SUSE-SU-2018:1309-1

Source
https://www.suse.com/support/update/announcement/2018/suse-su-20181309-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:1309-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:1309-1
Related
Published
2018-05-16T14:59:01Z
Modified
2018-05-16T14:59:01Z
Summary
Security update for the Linux Kernel
Details

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

  • CVE-2018-10124: The killsomethinginfo function in kernel/signal.c might have allowed local users to cause a denial of service via an INT_MIN argument (bnc#1089752).
  • CVE-2018-10087: The kernelwait4 function in kernel/exit.c might have allowed local users to cause a denial of service by triggering an attempted use of the -INTMIN value (bnc#1089608).
  • CVE-2018-7757: Memory leak in the sassmpgetphyevents function in drivers/scsi/libsas/sasexpander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sasphy directory, as demonstrated by the /sys/class/sasphy/phy-1:0:12/invaliddword_count file (bnc#1084536).
  • CVE-2018-7566: Buffer overflow via an SNDRVSEQIOCTLSETCLIENT_POOL ioctl write operation to /dev/snd/seq by a local user potentially allowing for code execution (bnc#1083483).
  • CVE-2017-0861: Use-after-free vulnerability in the sndpcminfo function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260 1088268).
  • CVE-2018-8822: Incorrect buffer length handling in the ncpreadkernel function could have beenexploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162).
  • CVE-2017-13166: Prevent elevation of privilege vulnerability in the video driver (bnc#1072865).
  • CVE-2017-18203: The dmgetfromkobject function in drivers/md/dm.c allow local users to cause a denial of service (BUG) by leveraging a race condition with _dm_destroy during creation and removal of DM devices (bnc#1083242).
  • CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP (bnc#1078674).
  • CVE-2017-18208: The madvisewillneed function in mm/madvise.c allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISEWILLNEED for a DAX mapping (bnc#1083494).
  • CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118).
  • CVE-2018-6927: The futex_requeue function in kernel/futex.c allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757).
  • CVE-2017-16914: The 'stubsendretsubmit()' function (drivers/usb/usbip/stubtx.c) allowed attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet (bnc#1078669).
  • CVE-2016-7915: The hidinputfield function in drivers/hid/hid-core.c allowed physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver (bnc#1010470).
  • CVE-2015-5156: The virtnetprobe function in drivers/net/virtionet.c attempted to support a FRAGLIST feature without proper memory allocation, which allowed guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets (bnc#940776).
  • CVE-2017-12190: The biomapuseriov and biounmapuser functions in block/bio.c did unbalanced refcounting when a SCSI I/O vector had small consecutive buffers belonging to the same page. The bioaddpcpage function merged them into one, but the page reference was never dropped. This caused a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition (bnc#1062568).
  • CVE-2017-16912: The 'getpipe()' function (drivers/usb/usbip/stubrx.c) allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673).
  • CVE-2017-16913: The 'stubrecvcmdsubmit()' function (drivers/usb/usbip/stubrx.c) when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672).

The following non-security bugs were fixed:

  • Integrate fixes resulting from bsc#1088147 More info in the respective commit messages.
  • KABI: x86/kaiser: properly align trampoline stack.
  • KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
  • KEYS: prevent creating a different user's keyrings (bnc#1065999).
  • NFSv4: fix getacl head length estimation (git-fixes).
  • PCI: Use function 0 VPD for identical functions, regular VPD for others (bnc#943786 git-fixes).
  • Revert 'USB: cdc-acm: fix broken runtime suspend' (bsc#1067912)
  • Subject: afiucv: enable control sends in case of SENDSHUTDOWN (bnc#1085513, LTC#165135).
  • blacklist.conf: blacklisted 7edaeb6841df ('kernel/watchdog: Prevent false positives with turbo modes') (bnc#1063516)
  • blacklist.conf: blacklisted 9fbc1f635fd0bd28cb32550211bf095753ac637a (bnc#1089665)
  • blacklist.conf: blacklisted ba4877b9ca51f80b5d30f304a46762f0509e1635 (bnc#1089668)
  • cifs: fix buffer overflow in cifsbuildpathtoroot() (bsc#1085113).
  • drm/mgag200: fix a test in mgavgamode_valid() (bsc#1087092).
  • hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers) (bnc#1013018).
  • hrtimer: Reset hrtimer cpu base proper on CPU hotplug (bnc#1013018).
  • ide-cd: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
  • ipc/msg: introduce msgctl(MSGSTATANY) (bsc#1072689).
  • ipc/sem: introduce semctl(SEMSTATANY) (bsc#1072689).
  • ipc/shm: introduce shmctl(SHMSTATANY) (bsc#1072689).
  • jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path (git-fixes).
  • leds: do not overflow sysfs buffer in ledtriggershow (bsc#1080464).
  • media: cpia2: Fix a couple off by one bugs (bsc#1050431).
  • mm/mmap.c: do not blow on PROTNONE MAPFIXED holes in the stack (bnc#1039348).
  • pipe: actually allow root to exceed the pipe buffer limits (git-fixes).
  • posix-timers: Protect posix clock array access against speculation (bnc#1081358).
  • powerpc/fadump: Add a warning when 'fadumpreservemem=' is used (bnc#1032084).
  • powerpc/fadump: reuse crashkernel parameter for fadump memory reservation (bnc#1032084).
  • powerpc/fadump: update documentation about crashkernel parameter reuse (bnc#1032084).
  • powerpc/fadump: use 'fadumpreservemem=' when specified (bnc#1032084).
  • powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032, bsc#1075088).
  • qeth: repair SBAL elements calculation (bnc#1085513, LTC#165484).
  • s390/qeth: fix underestimated count of buffer elements (bnc#1082091, LTC#164529).
  • scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
  • usbnet: Fix a race between usbnet_stop() and the BH (bsc#1083275).
  • x86-64: Move the 'user' vsyscall segment out of the data segment (bsc#1082424).
  • x86/espfix: Fix return stack in dodoublefault() (bsc#1085279).
  • x86/kaiser: properly align trampoline stack (bsc#1087260).
  • x86/retpoline: do not perform thunk calls in ring3 vsyscall code (bsc#1085331).
  • xen/x86/CPU: Check speculation control CPUID bit (bsc#1068032).
  • xen/x86/CPU: Sync CPU feature flags late (bsc#1075994 bsc#1075091).
  • xen/x86/asm/traps: Disable tracing and kprobes in fixupbadiret and sync_regs (bsc#909077).
  • xen/x86/cpu: Factor out application of forced CPU caps (bsc#1075994 bsc#1075091).
  • xen/x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option (bsc#1065600).
  • xen/x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
  • xen/x86/idle: Toggle IBRS when going idle (bsc#1068032).
  • xen/x86/kaiser: Move feature detection up (bsc#1068032).
  • xfs: check for buffer errors before waiting (bsc#1052943).
  • xfs: fix allocbt cursor leak in xfsallocagvextentnear (bsc#1087762).
  • xfs: really fix the cursor leak in xfsallocagvextentnear (bsc#1087762).
References

