rating:	important
References:	bsc#1031240 bsc#1039803 bsc#1066674 bsc#1071021 bsc#1094186 bsc#1094825 bsc#1104070 bsc#1104366 bsc#1104367 bsc#1107189 bsc#1108498 bsc#1109200 bsc#1113201 bsc#1113751 bsc#1113769 bsc#1114920 bsc#1115007 bsc#1115038 bsc#1116412 bsc#1116841 bsc#1117515 bsc#1118152 bsc#1118319 bsc#1119255 bsc#1119714 bsc#1120743 bsc#905299 bsc#936875 bsc#968018 bsc#990682
Cross-References:	CVE-2017-1000407 CVE-2017-16533 CVE-2017-7273 CVE-2018-18281 CVE-2018-18386 CVE-2018-18710 CVE-2018-19407 CVE-2018-19824 CVE-2018-19985 CVE-2018-20169 CVE-2018-9516 CVE-2018-9568
CVSS scores:	CVE-2017-1000407 ( SUSE ): 5.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H CVE-2017-1000407 ( NVD ): 7.4 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H CVE-2017-16533 ( SUSE ): 4.6 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-16533 ( NVD ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-7273 ( SUSE ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-7273 ( NVD ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-18281 ( SUSE ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-18281 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-18386 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-18386 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-18710 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-18710 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-19407 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-19407 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-19824 ( SUSE ): 6.6 CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-19824 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-19985 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2018-19985 ( NVD ): 4.6 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-20169 ( SUSE ): 6.3 CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-20169 ( NVD ): 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-20169 ( NVD ): 6.8 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-9516 ( SUSE ): 6.7 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2018-9516 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-9568 ( SUSE ): 7.4 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-9568 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-9568 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Point of Service 11 SP3 SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3

An update that solves 12 vulnerabilities and has 18 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.0.101 to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1108498).
• CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).
• CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).
• CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).
• CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319).
• CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
• CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused (bnc#1113769).
• CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
• CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
• CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240).
• CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).
• CVE-2017-1000407: Fixed a denial of service, which was caused by flooding the diagnostic port 0x80 an exception leading to a kernel panic (bnc#1071021).

The following non-security bugs were fixed:

• ALSA: pcm: Fix potential deadlock in OSS emulation (bsc#968018, bsc#1104366).
• cpusets, isolcpus: exclude isolcpus from load balancing in cpusets (bsc#1119255).
• Drivers: scsi: storvsc: Change the limits to reflect the values on the host (bug#1107189).
• drivers: scsi: storvsc: Correctly handle TEST_UNIT_READY failure (bug#1107189).
• Drivers: scsi: storvsc: Filter commands based on the storage protocol version (bug#1107189).
• Drivers: scsi: storvsc: Fix a bug in handling VMBUS protocol version (bug#1107189).
• Drivers: scsi: storvsc: Implement a eh_timed_out handler (bug#1107189).
• Drivers: scsi: storvsc: Set cmd_per_lun to reflect value supported by the Host (bug#1107189).
• drivers: scsi: storvsc: Set srb_flags in all cases (bug#1107189).
• EHCI: improved logic for isochronous scheduling (bsc#1117515).
• ipv4: remove the unnecessary variable in udp_mcast_next (bsc#1104070).
• KEYS: prevent creating a different user's keyrings (bnc#1094186).
• KVM: x86: Fix the duplicate failure path handling in vmx_init (bsc#1104367).
• MM: increase safety margin provided by PF_LESS_THROTTLE (bsc#1116412).
• MM/vmscan.c: avoid throttling reclaim for loop-back nfsd threads (bsc#1116412).
• net/ipv6/udp: Fix ipv6 multicast socket filter regression (bsc#1104070).
• NFS: avoid deadlocks with loop-back mounted NFS filesystems (bsc#1116412).
• NFS: avoid waiting at all in nfs_release_page when congested (bsc#1116412).
• NFS: Do not write enable new pages while an invalidation is proceeding (bsc#1116412).
• NFS: Fix a regression in the read() syscall (bsc#1116412).
• NFS: Fix races in nfs_revalidate_mapping (bsc#1116412).
• NFS: fix the handling of NFS_INO_INVALID_DATA flag in nfs_revalidate_mapping (bsc#1116412).
• NFS: Fix writeback performance issue on cache invalidation (bsc#1116412).
• reiserfs: do not preallocate blocks for extended attributes (bsc#990682).
• reiserfs: fix race in readdir (bsc#1039803).
• sched, isolcpu: make cpu_isolated_map visible outside scheduler (bsc#1119255).
• scsi: storvsc: Always send on the selected outgoing channel (bug#1107189).
• scsi: storvsc: Do not assume that the scatterlist is not chained (bug#1107189).
• scsi: storvsc: Fix a bug in copy_from_bounce_buffer() (bug#1107189).
• scsi: storvsc: Increase the ring buffer size (bug#1107189).
• scsi: storvsc: Size the queue depth based on the ringbuffer size (bug#1107189).
• storvsc: fix a bug in storvsc limits (bug#1107189).
• storvsc: force discovery of LUNs that may have been removed (bug#1107189).
• storvsc: get rid of overly verbose warning messages (bug#1107189).
• storvsc: in responce to a scan event, scan the host (bug#1107189).
• storvsc: Set the SRB flags correctly when no data transfer is needed (bug#1107189).
• udp: ipv4: Add udp early demux (bsc#1104070).
• udp: restore UDPlite many-cast delivery (bsc#1104070).
• udp: Simplify __udp*_lib_mcast_deliver (bsc#1104070).
• udp: Use hash2 for long hash1 chains in __udp*_lib_mcast_deliver (bsc#1104070).
• USB: EHCI: add new root-hub state: STOPPING (bsc#1117515).
• USB: EHCI: add pointer to end of async-unlink list (bsc#1117515).
• USB: EHCI: add symbolic constants for QHs (bsc#1117515).
• USB: EHCI: always scan each interrupt QH (bsc#1117515).
• USB: EHCI: do not lose events during a scan (bsc#1117515).
• USB: EHCI: do not refcount iso_stream structures (bsc#1117515).
• USB: EHCI: do not refcount QHs (bsc#1117515).
• USB: EHCI: fix initialization bug in iso_stream_schedule() (bsc#1117515).
• USB: EHCI: fix up locking (bsc#1117515).
• USB: EHCI: initialize data before resetting hardware (bsc#1117515).
• USB: EHCI: introduce high-res timer (bsc#1117515).
• USB: EHCI: remove PS3 status polling (bsc#1117515).
• USB: EHCI: remove unneeded suspend/resume code (bsc#1117515).
• USB: EHCI: rename "reclaim" (bsc#1117515).
• USB: EHCI: resolve some unlikely races (bsc#1117515).
• USB: EHCI: return void instead of 0 (bsc#1117515).
• USB: EHCI: simplify isochronous scanning (bsc#1117515).
• USB: EHCI: unlink multiple async QHs together (bsc#1117515).
• USB: EHCI: use hrtimer for async schedule (bsc#1117515).
• USB: EHCI: use hrtimer for controller death (bsc#1117515).
• USB: EHCI: use hrtimer for interrupt QH unlink (bsc#1117515).
• USB: EHCI: use hrtimer for (s)iTD deallocation (bsc#1117515).
• USB: EHCI: use hrtimer for the IAA watchdog (bsc#1117515).
• USB: EHCI: use hrtimer for the I/O watchdog (bsc#1117515).
• USB: EHCI: use hrtimer for the periodic schedule (bsc#1117515).
• USB: EHCI: use hrtimer for unlinking empty async QHs (bsc#1117515).
• XFS: do not BUG() on mixed direct and mapped I/O (bsc#1114920).
• XFS: stop searching for free slots in an inode chunk when there are none (bsc#1115007).
• XFS: validate sb_logsunit is a multiple of the fs blocksize (bsc#1115038).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Point of Service 11 SP3
  zypper in -t patch sleposp3-kernel-20190123-13937=1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3
  zypper in -t patch slessp3-kernel-20190123-13937=1

Package List:

• SUSE Linux Enterprise Point of Service 11 SP3 (nosrc i586)
  • kernel-xen-3.0.101-0.47.106.59.1
  • kernel-pae-3.0.101-0.47.106.59.1
  • kernel-ec2-3.0.101-0.47.106.59.1
  • kernel-default-3.0.101-0.47.106.59.1
  • kernel-trace-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Point of Service 11 SP3 (i586)
  • kernel-trace-devel-3.0.101-0.47.106.59.1
  • kernel-default-devel-3.0.101-0.47.106.59.1
  • kernel-ec2-base-3.0.101-0.47.106.59.1
  • kernel-xen-devel-3.0.101-0.47.106.59.1
  • kernel-ec2-devel-3.0.101-0.47.106.59.1
  • kernel-syms-3.0.101-0.47.106.59.1
  • kernel-xen-base-3.0.101-0.47.106.59.1
  • kernel-pae-base-3.0.101-0.47.106.59.1
  • kernel-pae-devel-3.0.101-0.47.106.59.1
  • kernel-default-base-3.0.101-0.47.106.59.1
  • kernel-source-3.0.101-0.47.106.59.1
  • kernel-trace-base-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc s390x x86_64 i586)
  • kernel-default-3.0.101-0.47.106.59.1
  • kernel-trace-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (s390x x86_64 i586)
  • kernel-trace-devel-3.0.101-0.47.106.59.1
  • kernel-default-devel-3.0.101-0.47.106.59.1
  • kernel-syms-3.0.101-0.47.106.59.1
  • kernel-default-base-3.0.101-0.47.106.59.1
  • kernel-source-3.0.101-0.47.106.59.1
  • kernel-trace-base-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc x86_64 i586)
  • kernel-ec2-3.0.101-0.47.106.59.1
  • kernel-xen-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (x86_64 i586)
  • kernel-xen-devel-3.0.101-0.47.106.59.1
  • kernel-xen-base-3.0.101-0.47.106.59.1
  • kernel-ec2-devel-3.0.101-0.47.106.59.1
  • kernel-ec2-base-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc i586)
  • kernel-pae-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (i586)
  • kernel-pae-base-3.0.101-0.47.106.59.1
  • kernel-pae-devel-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (s390x)
  • kernel-default-man-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc x86_64)
  • kernel-bigsmp-3.0.101-0.47.106.59.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (x86_64)
  • kernel-bigsmp-devel-3.0.101-0.47.106.59.1
  • kernel-bigsmp-base-3.0.101-0.47.106.59.1

References:

• https://www.suse.com/security/cve/CVE-2017-1000407.html
• https://www.suse.com/security/cve/CVE-2017-16533.html
• https://www.suse.com/security/cve/CVE-2017-7273.html
• https://www.suse.com/security/cve/CVE-2018-18281.html
• https://www.suse.com/security/cve/CVE-2018-18386.html
• https://www.suse.com/security/cve/CVE-2018-18710.html
• https://www.suse.com/security/cve/CVE-2018-19407.html
• https://www.suse.com/security/cve/CVE-2018-19824.html
• https://www.suse.com/security/cve/CVE-2018-19985.html
• https://www.suse.com/security/cve/CVE-2018-20169.html
• https://www.suse.com/security/cve/CVE-2018-9516.html
• https://www.suse.com/security/cve/CVE-2018-9568.html
• https://bugzilla.suse.com/show_bug.cgi?id=1031240
• https://bugzilla.suse.com/show_bug.cgi?id=1039803
• https://bugzilla.suse.com/show_bug.cgi?id=1066674
• https://bugzilla.suse.com/show_bug.cgi?id=1071021
• https://bugzilla.suse.com/show_bug.cgi?id=1094186
• https://bugzilla.suse.com/show_bug.cgi?id=1094825
• https://bugzilla.suse.com/show_bug.cgi?id=1104070
• https://bugzilla.suse.com/show_bug.cgi?id=1104366
• https://bugzilla.suse.com/show_bug.cgi?id=1104367
• https://bugzilla.suse.com/show_bug.cgi?id=1107189
• https://bugzilla.suse.com/show_bug.cgi?id=1108498
• https://bugzilla.suse.com/show_bug.cgi?id=1109200
• https://bugzilla.suse.com/show_bug.cgi?id=1113201
• https://bugzilla.suse.com/show_bug.cgi?id=1113751
• https://bugzilla.suse.com/show_bug.cgi?id=1113769
• https://bugzilla.suse.com/show_bug.cgi?id=1114920
• https://bugzilla.suse.com/show_bug.cgi?id=1115007
• https://bugzilla.suse.com/show_bug.cgi?id=1115038
• https://bugzilla.suse.com/show_bug.cgi?id=1116412
• https://bugzilla.suse.com/show_bug.cgi?id=1116841
• https://bugzilla.suse.com/show_bug.cgi?id=1117515
• https://bugzilla.suse.com/show_bug.cgi?id=1118152
• https://bugzilla.suse.com/show_bug.cgi?id=1118319
• https://bugzilla.suse.com/show_bug.cgi?id=1119255
• https://bugzilla.suse.com/show_bug.cgi?id=1119714
• https://bugzilla.suse.com/show_bug.cgi?id=1120743
• https://bugzilla.suse.com/show_bug.cgi?id=905299
• https://bugzilla.suse.com/show_bug.cgi?id=936875
• https://bugzilla.suse.com/show_bug.cgi?id=968018
• https://bugzilla.suse.com/show_bug.cgi?id=990682