SUSE-SU-2024:2940-1

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

• CVE-2024-39494: ima: Fix use-after-free on a dentry's dname.name (bsc#1227716).
• CVE-2024-42096: x86: stop playing stack games in profile_pc() (bsc#1228633).
• CVE-2024-39506: liquidio: adjust a NULL pointer handling path in liovfrepcopypacket (bsc#1227729).
• CVE-2021-47619: i40e: Fix queues reservation for XDP (bsc#1226645).
• CVE-2024-42145: IB/core: Implement a limit on UMAD receive List (bsc#1228743).
• CVE-2024-42124: scsi: qedf: Make qedfexecutetmf() non-preemptible (bsc#1228705).
• CVE-2024-42223: media: dvb-frontends: tda10048: Fix integer overflow (bsc#1228726)
• CVE-2024-42119: drm/amd/display: Skip finding free audio for unknown engine_id (bsc#1228584)
• CVE-2024-42120: drm/amd/display: Check pipe offset before setting vblank (bsc#1228588)
• CVE-2024-41095: drm/nouveau/dispnv04: fix null pointer dereference in nv17tvgetldmodes (bsc#1228662)
• CVE-2024-42224: net: dsa: mv88e6xxx: Correct check for empty list (bsc#1228723).
• CVE-2024-41072: wifi: cfg80211: wext: add extra SIOCSIWSCAN data check (bsc#1228626).
• CVE-2024-41048: skmsg: Skip zero length skb in skmsgrecvmsg (bsc#1228565).
• CVE-2024-40995: net/sched: actapi: fix possible infinite loop in tcfidrcheckalloc() (bsc#1227830).
• CVE-2024-41044: ppp: reject claimed-as-LCP but actually malformed packets (bsc#1228530).
• CVE-2024-41066: ibmvnic: add tx check to prevent skb leak (bsc#1228640).
• CVE-2024-42093: net/dpaa2: Avoid explicit cpumask var allocation on stack (bsc#1228680).
• CVE-2024-41089: drm/nouveau/dispnv04: fix null pointer dereference in (bsc#1228658)
• CVE-2024-41060: drm/radeon: check bo_va->bo is non-NULL before using it (bsc#1228567)
• CVE-2022-48829: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes (bsc#1228055).
• CVE-2022-48828: NFSD: Fix ia_size underflow (bsc#1228054).
• CVE-2022-48827: NFSD: Fix the behavior of READ near OFFSET_MAX (bsc#1228037).
• CVE-2024-41078: btrfs: qgroup: fix quota root leak after quota disable failure (bsc#1228655).
• CVE-2024-41071: wifi: mac80211: Avoid address calculations via out of bounds array indexing (bsc#1228625).
• CVE-2024-41064: powerpc/eeh: avoid possible crash when edev->pdev changes (bsc#1228599).
• CVE-2024-35949: btrfs: make sure that WRITTEN is set on all metadata blocks (bsc#1224700).
• CVE-2024-41081: ila: block BH in ila_output() (bsc#1228617).
• CVE-2024-40978: scsi: qedi: Fix crash while reading debugfs attribute (bsc#1227929).
• CVE-2022-48792: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task (bsc#1228013).
• CVE-2022-48823: scsi: qedf: Fix refcount issue when LOGO is received during TMF (bsc#1228045).
• CVE-2024-40998: ext4: fix uninitialized ratelimitstate->lock access in _ext4fillsuper() (bsc#1227866).
• CVE-2024-41059: hfsplus: fix uninit-value in copy_name (bsc#1228561).
• CVE-2024-40987: drm/amdgpu: fix UBSAN warning in kv_dpm.c (bsc#1228235)
• CVE-2022-48826: drm/vc4: Fix deadlock on DSI device attach error (bsc#1227975)
• CVE-2024-27437: vfio/pci: Disable auto-enable of exclusive INTx IRQ (bsc#1222625).
• CVE-2024-41015: ocfs2: add bounds checking to ocfs2checkdir_entry() (bsc#1228409).
