The SUSE Linux Enterprise 15 kernel was updated to receive various security and bug fixes.
The following new feature was added:
NVDIMM memory error notification (ACPI 6.2)
The following security bugs were fixed:
CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could
have resulted in local attackers being able to crash the kernel or potentially
elevate privileges because kmalloc_array is not used (bnc#1100418)
CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a
large relative timeout because ktime_add_safe was not used (bnc#1099924)
CVE-2018-9385: Prevent overread of the 'driver_override' buffer (bsc#1100491)
CVE-2018-13405: The inode_init_owner function allowed local users to create
files with an unintended group ownership allowing attackers to escalate
privileges by making a plain file executable and SGID (bnc#1100416)
CVE-2017-5753: Systems with microprocessors utilizing speculative execution
and branch prediction may have allowed unauthorized disclosure of information
to an attacker with local user access via a side-channel analysis (bsc#1068032)
CVE-2018-1118: Linux kernel vhost did not properly initialize memory in
messages passed between virtual guests and the host operating system. This
could have allowed local privileged users to read some kernel memory contents
when reading from the /dev/vhost-net device file (bsc#1092472)
CVE-2018-12233: A memory corruption bug in JFS could have been triggered by
calling setxattr twice with two different extended attribute names on the same
file. This vulnerability could be triggered by an unprivileged user with the
ability to create files and execute programs (bsc#1097234)
CVE-2018-5848: In the function wmi_set_ie(), the length validation code did
not handle unsigned integer overflow properly. As a result, a large value of
the 'ie_len' argument could have caused a buffer overflow (bnc#1097356)
CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the SG_IO
ioctl (bsc#1096728)
CVE-2018-3639: Systems with microprocessors utilizing speculative execution
and speculative execution of memory reads before the addresses of all prior
memory writes are known may have allowed unauthorized disclosure of information
to an attacker with local user access via a side-channel analysis, aka
Speculative Store Bypass (SSB), Variant 4 (bsc#1087082)
CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory
containing command line arguments (or environment strings), an attacker could
have caused utilities from psutils or procps (such as ps, w) to block
indefinitely (denial of service) or for some controlled time (as a
synchronization primitive for other attacks) (bsc#1093158)
CVE-2018-1094: The ext4_fill_super function did not always initialize the
crc32c checksum driver, which allowed attackers to cause a denial of service
(ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted
ext4 image (bsc#1087007)
CVE-2018-1092: The ext4_iget function mishandled the case of a root directory
with a zero i_links_count, which allowed attackers to cause a denial of service
(ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4
image (bsc#1087012)
1093: The ext4_valid_block_bitmap function allowed attackers to cause a
denial of service (out-of-bounds read and system crash) via a crafted ext4
image because balloc.c and ialloc.c do not validate bitmap block numbers
(bsc#1087095)
CVE-2018-1000200: Prevent NULL pointer dereference which could have resulted
in an out of memory (OOM) killing of large mlocked processes (bsc#1090150)
CVE-2018-1130: NULL pointer dereference in dccp_write_xmit() function that
allowed a local user to cause a denial of service by a number of certain
crafted system calls (bsc#1092904)
CVE-2018-5803: Prevent error in the '_sctp_make_chunk()' function when
handling SCTP packet lengths that could have been exploited to cause a kernel
crash (bnc#1083900)
CVE-2018-7492: Prevent NULL pointer dereference in the net/rds/rdma.c
__rds_rdma_map() function that allowed local attackers to cause a system panic
and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST
(bsc#1082962)
CVE-2018-8781: The udl_fb_mmap function had an integer-overflow vulnerability
allowing local users with access to the udldrmfb driver to obtain full read and
write permissions on kernel physical pages, resulting in code execution in
kernel space (bsc#1090643)
CVE-2018-10124: The kill_something_info function in kernel/signal.c might
have allowed local users to cause a denial of service via an INT_MIN argument
(bnc#1089752)
CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have allowed
local users to cause a denial of service by triggering an attempted use of the
-INT_MIN value (bnc#1089608)
CVE-2017-5715: Prevent unauthorized disclosure of information to an attacker
with local user access caused by speculative execution and indirect branch
prediction (bsc#1068032)
The following non-security bugs were fixed:
Fix copy_in_user() declaration (bsc#1052766).
1wire: family module autoload fails because of upper/lower case mismatch (bsc#1051510).
8021q: fix a memory leak for VLAN 0 device (networking-stable-18_01_12).
8139too: Use disable_irq_nosync() in rtl8139_poll_controller() (networking-stable-18_05_15).
Downgrade printk level for MMC SDHCI host version error (bsc#1097941).
Fix kABI breakage due to acpi_ec gpe field change (bsc#1051510).
