Security update for the Linux Kernel

SUSE Security Update: Security update for the Linux Kernel
Announcement ID: SUSE-SU-2018:1173-1
Rating: important
References: #1012382 #1031717 #1046610 #1057734 #1070536 #1075428 #1076847 #1077560 #1082153 #1082299 #1083125 #1083745 #1083836 #1084353 #1084610 #1084721 #1084829 #1085042 #1085185 #1085224 #1085402 #1085404 #1086162 #1086194 #1087088 #1087260 #1087845 #1088241 #1088242 #1088600 #1088684 #1089198 #1089608 #1089644 #1089752 #1090643
Affected Products:
  • SUSE OpenStack Cloud 7
  • SUSE Linux Enterprise Server for SAP 12-SP2
  • SUSE Linux Enterprise Server 12-SP2-LTSS
  • SUSE Enterprise Storage 4
  • OpenStack Cloud Magnum Orchestration 7

An update that solves 9 vulnerabilities and has 27 fixes is now available.

    Description:



    The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to 4.4.121 to
    receive various security fixes and bug fixes.

    The following security bugs were fixed:

    - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c
    had an integer-overflow vulnerability that allowed local users with
    access to the udldrmfb driver to obtain full read and write permissions
    on kernel physical pages, resulting in code execution in kernel space
    (bnc#1090643).
    - CVE-2018-10124: The kill_something_info function in kernel/signal.c
    might have allowed local users to cause a denial of service via an
    INT_MIN argument (bnc#1089752).
    - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have
    allowed local users to cause a denial of service by triggering an
    attempted use of the -INT_MIN value (bnc#1089608).
    - CVE-2017-18257: The __get_data_block function in fs/f2fs/data.c in the
    Linux kernel allowed local users to cause a denial of service (integer
    overflow and loop) via crafted use of the open and fallocate system
    calls with an FS_IOC_FIEMAP ioctl (bnc#1088241).
    - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel
    function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious
    NCPFS servers to crash the kernel or execute code (bnc#1086162).
    - CVE-2018-8043: The unimac_mdio_probe function in
    drivers/net/phy/mdio-bcm-unimac.c did not validate certain resource
    availability, which allowed local users to cause a denial of service
    (NULL pointer dereference) (bnc#1084829).
    - CVE-2018-7740: The resv_map_release function in mm/hugetlb.c allowed
    local users to cause a denial of service (BUG) via a crafted application
    that made mmap system calls and has a large pgoff argument to the
    remap_file_pages system call (bnc#1084353).
    - CVE-2018-1087: An unprivileged KVM guest user could use this flaw to
    potentially escalate their privileges inside a guest (bsc#1087088).
    - CVE-2018-8897: An unprivileged system user could use incorrectly set up
    interrupt stacks to crash the Linux kernel, resulting in a denial of
    service (bsc#1087088).

    The following non-security bugs were fixed:

    - alsa: hda/realtek - Fix speaker no sound after system resume
    (bsc#1031717).
    - alsa: hda: Add a power_save blacklist (bnc#1012382).
    - alsa: usb-audio: Add a quirck for B&W PX headphones (bnc#1012382).
    - arm: dts: LogicPD Torpedo: Fix I2C1 pinmux (bnc#1012382).
    - arm: mvebu: Fix broken PL310_ERRATA_753970 selects (bnc#1012382).
    - kvm: mmu: Fix overlap between public and private memslots (bnc#1012382).
    - Partial revert "e1000e: Avoid receiver overrun interrupt bursts"
    (bsc#1075428).
    - Revert "e1000e: Separate signaling for link check/link up" (bsc#1075428).
    - Revert "led: core: Fix brightness setting when setting delay_off=0"
    (bnc#1012382).
    - Revert "watchdog: hpwdt: Remove legacy NMI sourcing (bsc#1085185)." This
    reverts commit 5d4a2355a2a1c2ec6fdf9d18b68ca0a04ff73c70.
    - bpf, x64: implement retpoline for tail call (bnc#1012382).
    - bridge: check brport attr show in brport_show (bnc#1012382).
    - btrfs: Only check first key for committed tree blocks (bsc#1084721).
    - btrfs: Validate child tree block's level and first key (bsc#1084721).
    - btrfs: preserve i_mode if __btrfs_set_acl() fails (bnc#1012382).
    - ch9200: use skb_cow_head() to deal with cloned skbs (bsc#1088684).
    - cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() (bnc#1012382).
    - dcache: Add cond_resched in shrink_dentry_list (bsc#1086194).
    - dm io: fix duplicate bio completion due to missing ref count
    (bnc#1012382).
    - drm/i915/cmdparser: Do not check past the cmd length (bsc#1031717).
    - drm/i915/psr: Check for the specific AUX_FRAME_SYNC cap bit
    (bsc#1031717).
    - e1000e: Avoid missed interrupts following ICR read (bsc#1075428).
    - e1000e: Avoid receiver overrun interrupt bursts (bsc#1075428).
    - e1000e: Fix check_for_link return value with autoneg off (bsc#1075428).
    - e1000e: Fix link check race condition (bsc#1075428).
    - e1000e: Fix queue interrupt re-raising in Other interrupt (bsc#1075428).
    - e1000e: Remove Other from EIAC (bsc#1075428).
    - fib_semantics: Do not match route with mismatching tclassid
    (bnc#1012382).
    - fs/hugetlbfs/inode.c: change put_page/unlock_page order in
    hugetlbfs_fallocate() (git-fixes, bsc#1083745).
    - hdlc_ppp: carrier detect ok, do not turn off negotiation (bnc#1012382).
    - hugetlbfs: fix offset overflow in hugetlbfs mmap (bnc#1084353).
    - ibmvfc: Avoid unnecessary port relogin (bsc#1085404).
    - ibmvnic: Clear pending interrupt after device reset (bsc#1089644).
    - ibmvnic: Define vnic_login_client_data name field as unsized array
    (bsc#1089198).
    - ibmvnic: Disable irqs before exiting reset from closed state
    (bsc#1084610).
    - ibmvnic: Do not notify peers on parameter change resets (bsc#1089198).
    - ibmvnic: Do not reset CRQ for Mobility driver resets (bsc#1088600).
    - ibmvnic: Fix DMA mapping mistakes (bsc#1088600).
    - ibmvnic: Fix failover case for non-redundant configuration (bsc#1088600).
    - ibmvnic: Fix reset return from closed state (bsc#1084610).
    - ibmvnic: Fix reset scheduler error handling (bsc#1088600).
    - ibmvnic: Handle all login error conditions (bsc#1089198).
    - ibmvnic: Potential NULL dereference in clean_one_tx_pool() (bsc#1085224,
    git-fixes).
    - ibmvnic: Remove unused TSO resources in TX pool structure (bsc#1085224).
    - ibmvnic: Update TX pool cleaning routine (bsc#1085224).
    - ibmvnic: Zero used TX descriptor counter on reset (bsc#1088600).
    - ipv6 sit: work around bogus gcc-8 -Wrestrict warning (bnc#1012382).
    - kGraft: fix small race in reversion code (bsc#1083125).
    - kabi/severities: Ignore kgr_shadow_* kABI changes
    - kvm/x86: fix icebp instruction handling (bnc#1012382).
    - livepatch: Allow to call a custom callback when freeing shadow variables
    (bsc#1082299 fate#313296).
    - livepatch: Initialize shadow variables safely by a custom callback
    (bsc#1082299 fate#313296).
    - mac80211: do not WARN on bad WMM parameters from buggy APs (bsc#1031717).
    - md-cluster: fix wrong condition check in raid1_write_request
    (bsc#1085402).
    - media: au0828: fix VIDEO_V4L2 dependency (bsc#1031717).
    - media: cx25821: prevent out-of-bounds read on array card (bsc#1031717).
    - media: m88ds3103: do not call a non-initalized function (bnc#1012382).
    - media: s3c-camif: fix out-of-bounds array access (bsc#1031717).
    - mm/hugetlb.c: do not call region_abort if region_chg fails (bnc#1084353).
    - mpls, nospec: Sanitize array index in mpls_label_ok() (bnc#1012382).
    - net: fix race on decreasing number of TX queues (bnc#1012382).
    - net: ipv4: avoid unused variable warning for sysctl (git-fixes).
    - net: ipv4: do not allow setting net.ipv4.route.min_pmtu below 68
    (bnc#1012382).
    - net: mpls: Pull common label check into helper (bnc#1012382).
    - netlink: ensure to loop over all netns in genlmsg_multicast_allns()
    (bnc#1012382).
    - nospec: Allow index argument to have const-qualified type (bnc#1012382).
    - perf/x86/intel: Add model number for Skylake Server to perf
    (FATE#321269).
    - powerpc/crash: Remove the test for cpu_online in the IPI callback
    (bsc#1088242).
    - powerpc: Do not send system reset request through the oops path
    (bsc#1088242).
    - powerpc: System reset avoid interleaving oops using die synchronisation
    (bsc#1088242).
    - ppp: prevent unregistered channels from connecting to PPP units
    (bnc#1012382).
    - regmap-i2c: Off by one in regmap_i2c_smbus_i2c_read/write()
    (bsc#1031717).
    - regmap: Do not use format_val in regmap_bulk_read (bsc#1031717).
    - regmap: Fix reversed bounds check in regmap_raw_write() (bsc#1031717).
    - regmap: Format data for raw write in regmap_bulk_write (bsc#1031717).
    - rpm/config.sh: ensure sorted patches.
    - s390/cpuinfo: show facilities as reported by stfle (bnc#1076847,
    LTC#163740).
    - s390/qeth: fix IPA command submission race (bnc#1012382).
    - s390/qeth: fix SETIP command handling (bnc#1012382).
    - sctp: fix dst refcnt leak in sctp_v4_get_dst (bnc#1012382).
    - sctp: fix dst refcnt leak in sctp_v6_get_dst() (bnc#1012382).
    - sctp: verify size of a new chunk in _sctp_make_chunk() (bnc#1012382).
    - storvsc: do not schedule work elements during host reset (bsc#1070536,
    bsc#1057734).
    - storvsc_drv: use embedded work structure for host rescan (bsc#1070536,
    bsc#1057734).
    - storvsc_drv: use separate workqueue for rescan (bsc#1070536,
    bsc#1057734).
    - swap: divide-by-zero when zero length swap file on ssd (bsc#1082153).
    - tpm: st33zp24: fix potential buffer overruns caused by bit glitches on
    the bus (bnc#1012382).
    - tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches
    on the bus (bnc#1012382).
    - tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on
    the bus (bnc#1012382).
    - udplite: fix partial checksum initialization (bnc#1012382).
    - watchdog: hpwdt: Remove legacy NMI sourcing (bsc#1085185).
    - x86/apic/vector: Handle legacy irq data correctly (bnc#1012382).
    - x86/entry/64: Do not use IST entry for #BP stack (bsc#1087088).
    - x86/kaiser: Duplicate cpu_tss for an entry trampoline usage (bsc#1077560
    bsc#1083836).
    - x86/kaiser: Remove a user mapping of cpu_tss structure (bsc#1077560
    bsc#1083836).
    - x86/kaiser: Use a per-CPU trampoline stack for kernel entry
    (bsc#1077560).
    - x86/kaiser: enforce trampoline stack alignment (bsc#1087260).
    - x86/speculation: Remove Skylake C2 from Speculation Control microcode
    blacklist (bsc#1087845).
    - xen-blkfront: fix mq start/stop race (bsc#1085042).
    - xen-netback: use skb to determine number of required guest Rx requests
    (bsc#1046610).

    Patch Instructions:

    To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
    Alternatively you can run the command listed for your product:

    • SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2018-814=1
    • SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-814=1
    • SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-814=1
    • SUSE Enterprise Storage 4:
      zypper in -t patch SUSE-Storage-4-2018-814=1
    • OpenStack Cloud Magnum Orchestration 7:
      zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-814=1
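
Installing the patch does not change the running kernel until the host boots into it. The check below is an added example, not part of the SUSE advisory: it classifies a host as patched, awaiting reboot, or missing the update by comparing release strings against the fixed build 4.4.121-92.73 taken from the package list. The function names and the `uname -r` naming scheme are assumptions, and the comparison is only meaningful on the SLE 12 SP2 based products listed above.

```shell
#!/bin/sh
# Added example: verify that SUSE-SU-2018:1173-1 is installed AND running.
# Assumption: uname -r reports "<version>-<release>-<flavour>", e.g.
# 4.4.121-92.73-default, as the kgraft-patch-4_4_121-92_73-default name suggests.

FIXED_RELEASE="4.4.121-92.73"

# Strip a trailing flavour such as "-default" from a uname -r string.
# Package versions like 4.4.121-92.73.1 have no flavour and pass through.
strip_flavour() {
    printf '%s\n' "$1" | sed -E 's/-[A-Za-z][A-Za-z0-9_]*$//'
}

# Return 0 if release $1 is at or above FIXED_RELEASE, 1 otherwise.
kernel_is_fixed() {
    rel=$(strip_flavour "$1")
    [ -n "$rel" ] || return 1
    lowest=$(printf '%s\n%s\n' "$FIXED_RELEASE" "$rel" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_RELEASE" ]
}

# Classify a host.
#   $1   running release, from: uname -r
#   $2.. installed versions, from:
#        rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default
patch_state() {
    running=$1
    shift
    if kernel_is_fixed "$running"; then
        echo "patched"
        return 0
    fi
    for pkg in "$@"; do
        if kernel_is_fixed "$pkg"; then
            # Fixed kernel is on disk, but the old one is still running.
            echo "reboot-required"
            return 0
        fi
    done
    echo "update-missing"
}

# Usage on a live host:
#   patch_state "$(uname -r)" \
#       $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default)
```
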

    Package List:

    • SUSE OpenStack Cloud 7 (s390x x86_64):
      • kernel-default-4.4.121-92.73.1
      • kernel-default-base-4.4.121-92.73.1
      • kernel-default-base-debuginfo-4.4.121-92.73.1
      • kernel-default-debuginfo-4.4.121-92.73.1
      • kernel-default-debugsource-4.4.121-92.73.1
      • kernel-default-devel-4.4.121-92.73.1
      • kernel-syms-4.4.121-92.73.1
    • SUSE OpenStack Cloud 7 (x86_64):
      • kgraft-patch-4_4_121-92_73-default-1-3.3.1
    • SUSE OpenStack Cloud 7 (noarch):
      • kernel-devel-4.4.121-92.73.1
      • kernel-macros-4.4.121-92.73.1
      • kernel-source-4.4.121-92.73.1
    • SUSE OpenStack Cloud 7 (s390x):
      • kernel-default-man-4.4.121-92.73.1
    • SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      • kernel-default-4.4.121-92.73.1
      • kernel-default-base-4.4.121-92.73.1
      • kernel-default-base-debuginfo-4.4.121-92.73.1
      • kernel-default-debuginfo-4.4.121-92.73.1
      • kernel-default-debugsource-4.4.121-92.73.1
      • kernel-default-devel-4.4.121-92.73.1
      • kernel-syms-4.4.121-92.73.1
    • SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
      • kgraft-patch-4_4_121-92_73-default-1-3.3.1
    • SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
      • kernel-devel-4.4.121-92.73.1
      • kernel-macros-4.4.121-92.73.1
      • kernel-source-4.4.121-92.73.1
    • SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      • kernel-default-4.4.121-92.73.1
      • kernel-default-base-4.4.121-92.73.1
      • kernel-default-base-debuginfo-4.4.121-92.73.1
      • kernel-default-debuginfo-4.4.121-92.73.1
      • kernel-default-debugsource-4.4.121-92.73.1
      • kernel-default-devel-4.4.121-92.73.1
      • kernel-syms-4.4.121-92.73.1
    • SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):
      • kgraft-patch-4_4_121-92_73-default-1-3.3.1
    • SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
      • kernel-devel-4.4.121-92.73.1
      • kernel-macros-4.4.121-92.73.1
      • kernel-source-4.4.121-92.73.1
    • SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):
      • kernel-default-man-4.4.121-92.73.1
    • SUSE Enterprise Storage 4 (x86_64):
      • kernel-default-4.4.121-92.73.1
      • kernel-default-base-4.4.121-92.73.1
      • kernel-default-base-debuginfo-4.4.121-92.73.1
      • kernel-default-debuginfo-4.4.121-92.73.1
      • kernel-default-debugsource-4.4.121-92.73.1
      • kernel-default-devel-4.4.121-92.73.1
      • kernel-syms-4.4.121-92.73.1
      • kgraft-patch-4_4_121-92_73-default-1-3.3.1
    • SUSE Enterprise Storage 4 (noarch):
      • kernel-devel-4.4.121-92.73.1
      • kernel-macros-4.4.121-92.73.1
      • kernel-source-4.4.121-92.73.1
    • OpenStack Cloud Magnum Orchestration 7 (x86_64):
      • kernel-default-4.4.121-92.73.1
      • kernel-default-debuginfo-4.4.121-92.73.1
      • kernel-default-debugsource-4.4.121-92.73.1