• CVE-2024-41016: ocfs2: strict bound check before memcmp in ocfs2xattrfind_entry() (bsc#1228410).
• CVE-2024-41063: bluetooth: hcicore: cancel all works upon hciunregister_dev() (bsc#1228580).
• CVE-2024-42070: netfilter: nftables: fully validate NFTDATA_VALUE on store to data registers (bsc#1228470).
• CVE-2024-41070: KVM: PPC: Book3S HV: Prevent UAF in kvmspaprtceattachiommu_group() (bsc#1228581).
• CVE-2021-47405: HID: usbhid: free rawreport buffers in usbhidstop (bsc#1225238).
• CVE-2024-40988: drm/radeon: fix UBSAN warning in kv_dpm.c (bsc#1227957)
• CVE-2024-40932: drm/exynos/vidi: fix memory leak in .get_modes() (bsc#1227828)
• CVE-2021-47403: ipack: ipoctal: fix module reference leak (bsc#1225241).
• CVE-2021-47388: mac80211: fix use-after-free in CCMP/GCMP RX (bsc#1225214).
• CVE-2024-41014: xfs: add bounds checking to xlogrecoverprocess_data (bsc#1228408).
• CVE-2024-41091: tun: add missing verification for short frame (bsc#1228327).
• CVE-2024-41090: tap: add missing verification for short frame (bsc#1228328).
• CVE-2024-40999: net: ena: Add validation for completion descriptors consistency (bsc#1227913).
• CVE-2024-35837: net: mvpp2: clear BM pool before initialization (bsc#1224500).
• CVE-2021-47588: sit: do not call ipip6devfree() from sitinitnet() (bsc#1226568).
• CVE-2022-48804: vtioctl: fix arrayindexnospec in vtsetactivate (bsc#1227968).
• CVE-2024-40967: serial: imx: Introduce timeout when waiting on transmitter empty (bsc#1227891).
• CVE-2024-40966: kABI: tty: add the option to have a tty reject a new ldisc (bsc#1227886).
• CVE-2022-48850: net-sysfs: add check for netdevice being present to speed_show (bsc#1228071).
• CVE-2021-47582: usb: core: Do not hold the device lock while sleeping in doproccontrol() (bsc#1226559).
• CVE-2024-40982: ssb: fix potential NULL pointer dereference in ssbdeviceuevent() (bsc#1227865).
• CVE-2021-47468: isdn: mISDN: Fix sleeping function called from invalid context (bsc#1225346).
• CVE-2021-47395: mac80211: limit injected vht mcs/nss in ieee80211parsetx_radiotap (bsc#1225326).
• CVE-2022-48810: ipmr,ip6mr: acquire RTNL before calling ip[6]mrfreetable() on failure path (bsc#1227936).
• CVE-2023-52594: Fixed potential array-index-out-of-bounds read in ath9khtctxstatus() (bsc#1221045).
• CVE-2022-48855: sctp: fix kernel-infoleak for SCTP sockets (bsc#1228003).
• CVE-2021-47580: scsi: scsidebug: Fix type in mint to avoid stack OOB (bsc#1226550).
• CVE-2024-26735: ipv6: sr: fix possible use-after-free and null-ptr-deref (bsc#1222372).
• CVE-2024-38560: scsi: bfa: Ensure the copied buf is NUL terminated (bsc#1226786).
• CVE-2022-48811: ibmvnic: do not release napi in _ibmvnicopen() (bsc#1227928).
• CVE-2021-0129: Improper access control in BlueZ may have allowed an authenticated user to potentially enable information disclosure via adjacent access (bsc#1186463).
• CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (bsc#1179610).
• CVE-2024-40937: gve: Clear napi->skb before devkfreeskb_any() (bsc#1227836).
• CVE-2024-39507: net: hns3: fix kernel crash problem in concurrent scenario (bsc#1227730).
• CVE-2024-40923: vmxnet3: disable rx data ring on dma allocation failure (bsc#1227786).
• CVE-2024-40941: wifi: iwlwifi: mvm: do not read past the mfuart notifcation (bsc#1227771).
