ESB-2018.0923 - [SUSE] kernel: Multiple vulnerabilities 2018-03-29


             AUSCERT External Security Bulletin Redistribution

        SUSE Security Update: Security update for the Linux Kernel
                               29 March 2018


        AusCERT Security Bulletin Summary

Product:           kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7566 CVE-2018-6927 CVE-2018-5333
                   CVE-2018-5332 CVE-2018-1068 CVE-2018-1066
                   CVE-2017-18221 CVE-2017-18208 CVE-2017-18204
                   CVE-2017-18017 CVE-2017-16914 CVE-2017-16913
                   CVE-2017-16912 CVE-2017-16911 CVE-2017-16644
                   CVE-2017-15299 CVE-2017-13166 CVE-2017-12190

Reference:         ASB-2016.0103

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for the Linux Kernel

Announcement ID:    SUSE-SU-2018:0834-1
Rating:             important
References:         #1010470 #1012382 #1045330 #1062568 #1063416 
                    #1066001 #1067118 #1068032 #1072689 #1072865 
                    #1074488 #1075617 #1075621 #1077560 #1078669 
                    #1078672 #1078673 #1078674 #1080255 #1080464 
                    #1080757 #1082299 #1083244 #1083483 #1083494 
                    #1083640 #1084323 #1085107 #1085114 #1085279 
Cross-References:   CVE-2016-7915 CVE-2017-12190 CVE-2017-13166
                    CVE-2017-15299 CVE-2017-16644 CVE-2017-16911
                    CVE-2017-16912 CVE-2017-16913 CVE-2017-16914
                    CVE-2017-18017 CVE-2017-18204 CVE-2017-18208
                    CVE-2017-18221 CVE-2018-1066 CVE-2018-1068
                    CVE-2018-5332 CVE-2018-5333 CVE-2018-6927
Affected Products:
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12

   An update that solves 19 vulnerabilities and has 12 fixes
   is now available.


   The SUSE Linux Enterprise 12 kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2018-1068: Fixed a flaw in the implementation of the 32-bit syscall
     interface for bridging. This allowed a privileged user to arbitrarily
     write to a limited range of kernel memory (bnc#1085107).
   - CVE-2017-18221: The __munlock_pagevec function allowed local users to
     cause a denial of service (NR_MLOCK accounting corruption) via crafted
     use of mlockall and munlockall system calls (bnc#1084323).
   - CVE-2018-1066: Prevent NULL pointer dereference in
     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker
     controlling a CIFS server to kernel panic a client that has this server
     mounted, because an empty TargetInfo field in an NTLMSSP setup
     negotiation response was mishandled during session recovery.
   - CVE-2017-13166: Prevent elevation of privilege vulnerability in the
     kernel v4l2 video driver (bnc#1072865).
   - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose
     kernel memory addresses. Successful exploitation required that a USB
     device was attached over IP (bnc#1078674).
   - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key
     that already exists but is uninstantiated, which allowed local users to
     cause a denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact via a crafted system call.
   - CVE-2017-18208: The madvise_willneed function in the kernel allowed local users
     to cause a denial of service (infinite loop) by triggering use of
     MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
   - CVE-2018-7566: The ALSA sequencer core initializes the event pool on
     demand by invoking snd_seq_pool_init() when the first write happens and
     the pool is empty. A user could concurrently reset the pool size manually
     via ioctl, which may have led to a use-after-free or out-of-bounds access.
   - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause
     a denial of service (deadlock) via DIO requests (bnc#1083244).
   - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a
     denial of service (improper error handling and system crash) or possibly
     have unspecified other impact via a crafted USB device (bnc#1067118).
   - CVE-2018-6927: The futex_requeue function allowed attackers to cause a
     denial of service (integer overflow) or possibly have unspecified other
     impact by triggering a negative wake or requeue value (bnc#1080757).
   - CVE-2017-16914: The "stub_send_ret_submit()" function allowed attackers
     to cause a denial of service (NULL pointer dereference) via a specially
     crafted USB over IP packet (bnc#1078669).
   - CVE-2016-7915: The hid_input_field function allowed physically proximate
     attackers to obtain sensitive information from kernel memory or cause a
     denial of service (out-of-bounds read) by connecting a device (bnc#1010470).
   - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did
     unbalanced refcounting when a SCSI I/O vector had small consecutive
     buffers belonging to the same page. The bio_add_pc_page function merged
     them into one, but the page reference was never dropped. This caused a
     memory leak and possible system lockup (exploitable against the host OS
     by a guest OS user, if a SCSI disk is passed through to a virtual
     machine) due to an out-of-memory condition (bnc#1062568).
   - CVE-2017-16912: The "get_pipe()" function allowed attackers to cause a
     denial of service (out-of-bounds read) via a specially crafted USB over IP
     packet (bnc#1078673).
   - CVE-2017-16913: The "stub_recv_cmd_submit()" function when handling
     CMD_SUBMIT packets allowed attackers to cause a denial of service
     (arbitrary memory allocation) via a specially crafted USB over IP packet.
   - CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a
     value that is used during DMA page allocation, leading to a heap-based
     out-of-bounds write (related to the rds_rdma_extra_size function in
     net/rds/rdma.c) (bnc#1075621).
   - CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled
     cases where page pinning fails or an invalid address is supplied,
     leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).
   - CVE-2017-18017: The tcpmss_mangle_packet function allowed remote
     attackers to cause a denial of service (use-after-free and memory
     corruption) or possibly have unspecified other impact by leveraging the
     presence of xt_TCPMSS in an iptables action (bnc#1074488).

   The following non-security bugs were fixed:

   - Fix build on arm64 by defining empty gmb() (bnc#1068032).
   - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
   - KEYS: fix writing past end of user-supplied buffer in keyring_read()
   - KEYS: return full count in keyring_read() if buffer is too small
   - include/stddef.h: Move offsetofend() from vfio.h to a generic kernel
     header (bsc#1077560).
   - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
   - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
   - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
   - x86/kaiser: use trampoline stack for kernel entry (bsc#1077560)
   - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
   - livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow
     variables support (bsc#1082299).
   - livepatch: introduce shadow variable API. Shadow variables support
   - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
   - media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
   - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
   - media: v4l2-compat-ioctl32.c: do not copy back the result for certain
     errors (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
   - media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: move 'helper' functions to
     __get/put_v4l2_format32 (bnc#1012382).
   - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382).
   - media: v4l2-ioctl.c: do not copy back the result for -ENOTTY
   - netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets
   - netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
   - packet: only call dev_add_pack() on freshly allocated fanout instances
   - pipe: cap initial pipe capacity according to pipe-max-size limit
   - x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2018-558=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-558=1
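
   As an added example (not part of the SUSE or AusCERT text), the following POSIX
   shell script checks that the bulletin's patch is listed as applied and that the
   newly installed kernel is the one actually running, since a kernel update only
   takes effect after a reboot. The patch name is taken from the bulletin; the
   version-string layout the comparison assumes is stated in the comments.

```shell
#!/bin/sh
# Added verification helper (not SUSE's or AusCERT's code). Applies to the
# SLES 12-LTSS patch named in the bulletin; change PATCH_NAME for the
# Public Cloud module.

PATCH_NAME="SUSE-SLE-SERVER-12-2018-558"   # patch id from the bulletin

# Decide whether a reboot is still pending by comparing the running kernel
# with the newest installed kernel-default package.
# Assumption: uname -r looks like "<version>-<release>-<flavor>" and the
# package version looks like "<version>-<release>.<rebuild>"; adjust the
# parsing if your kernel naming differs.
# Returns 0 if a reboot is needed, 1 if the installed kernel is already running.
kernel_needs_reboot() {
    running="$1"      # e.g. output of: uname -r
    installed="$2"    # e.g. output of: rpm -q --qf '%{VERSION}-%{RELEASE}' kernel-default
    base="${running%-*}"                      # drop the "-<flavor>" suffix
    case "$installed" in
        "$base".*|"$base") return 1 ;;        # same version-release: already active
        *)                 return 0 ;;        # different kernel installed: reboot
    esac
}

# Live check (SUSE host only): does zypper list the patch as applied?
patch_applied() {
    zypper --non-interactive patches 2>/dev/null | grep -F "$1" | grep -qw applied
}

# Run the live checks only when invoked with --live, so the functions above
# can be sourced and exercised offline.
if [ "${1:-}" = "--live" ]; then
    if patch_applied "$PATCH_NAME"; then
        echo "patch $PATCH_NAME is applied"
    else
        echo "patch $PATCH_NAME NOT applied; run: zypper in -t patch $PATCH_NAME=1"
    fi
    newest="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default | sort -V | tail -n 1)"
    if kernel_needs_reboot "$(uname -r)" "$newest"; then
        echo "reboot required: running $(uname -r), installed kernel-default $newest"
    else
        echo "running kernel matches installed kernel-default $newest"
    fi
fi
```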

Package List:

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):


   - SUSE Linux Enterprise Server 12-LTSS (x86_64):


   - SUSE Linux Enterprise Server 12-LTSS (noarch):


   - SUSE Linux Enterprise Server 12-LTSS (s390x):


   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

