SUSE: 2018:0482-1: important: the Linux Kernel
Summary
The SUSE Linux Enterprise 12 SP2 Realtime kernel was updated to 4.4.114 to
receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2017-5715: Systems with microprocessors utilizing speculative
execution and indirect branch prediction may allow unauthorized
disclosure of information to an attacker with local user access via a
side-channel analysis (bnc#1068032).
The previous fix, which relied on updated CPU microcode, has been
complemented by building the Linux kernel with return trampolines
("retpolines").
- CVE-2018-5333: In the Linux kernel the rds_cmsg_atomic function in
net/rds/rdma.c mishandled cases where page pinning fails or an invalid
address is supplied, leading to an rds_atomic_free_op NULL pointer
dereference (bnc#1075617).
- CVE-2018-5332: In the Linux kernel the rds_message_alloc_sgs() function
did not validate a value that is used during DMA page allocation,
leading to a heap-based out-of-bounds write (related to the
rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621).
- CVE-2017-17862: kernel/bpf/verifier.c in the Linux kernel ignores
unreachable code, even though it would still be processed by JIT
compilers. This behavior, also considered an improper branch-pruning
logic issue, could possibly be used by local users for denial of service
(bnc#1073928).
- CVE-2017-17864: kernel/bpf/verifier.c in the Linux kernel mishandled
states_equal comparisons between the pointer data type and the
UNKNOWN_VALUE data type, which allowed local users to obtain potentially
sensitive address information, aka a "pointer leak" (bnc#1073928).
- CVE-2017-17712: The raw_sendmsg() function in net/ipv4/raw.c in the
Linux kernel has a race condition on inet->hdrincl that leads to use of
an uninitialized stack pointer; this allowed a local user to execute
code and gain privileges (bnc#1073229 bnc#1073230).
- CVE-2017-15129: A use-after-free vulnerability was found in the network
namespaces code of the Linux kernel. The function get_net_ns_by_id() in
net/core/net_namespace.c did not check the net::count value after it
had found a peer network in the netns_ids idr, which could lead to a
double free and memory corruption. This vulnerability could allow an
unprivileged local user to induce kernel memory corruption on the
system, leading to a crash. Due to the nature of the flaw, privilege
escalation cannot be fully ruled out, although it is thought to be
unlikely (bnc#1074839).
- CVE-2017-18017: The tcpmss_mangle_packet function in
net/netfilter/xt_TCPMSS.c in the Linux kernel allowed remote attackers
to cause a denial of service (use-after-free and memory corruption) or
possibly have unspecified other impact by leveraging the presence of
xt_TCPMSS in an iptables action (bnc#1074488).
- CVE-2018-1000004: In the Linux kernel a race condition vulnerability
exists in the sound system; this can lead to a deadlock and a denial of
service condition (bnc#1076017).
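A post-update check, added here as an example and not part of SUSE's advisory or tooling: it compares the running kernel version against the 4.4.114 named above and classifies the kernel's own Spectre v2 report, so an administrator can confirm both that the fixed kernel is actually booted and that it reports a mitigation rather than just being installed. It assumes (neither is stated in the advisory) that the updated kernel's `uname -r` begins with 4.4.114 and that this kernel exposes /sys/devices/system/cpu/vulnerabilities/spectre_v2; the version and status strings used for testing are constructed samples.

```shell
#!/bin/sh
# Added example for SUSE-SU-2018:0482-1, not SUSE's own code.
# Assumption: the fixed kernel reports a version beginning with 4.4.114
# and exposes the spectre_v2 status file (path below); the sample
# strings in the checks at the end are constructed.

FIXED_VERSION="4.4.114"
SYSFS_V2="/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# version_ge A B: print 1 if A >= B on the first three numeric fields,
# else 0. Anything after the first non-digit/non-dot character (for
# example "-94.14-rt" in a SUSE release string) is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        if [ "$x" -lt "$y" ]; then echo 0; return; fi
        i=$((i + 1))
    done
    echo 1
}

# classify_spectre_v2 TEXT: map the sysfs text to one word.
# "Vulnerable" is tested first because some kernels report a partial
# retpoline build as "Vulnerable: ... retpoline", which must not pass.
classify_spectre_v2() {
    case "$1" in
        *Vulnerable*)           echo vulnerable ;;
        *"Not affected"*)       echo not_affected ;;
        *[Rr]etpoline*|*IBRS*)  echo mitigated ;;
        *)                      echo unknown ;;
    esac
}

# assess VERSION STATUS: combine both checks. Prints "update-needed"
# when the running kernel predates the fix, "ok" when it is new enough
# and reports a mitigation, and "check-mitigation" otherwise (for
# example a new enough kernel whose status file is missing or reports
# it vulnerable, which warrants a closer look at boot options/microcode).
assess() {
    if [ "$(version_ge "$1" "$FIXED_VERSION")" -ne 1 ]; then
        echo update-needed
        return
    fi
    case "$(classify_spectre_v2 "$2")" in
        mitigated|not_affected) echo ok ;;
        *)                      echo check-mitigation ;;
    esac
}

# Live run against this host; the status is empty if the file is absent.
if [ -r "$SYSFS_V2" ]; then
    assess "$(uname -r)" "$(cat "$SYSFS_V2")"
else
    assess "$(uname -r)" ""
fi
```

The version comparison deliberately stops at the third numeric field, so it only answers "is this at least the 4.4.114 rebase" and does not distinguish SUSE build revisions; for that, compare the installed package version with `rpm -q kernel-rt` against the package list in the advisory.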
The following non-security bugs were fixed:
- X.509: fix printing uninitialized stack memory when OID is empty
(bsc#1075078).
- 8021q: fix a memory leak for VLAN 0 device (bnc#1012382).
- acpi / scan: Prefer devices without _HID/_CID for _ADR matching
(bnc#1012382).
- af_key: fix buffer overread in parse_exthdrs() (bnc#1012382).
- af_key: fix buffer overread in verify_address_len() (bnc#1012382).
- afs: Adjust mode bits processing (bnc#1012382).
- afs: Connect up the CB.ProbeUuid (bnc#1012382).
- afs: Fix afs_kill_pages() (bnc#1012382).
- afs: Fix missing put_page() (bnc#1012382).
- afs: Fix page leak in afs_write_begin() (bnc#1012382).
- afs: Fix the maths in afs_fs_store_data() (bnc#1012382).
- afs: Flush outstanding writes when an fd is closed (bnc#1012382).
- afs: Migrate vlocation fields to 64-bit (bnc#1012382).
- afs: Populate and use client modification time (bnc#1012382).
- afs: Populate group ID from vnode status (bnc#1012382).
- afs: Prevent callback expiry timer overflow (bnc#1012382).
- alpha: fix build failures (bnc#1012382).
- alsa: aloop: Fix inconsistent format due to incomplete rule
(bsc#1031717).
- alsa: aloop: Fix racy hw constraints adjustment (bsc#1031717).
- alsa: aloop: Release cable upon open error path (bsc#1031717).
- alsa: hda - Apply headphone noise quirk for another Dell XPS 13 variant
(bsc#1031717).
- alsa: hda - Apply the existing quirk to iMac 14,1 (bsc#1031717).
- alsa: pcm: Abort properly at pending signal in OSS read/write loops
(bsc#1031717).
- alsa: pcm: Add missing error checks in OSS emulation plugin builder
(bsc#1031717).
- alsa: pcm: Allow aborting mutex lock at OSS read/write loops
(bsc#1031717).
- alsa: pcm: Remove incorrect snd_BUG_ON() usages (bsc#1031717).
- alsa: pcm: Remove yet superfluous WARN_ON() (bsc#1031717).
- arc: uaccess: dont use "l" gcc inline asm constraint modifier
(bnc#1012382).
- arm64: Add hypervisor safe helper for checking constant capabilities
(bsc#1068032).
- arm64: Add macros to read/write system registers (bsc#1068032).
- arm64: add macro to extract ESR_ELx.EC (bsc#1068032).
- arm64: Add skeleton to harden the branch predictor against aliasing
attacks (bsc#1068032).
- arm64: Add trace_hardirqs_off annotation in ret_to_user (bsc#1068032).
- arm64: alternative: add auto-nop infrastructure (bsc#1068032).
- arm64: barriers: introduce nops and __nops macros for NOP sequences
(bsc#1068032).
- arm64: cpu_errata: Allow an erratum to be match for all revisions of a
core (bsc#1068032).
- arm64: cpufeature: Add scope for capability check (bsc#1068032).
- arm64/cpufeature: do not use mutex in bringup path (bsc#1068032).
- arm64: cpufeature: Pass capability structure to ->enable callback
(bsc#1068032).
- arm64: debug: remove unused local_dbg_{enable, disable} macros
(bsc#1068032).
- arm64: Disable kpti for non broadcast TLB HW (bsc#1068032).
- arm64: Disable TTBR0_EL1 during normal kernel execution (bsc#1068032).
- arm64: do not pull uaccess.h into *.S (bsc#1068032).
- arm64: Enable CONFIG_ARM64_SW_TTBR0_PAN (bsc#1068032).
- arm64: entry: Add exception trampoline page for exceptions from EL0
(bsc#1068032).
- arm64: entry: Add fake CPU feature for unmapping the kernel at EL0
(bsc#1068032).
- arm64: entry: Explicitly pass exception level to kernel_ventry macro
(bsc#1068032).
- arm64: entry: Hook up entry trampoline to exception vectors (bsc#1068032).
- arm64: entry: remove pointless SPSR mode check (bsc#1068032).
- arm64: entry.S convert el0_sync (bsc#1068032).
- arm64: entry.S: convert el1_sync (bsc#1068032).
- arm64: entry.S: convert elX_irq (bsc#1068032).
- arm64: entry.S: move SError handling into a C function for future
expansion (bsc#1068032).
- arm64: entry.S: Remove disable_dbg (bsc#1068032).
- arm64: explicitly mask all exceptions (bsc#1068032).
- arm64: factor out entry stack manipulation (bsc#1068032).
- arm64: factor out PAGE_* and CONT_* definitions (bsc#1068032).
- arm64: Factor out PAN enabling/disabling into separate uaccess_* macros
(bsc#1068032).
- arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm
macro (bsc#1068032).
- arm64: factor work_pending state machine to C (bsc#1068032).
- arm64: Fix circular include of asm/lse.h through linux/jump_label.h
(bsc#1068032).
- arm64: Fix compilation (bsc#1068032).
- arm64: fpsimd: Prevent registers leaking from dead tasks (bnc#1012382).
- arm64: Handle el1 synchronous instruction aborts cleanly (bsc#1068032).
- arm64: head.S: get rid of x25 and x26 with 'global' scope (bsc#1068032).
- arm64: Implement branch predictor hardening for affected Cortex-A CPUs
(bsc#1068032).
- arm64: Initialise high_memory global variable earlier (bnc#1012382).
- arm64: introduce an order for exceptions (bsc#1068032).
- arm64: introduce mov_q macro to move a constant into a 64-bit register
(bsc#1068032).
- arm64: Introduce uaccess_{disable,enable} functionality based on
TTBR0_EL1 (bsc#1068032).
- arm64: kaslr: Put kernel vectors address in separate data page
(bsc#1068032).
- arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0 (bsc#1068032).
- arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry (bsc#1068032).
- arm64: kill ESR_LNX_EXEC (bsc#1068032).
- arm64: kpti: Fix the interaction between ASID switching and software PAN
(bsc#1068032).
- arm64: kvm: Fix SMCCC handling of unimplemented SMC/HVC calls
(bnc#1012382).
- arm64: kvm: fix VTTBR_BADDR_MASK BUG_ON off-by-one (bnc#1012382).
- arm64: kvm: Survive unknown traps from guests (bnc#1012382).
- arm64: kvm: Use per-CPU vector when BP hardening is enabled
(bsc#1068032).
- arm64: Mask all exceptions during kernel_exit (bsc#1068032).
- arm64: mm: Add arm64_kernel_unmapped_at_el0 helper (bsc#1068032).
- arm64: mm: Allocate ASIDs in pairs (bsc#1068032).
- arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN (bsc#1068032).
- arm64: mm: hardcode rodata=true (bsc#1068032).
- arm64: mm: Introduce TTBR_ASID_MASK for getting at the ASID in the TTBR
(bsc#1068032).
- arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI
(bsc#1068032).
- arm64: mm: Map entry trampoline into trampoline and kernel page tables
(bsc#1068032).
- arm64: mm: Move ASID from TTBR0 to TTBR1 (bsc#1068032).
- arm64: mm: Rename post_ttbr0_update_workaround (bsc#1068032).
- arm64: mm: Temporarily disable ARM64_SW_TTBR0_PAN (bsc#1068032).
- arm64: mm: Use non-global mappings for kernel space (bsc#1068032).
- arm64: Move BP hardening to check_and_switch_context (bsc#1068032).
- arm64: Move post_ttbr_update_workaround to C code (bsc#1068032).
- arm64: Move the async/fiq helpers to explicitly set process context
flags (bsc#1068032).
- arm64: Store struct thread_info in sp_el0 (bsc#1068032).
- arm64: SW PAN: Point saved ttbr0 at the zero page when switching to
init_mm (bsc#1068032).
- arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb (bsc#1068032).
- arm64: swp emulation: bound LL/SC retries before rescheduling
(bsc#1068032).
- arm64: sysreg: allow write_sysreg to use XZR (bsc#1068032).
- arm64: sysreg: Fix unprotected macro argument in write_sysreg
(bsc#1068032).
- arm64: Take into account ID_AA64PFR0_EL1.CSV3 (bsc#1068032).
- arm64: tlbflush.h: add __tlbi() macro (bsc#1068032).
- arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks
(bsc#1068032).
- arm64: use alternative auto-nop (bsc#1068032).
- arm64: use RET instruction for exiting the trampoline (bsc#1068032).
- arm64: Use static keys for CPU features (bsc#1068032).
- arm64: xen: Enable user access before a privcmd hvc call (bsc#1068032).
- arm: avoid faulting on qemu (bnc#1012382).
- arm: BUG if jumping to usermode address in kernel mode (bnc#1012382).
- arm-ccn: perf: Prevent module unload while PMU is in use (bnc#1012382).
- arm: dma-mapping: disallow dma_get_sgtable() for non-kernel managed
memory (bnc#1012382).
- arm: dts: am335x-evmsk: adjust mmc2 param to allow suspend (bnc#1012382).
- arm: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
(bnc#1012382).
- arm: dts: ti: fix pci bus dtc warnings (bnc#1012382).
- arm: kprobes: Align stack to 8-bytes in test code (bnc#1012382).
- arm: kprobes: Fix the return address of multiple kretprobes
(bnc#1012382).
- arm: kvm: Fix VTTBR_BADDR_MASK BUG_ON off-by-one (bnc#1012382).
- arm: kvm: Survive unknown traps from guests (bnc#1012382).
- arm: OMAP1: DMA: Correct the number of logical channels (bnc#1012382).
- arm: OMAP2+: Fix device node reference counts (bnc#1012382).
- arm: OMAP2+: gpmc-onenand: propagate error on initialization failure
(bnc#1012382).
- arm: OMAP2+: Release device node after it is no longer needed
(bnc#1012382).
- asm-prototypes: Clear any CPP defines before declaring the functions
(git-fixes).
- asn.1: check for error from ASN1_OP_END__ACT actions (bnc#1012382).
- asn.1: fix out-of-bounds read when parsing indefinite length item
(bnc#1012382).
- ath9k: fix tx99 potential info leak (bnc#1012382).
- atm: horizon: Fix irq release error (bnc#1012382).
- audit: ensure that 'audit=1' actually enables audit for PID 1
(bnc#1012382).
- axonram: Fix gendisk handling (bnc#1012382).
- backlight: pwm_bl: Fix overflow condition (bnc#1012382).
- bcache: add a comment in journal bucket reading (bsc#1076110).
- bcache: Avoid nested function definition (bsc#1076110).
- bcache: check return value of register_shrinker (bsc#1076110).
- bcache: debug: avoid accessing .bi_io_vec directly (bsc#1076110).
- bcache: documentation formatting, edited for clarity, stripe alignment
notes (bsc#1076110).
- bcache: documentation updates and corrections (bsc#1076110).
- bcache: Do not reinvent the wheel but use existing llist API
(bsc#1076110).
- bcache: do not write back data if reading it failed (bsc#1076110).
- bcache: explicitly destroy mutex while exiting (bnc#1012382).
- bcache: fix a comments typo in bch_alloc_sectors() (bsc#1076110).
- bcache: fix sequential large write IO bypass (bsc#1076110).
- bcache: fix wrong cache_misses statistics (bnc#1012382).
- bcache: gc does not work when triggering by manual command (bsc#1076110,
bsc#1038078).
- bcache: implement PI controller for writeback rate (bsc#1076110).
- bcache: increase the number of open buckets (bsc#1076110).
- bcache: only permit to recovery read error when cache device is clean
(bnc#1012382 bsc#1043652).
- bcache: partition support: add 16 minors per bcacheN device
(bsc#1076110).
- bcache: pr_err: more meaningful error message when nr_stripes is invalid
(bsc#1076110).
- bcache: rearrange writeback main thread ratelimit (bsc#1076110).
- bcache: recover data from backing when data is clean (bnc#1012382
bsc#1043652).
- bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
(bsc#1076110).
- bcache: Remove deprecated create_workqueue (bsc#1076110).
- bcache: Remove redundant block_size assignment (bsc#1076110).
- bcache: Remove redundant parameter for cache_alloc() (bsc#1076110).
- bcache: Remove redundant set_capacity (bsc#1076110).
- bcache: remove unused parameter (bsc#1076110).
- bcache: rewrite multiple partitions support (bsc#1076110, bsc#1038085,
bsc#1019784).
- bcache: safeguard a dangerous addressing in closure_queue (bsc#1076110).
- bcache: silence static checker warning (bsc#1076110).
- bcache: smooth writeback rate control (bsc#1076110).
- bcache: switch to using blk_queue_write_cache() (bsc#1076110).
- bcache.txt: standardize document format (bsc#1076110).
- bcache: update bio->bi_opf bypass/writeback REQ_ flag hints
(bsc#1076110).
- bcache: update bucket_in_use in real time (bsc#1076110).
- bcache: Update continue_at() documentation (bsc#1076110).
- bcache: update document info (bsc#1076110).
- bcache: use kmalloc to allocate bio in bch_data_verify() (bsc#1076110).
- bcache: use llist_for_each_entry_safe() in __closure_wake_up()
(bsc#1076110).
- bcache: writeback rate clamping: make 32 bit safe (bsc#1076110).
- bcache: writeback rate shouldn't artificially clamp (bsc#1076110).
- be2net: restore properly promisc mode after queues reconfiguration
(bsc#963844 FATE#320192).
- block: export bio_free_pages to other modules (bsc#1076110).
- block: wake up all tasks blocked in get_request() (bnc#1012382).
- bluetooth: btusb: driver to enable the usb-wakeup feature (bnc#1012382).
- bnx2x: do not rollback VF MAC/VLAN filters we did not configure
(bnc#1012382).
- bnx2x: fix possible overrun of VFPF multicast addresses array
(bnc#1012382).
- bnx2x: prevent crash when accessing PTP with interface down
(bnc#1012382).
- btrfs: account for pinned bytes in should_alloc_chunk (bsc#1066842).
- btrfs: add missing memset while reading compressed inline extents
(bnc#1012382).
- can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
(bnc#1012382).
- can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once (bnc#1012382).
- can: ems_usb: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- can: esd_usb2: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- can: gs_usb: fix return value of the "set_bittiming" callback
(bnc#1012382).
- can: kvaser_usb: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
(bnc#1012382).
- can: kvaser_usb: free buf in error paths (bnc#1012382).
- can: kvaser_usb: ratelimit errors if incomplete messages are received
(bnc#1012382).
- can: peak: fix potential bug in packet fragmentation (bnc#1012382).
- can: ti_hecc: Fix napi poll return value for repoll (bnc#1012382).
- can: usb_8dev: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- cdc-acm: apply quirk for card reader (bsc#1060279).
- cdrom: factor out common open_for_* code (bsc#1048585).
- cdrom: wait for tray to close (bsc#1048585).
- ceph: drop negative child dentries before try pruning inode's alias
(bnc#1012382).
- ceph: more accurate statfs (bsc#1077068).
- clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o
VPU (bnc#1012382).
- clk: mediatek: add the option for determining PLL source clock
(bnc#1012382).
- clk: tegra: Fix cclk_lp divisor register (bnc#1012382).
- cpuidle: fix broadcast control when broadcast can not be entered
(bnc#1012382).
- cpuidle: powernv: Pass correct drv->cpumask for registration
(bnc#1012382).
- cpuidle: Validate cpu_dev in cpuidle_add_sysfs() (bnc#1012382).
- crypto: algapi - fix NULL dereference in crypto_remove_spawns()
(bnc#1012382).
- crypto: chacha20poly1305 - validate the digest size (bnc#1012382).
- crypto: crypto4xx - increase context and scatter ring buffer elements
(bnc#1012382).
- crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
(bnc#1012382).
- crypto: mcryptd - protect the per-CPU queue with a lock (bnc#1012382).
- crypto: n2 - cure use after free (bnc#1012382).
- crypto: pcrypt - fix freeing pcrypt instances (bnc#1012382).
- crypto: s5p-sss - Fix completing crypto request in IRQ handler
(bnc#1012382).
- crypto: tcrypt - fix buffer lengths in test_aead_speed() (bnc#1012382).
- cxl: Check if vphb exists before iterating over AFU devices
(bsc#1066223).
- dax: Pass detailed error code from __dax_fault() (bsc#1072484).
- dccp: do not restart ccid2_hc_tx_rto_expire() if sk in closed state
(bnc#1012382).
- delay: add poll_event_interruptible (bsc#1048585).
- dmaengine: dmatest: move callback wait queue to thread context
(bnc#1012382).
- dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
(bnc#1012382).
- dmaengine: pl330: fix double lock (bnc#1012382).
- dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type
(bnc#1012382).
- dm btree: fix serious bug in btree_split_beneath() (bnc#1012382).
- dm bufio: fix shrinker scans when (nr_to_scan
References
#1012382 #1019784 #1031717 #1036737 #1038078
#1038085 #1043652 #1048585 #1052360 #1060279
#1066223 #1066842 #1068032 #1068038 #1068569
#1068984 #1069160 #1070799 #1072163 #1072484
#1072589 #1073229 #1073230 #1073928 #1074134
#1074488 #1074621 #1074709 #1074839 #1074847
#1075066 #1075078 #1075087 #1075091 #1075428
#1075617 #1075621 #1075627 #1075994 #1076017
#1076110 #1076806 #1076809 #1076872 #1076899
#1077068 #1077560 #1077592 #1077871 #1078526
#1078681 #963844 #988524
Cross-References: CVE-2017-15129 CVE-2017-17712 CVE-2017-17862
CVE-2017-17864 CVE-2017-18017 CVE-2017-5715
CVE-2018-1000004 CVE-2018-5332 CVE-2018-5333
Affected Products:
SUSE Linux Enterprise Real Time Extension 12-SP2
https://www.suse.com/security/cve/CVE-2017-15129.html
https://www.suse.com/security/cve/CVE-2017-17712.html
https://www.suse.com/security/cve/CVE-2017-17862.html
https://www.suse.com/security/cve/CVE-2017-17864.html
https://www.suse.com/security/cve/CVE-2017-18017.html
https://www.suse.com/security/cve/CVE-2017-5715.html
https://www.suse.com/security/cve/CVE-2018-1000004.html
https://www.suse.com/security/cve/CVE-2018-5332.html
https://www.suse.com/security/cve/CVE-2018-5333.html
https://bugzilla.suse.com/1012382
https://bugzilla.suse.com/1019784
https://bugzilla.suse.com/1031717
https://bugzilla.suse.com/1036737
https://bugzilla.suse.com/1038078
https://bugzilla.suse.com/1038085
https://bugzilla.suse.com/1043652
https://bugzilla.suse.com/1048585
https://bugzilla.suse.com/1052360
https://bugzilla.suse.com/1060279
https://bugzilla.suse.com/1066223
https://bugzilla.suse.com/1066842
https://bugzilla.suse.com/1068032
https://bugzilla.suse.com/1068038
https://bugzilla.suse.com/1068569
https://bugzilla.suse.com/1068984
https://bugzilla.suse.com/1069160
https://bugzilla.suse.com/1070799
https://bugzilla.suse.com/1072163
https://bugzilla.suse.com/1072484
https://bugzilla.suse.com/1072589
https://bugzilla.suse.com/1073229
https://bugzilla.suse.com/1073230
https://bugzilla.suse.com/1073928
https://bugzilla.suse.com/1074134
https://bugzilla.suse.com/1074488
https://bugzilla.suse.com/1074621
https://bugzilla.suse.com/1074709
https://bugzilla.suse.com/1074839
https://bugzilla.suse.com/1074847
https://bugzilla.suse.com/1075066
https://bugzilla.suse.com/1075078
https://bugzilla.suse.com/1075087
https://bugzilla.suse.com/1075091
https://bugzilla.suse.com/1075428
https://bugzilla.suse.com/1075617
https://bugzilla.suse.com/1075621
https://bugzilla.suse.com/1075627
https://bugzilla.suse.com/1075994
https://bugzilla.suse.com/1076017
https://bugzilla.suse.com/1076110
https://bugzilla.suse.com/1076806
https://bugzilla.suse.com/1076809
https://bugzilla.suse.com/1076872
https://bugzilla.suse.com/1076899
https://bugzilla.suse.com/1077068
https://bugzilla.suse.com/1077560
https://bugzilla.suse.com/1077592
https://bugzilla.suse.com/1077871
https://bugzilla.suse.com/1078526
https://bugzilla.suse.com/1078681
https://bugzilla.suse.com/963844
https://bugzilla.suse.com/988524