• CVE-2022-48860: ethernet: Fix error handling in xemacliteofprobe (bsc#1228008)
• CVE-2022-48863: mISDN: Fix memory leak in dsppipelinebuild() (bsc#1228063).
• CVE-2024-40953: KVM: Fix a data race on lastboostedvcpu in kvmvcpuon_spin() (bsc#1227806).
• CVE-2024-39499: vmci: prevent speculation leaks by sanitizing event in event_deliver() (bsc#1227725)
• CVE-2024-39509: HID: core: remove unnecessary WARN_ON() in implement() (bsc#1227733)
• CVE-2024-39487: bonding: Fix out-of-bounds read in bondoptionarpiptargets_set() (bsc#1227573)
• CVE-2024-35934: net/smc: reduce rtnl pressure in smcpnetcreatepnetidslist() (bsc#1224641)
• CVE-2024-40959: xfrm6: check ip6dstidev() return value in xfrm6getsaddr() (bsc#1227884).
• CVE-2024-35893: net/sched: act_skbmod: prevent kernel-infoleak (bsc#1224512)
• CVE-2021-47441: mlxsw: thermal: Fix out-of-bounds memory accesses (bsc#1225224)
• CVE-2021-47194: cfg80211: call cfg80211stopap when switch from P2P_GO type (bsc#1222829)
• CVE-2024-27020: netfilter: nftables: Fix potential data-race in _nftexprtype_get() (bsc#1223815)
• CVE-2022-48775: Drivers: hv: vmbus: Fix memory leak in vmbusaddchannel_kobj (bsc#1227924).
• CVE-2024-27019: netfilter: nftables: Fix potential data-race in _nftobjtype_get() (bsc#1223813)
• CVE-2024-40929: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids (bsc#1227774).
• CVE-2024-40912: wifi: mac80211: Fix deadlock in ieee80211stapsdeliverwakeup() (bsc#1227790).
• CVE-2024-40942: wifi: mac80211: mesh: Fix leak of meshpreqqueue objects (bsc#1227770).
• CVE-2022-48857: NFC: port100: fix use-after-free in port100sendcomplete (bsc#1228005).
• CVE-2024-36902: ipv6: fib6rules: avoid possible NULL dereference in fib6rule_action() (bsc#1225719).
• CVE-2021-47606: net: netlink: af_netlink: Prevent empty skb by adding a check on len. (bsc#1226555).
• CVE-2024-40901: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory (bsc#1227762).
• CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfcworkerwake_up() (bsc#1225820).
• CVE-2024-26830: Fixed i40e to not allow untrusted VF to remove administratively set MAC (bsc#1223012).
• CVE-2021-47516: nfp: Fix memory leak in nfpcppareacacheadd() (bsc#1225427).
• CVE-2021-47501: i40e: Fix NULL pointer dereference in i40edbgdump_desc (bsc#1225361).
• CVE-2024-39501: drivers: core: synchronize reallyprobe() and devuevent() (bsc#1227754).
• CVE-2023-52743: ice: Do not use WQMEMRECLAIM flag for workqueue (bsc#1225003)
• CVE-2021-47542: net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic83xxadd_rings() (bsc#1225455)
• CVE-2024-36901: ipv6: prevent NULL dereference in ip6_output() (bsc#1225711)
• CVE-2024-36004: i40e: Do not use WQMEMRECLAIM flag for workqueue (bsc#1224545)
• CVE-2024-27025: nbd: null check for nlaneststart (bsc#1223778)
• CVE-2021-47599: btrfs: use latestdev in btrfsshow_devname (bsc#1226571).
• CVE-2023-52435: net: prevent mss overflow in skb_segment() (bsc#1220138).
• CVE-2024-26663: tipc: Check the bearer type before calling tipcudpnlbeareradd() (bsc#1222326).
• CVE-2021-47597: inet_diag: fix kernel-infoleak for UDP sockets (bsc#1226553).
• CVE-2024-39490: ipv6: sr: fix missing skbuff release in seg6input_core (bsc#1227626).