Affected packages

SUSE:Linux Enterprise Real Time 11 SP4 / kernel-rt

Package

Name
kernel-rt
Purl
purl:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.101.rt130-69.24.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt_trace-base": "3.0.101.rt130-69.24.1",
            "kernel-rt-devel": "3.0.101.rt130-69.24.1",
            "kernel-rt_trace": "3.0.101.rt130-69.24.1",
            "kernel-rt_trace-devel": "3.0.101.rt130-69.24.1",
            "kernel-source-rt": "3.0.101.rt130-69.24.1",
            "kernel-rt": "3.0.101.rt130-69.24.1",
            "kernel-syms-rt": "3.0.101.rt130-69.24.1",
            "kernel-rt-base": "3.0.101.rt130-69.24.1"
        }
    ]
}

SUSE:Linux Enterprise Real Time 11 SP4 / kernel-rt_trace

Package

Name
kernel-rt_trace
Purl
purl:rpm/suse/kernel-rt_trace&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.101.rt130-69.24.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt_trace-base": "3.0.101.rt130-69.24.1",
            "kernel-rt-devel": "3.0.101.rt130-69.24.1",
            "kernel-rt_trace": "3.0.101.rt130-69.24.1",
            "kernel-rt_trace-devel": "3.0.101.rt130-69.24.1",
            "kernel-source-rt": "3.0.101.rt130-69.24.1",
            "kernel-rt": "3.0.101.rt130-69.24.1",
            "kernel-syms-rt": "3.0.101.rt130-69.24.1",
            "kernel-rt-base": "3.0.101.rt130-69.24.1"
        }
    ]
}

SUSE:Linux Enterprise Real Time 11 SP4 / kernel-source-rt

Package

Name
kernel-source-rt
Purl
purl:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.101.rt130-69.24.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt_trace-base": "3.0.101.rt130-69.24.1",
            "kernel-rt-devel": "3.0.101.rt130-69.24.1",
            "kernel-rt_trace": "3.0.101.rt130-69.24.1",
            "kernel-rt_trace-devel": "3.0.101.rt130-69.24.1",
            "kernel-source-rt": "3.0.101.rt130-69.24.1",
            "kernel-rt": "3.0.101.rt130-69.24.1",
            "kernel-syms-rt": "3.0.101.rt130-69.24.1",
            "kernel-rt-base": "3.0.101.rt130-69.24.1"
        }
    ]
}

SUSE:Linux Enterprise Real Time 11 SP4 / kernel-syms-rt

Package

Name
kernel-syms-rt
Purl
purl:rpm/suse/kernel-syms-rt&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.101.rt130-69.24.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt_trace-base": "3.0.101.rt130-69.24.1",
            "kernel-rt-devel": "3.0.101.rt130-69.24.1",
            "kernel-rt_trace": "3.0.101.rt130-69.24.1",
            "kernel-rt_trace-devel": "3.0.101.rt130-69.24.1",
            "kernel-source-rt": "3.0.101.rt130-69.24.1",
            "kernel-rt": "3.0.101.rt130-69.24.1",
            "kernel-syms-rt": "3.0.101.rt130-69.24.1",
            "kernel-rt-base": "3.0.101.rt130-69.24.1"
        }
    ]
}