SUSE-SU-2025:4123-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-20254123-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:4123-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2025:4123-1
Upstream
Related
Published
2025-11-18T02:04:00Z
Modified
2025-11-18T13:47:54.488578Z
Summary
Security update for the Linux Kernel (Live Patch 61 for SUSE Linux Enterprise 12 SP5)
Details

This update for the SUSE Linux Enterprise kernel 4.12.14-122.231 fixes various security issues.

The following security issues were fixed:

  • CVE-2022-48956: ipv6: avoid use-after-free in ip6_fragment() (bsc#1232637).
  • CVE-2022-49014: net: tun: Fix use-after-free in tun_detach() (bsc#1232818).
  • CVE-2022-49053: scsi: target: tcmu: Fix possible page UAF (bsc#1237930).
  • CVE-2022-49080: mm/mempolicy: fix mpol_new leak in shared_policy_replace (bsc#1238324).
  • CVE-2022-49179: block, bfq: don't move oom_bfqq (bsc#1241331).
  • CVE-2022-49465: blk-throttle: set BIO_THROTTLED when bio has been throttled (bsc#1238920).
  • CVE-2022-49545: ALSA: usb-audio: cancel pending work at closing a MIDI substream (bsc#1238730).
  • CVE-2022-49563: crypto: qat - add param check for RSA (bsc#1238788).
  • CVE-2022-49564: crypto: qat - add param check for DH (bsc#1238790).
  • CVE-2022-50252: igb: Do not free q_vector unless new one was allocated (bsc#1249847).
  • CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).
  • CVE-2024-45016: netem: fix return value if duplicate enqueue fails (bsc#1230998).
  • CVE-2024-46818: drm/amd/display: check gpio_id before used as array index (bsc#1231204).
  • CVE-2024-47674: mm: avoid leaving partial pfn mappings around in error case (bsc#1231676).
  • CVE-2024-47684: tcp: check skb is non-NULL in tcp_rto_delta_us() (bsc#1231993).
  • CVE-2024-47706: block, bfq: fix possible UAF for bfqq->bic with merge chain (bsc#1231943).
  • CVE-2024-49860: ACPI: sysfs: validate return type of _STR method (bsc#1231862).
  • CVE-2024-50115: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory (bsc#1233019).
  • CVE-2024-50125: Bluetooth: SCO: Fix UAF on sco_sock_timeout (bsc#1232929).
  • CVE-2024-50154: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink() (bsc#1233072).
  • CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233712).
  • CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing (bsc#1233708).
  • CVE-2024-50301: security/keys: fix slab-out-of-bounds in key_task_permission (bsc#1233680).
  • CVE-2024-50302: HID: core: zero-initialize the report buffer (bsc#1233679).
  • CVE-2024-53104: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format (bsc#1236783).
  • CVE-2024-53146: NFSD: prevent a potential integer overflow (bsc#1234854).
  • CVE-2024-53156: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() (bsc#1234847).
  • CVE-2024-53168: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket (bsc#1243650).
  • CVE-2024-53173: NFSv4.0: Fix a use-after-free problem in the asynchronous open() (bsc#1234892).
  • CVE-2024-53214: vfio/pci: Properly hide first-in-list PCIe extended capability (bsc#1235005).
  • CVE-2024-56600: net: inet6: do not leave a dangling sk pointer in inet6_create() (bsc#1235218).
  • CVE-2024-56601: net: inet: do not leave a dangling sk pointer in inet_create() (bsc#1235231).
  • CVE-2024-56605: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() (bsc#1235062).
  • CVE-2024-56650: netfilter: x_tables: fix LED ID check in led_tg_check() (bsc#1235431).
  • CVE-2024-56664: bpf, sockmap: fix race between element replace and close() (bsc#1235250).
  • CVE-2024-57893: ALSA: seq: oss: fix races at processing SysEx messages (bsc#1235921).
  • CVE-2024-57996: net_sched: sch_sfq: don't allow 1 packet limit (bsc#1239077).
  • CVE-2024-8805: BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability (bsc#1240840).
  • CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1245797).
  • CVE-2025-21772: partitions: mac: fix handling of bogus partition table (bsc#1238912).
  • CVE-2025-21791: vrf: use RCU protection in l3mdev_l3_out() (bsc#1240744).
  • CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
  • CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1245776).
  • CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1245793).
  • CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1245775).
  • CVE-2025-38079: crypto: algif_hash - fix double free in hash_accept (bsc#1245218).
  • CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245350).
  • CVE-2025-38177: kernel: sch_hfsc: make hfsc_qlen_notify() idempotent (bsc#1246356).
  • CVE-2025-38181: calipso: fix null-ptr-deref in calipso_req_{set,del}attr() (bsc#1246001).
  • CVE-2025-38212: ipc: fix to protect IPCS lookups using RCU (bsc#1246030).
  • CVE-2025-38477: net/sched: sch_qfq: Fix race condition on qfq_aggregate (bsc#1247315).
  • CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247350).
  • CVE-2025-38495: HID: core: ensure the allocated report buffer can contain the reserved report ID (bsc#1247351).
  • CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247499).
  • CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
  • CVE-2025-38617: net/packet: fix a race in packet_set_ring() and packet_notifier() (bsc#1249208).
  • CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1249207).
  • CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).

The following non-security issues were fixed:

  • Add the git commit and branch to the package description (bsc#920633)
  • Fix description in rpm spec file. Spec file description mentions initial kGraft patch which is only true for real initial patch. Make it more neutral. (bsc#930408)
  • Mark the module as supported (bsc#904970)
  • Provide common kallsyms wrapper API. With bsc#1103203, the need for disambiguating between a multiply defined symbol arose. This is something the kallsyms_lookup_name() based code snippet we used to copy&paste to every individual CVE fix can't handle. Implement a proper wrapper API for doing the kallsyms lookups.
  • Require exact kernel version in the patch (bsc#920615)
  • Revert 'Require exact kernel version in the patch'. This needs to be done differently, so that modprobe --force works as expected. (bsc#920615) This reverts commit c62c11aecd4e3f8822e1b835fea403acc3148c5a.
  • Set immediate flag for the initial patch. Setting immediate to true will simplify installation of the initial patch and possibly also of the further updates. (bsc#907150)
  • The stubs' signatures have changed: each argument used to get mapped to either long or long long, but on x86_64, the stubs are now receiving a single struct pt_regs only -- it's their responsibility to extract the arguments as appropriate. In order to not require each and every live patch touching syscalls to include an insane amount of ifdeffery, provide a set of #defines hiding it: 1.) KLP_SYSCALL_SYM(name) expands to the syscall stub name for 64 bits as defined by SYSCALL_DEFINEx(x, name, ...). 2.) If the architecture requires 32bit specific stubs for syscalls sharing a common implementation between 32 and 64bits, the KLP_ARCH_HAS_SYSCALL_COMPAT_STUBS macro is defined. 3.) If KLP_ARCH_HAS_SYSCALL_COMPAT_STUBS is defined, then KLP_SYSCALL_COMPAT_STUB_SYM(name) expands to the syscall stub name for 32 bits as defined by _SYSCALL_DEFINEx(x, name, ...). 4.) For syscalls not sharing a common implementation between 32 and 64 bits, i.e. those defined by COMPAT_SYSCALL_DEFINEx(), the macro KLP_COMPAT_SYSCALL_SYM(name) expands to the stub name as defined by COMPAT_SYSCALL_DEFINEx(x, name, ...). 5.) Finally, for hiding differences between the signatures, provide the macro KLP_SYSCALL_DECLx(x, sym, ...) which expands to a declaration of sym, with the x arguments either mapped to long resp. long long each, or collapsed to a single struct pt_regs argument as appropriate for the architecture. Note that these macros are defined as appropriate on kernels before and after 4.17, so that live patch code can be shared. (bsc#1149841)
  • bsc#1249208: fix livepatching target module name (bsc#1252946)
  • uname_patch: convert to the syscall stub wrapper macros from klp_syscalls.h. In order to make the live patch to the newuname() syscall work on kernels >= 4.17 again, convert it to the KLP_SYSCALL_*() wrapper macros provided by klp_syscalls.h. (bsc#1149841)
References

Affected packages

SUSE:Linux Enterprise Live Patching 12 SP5 / kgraft-patch-SLE12-SP5_Update_61

Package

Name
kgraft-patch-SLE12-SP5_Update_61
Purl
pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_61&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
18-4.1

Ecosystem specific

{
    "binaries": [
        {
            "kgraft-patch-4_12_14-122_231-default": "18-4.1"
        }
    ]
}