• CVE-2024-38558: net: openvswitch: fix overwriting ct original tuple for ICMPv6 (bsc#1226783).
• CVE-2024-26615: net/smc: fix illegal rmb_desc access in SMC-D connection dump (bsc#1220942).
• CVE-2023-52619: Fixed possible crash when setting number of cpus to an odd number in pstore/ram (bsc#1221618).
• CVE-2024-26659: Fixed wrong handling of isoc Babble and Buffer Overrun events in xhci (bsc#1222317).
• CVE-2024-35978: Bluetooth: Fix memory leak in hcireqsync_complete() (bsc#1224571).
• CVE-2023-52669: crypto: s390/aes - Fix buffer overread in CTR mode (bsc#1224637).
• CVE-2023-52615: Fixed page fault dead lock on mmap-ed hwrng (bsc#1221614).
• CVE-2023-52612: Fixed req->dst buffer overflow in crypto/scomp (bsc#1221616).
• CVE-2024-35995: ACPI: CPPC: Use accesswidth over bitwidth for system memory accesses (bsc#1224557).
• CVE-2023-52623: Fixed suspicious RCU usage in SUNRPC (bsc#1222060).
• CVE-2021-47295: net: sched: fix memory leak in tcindexpartialdestroy_work (bsc#1224975)
• CVE-2024-38630: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger (bsc#1226908).
• CVE-2021-47559: net/smc: Fix NULL pointer dereferencing in smcvlanby_tcpsk() (bsc#1225396).

The following non-security bugs were fixed:

• Fix spurious WARNING caused by a qxl driver patch (bsc#1227213,bsc#1227191)
• Btrfs: incremental send, fix emission of invalid clone operations (bsc#1228030).
• Btrfs: send, improve clone range (bsc#1228030).
• KVM: PPC: Book3S HV: Do not take kvm->lock around kvmforeach_vcpu (bsc#1065729).
• KVM: PPC: Book3S HV: remove extraneous asterisk from rmhostipi_action() comment (bsc#1065729).
• KVM: PPC: Book3S PR: Exiting split hack mode needs to fixup both PC and LR (bsc#1065729).
• KVM: PPC: Book3S: Fix some RCU-list locks (git-fixes).
• KVM: PPC: Book3S: Only report KVMCAPSPAPRTCEVFIO on powernv machines (bsc#1065729).
• KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list (bsc#1065729).
• KVM: PPC: Inform the userspace about TCE update failures (bsc#1065729).
• KVM: PPC: Move and undef TRACEINCLUDEPATH/FILE (bsc#1065729).
• PCI: Fix resource double counting on remove & rescan (git-fixes).
• PCI: hv: Return zero, not garbage, when reading PCIINTERRUPTPIN (git-fixes).
• Tools: hv: kvp: eliminate 'may be used uninitialized' warning (git-fixes).
• USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (git-fixes).
• btrfs: fix 64bit compat send ioctl arguments not initializing version member (bsc#1228030).
• btrfs: fix send ioctl on 32bit with 64bit kernel (bsc#1228030).
• btrfs: remove unused members dirpath from recordedref (bsc#1228030).
• btrfs: send: add new command FILEATTR for file attributes (bsc#1228030).
• btrfs: send: add stream v2 definitions (bsc#1228030).
• btrfs: send: always use the rbtree based inode ref management infrastructure (bsc#1228030).
• btrfs: send: avoid copying file data (bsc#1228030).
• btrfs: send: explicitly number commands and attributes (bsc#1228030).
• btrfs: send: fix failures when processing inodes with no links (bsc#1228030).
• btrfs: send: fix send failure of a subcase of orphan inodes (bsc#1228030).
• btrfs: send: fix sending link commands for existing file paths (bsc#1228030).
• btrfs: send: get rid of isize logic in sendwrite() (bsc#1228030).
• btrfs: send: introduce recordedrefalloc and recordedreffree (bsc#1228030).
• btrfs: send: prepare for v2 protocol (bsc#1228030).
• btrfs: send: refactor arguments of getinodeinfo() (bsc#1228030).
• btrfs: send: remove stale code when checking for shared extents (bsc#1228030).
• btrfs: send: remove unused foundtype parameter to lookupdiriteminode() (bsc#1228030).
• btrfs: send: remove unused sendctx::{total,cmd}send_size (bsc#1228030).
• btrfs: send: use boolean types for current inode status (bsc#1228030).
• btrfs: silence maybe-uninitialized warning in clone_range (bsc#1228030).
• drm/vc4: dsi: Only register our component once a DSI device is (bsc#1227975)
• hvnetvsc: rndisfilter needs to select NLS (git-fixes).
• ipv6: sr: fix incorrect unregister order (git-fixes).
• net: mana: Fix the extra HZ in manahwcsend_request (git-fixes).
• net: mana: select PAGE_POOL (git-fixes).
• netsched: add a temporary refcnt for struct tcindexdata (bsc#1224975).
• netsched: fix a memory leak in clstcindex (bsc#1224975).
• netsched: fix a missing refcnt in tcindexinit() (bsc#1224975).
• netsched: hold rtnl lock in tcindexpartialdestroywork() (bsc#1224975)
• nvme: fixup comment for nvme RDMA Provider Type (git-fixes).
• ocfs2: fix DIO failure due to insufficient transaction credits (bsc#1216834).
• ocfs2: remove redundant assignment to variable free_space (bsc#1228409).
• ocfs2: strict bound check before memcmp in ocfs2xattrfind_entry() (bsc#1228410).
• scsi: qla2xxx: Avoid possible run-time warning with long model_num (bsc#1228850).
• scsi: qla2xxx: Complete command early within lock (bsc#1228850).
• scsi: qla2xxx: Convert comma to semicolon (bsc#1228850).
• scsi: qla2xxx: Drop driver owner assignment (bsc#1228850).
• scsi: qla2xxx: During vport delete send async logout explicitly (bsc#1228850).
• scsi: qla2xxx: Fix debugfs output for fwresourcecount (bsc#1228850).
• scsi: qla2xxx: Fix flash read failure (bsc#1228850).
• scsi: qla2xxx: Fix for possible memory corruption (bsc#1228850).
• scsi: qla2xxx: Fix optrom version displayed in FDMI (bsc#1228850).
• scsi: qla2xxx: Reduce fabric scan duplicate code (bsc#1228850).
• scsi: qla2xxx: Remove unused struct 'scsidiftuple' (bsc#1228850).
• scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds (bsc#1228850).
• scsi: qla2xxx: Unable to act on RSCN for port online (bsc#1228850).
• scsi: qla2xxx: Update version to 10.02.09.300-k (bsc#1228850).
• scsi: qla2xxx: Use QP lock to search for bsg (bsc#1228850).
• scsi: qla2xxx: validate nvmelocalport correctly (bsc#1228850).
• signal: Introduce clear_siginfo (git-fixes).
• string.h: Introduce memtostr() and memtostr_pad() (bsc#1228850).
• tools lib: Fix builds when glibc contains strlcpy() (git-fixes).
• tools: hv: fix KVP and VSS daemons exit code (git-fixes).
• usb: add a hcdusesdma helper (git-fixes).
• usb: atm: cxacru: fix endpoint checking in cxacru_bind() (git-fixes).
• usb: musb: da8xx: fix a resource leak in probe() (git-fixes).
• x86/bhi: Avoid warning in #DB handler due to BHI mitigation (git-fixes).
• x86/bugs: Remove CONFIGBHIMITIGATIONAUTO and spectrebhi=auto (git-fixes).
• x86/bugs: Replace CONFIGSPECTREBHI{ON,OFF} with CONFIGMITIGATIONSPECTREBHI (git-fixes).
• xfs: check that dir block entries do not off the end of the buffer (git-fixes).
• xfs: refactor xfsverifiererror and xfsbufioerror (git-fixes).
• xfs: remove XFSWANTCORRUPTED_RETURN from dir3 data verifiers (git-fixes).
• xhci: Poll for U0 after disabling USB2 LPM (git-fixes).