Security update for the Linux Kernel

SUSE Security Update: Security update for the Linux Kernel
Announcement ID: SUSE-SU-2018:1172-1
Rating: important
References: #1010470 #1039348 #1052943 #1062568 #1062840 #1063416 #1067118 #1072689 #1072865 #1078669 #1078672 #1078673 #1078674 #1080464 #1080757 #1082424 #1083242 #1083483 #1083494 #1084536 #1085331 #1086162 #1087088 #1087209 #1087260 #1087762 #1088147 #1088260 #1089608 #1089752 #940776
Affected Products:
  • SUSE Linux Enterprise Server 11-SP3-LTSS
  • SUSE Linux Enterprise Server 11-EXTRA
  • SUSE Linux Enterprise Point of Sale 11-SP3
  • SUSE Linux Enterprise Debuginfo 11-SP3

  • An update that solves 20 vulnerabilities and has 11 fixes is now available.

    Description:



    The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive
    various security and bugfixes.

    The following security bugs were fixed:

    - CVE-2018-1087: And an unprivileged KVM guest user could use this flaw to
    potentially escalate their privileges inside a guest. (bsc#1087088)
    - CVE-2018-8897: An unprivileged system user could use incorrect set up
    interrupt stacks to crash the Linux kernel resulting in DoS issue.
    (bsc#1087088)
    - CVE-2018-10124: The kill_something_info function in kernel/signal.c
    might allow local users to cause a denial of service via an INT_MIN
    argument (bnc#1089752).
    - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might allow
    local users to cause a denial of service by triggering an attempted use
    of the -INT_MIN value (bnc#1089608).
    - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in
    drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial
    of service (memory consumption) via many read accesses to files in the
    /sys/class/sas_phy directory, as demonstrated by the
    /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536
    1087209).
    - CVE-2018-7566: A Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL
    ioctl write operation to /dev/snd/seq by a local user was fixed
    (bnc#1083483).
    - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function
    in the ALSA subsystem allowed attackers to gain privileges via
    unspecified vectors (bnc#1088260).
    - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel
    function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious
    NCPFS servers to crash the kernel or execute code (bnc#1086162).
    - CVE-2017-13166: An elevation of privilege vulnerability in the kernel
    v4l2 video driver. (bnc#1072865).
    - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c
    allow local users to cause a denial of service (BUG) by leveraging a
    race condition with __dm_destroy during creation and removal of DM
    devices (bnc#1083242).
    - CVE-2017-16911: The vhci_hcd driver allowed allows local attackers to
    disclose kernel memory addresses. Successful exploitation requires that
    a USB device is attached over IP (bnc#1078674).
    - CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed
    local users to cause a denial of service (infinite loop) by triggering
    use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
    - CVE-2017-16644: The hdpvr_probe function in
    drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a
    denial of service (improper error handling and system crash) or possibly
    have unspecified other impact via a crafted USB device (bnc#1067118).
    - CVE-2018-6927: The futex_requeue function in kernel/futex.c might allow
    attackers to cause a denial of service (integer overflow) or possibly
    have unspecified other impact by triggering a negative wake or requeue
    value (bnc#1080757).
    - CVE-2017-16914: The "stub_send_ret_submit()" function
    (drivers/usb/usbip/stub_tx.c) allowed attackers to cause a denial of
    service (NULL pointer dereference) via a specially crafted USB over IP
    packet (bnc#1078669).
    - CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c
    allowed physically proximate attackers to obtain sensitive information
    from kernel memory or cause a denial of service (out-of-bounds read) by
    connecting a device, as demonstrated by a Logitech DJ receiver
    (bnc#1010470).
    - CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c
    attempted to support a FRAGLIST feature without proper memory
    allocation, which allowed guest OS users to cause a denial of service
    (buffer overflow and memory corruption) via a crafted sequence of
    fragmented packets (bnc#940776).
    - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in
    block/bio.c did unbalanced refcounting when a SCSI I/O vector has small
    consecutive buffers belonging to the same page. The bio_add_pc_page
    function merges them into one, but the page reference is never dropped.
    This causes a memory leak and possible system lockup (exploitable
    against the host OS by a guest OS user, if a SCSI disk is passed through
    to a virtual machine) due to an out-of-memory condition (bnc#1062568).
    - CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c)
    allowed attackers to cause a denial of service (out-of-bounds read) via
    a specially crafted USB over IP packet (bnc#1078673).
    - CVE-2017-16913: The "stub_recv_cmd_submit()" function
    (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed
    attackers to cause a denial of service (arbitrary memory allocation) via
    a specially crafted USB over IP packet (bnc#1078672).