Fix kABI breakage due to snd_usb_audio_quirk profile_name addition (bsc#1091678).
Fix kABI breakage due to sound/timer.h inclusion (bsc#1051510).
Fix kABI breakage for iwl_fw_runtime_ops change (bsc#1051510).
Fix kABI breakage for iwlwifi (bsc#1051510).
Fix kABI breakage of iio_buffer (bsc#1051510).
Fix kABI incompatibility by snd_pcm_oss_runtime.rw_ref addition (bsc#1051510).
Fix the build error in adau17x1 soc driver (bsc#1051510)
Fix the build of da9063_wdt module (bsc#1100843). Backport the missing prerequisite commit, move the previous fixes into the sorted section and refresh.
GFS2: Take inode off order_write list when setting jdata flag (bsc#1052766).
HID: add backlight level quirk for Asus ROG laptops (bsc#1101324).
delayacct: Account blkio completion on the correct task (bsc#1052766).
dell_rbu: make firmware payload memory uncachable (bsc#1087978).
device-dax: allow MAP_SYNC to succeed (bsc#1052766).
devlink: Remove redundant free on error path (networking-stable-18_03_28).
direct-io: Prevent NULL pointer access in submit_page_section (bsc#1052766).
disable patches.drivers/s390-qeth-use-Read-device-to-query-hypervisor-for-MA.patch. Backport of mainline commit b7493e91c11a ('s390/qeth: use Read device to query hypervisor for MAC') changes assigned MAC address (and breaks networking) on one of our machines and it's not clear which address is actually correct (bsc#1094575).
dlm: fix a clerical error when set SCTP_NODELAY (bsc#1091594).
dlm: make sctp_connect_to_sock() return in specified time (bsc#1080542).
dlm: remove O_NONBLOCK flag in sctp_connect_to_sock (bsc#1080542).
dm btree: fix serious bug in btree_split_beneath() (bsc#1093023).
dm bufio: add missed destroys of client mutex (bsc#1093023).
dm bufio: check result of register_shrinker() (bsc#1093023).
dm bufio: delete outdated comment (bsc#1093023).
dm bufio: do not embed a bio in the dm_buffer structure (bsc#1093023).
dm bufio: eliminate unnecessary labels in dm_bufio_client_create() (bsc#1093023).
dm bufio: fix buffer alignment (bsc#1093023).
dm bufio: fix integer overflow when limiting maximum cache size (bsc#1093023).
dm bufio: fix shrinker scans when (nr_to_scan lower than retain_target) (bsc#1093023).
dm bufio: get rid of slab cache name allocations (bsc#1093023).
dm bufio: move dm-bufio.h to include/linux/ (bsc#1093023).
dm bufio: relax alignment constraint on slab cache (bsc#1093023).
dm bufio: remove code that merges slab caches (bsc#1093023).
dm bufio: reorder fields in dm_buffer structure (bsc#1093023).
dm bufio: support non-power-of-two block sizes (bsc#1093023).
dm bufio: use REQ_OP_READ and REQ_OP_WRITE (bsc#1093023).
dm bufio: use slab cache for dm_buffer structure allocations (bsc#1093023).
dm cache background tracker: limit amount of background work that may be issued at once (bsc#1093023).
dm cache policy smq: allocate cache blocks in order (bsc#1093023).
dm cache policy smq: change max background work from 10240 to 4096 blocks (bsc#1093023).
dm cache policy smq: handle races with queuing background_work (bsc#1093023).
dm cache policy smq: take origin idle status into account when queuing writebacks (bsc#1093023).
dm cache: convert dm_cache_metadata.ref_count from atomic_t to refcount_t (bsc#1093023).
dm cache: fix race condition in the writeback mode overwrite_bio optimisation (bsc#1093023).
dm cache: lift common migration preparation code to alloc_migration() (bsc#1093023).
dm cache: pass cache structure to mode functions (bsc#1093023).
dm cache: remove all obsolete writethrough-specific code (bsc#1093023).
dm cache: remove unused deferred_cells member from struct cache (bsc#1093023).
dm cache: simplify get_per_bio_data() by removing data_size argument (bsc#1093023).
dm cache: submit writethrough writes in parallel to origin and cache (bsc#1093023).
iwlwifi: mvm: Correctly set IGTK for AP (bsc#1051510).
iwlwifi: mvm: Correctly set the tid for mcast queue (bsc#1051510).
iwlwifi: mvm: Direct multicast frames to the correct station (bsc#1051510).
iwlwifi: mvm: Fix channel switch for count 0 and 1 (bsc#1051510).
iwlwifi: mvm: Increase session protection time after CS (bsc#1051510).
iwlwifi: mvm: always init rs with 20mhz bandwidth rates (bsc#1051510).
