Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2018:1482-1
Rating:	important
References:	bsc#1013018 bsc#1070404 bsc#1072689 bsc#1087082 bsc#1088343 bsc#1089386 bsc#1090607 bsc#1091659 bsc#1092497 bsc#1093600 bsc#1093710 bsc#919382
Affected Products:	SLES for SAP Applications 11-SP4 SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4

An update that has 12 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

This update main focus is a regression fix in SystemV IPC handling. (bsc#1093600)

The following non-security bugs were fixed:

• Drop cBPF SSBD as classic BPF does not really have a proper concept of pointers, and without eBPF maps the out-of-bounds access in speculative execution branch can't be mounted. Moreoever, seccomp BPF uses only such a subset of BPF that can only do absolute indexing, and therefore seccomp data buffer boundarier can't be crossed. Information condensed from Alexei and Kees.
• ibrs used instead of retpoline on Haswell processor with spectre_v2=retpoline (bsc#1092497)
• ib/mlx4: Convert slave port before building address-handle (bug#919382 FATE#317529).
• KABI protect struct _lowcore (bsc#1089386).
• Update config files, add Spectre mitigation for s390x (bnc#1089386, LTC#166572).
• Update s390 config files (bsc#1089386).
• fanotify: fix logic of events on child (bsc#1013018).
• ipc/msg: Fix faulty parsing of msgctl args (bsc#1093600,bsc#1072689).
• ocfs2/dlm: Fix up kABI in dlm_ctxt (bsc#1070404).
• ocfs2/dlm: wait for dlm recovery done when migrating all lock resources (bsc#1013018).
• powerpc, KVM: Split HVMODE_206 cpu feature bit into separate HV and architecture bits (bsc#1087082).
• powerpc: Fix /proc/cpuinfo revision for POWER9 DD2 (FATE#325713, bsc#1093710).
• s390/cio: update chpid descriptor after resource accessibility event (bnc#1091659, LTC#167429).
• s390/dasd: fix IO error for newly defined devices (bnc#1091659, LTC#167398).
• s390/qdio: fix access to uninitialized qdio_q fields (bnc#1091659, LTC#168037).
• s390/qeth: on channel error, reject further cmd requests (bnc#1088343, LTC#165985).
• s390: add automatic detection of the spectre defense (bnc#1089386, LTC#166572).
• s390: add optimized array_index_mask_nospec (bnc#1089386, LTC#166572).
• s390: add sysfs attributes for spectre (bnc#1089386, LTC#166572).
• s390: correct module section names for expoline code revert (bsc#1089386).
• s390: correct nospec auto detection init order (bnc#1089386, LTC#166572).
• s390: do not bypass BPENTER for interrupt system calls (bnc#1089386, LTC#166572).
• s390: fix retpoline build on 31bit (bsc#1089386).
• s390: improve cpu alternative handling for gmb and nobp (bnc#1089386, LTC#166572).
• s390: introduce execute-trampolines for branches (bnc#1089386, LTC#166572).
• s390: move nobp parameter functions to nospec-branch.c (bnc#1089386, LTC#166572).
• s390: report spectre mitigation via syslog (bnc#1089386, LTC#166572).
• s390: run user space and KVM guests with modified branch prediction (bnc#1089386, LTC#166572).
• s390: scrub registers on kernel entry and KVM exit (bnc#1089386, LTC#166572).
• x86, mce: Fix mce_start_timer semantics (bsc#1090607).
• x86/kaiser: symbol kaiser_set_shadow_pgd() exported with non GPL

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Development Kit 11 SP4
  zypper in -t patch sdksp4-kernel-20180526-13635=1
• SUSE Linux Enterprise Server 11 SP4
  zypper in -t patch slessp4-kernel-20180526-13635=1
• SLES for SAP Applications 11-SP4
  zypper in -t patch slessp4-kernel-20180526-13635=1

Package List:

• SUSE Linux Enterprise Software Development Kit 11 SP4 (noarch)
  • kernel-docs-3.0.101-108.52.2
• SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64 nosrc)
  • kernel-default-3.0.101-108.52.1
  • kernel-trace-3.0.101-108.52.1
• SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64)
  • kernel-default-devel-3.0.101-108.52.1
  • kernel-trace-devel-3.0.101-108.52.1
  • kernel-trace-base-3.0.101-108.52.1
  • kernel-source-3.0.101-108.52.1
  • kernel-default-base-3.0.101-108.52.1
  • kernel-syms-3.0.101-108.52.1
• SUSE Linux Enterprise Server 11 SP4 (nosrc x86_64 i586)
  • kernel-ec2-3.0.101-108.52.1
  • kernel-xen-3.0.101-108.52.1
• SUSE Linux Enterprise Server 11 SP4 (x86_64 i586)
  • kernel-xen-base-3.0.101-108.52.1
  • kernel-ec2-base-3.0.101-108.52.1
  • kernel-ec2-devel-3.0.101-108.52.1
  • kernel-xen-devel-3.0.101-108.52.1
• SUSE Linux Enterprise Server 11 SP4 (nosrc i586)
  • kernel-pae-3.0.101-108.52.1
• SUSE Linux Enterprise Server 11 SP4 (i586)
  • kernel-pae-base-3.0.101-108.52.1
  • kernel-pae-devel-3.0.101-108.52.1
• SUSE Linux Enterprise Server 11 SP4 (ppc64 nosrc)
  • kernel-bigmem-3.0.101-108.52.1
  • kernel-ppc64-3.0.101-108.52.1
• SUSE Linux Enterprise Server 11 SP4 (ppc64)
  • kernel-ppc64-devel-3.0.101-108.52.1
  • kernel-bigmem-devel-3.0.101-108.52.1
  • kernel-ppc64-base-3.0.101-108.52.1
  • kernel-bigmem-base-3.0.101-108.52.1
• SUSE Linux Enterprise Server 11 SP4 (s390x)
  • kernel-default-man-3.0.101-108.52.1
• SLES for SAP Applications 11-SP4 (ppc64 nosrc)
  • kernel-bigmem-3.0.101-108.52.1
  • kernel-ppc64-3.0.101-108.52.1
• SLES for SAP Applications 11-SP4 (ppc64)
  • kernel-ppc64-devel-3.0.101-108.52.1
  • kernel-bigmem-devel-3.0.101-108.52.1
  • kernel-ppc64-base-3.0.101-108.52.1
  • kernel-bigmem-base-3.0.101-108.52.1
• SLES for SAP Applications 11-SP4 (ppc64 nosrc x86_64)
  • kernel-default-3.0.101-108.52.1
  • kernel-trace-3.0.101-108.52.1
• SLES for SAP Applications 11-SP4 (ppc64 x86_64)
  • kernel-default-devel-3.0.101-108.52.1
  • kernel-trace-devel-3.0.101-108.52.1
  • kernel-trace-base-3.0.101-108.52.1
  • kernel-source-3.0.101-108.52.1
  • kernel-default-base-3.0.101-108.52.1
  • kernel-syms-3.0.101-108.52.1
• SLES for SAP Applications 11-SP4 (nosrc x86_64)
  • kernel-ec2-3.0.101-108.52.1
  • kernel-xen-3.0.101-108.52.1
• SLES for SAP Applications 11-SP4 (x86_64)
  • kernel-xen-base-3.0.101-108.52.1
  • kernel-ec2-base-3.0.101-108.52.1
  • kernel-ec2-devel-3.0.101-108.52.1
  • kernel-xen-devel-3.0.101-108.52.1

References:

• https://bugzilla.suse.com/show_bug.cgi?id=1013018
• https://bugzilla.suse.com/show_bug.cgi?id=1070404
• https://bugzilla.suse.com/show_bug.cgi?id=1072689
• https://bugzilla.suse.com/show_bug.cgi?id=1087082
• https://bugzilla.suse.com/show_bug.cgi?id=1088343
• https://bugzilla.suse.com/show_bug.cgi?id=1089386
• https://bugzilla.suse.com/show_bug.cgi?id=1090607
• https://bugzilla.suse.com/show_bug.cgi?id=1091659
• https://bugzilla.suse.com/show_bug.cgi?id=1092497
• https://bugzilla.suse.com/show_bug.cgi?id=1093600
• https://bugzilla.suse.com/show_bug.cgi?id=1093710
• https://bugzilla.suse.com/show_bug.cgi?id=919382