    The following non-security bugs were fixed:

    - Integrate fixes resulting from bsc#1088147 More info in the respective
    commit messages.
    - KABI: x86/kaiser: properly align trampoline stack.
    - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
    - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
    - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
    - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
    - kvm/x86: fix icebp instruction handling (bsc#1087088).
    - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
    - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
    (bnc#1039348).
    - x86-64: Move the "user" vsyscall segment out of the data segment
    (bsc#1082424).
    - x86/entry/64: Do not use IST entry for #BP stack (bsc#1087088).
    - x86/kaiser: properly align trampoline stack (bsc#1087260).
    - x86/retpoline: do not perform thunk calls in ring3 vsyscall code
    (bsc#1085331).
    - xfs: check for buffer errors before waiting (bsc#1052943).
    - xfs: fix allocbt cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).
    - xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near
    (bsc#1087762).

    Patch Instructions:

    To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11-SP3-LTSS:
      zypper in -t patch slessp3-kernel-source-20180429-13591=1
    • SUSE Linux Enterprise Server 11-EXTRA:
      zypper in -t patch slexsp3-kernel-source-20180429-13591=1
    • SUSE Linux Enterprise Point of Sale 11-SP3:
      zypper in -t patch sleposp3-kernel-source-20180429-13591=1
    • SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-kernel-source-20180429-13591=1

    Package List:

    • SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):
      • kernel-default-3.0.101-0.47.106.22.1
      • kernel-default-base-3.0.101-0.47.106.22.1
      • kernel-default-devel-3.0.101-0.47.106.22.1
      • kernel-source-3.0.101-0.47.106.22.1
      • kernel-syms-3.0.101-0.47.106.22.1
      • kernel-trace-3.0.101-0.47.106.22.1
      • kernel-trace-base-3.0.101-0.47.106.22.1
      • kernel-trace-devel-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):
      • kernel-ec2-3.0.101-0.47.106.22.1
      • kernel-ec2-base-3.0.101-0.47.106.22.1
      • kernel-ec2-devel-3.0.101-0.47.106.22.1
      • kernel-xen-3.0.101-0.47.106.22.1
      • kernel-xen-base-3.0.101-0.47.106.22.1
      • kernel-xen-devel-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64):
      • kernel-bigsmp-3.0.101-0.47.106.22.1
      • kernel-bigsmp-base-3.0.101-0.47.106.22.1
      • kernel-bigsmp-devel-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Server 11-SP3-LTSS (s390x):
      • kernel-default-man-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Server 11-SP3-LTSS (i586):
      • kernel-pae-3.0.101-0.47.106.22.1
      • kernel-pae-base-3.0.101-0.47.106.22.1
      • kernel-pae-devel-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):
      • kernel-default-extra-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):
      • kernel-xen-extra-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Server 11-EXTRA (x86_64):
      • kernel-bigsmp-extra-3.0.101-0.47.106.22.1
      • kernel-trace-extra-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Server 11-EXTRA (ppc64):
      • kernel-ppc64-extra-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Server 11-EXTRA (i586):
      • kernel-pae-extra-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      • kernel-default-3.0.101-0.47.106.22.1
      • kernel-default-base-3.0.101-0.47.106.22.1
      • kernel-default-devel-3.0.101-0.47.106.22.1
      • kernel-ec2-3.0.101-0.47.106.22.1
      • kernel-ec2-base-3.0.101-0.47.106.22.1
      • kernel-ec2-devel-3.0.101-0.47.106.22.1
      • kernel-pae-3.0.101-0.47.106.22.1
      • kernel-pae-base-3.0.101-0.47.106.22.1
      • kernel-pae-devel-3.0.101-0.47.106.22.1
      • kernel-source-3.0.101-0.47.106.22.1
      • kernel-syms-3.0.101-0.47.106.22.1
      • kernel-trace-3.0.101-0.47.106.22.1
      • kernel-trace-base-3.0.101-0.47.106.22.1
      • kernel-trace-devel-3.0.101-0.47.106.22.1
      • kernel-xen-3.0.101-0.47.106.22.1
      • kernel-xen-base-3.0.101-0.47.106.22.1
      • kernel-xen-devel-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      • kernel-default-debuginfo-3.0.101-0.47.106.22.1
      • kernel-default-debugsource-3.0.101-0.47.106.22.1
      • kernel-trace-debuginfo-3.0.101-0.47.106.22.1
      • kernel-trace-debugsource-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):
      • kernel-ec2-debuginfo-3.0.101-0.47.106.22.1
      • kernel-ec2-debugsource-3.0.101-0.47.106.22.1
      • kernel-xen-debuginfo-3.0.101-0.47.106.22.1
      • kernel-xen-debugsource-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Debuginfo 11-SP3 (x86_64):
      • kernel-bigsmp-debuginfo-3.0.101-0.47.106.22.1
      • kernel-bigsmp-debugsource-3.0.101-0.47.106.22.1
    • SUSE Linux Enterprise Debuginfo 11-SP3 (i586):
      • kernel-pae-debuginfo-3.0.101-0.47.106.22.1
      • kernel-pae-debugsource-3.0.101-0.47.106.22.1

    References: