-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.3060
Security update for the Linux Kernel
10 October 2018

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           linux kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Root Compromise        -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17182 CVE-2018-16658 CVE-2018-16276
                   CVE-2018-15594 CVE-2018-15572 CVE-2018-14734
                   CVE-2018-14678 CVE-2018-14634 CVE-2018-14617
                   CVE-2018-13095 CVE-2018-13094 CVE-2018-13093
                   CVE-2018-12896 CVE-2018-10940 CVE-2018-10938
                   CVE-2018-10902 CVE-2018-10883 CVE-2018-10882
                   CVE-2018-10881 CVE-2018-10880 CVE-2018-10879
                   CVE-2018-10878 CVE-2018-10877 CVE-2018-10876
                   CVE-2018-10853 CVE-2018-9363 CVE-2018-7757
                   CVE-2018-7480 CVE-2018-6555 CVE-2018-6554

Reference:         ASB-2018.0124
                   ESB-2018.3020
                   ESB-2018.3010
                   ESB-2018.2981
                   ESB-2018.2974
                   ESB-2018.2958
                   ESB-2018.2955
                   ESB-2018.2930
                   ESB-2018.2885

Original Bulletin:
   https://www.suse.com/support/update/announcement/2018/suse-su-20183083-1.html
   https://www.suse.com/support/update/announcement/2018/suse-su-20183084-1.html
   https://www.suse.com/support/update/announcement/2018/suse-su-20183088-1.html

Comment: This bulletin contains three (3) security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3083-1
Rating:             important
References:         #1012382 #1062604 #1064232 #1065999 #1092903 #1093215
                    #1096547 #1097104 #1099811 #1099813 #1099844 #1099845
                    #1099846 #1099849 #1099863 #1099864 #1099922 #1100001
                    #1100089 #1102870 #1103445 #1104319 #1104495 #1104906
                    #1105322 #1105412 #1106095 #1106369 #1106509 #1106511
                    #1107689 #1108399 #1108912
Cross-References:   CVE-2018-10853 CVE-2018-10876 CVE-2018-10877
                    CVE-2018-10878 CVE-2018-10879 CVE-2018-10880
                    CVE-2018-10881 CVE-2018-10882 CVE-2018-10883
                    CVE-2018-10902 CVE-2018-10940 CVE-2018-12896
                    CVE-2018-13093 CVE-2018-14617 CVE-2018-14634
                    CVE-2018-16276 CVE-2018-16658 CVE-2018-17182
                    CVE-2018-6554 CVE-2018-6555
Affected Products:
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

An update that solves 20 vulnerabilities and has 13 fixes is now available.

Description:

The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-14634: Prevent integer overflow in create_elf_tables that allowed a local attacker to exploit this vulnerability via a SUID-root binary and obtain full root privileges (bsc#1108912)
- CVE-2018-14617: Prevent NULL pointer dereference and panic in hfsplus_lookup() when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bsc#1102870)
- CVE-2018-16276: Incorrect bounds checking in the yurex USB driver in yurex_read allowed local attackers to use user access read/writes to crash the kernel or potentially escalate privileges (bsc#1106095)
- CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)
- CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image.
  This occurred because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001)
- CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)
- CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)
- CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)
- CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)
- CVE-2018-10853: The KVM hypervisor did not check current privilege (CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could have used this flaw to potentially escalate privileges inside guest (bsc#1097104)
- CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322).
- CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844)
- CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863)
- CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data().
  An attacker could have used this to cause a system crash and a denial of service (bsc#1099845)
- CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849)
- CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864)
- CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846)
- CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811)
- CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813)
- CVE-2018-17182: An issue was discovered in the Linux kernel. The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).

The following non-security bugs were fixed:

- bcache: avoid unncessary cache prefetch bch_btree_node_get().
- bcache: calculate the number of incremental GC nodes according to the total of btree nodes.
- bcache: display rate debug parameters to 0 when writeback is not running.
- bcache: do not check return value of debugfs_create_dir().
- bcache: finish incremental GC.
- bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232).
- bcache: fix I/O significant decline while backend devices registering.
- bcache: free heap cache_set->flush_btree in bch_journal_free.
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section.
- bcache: release dc->writeback_lock properly in bch_writeback_thread().
- bcache: set max writeback rate when I/O request is idle (bsc#1064232).
- bcache: simplify the calculation of the total amount of flash dirty data.
- Do not report CPU affected by L1TF when ARCH_CAP_RDCL_NO bit is set (bsc#1104906).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: do not update checksum of new initialized bitmaps (bnc#1012382).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- kABI: protect struct x86_emulate_ops (kabi).
- KEYS: prevent creating a different user's keyrings (bnc#1065999).
- KVM: MMU: always terminate page walks at level 1 (bsc#1062604).
- KVM: MMU: simplify last_pte_bitmap (bsc#1062604).
- KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604).
- KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
- KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
- updated sssbd handling (bsc#1093215, bsc#1105412).
- usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
- x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369).
- sched/sysctl: Check user input value of sysctl_sched_time_avg (bsc#1100089).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-2018-2185=1

- SUSE Linux Enterprise Module for Public Cloud 12:

    zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-2185=1

Package List:

- SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

    kernel-default-3.12.61-52.146.1
    kernel-default-base-3.12.61-52.146.1
    kernel-default-base-debuginfo-3.12.61-52.146.1
    kernel-default-debuginfo-3.12.61-52.146.1
    kernel-default-debugsource-3.12.61-52.146.1
    kernel-default-devel-3.12.61-52.146.1
    kernel-syms-3.12.61-52.146.1

- SUSE Linux Enterprise Server 12-LTSS (x86_64):

    kernel-xen-3.12.61-52.146.1
    kernel-xen-base-3.12.61-52.146.1
    kernel-xen-base-debuginfo-3.12.61-52.146.1
    kernel-xen-debuginfo-3.12.61-52.146.1
    kernel-xen-debugsource-3.12.61-52.146.1
    kernel-xen-devel-3.12.61-52.146.1
    kgraft-patch-3_12_61-52_146-default-1-1.5.1
    kgraft-patch-3_12_61-52_146-xen-1-1.5.1

- SUSE Linux Enterprise Server 12-LTSS (noarch):

    kernel-devel-3.12.61-52.146.1
    kernel-macros-3.12.61-52.146.1
    kernel-source-3.12.61-52.146.1

- SUSE Linux Enterprise Server 12-LTSS (s390x):

    kernel-default-man-3.12.61-52.146.1

- SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

    kernel-ec2-3.12.61-52.146.1
    kernel-ec2-debuginfo-3.12.61-52.146.1
    kernel-ec2-debugsource-3.12.61-52.146.1
    kernel-ec2-devel-3.12.61-52.146.1
    kernel-ec2-extra-3.12.61-52.146.1
    kernel-ec2-extra-debuginfo-3.12.61-52.146.1

References:

  https://www.suse.com/security/cve/CVE-2018-10853.html
  https://www.suse.com/security/cve/CVE-2018-10876.html
  https://www.suse.com/security/cve/CVE-2018-10877.html
  https://www.suse.com/security/cve/CVE-2018-10878.html
  https://www.suse.com/security/cve/CVE-2018-10879.html
  https://www.suse.com/security/cve/CVE-2018-10880.html
  https://www.suse.com/security/cve/CVE-2018-10881.html
  https://www.suse.com/security/cve/CVE-2018-10882.html
  https://www.suse.com/security/cve/CVE-2018-10883.html
  https://www.suse.com/security/cve/CVE-2018-10902.html
  https://www.suse.com/security/cve/CVE-2018-10940.html
  https://www.suse.com/security/cve/CVE-2018-12896.html
  https://www.suse.com/security/cve/CVE-2018-13093.html
  https://www.suse.com/security/cve/CVE-2018-14617.html
  https://www.suse.com/security/cve/CVE-2018-14634.html
  https://www.suse.com/security/cve/CVE-2018-16276.html
  https://www.suse.com/security/cve/CVE-2018-16658.html
  https://www.suse.com/security/cve/CVE-2018-17182.html
  https://www.suse.com/security/cve/CVE-2018-6554.html
  https://www.suse.com/security/cve/CVE-2018-6555.html
  https://bugzilla.suse.com/1012382
  https://bugzilla.suse.com/1062604
  https://bugzilla.suse.com/1064232
  https://bugzilla.suse.com/1065999
  https://bugzilla.suse.com/1092903
  https://bugzilla.suse.com/1093215
  https://bugzilla.suse.com/1096547
  https://bugzilla.suse.com/1097104
  https://bugzilla.suse.com/1099811
  https://bugzilla.suse.com/1099813
  https://bugzilla.suse.com/1099844
  https://bugzilla.suse.com/1099845
  https://bugzilla.suse.com/1099846
  https://bugzilla.suse.com/1099849
  https://bugzilla.suse.com/1099863
  https://bugzilla.suse.com/1099864
  https://bugzilla.suse.com/1099922
  https://bugzilla.suse.com/1100001
  https://bugzilla.suse.com/1100089
  https://bugzilla.suse.com/1102870
  https://bugzilla.suse.com/1103445
  https://bugzilla.suse.com/1104319
  https://bugzilla.suse.com/1104495
  https://bugzilla.suse.com/1104906
  https://bugzilla.suse.com/1105322
  https://bugzilla.suse.com/1105412
  https://bugzilla.suse.com/1106095
  https://bugzilla.suse.com/1106369
  https://bugzilla.suse.com/1106509
  https://bugzilla.suse.com/1106511
  https://bugzilla.suse.com/1107689
  https://bugzilla.suse.com/1108399
  https://bugzilla.suse.com/1108912

_______________________________________________

==============================================================================

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3084-1
Rating:             important
References:         #1012382 #1042286 #1062604 #1064232 #1065364 #1082519
                    #1082863 #1084536 #1085042 #1088810 #1089066 #1092903
                    #1094466 #1095344 #1096547 #1097104 #1099597 #1099811
                    #1099813 #1099844 #1099845 #1099846 #1099849 #1099863
                    #1099864 #1099922 #1099993 #1099999 #1100000 #1100001
                    #1100152 #1102517 #1102715 #1102870 #1103445 #1104319
                    #1104495 #1105292 #1105296 #1105322 #1105348 #1105396
                    #1105536 #1106016 #1106095 #1106369 #1106509 #1106511
                    #1106512 #1106594 #1107689 #1107735 #1107966 #1108239
                    #1108399 #1109333
Cross-References:   CVE-2018-10853 CVE-2018-10876 CVE-2018-10877
                    CVE-2018-10878 CVE-2018-10879 CVE-2018-10880
                    CVE-2018-10881 CVE-2018-10882 CVE-2018-10883
                    CVE-2018-10902 CVE-2018-10938 CVE-2018-10940
                    CVE-2018-12896 CVE-2018-13093 CVE-2018-13094
                    CVE-2018-13095 CVE-2018-14617 CVE-2018-14678
                    CVE-2018-15572 CVE-2018-15594 CVE-2018-16276
                    CVE-2018-16658 CVE-2018-17182 CVE-2018-6554
                    CVE-2018-6555 CVE-2018-7480 CVE-2018-7757
                    CVE-2018-9363
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise High Availability 12-SP2
                    SUSE Enterprise Storage 4
                    OpenStack Cloud Magnum Orchestration 7
______________________________________________________________________________

An update that solves 28 vulnerabilities and has 28 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.

- CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege (CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bnc#1097104).
- CVE-2018-10876: A flaw was found in Linux kernel in the ext4 filesystem code.
  A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811)
- CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846)
- CVE-2018-10878: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (bnc#1099813)
- CVE-2018-10879: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (bnc#1099844)
- CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service. (bnc#1099845)
- CVE-2018-10881: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (bnc#1099864)
- CVE-2018-10882: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (bnc#1099849)
- CVE-2018-10883: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
  (bnc#1099863)
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).
- CVE-2018-10938: A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw (bnc#1106016).
- CVE-2018-10940: The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c allowed local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bnc#1092903).
- CVE-2018-12896: An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922).
- CVE-2018-13093: There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001).
- CVE-2018-13094: An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).
- CVE-2018-13095: A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999).
- CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).
- CVE-2018-14678: The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S did not properly maintain RBX, which allowed local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges (bnc#1102715).
- CVE-2018-15572: The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517 bnc#1105296).
- CVE-2018-15594: arch/x86/kernel/paravirt.c mishandled certain indirect calls, which made it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests (bnc#1105348).
- CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095).
- CVE-2018-16658: An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 (bnc#1107689).
- CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows.
  An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).
- CVE-2018-6554: Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509).
- CVE-2018-6555: The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511).
- CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).
- CVE-2018-9363: A buffer overflow in bluetooth HID report processing could be used by malicious bluetooth devices to crash the kernel or potentially execute code (bnc#1105292).

The following security bugs were fixed:

- CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).

The following non-security bugs were fixed:

- atm: Preserve value of skb->truesize when accounting to vcc (bsc#1089066).
- bcache: avoid unncessary cache prefetch bch_btree_node_get() (bsc#1064232).
- bcache: calculate the number of incremental GC nodes according to the total of btree nodes (bsc#1064232).
- bcache: display rate debug parameters to 0 when writeback is not running (bsc#1064232).
- bcache: do not check return value of debugfs_create_dir() (bsc#1064232).
- bcache: finish incremental GC (bsc#1064232).
- bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232).
- bcache: fix I/O significant decline while backend devices registering (bsc#1064232).
- bcache: free heap cache_set->flush_btree in bch_journal_free (bsc#1064232).
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section (bsc#1064232).
- bcache: release dc->writeback_lock properly in bch_writeback_thread() (bsc#1064232).
- bcache: set max writeback rate when I/O request is idle (bsc#1064232).
- bcache: simplify the calculation of the total amount of flash dirty data (bsc#1064232).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: do not update checksum of new initialized bitmaps (bnc#1012382).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- ibmvnic: Include missing return code checks in reset function (bnc#1107966).
- kABI: protect struct x86_emulate_ops (kabi).
- kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)
- kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- kvm: MMU: always terminate page walks at level 1 (bsc#1062604).
- kvm: MMU: simplify last_pte_bitmap (bsc#1062604).
- kvm: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604).
- kvm: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
- kvm: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
- net: add skb_condense() helper (bsc#1089066).
- net: adjust skb->truesize in pskb_expand_head() (bsc#1089066).
- net: adjust skb->truesize in ___pskb_trim() (bsc#1089066).
- net: ena: Eliminate duplicate barriers on weakly-ordered archs (bsc#1108239).
- net: ena: fix device destruction to gracefully free resources (bsc#1108239).
- net: ena: fix driver when PAGE_SIZE == 64kB (bsc#1108239).
- net: ena: fix incorrect usage of memory barriers (bsc#1108239).
- net: ena: fix missing calls to READ_ONCE (bsc#1108239).
- net: ena: fix missing lock during device destruction (bsc#1108239).
- net: ena: fix potential double ena_destroy_device() (bsc#1108239).
- net: ena: fix surprise unplug NULL dereference kernel crash (bsc#1108239).
- net: ena: Fix use of uninitialized DMA address bits field (bsc#1108239).
- netfilter: xt_CT: fix refcnt leak on error path (bnc#1012382 bsc#1100152).
- netlink: do not enter direct reclaim from netlink_trim() (bsc#1042286).
- nfs: Use an appropriate work queue for direct-write completion (bsc#1082519).
- ovl: fix random return value on mount (bsc#1099993).
- ovl: fix uid/gid when creating over whiteout (bsc#1099993).
- ovl: modify ovl_permission() to do checks on two inodes (bsc#1106512).
- ovl: override creds with the ones from the superblock mounter (bsc#1099993).
- powerpc: Avoid code patching freed init sections (bnc#1107735).
- powerpc/livepatch: Fix livepatch stack access (bsc#1094466).
- powerpc/modules: Do not try to restore r2 after a sibling call (bsc#1094466).
- powerpc/tm: Avoid possible userspace r1 corruption on reclaim (bsc#1109333).
- powerpc/tm: Fix userspace r13 corruption (bsc#1109333).
- provide special timeout module parameters for EC2 (bsc#1065364).
- stop_machine: Atomically queue and wake stopper threads (git-fixes).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810).
- usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
- x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536).
- x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369).
- x86: Drop kernel trampoline stack. It is involved in breaking kdump/kexec infrastucture. (bsc#1099597)
- xen: avoid crash in disable_hotplug_cpu (bsc#1106594).
- xen/blkback: do not keep persistent grants too long (bsc#1085042).
- xen/blkback: move persistent grants flags to bool (bsc#1085042).
- xen/blkfront: cleanup stale persistent grants (bsc#1085042).
- xen/blkfront: reorder tests in xlblk_init() (bsc#1085042).
- xfs: add a new xfs_iext_lookup_extent_before helper (bsc#1095344).
- xfs: add asserts for the mmap lock in xfs_{insert,collapse}_file_space (bsc#1095344).
- xfs: add a xfs_bmap_fork_to_state helper (bsc#1095344).
- xfs: add a xfs_iext_update_extent helper (bsc#1095344).
- xfs: add comments documenting the rebalance algorithm (bsc#1095344).
- xfs: add some comments to xfs_iext_insert/xfs_iext_insert_node (bsc#1095344).
- xfs: add xfs_trim_extent (bsc#1095344).
- xfs: allow unaligned extent records in xfs_bmbt_disk_set_all (bsc#1095344).
- xfs: borrow indirect blocks from freed extent when available (bsc#1095344).
- xfs: cleanup xfs_bmap_last_before (bsc#1095344).
- xfs: do not create overlapping extents in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: do not rely on extent indices in xfs_bmap_collapse_extents (bsc#1095344).
- xfs: do not rely on extent indices in xfs_bmap_insert_extents (bsc#1095344).
- xfs: do not set XFS_BTCUR_BPRV_WASDEL in xfs_bunmapi (bsc#1095344).
- xfs: during btree split, save new block key & ptr for future insertion (bsc#1095344).
- xfs: factor out a helper to initialize a local format inode fork (bsc#1095344).
- xfs: fix memory leak in xfs_iext_free_last_leaf (bsc#1095344).
- xfs: fix number of records handling in xfs_iext_split_leaf (bsc#1095344).
- xfs: handle indlen shortage on delalloc extent merge (bsc#1095344).
- xfs: handle zero entries case in xfs_iext_rebalance_leaf (bsc#1095344).
- xfs: improve kmem_realloc (bsc#1095344).
- xfs: inline xfs_shift_file_space into callers (bsc#1095344).
- xfs: introduce the xfs_iext_cursor abstraction (bsc#1095344).
- xfs: iterate over extents in xfs_bmap_extents_to_btree (bsc#1095344).
- xfs: iterate over extents in xfs_iextents_copy (bsc#1095344).
- xfs: make better use of the 'state' variable in xfs_bmap_del_extent_real (bsc#1095344).
- xfs: merge xfs_bmap_read_extents into xfs_iread_extents (bsc#1095344).
- xfs: move pre/post-bmap tracing into xfs_iext_update_extent (bsc#1095344).
- xfs: move some code around inside xfs_bmap_shift_extents (bsc#1095344).
- xfs: move some more code into xfs_bmap_del_extent_real (bsc#1095344).
- xfs: move xfs_bmbt_irec and xfs_exntst_t to xfs_types.h (bsc#1095344).
- xfs: move xfs_iext_insert tracepoint to report useful information (bsc#1095344).
- xfs: new inode extent list lookup helpers (bsc#1095344).
- xfs: pass an on-disk extent to xfs_bmbt_validate_extent (bsc#1095344).
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_lookup_eq (bsc#1095344).
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_update (bsc#1095344).
- xfs: pass struct xfs_bmbt_irec to xfs_bmbt_validate_extent (bsc#1095344).
- xfs: provide helper for counting extents from if_bytes (bsc#1095344).
- xfs: refactor delalloc accounting in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: refactor delalloc indlen reservation split into helper (bsc#1095344).
- xfs: refactor dir2 leaf readahead shadow buffer cleverness (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_hole_delay (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_hole_real (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_unwritten_real (bsc#1095344).
- xfs: refactor xfs_bunmapi_cow (bsc#1095344).
- xfs: refactor xfs_del_extent_real (bsc#1095344).
- xfs: remove a duplicate assignment in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: remove all xfs_bmbt_set_* helpers except for xfs_bmbt_set_all (bsc#1095344).
- xfs: remove a superflous assignment in xfs_iext_remove_node (bsc#1095344).
- xfs: Remove dead code from inode recover function (bsc#1105396).
- xfs: remove if_rdev (bsc#1095344).
- xfs: remove prev argument to xfs_bmapi_reserve_delalloc (bsc#1095344).
- xfs: remove support for inlining data/extents into the inode fork (bsc#1095344).
- xfs: remove the never fully implemented UUID fork format (bsc#1095344).
- xfs: remove the nr_extents argument to xfs_iext_insert (bsc#1095344).
- xfs: remove the nr_extents argument to xfs_iext_remove (bsc#1095344).
- xfs: remove XFS_BMAP_MAX_SHIFT_EXTENTS (bsc#1095344).
- xfs: remove XFS_BMAP_TRACE_EXLIST (bsc#1095344).
- xfs: remove xfs_bmbt_get_state (bsc#1095344).
- xfs: remove xfs_bmse_shift_one (bsc#1095344).
- xfs: rename bno to end in __xfs_bunmapi (bsc#1095344).
- xfs: repair malformed inode items during log recovery (bsc#1105396).
- xfs: replace xfs_bmbt_lookup_ge with xfs_bmbt_lookup_first (bsc#1095344).
- xfs: replace xfs_qm_get_rtblks with a direct call to xfs_bmap_count_leaves (bsc#1095344).
- xfs: rewrite getbmap using the xfs_iext_* helpers (bsc#1095344).
- xfs: rewrite xfs_bmap_count_leaves using xfs_iext_get_extent (bsc#1095344).
- xfs: rewrite xfs_bmap_first_unused to make better use of xfs_iext_get_extent (bsc#1095344).
- xfs: simplify the xfs_getbmap interface (bsc#1095344).
- xfs: simplify validation of the unwritten extent bit (bsc#1095344).
- xfs: split indlen reservations fairly when under reserved (bsc#1095344).
- xfs: split xfs_bmap_shift_extents (bsc#1095344).
- xfs: switch xfs_bmap_local_to_extents to use xfs_iext_insert (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_delay (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_unwritten_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_collapse_extents (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_del_extent_* (bsc#1095344). - xfs: update freeblocks counter after extent deletion (bsc#1095344). - xfs: update got in xfs_bmap_shift_update_extent (bsc#1095344). - xfs: use a b+tree for the in-core extent list (bsc#1095344). - xfs: use correct state defines in xfs_bmap_del_extent_{cow,delay} (bsc#1095344). - xfs: use new extent lookup helpers in xfs_bmapi_read (bsc#1095344). - xfs: use new extent lookup helpers in xfs_bmapi_write (bsc#1095344). - xfs: use new extent lookup helpers in __xfs_bunmapi (bsc#1095344). - xfs: use the state defines in xfs_bmap_del_extent_real (bsc#1095344). - xfs: use xfs_bmap_del_extent_delay for the data fork as well (bsc#1095344). - xfs: use xfs_iext_*_extent helpers in xfs_bmap_shift_extents (bsc#1095344). - xfs: use xfs_iext_*_extent helpers in xfs_bmap_split_extent_at (bsc#1095344). - xfs: use xfs_iext_get_extent instead of open coding it (bsc#1095344). - xfs: use xfs_iext_get_extent in xfs_bmap_first_unused (bsc#1095344). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2188=1
- SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2188=1
- SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2188=1
- SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2018-2188=1
- SUSE Linux Enterprise High Availability 12-SP2: zypper in -t patch SUSE-SLE-HA-12-SP2-2018-2188=1
- SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-2188=1
- OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-2188=1

Package List:

- SUSE OpenStack Cloud 7 (s390x x86_64):
   kernel-default-4.4.121-92.95.1
   kernel-default-base-4.4.121-92.95.1
   kernel-default-base-debuginfo-4.4.121-92.95.1
   kernel-default-debuginfo-4.4.121-92.95.1
   kernel-default-debugsource-4.4.121-92.95.1
   kernel-default-devel-4.4.121-92.95.1
   kernel-syms-4.4.121-92.95.1

- SUSE OpenStack Cloud 7 (x86_64):
   kgraft-patch-4_4_121-92_95-default-1-3.4.1
   lttng-modules-2.7.1-9.6.1
   lttng-modules-debugsource-2.7.1-9.6.1
   lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
   lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

- SUSE OpenStack Cloud 7 (noarch):
   kernel-devel-4.4.121-92.95.1
   kernel-macros-4.4.121-92.95.1
   kernel-source-4.4.121-92.95.1

- SUSE OpenStack Cloud 7 (s390x):
   kernel-default-man-4.4.121-92.95.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
   kernel-default-4.4.121-92.95.1
   kernel-default-base-4.4.121-92.95.1
   kernel-default-base-debuginfo-4.4.121-92.95.1
   kernel-default-debuginfo-4.4.121-92.95.1
   kernel-default-debugsource-4.4.121-92.95.1
   kernel-default-devel-4.4.121-92.95.1
   kernel-syms-4.4.121-92.95.1
   kgraft-patch-4_4_121-92_95-default-1-3.4.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
   kernel-devel-4.4.121-92.95.1
   kernel-macros-4.4.121-92.95.1
   kernel-source-4.4.121-92.95.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
   lttng-modules-2.7.1-9.6.1
   lttng-modules-debugsource-2.7.1-9.6.1
   lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
   lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
   kernel-default-4.4.121-92.95.1
   kernel-default-base-4.4.121-92.95.1
   kernel-default-base-debuginfo-4.4.121-92.95.1
   kernel-default-debuginfo-4.4.121-92.95.1
   kernel-default-debugsource-4.4.121-92.95.1
   kernel-default-devel-4.4.121-92.95.1
   kernel-syms-4.4.121-92.95.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):
   kgraft-patch-4_4_121-92_95-default-1-3.4.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):
   lttng-modules-2.7.1-9.6.1
   lttng-modules-debugsource-2.7.1-9.6.1
   lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
   lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
   kernel-devel-4.4.121-92.95.1
   kernel-macros-4.4.121-92.95.1
   kernel-source-4.4.121-92.95.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):
   kernel-default-man-4.4.121-92.95.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
   kernel-default-4.4.121-92.95.1
   kernel-default-base-4.4.121-92.95.1
   kernel-default-base-debuginfo-4.4.121-92.95.1
   kernel-default-debuginfo-4.4.121-92.95.1
   kernel-default-debugsource-4.4.121-92.95.1
   kernel-default-devel-4.4.121-92.95.1
   kernel-syms-4.4.121-92.95.1
   lttng-modules-2.7.1-9.6.1
   lttng-modules-debugsource-2.7.1-9.6.1
   lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
   lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
   kernel-devel-4.4.121-92.95.1
   kernel-macros-4.4.121-92.95.1
   kernel-source-4.4.121-92.95.1

- SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):
   cluster-md-kmp-default-4.4.121-92.95.1
   cluster-md-kmp-default-debuginfo-4.4.121-92.95.1
   cluster-network-kmp-default-4.4.121-92.95.1
   cluster-network-kmp-default-debuginfo-4.4.121-92.95.1
   dlm-kmp-default-4.4.121-92.95.1
   dlm-kmp-default-debuginfo-4.4.121-92.95.1
   gfs2-kmp-default-4.4.121-92.95.1
   gfs2-kmp-default-debuginfo-4.4.121-92.95.1
   kernel-default-debuginfo-4.4.121-92.95.1
   kernel-default-debugsource-4.4.121-92.95.1
   ocfs2-kmp-default-4.4.121-92.95.1
   ocfs2-kmp-default-debuginfo-4.4.121-92.95.1

- SUSE Enterprise Storage 4 (noarch):
   kernel-devel-4.4.121-92.95.1
   kernel-macros-4.4.121-92.95.1
   kernel-source-4.4.121-92.95.1

- SUSE Enterprise Storage 4 (x86_64):
   kernel-default-4.4.121-92.95.1
   kernel-default-base-4.4.121-92.95.1
   kernel-default-base-debuginfo-4.4.121-92.95.1
   kernel-default-debuginfo-4.4.121-92.95.1
   kernel-default-debugsource-4.4.121-92.95.1
   kernel-default-devel-4.4.121-92.95.1
   kernel-syms-4.4.121-92.95.1
   kgraft-patch-4_4_121-92_95-default-1-3.4.1
   lttng-modules-2.7.1-9.6.1
   lttng-modules-debugsource-2.7.1-9.6.1
   lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
   lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

- OpenStack Cloud Magnum Orchestration 7 (x86_64):
   kernel-default-4.4.121-92.95.1
   kernel-default-debuginfo-4.4.121-92.95.1
   kernel-default-debugsource-4.4.121-92.95.1

References:

https://www.suse.com/security/cve/CVE-2018-10853.html https://www.suse.com/security/cve/CVE-2018-10876.html https://www.suse.com/security/cve/CVE-2018-10877.html https://www.suse.com/security/cve/CVE-2018-10878.html https://www.suse.com/security/cve/CVE-2018-10879.html https://www.suse.com/security/cve/CVE-2018-10880.html https://www.suse.com/security/cve/CVE-2018-10881.html https://www.suse.com/security/cve/CVE-2018-10882.html https://www.suse.com/security/cve/CVE-2018-10883.html https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-10938.html https://www.suse.com/security/cve/CVE-2018-10940.html https://www.suse.com/security/cve/CVE-2018-12896.html https://www.suse.com/security/cve/CVE-2018-13093.html
https://www.suse.com/security/cve/CVE-2018-13094.html https://www.suse.com/security/cve/CVE-2018-13095.html https://www.suse.com/security/cve/CVE-2018-14617.html https://www.suse.com/security/cve/CVE-2018-14678.html https://www.suse.com/security/cve/CVE-2018-15572.html https://www.suse.com/security/cve/CVE-2018-15594.html https://www.suse.com/security/cve/CVE-2018-16276.html https://www.suse.com/security/cve/CVE-2018-16658.html https://www.suse.com/security/cve/CVE-2018-17182.html https://www.suse.com/security/cve/CVE-2018-6554.html https://www.suse.com/security/cve/CVE-2018-6555.html https://www.suse.com/security/cve/CVE-2018-7480.html https://www.suse.com/security/cve/CVE-2018-7757.html https://www.suse.com/security/cve/CVE-2018-9363.html https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1042286 https://bugzilla.suse.com/1062604 https://bugzilla.suse.com/1064232 https://bugzilla.suse.com/1065364 https://bugzilla.suse.com/1082519 https://bugzilla.suse.com/1082863 https://bugzilla.suse.com/1084536 https://bugzilla.suse.com/1085042 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1089066 https://bugzilla.suse.com/1092903 https://bugzilla.suse.com/1094466 https://bugzilla.suse.com/1095344 https://bugzilla.suse.com/1096547 https://bugzilla.suse.com/1097104 https://bugzilla.suse.com/1099597 https://bugzilla.suse.com/1099811 https://bugzilla.suse.com/1099813 https://bugzilla.suse.com/1099844 https://bugzilla.suse.com/1099845 https://bugzilla.suse.com/1099846 https://bugzilla.suse.com/1099849 https://bugzilla.suse.com/1099863 https://bugzilla.suse.com/1099864 https://bugzilla.suse.com/1099922 https://bugzilla.suse.com/1099993 https://bugzilla.suse.com/1099999 https://bugzilla.suse.com/1100000 https://bugzilla.suse.com/1100001 https://bugzilla.suse.com/1100152 https://bugzilla.suse.com/1102517 https://bugzilla.suse.com/1102715 https://bugzilla.suse.com/1102870 https://bugzilla.suse.com/1103445 https://bugzilla.suse.com/1104319 
https://bugzilla.suse.com/1104495 https://bugzilla.suse.com/1105292 https://bugzilla.suse.com/1105296 https://bugzilla.suse.com/1105322 https://bugzilla.suse.com/1105348 https://bugzilla.suse.com/1105396 https://bugzilla.suse.com/1105536 https://bugzilla.suse.com/1106016 https://bugzilla.suse.com/1106095 https://bugzilla.suse.com/1106369 https://bugzilla.suse.com/1106509 https://bugzilla.suse.com/1106511 https://bugzilla.suse.com/1106512 https://bugzilla.suse.com/1106594 https://bugzilla.suse.com/1107689 https://bugzilla.suse.com/1107735 https://bugzilla.suse.com/1107966 https://bugzilla.suse.com/1108239 https://bugzilla.suse.com/1108399 https://bugzilla.suse.com/1109333

_______________________________________________

==============================================================================

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:3088-1
Rating: important
References: #1045538 #1048185 #1050381 #1050431 #1057199 #1060245 #1064861 #1068032 #1080157 #1087081 #1092772 #1092903 #1093666 #1096547 #1098822 #1099922 #1100132 #1100705 #1102517 #1102870 #1103119 #1104481 #1104684 #1104818 #1104901 #1105100 #1105322 #1105348 #1105536 #1105723 #1106095 #1106105 #1106199 #1106202 #1106206 #1106209 #1106212 #1106369 #1106509 #1106511 #1106609 #1106886 #1106930 #1106995 #1107001 #1107064 #1107071 #1107650 #1107689 #1107735 #1107949 #1108096 #1108170 #1108823 #1108912
Cross-References: CVE-2018-10902 CVE-2018-10940 CVE-2018-12896 CVE-2018-14617 CVE-2018-14634 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276 CVE-2018-16658 CVE-2018-6554 CVE-2018-6555
Affected Products:
   SUSE Linux Enterprise Real Time Extension 11-SP4
   SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 43 fixes is now available.
Description:

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-14634: Prevent integer overflow in create_elf_tables that allowed a local attacker to exploit this vulnerability via a SUID-root binary and obtain full root privileges (bsc#1108912)
- CVE-2018-14617: Prevent NULL pointer dereference and panic in hfsplus_lookup() when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bsc#1102870)
- CVE-2018-16276: Incorrect bounds checking in the yurex USB driver in yurex_read allowed local attackers to use user access read/writes to crash the kernel or potentially escalate privileges (bsc#1106095)
- CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)
- CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)
- CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)
- CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)
- CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)
- CVE-2018-15594: Ensure correct handling of indirect calls, to prevent attackers from conducting Spectre-v2 attacks against paravirtual guests (bsc#1105348)
- CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517)
- CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322).
- CVE-2018-14734: ucma_leave_multicast accessed a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bsc#1103119)

The following non-security bugs were fixed:

- ACPI: APEI / ERST: Fix missing error handling in erst_reader() (bsc#1045538).
- ALSA: fm801: propagate TUNER_ONLY bit when autodetected (bsc#1045538).
- ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode (bsc#1045538).
- ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() (bsc#1045538).
- ALSA: pcm: fix fifo_size frame calculation (bsc#1045538).
- ALSA: snd-aoa: add of_node_put() in error path (bsc#1045538).
- ALSA: usb-audio: Add sanity checks in v2 clock parsers (bsc#1045538).
- ALSA: usb-audio: Add sanity checks to FE parser (bsc#1045538).
- ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute (bsc#1045538).
- ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() (bsc#1045538).
- ALSA: usb-audio: Fix parameter block size for UAC2 control requests (bsc#1045538).
- ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit (bsc#1045538).
- ALSA: usb-audio: Fix potential out-of-bound access at parsing SU (bsc#1045538).
- ALSA: usb-audio: Set correct type for some UAC2 mixer controls (bsc#1045538).
- ASoC: blackfin: Fix missing break (bsc#1045538).
- Enforce module signatures if the kernel is locked down (bsc#1093666).
- KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
- KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
- PCI: Fix TI816X class code quirk (bsc#1050431).
- Refresh patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch (bsc#1105100).
- TPM: Zero buffer whole after copying to userspace (bsc#1050381).
- USB: serial: io_ti: fix NULL-deref in interrupt callback (bsc#1106609).
- USB: serial: sierra: fix potential deadlock at close (bsc#1100132).
- applicom: dereferencing NULL on error path (git-fixes).
- ath5k: Change led pin configuration for compaq c700 laptop (bsc#1048185).
- base: make module_create_drivers_dir race-free (git-fixes).
- block: fix an error code in add_partition() (bsc#1106209).
- btrfs: scrub: Do not use inode page cache in scrub_handle_errored_block() (bsc#1108096).
- btrfs: scrub: Do not use inode pages for device replace (bsc#1107949).
- dasd: Add IFCC notice message (bnc#1104481, LTC#170484).
- drm/i915: Remove bogus __init annotation from DMI callbacks (bsc#1106886).
- drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() (bsc#1106886).
- drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() (bsc#1106886).
- drm: crtc: integer overflow in drm_property_create_blob() (bsc#1106886).
- fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106886).
- iommu/amd: Finish TLB flush in amd_iommu_unmap() (bsc#1106105).
- iommu/amd: Fix the left value check of cmd buffer (bsc#1106105).
- iommu/amd: Free domain id when free a domain of struct dma_ops_domain (bsc#1106105).
- iommu/amd: Update Alias-DTE in update_device_table() (bsc#1106105).
- iommu/vt-d: Do not over-free page table directories (bsc#1106105).
- iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105).
- ipv6: Regenerate host route according to node pointer upon loopback up (bsc#1100705).
- ipv6: correctly add local routes when lo goes up (bsc#1100705).
- ipv6: introduce ip6_rt_put() (bsc#1100705).
- ipv6: reallocate addrconf router for ipv6 address when lo device up (bsc#1100705).
- kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection (bnc#1107071).
- mm/mempolicy.c: avoid use uninitialized preferred_node (bnc#1107064).
- modsign: log module name in the event of an error (bsc#1093666).
- modsign: print module name along with error message (bsc#1093666).
- module: make it clear when we're handling the module copy in info->hdr (bsc#1093666).
- module: setup load info before module_sig_check() (bsc#1093666).
- nbd: ratelimit error msgs after socket close (bsc#1106206).
- ncpfs: return proper error from NCP_IOC_SETROOT ioctl (bsc#1106199).
- perf/x86/intel: Add cpu_(prepare|starting|dying) for core_pmu (bsc#1104901).
- powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032, git-fixes).
- powerpc/fadump: Do not use hugepages when fadump is active (bsc#1092772, bsc#1107650).
- powerpc/fadump: exclude memory holes while reserving memory in second kernel (bsc#1092772, bsc#1107650).
- powerpc/fadump: re-register firmware-assisted dump if already registered (bsc#1108170, bsc#1108823).
- powerpc/lib: Fix off-by-one in alternate feature patching (bsc#1064861).
- powerpc/lib: Fix the feature fixup tests to actually work (bsc#1064861).
- powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157, git-fixes).
- powerpc: Avoid code patching freed init sections (bnc#1107735).
- powerpc: make feature-fixup tests fortify-safe (bsc#1064861).
- ptrace: fix PTRACE_LISTEN race corrupting task->state (bnc#1107001).
- qlge: Fix netdev features configuration (bsc#1098822).
- resource: fix integer overflow at reallocation (bsc#1045538).
- rpm/kernel-docs.spec.in: Expand kernel tree directly from sources (bsc#1057199)
- s390/ftrace: use expoline for indirect branches (bnc#1106930, LTC#171029).
- s390/kernel: use expoline for indirect branches (bnc#1106930, LTC#171029).
- s390/qeth: do not clobber buffer on async TX completion (bnc#1060245, LTC#170349).
- s390: Correct register corruption in critical section cleanup (bnc#1106930, LTC#171029).
- s390: add assembler macros for CPU alternatives (bnc#1106930, LTC#171029).
- s390: detect etoken facility (bnc#1106930, LTC#171029).
- s390: move expoline assembler macros to a header (bnc#1106930, LTC#171029).
- s390: move spectre sysfs attribute code (bnc#1106930, LTC#171029).
- s390: remove indirect branch from do_softirq_own_stack (bnc#1106930, LTC#171029).
- sys: do not hold uts_sem while accessing userspace memory (bnc#1106995).
- tpm: fix race condition in tpm_common_write() (bsc#1050381).
- tracing/blktrace: Fix to allow setting same value (bsc#1106212).
- tty: vt, fix bogus division in csi_J (git-fixes).
- tty: vt, return error when con_startup fails (git-fixes).
- uml: fix hostfs mknod() (bsc#1106202).
- usb: audio-v2: Correct the comment for struct uac_clock_selector_descriptor (bsc#1045538).
- usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
- x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104684, bnc#1104818).
- x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1087081).
- x86/init: fix build with CONFIG_SWAP=n (bsc#1105723).
- x86/mm: Prevent kernel Oops in PTDUMP code with HIGHPTE=y (bsc#1106105).
- x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536).
- x86/vdso: Fix vDSO build if a retpoline is emitted (git-fixes).
- xen x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
- xen x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- xen, x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104684, bnc#1104818).
- xen: x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1087081).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 11-SP4: zypper in -t patch slertesp4-linux-kernel-13810=1
- SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-linux-kernel-13810=1

Package List:

- SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):
   kernel-rt-3.0.101.rt130-69.36.1
   kernel-rt-base-3.0.101.rt130-69.36.1
   kernel-rt-devel-3.0.101.rt130-69.36.1
   kernel-rt_trace-3.0.101.rt130-69.36.1
   kernel-rt_trace-base-3.0.101.rt130-69.36.1
   kernel-rt_trace-devel-3.0.101.rt130-69.36.1
   kernel-source-rt-3.0.101.rt130-69.36.1
   kernel-syms-rt-3.0.101.rt130-69.36.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):
   kernel-rt-debuginfo-3.0.101.rt130-69.36.1
   kernel-rt-debugsource-3.0.101.rt130-69.36.1
   kernel-rt_debug-debuginfo-3.0.101.rt130-69.36.1
   kernel-rt_debug-debugsource-3.0.101.rt130-69.36.1
   kernel-rt_trace-debuginfo-3.0.101.rt130-69.36.1
   kernel-rt_trace-debugsource-3.0.101.rt130-69.36.1

References:

https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-10940.html https://www.suse.com/security/cve/CVE-2018-12896.html https://www.suse.com/security/cve/CVE-2018-14617.html https://www.suse.com/security/cve/CVE-2018-14634.html https://www.suse.com/security/cve/CVE-2018-14734.html https://www.suse.com/security/cve/CVE-2018-15572.html https://www.suse.com/security/cve/CVE-2018-15594.html https://www.suse.com/security/cve/CVE-2018-16276.html https://www.suse.com/security/cve/CVE-2018-16658.html https://www.suse.com/security/cve/CVE-2018-6554.html https://www.suse.com/security/cve/CVE-2018-6555.html https://bugzilla.suse.com/1045538 https://bugzilla.suse.com/1048185 https://bugzilla.suse.com/1050381 https://bugzilla.suse.com/1050431 https://bugzilla.suse.com/1057199 https://bugzilla.suse.com/1060245 https://bugzilla.suse.com/1064861 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1080157 https://bugzilla.suse.com/1087081
https://bugzilla.suse.com/1092772 https://bugzilla.suse.com/1092903 https://bugzilla.suse.com/1093666 https://bugzilla.suse.com/1096547 https://bugzilla.suse.com/1098822 https://bugzilla.suse.com/1099922 https://bugzilla.suse.com/1100132 https://bugzilla.suse.com/1100705 https://bugzilla.suse.com/1102517 https://bugzilla.suse.com/1102870 https://bugzilla.suse.com/1103119 https://bugzilla.suse.com/1104481 https://bugzilla.suse.com/1104684 https://bugzilla.suse.com/1104818 https://bugzilla.suse.com/1104901 https://bugzilla.suse.com/1105100 https://bugzilla.suse.com/1105322 https://bugzilla.suse.com/1105348 https://bugzilla.suse.com/1105536 https://bugzilla.suse.com/1105723 https://bugzilla.suse.com/1106095 https://bugzilla.suse.com/1106105 https://bugzilla.suse.com/1106199 https://bugzilla.suse.com/1106202 https://bugzilla.suse.com/1106206 https://bugzilla.suse.com/1106209 https://bugzilla.suse.com/1106212 https://bugzilla.suse.com/1106369 https://bugzilla.suse.com/1106509 https://bugzilla.suse.com/1106511 https://bugzilla.suse.com/1106609 https://bugzilla.suse.com/1106886 https://bugzilla.suse.com/1106930 https://bugzilla.suse.com/1106995 https://bugzilla.suse.com/1107001 https://bugzilla.suse.com/1107064 https://bugzilla.suse.com/1107071 https://bugzilla.suse.com/1107650 https://bugzilla.suse.com/1107689 https://bugzilla.suse.com/1107735 https://bugzilla.suse.com/1107949 https://bugzilla.suse.com/1108096 https://bugzilla.suse.com/1108170 https://bugzilla.suse.com/1108823 https://bugzilla.suse.com/1108912 _______________________________________________ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. 
If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
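Added example for the CVE-2018-12896 entry in SUSE-SU-2018:3088-1 above (not code from SUSE, AusCERT or the kernel): a simplified model of why int-based overrun accounting yields values that look random once the overrun count exceeds INT_MAX, next to a saturating variant. The function names, the overrun model and the sample timings are constructed for illustration, and saturating at INT_MAX is an assumption about one way to keep the reported value meaningful; the bulletin does not show the actual patch.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): the overrun count is the number of whole
 * intervals that elapsed between the programmed expiry and the moment the
 * expiry is finally processed. All times are in nanoseconds. */
static uint64_t missed_intervals(uint64_t expires_ns, uint64_t now_ns,
                                 uint64_t interval_ns)
{
    if (interval_ns == 0 || now_ns <= expires_ns)
        return 0;
    return (now_ns - expires_ns) / interval_ns;
}

/* Reduce a 64-bit value to a 32-bit two's-complement int without relying on
 * implementation-defined narrowing conversions. */
static int32_t wrap_to_i32(uint64_t v)
{
    uint32_t low = (uint32_t)v;                 /* keep the low 32 bits */
    if (low > (uint32_t)INT32_MAX)
        return (int32_t)((int64_t)low - 4294967296LL);
    return (int32_t)low;
}

/* "Before": the counter is a 32-bit int, so a 64-bit overrun count is
 * silently reduced modulo 2^32 and may come out negative or as a small,
 * plausible-looking positive number. */
static int32_t overrun_int_based(int32_t acc, uint64_t missed)
{
    return wrap_to_i32((uint64_t)(uint32_t)acc + missed);
}

/* "After" (assumed approach): account in 64 bits and saturate when the
 * value is handed out as an int, so user space never sees a wrapped count. */
static int32_t overrun_saturating(int64_t acc, uint64_t missed)
{
    uint64_t total;

    if (acc < 0)
        acc = 0;
    total = (uint64_t)acc + missed;
    if (total < missed || total > (uint64_t)INT32_MAX)
        return INT32_MAX;
    return (int32_t)total;
}

int main(void)
{
    /* Constructed sample timers: { interval_ns, lateness_ns }. */
    static const uint64_t cases[][2] = {
        { 1000000ULL, 10000000ULL },   /* 1 ms interval, 10 ms late  */
        { 1ULL,       3000000000ULL }, /* 1 ns interval, 3 s late    */
        { 1ULL,       5000000000ULL }, /* 1 ns interval, 5 s late    */
    };
    size_t i;

    printf("%-12s %-12s %-12s %-12s\n",
           "interval", "overruns", "int-based", "saturating");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint64_t missed = missed_intervals(0, cases[i][1], cases[i][0]);

        printf("%-12" PRIu64 " %-12" PRIu64 " %-12" PRId32 " %-12" PRId32 "\n",
               cases[i][0], missed,
               overrun_int_based(0, missed),
               overrun_saturating(0, missed));
    }
    return 0;
}
```

With a 1 ns interval, a timer processed 3 s late reports a negative overrun and one processed 5 s late reports a positive but wrong count under int-based accounting, while the saturating variant reports INT32_MAX in both cases.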