iwlwifi: mvm: clear tx queue id when unreserving aggregation queue (bsc#1051510).
iwlwifi: mvm: do not warn in queue sync on RF-kill (bsc#1051510).
iwlwifi: mvm: fix 'failed to remove key' message (bsc#1051510).
iwlwifi: mvm: fix IBSS for devices that support station type API (bsc#1051510).
iwlwifi: mvm: fix TSO with highly fragmented SKBs (bsc#1051510).
iwlwifi: mvm: fix TX of CCMP 256 (bsc#1051510).
iwlwifi: mvm: fix array out of bounds reference (bsc#1051510).
iwlwifi: mvm: fix assert 0x2B00 on older FWs (bsc#1051510).
iwlwifi: mvm: fix error checking for multi/broadcast sta (bsc#1051510).
iwlwifi: mvm: fix race in queue notification wait (bsc#1051510).
iwlwifi: mvm: fix security bug in PN checking (bsc#1051510).
iwlwifi: mvm: honor the max_amsdu_subframes limit (bsc#1051510).
iwlwifi: mvm: make sure internal station has a valid id (bsc#1051510).
iwlwifi: mvm: remove DQA non-STA client mode special case (bsc#1051510).
iwlwifi: mvm: set the correct tid when we flush the MCAST sta (bsc#1051510).
iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs (bsc#1051510).
ixgbe: do not set RXDCTL.RLPML for 82599 (bsc#1056657).
ixgbe: prevent ptp_rx_hang from running when in FILTER_ALL mode (bsc#1056657 bsc#1056653).
jbd2: if the journal is aborted then do not allow update of the log tail (bsc#1052766).
jffs2_kill_sb(): deal with failed allocations (bsc#1052766).
kABI: protect ife_tlv_meta_decode (kabi).
kABI: protect struct cstate (kabi).
kABI: protect struct ipv6_pinfo (kabi).
kABI: protect tap_create_cdev (kabi).
kabi protect struct acpi_nfit_desc (bsc#1091424).
kabi/severities: Ignore kABI incompatibility for meson drm. The symbols are used only between meson modules, so mostly internal.
kabi/severities: Ignore removed bugs.c symbols. The second wave of SSBD patches drops those symbols and we can ignore them from kABI because nothing external should use them - they were exported only for kvm.
kabi/severities: add 'drivers/md/bcache/* PASS' for above change.
kabi/severities: add nvdimm internal symbols to kabi ignore list
kabi: add struct bpf_map back (References: bsc#1098425).
kcm: lock lower socket in kcm_attach (networking-stable-18_03_28).
kconfig: Avoid format overflow warning from GCC 8.1 (bsc#1051510).
kconfig: Do not leak main menus during parsing (bsc#1051510).
kconfig: Fix automatic menu creation mem leak (bsc#1051510).
kconfig: Fix expr_free() E_NOT leak (bsc#1051510).
kernel-binary: also default klp_symbols to 0 here.
kernel-binary: pass ARCH= to kernel build. Recent kernel does not save CONFIG_64BIT so it has to be specified by arch.
kernel-binary: pass MAKE_ARGS to install script as well.
kernel-{binary,docs}.spec sort dependencies.
kernel/acct.c: fix the acct->needcheck check in check_free_space() (Git-fixes).
mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 (bsc#1051510).
mac80211: use timeout from the AddBA response instead of the request (bsc#1051510).
macros.kernel-source: Fix building non-x86 KMPs
macros.kernel-source: define linux_arch for KMPs (boo#1098050). CONFIG_64BIT is no longer defined so KMP spec files need to include %{?linux_make_arch} in any make call to build modules or descend into the kernel directory for any reason.
macros.kernel-source: ignore errors when using make to print kernel release. There is no way to handle the errors anyway and including the error into package version does not give good results.
macvlan: filter out unsupported feature flags (networking-stable-18_03_28).
macvlan: fix memory hole in macvlan_dev (bsc#1099918).
macvlan: remove unused fields in struct macvlan_dev (bsc#1099918).
mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush sequence (bsc#1051510).
mailbox: bcm-flexrm-mailbox: Fix mask used in CMPL_START_ADDR_VALUE() (bsc#1051510).
mailbox: mailbox-test: do not rely on rx_buffer content to signal data ready (bsc#1051510).
mbcache: initialize entry->e_referenced in mb_cache_entry_create() (bsc#1052766).
md-cluster: choose correct label when clustered layout is not supported (bsc#1093023).
md-cluster: do not update recovery_offset for faulty device (bsc#1093023).
md-cluster: make function cluster_check_sync_size static (bsc#1093023).
md-multipath: Use seq_putc() in multipath_status() (bsc#1093023).
md/bitmap: clear BITMAP_WRITE_ERROR bit before writing it to sb (bsc#1093023).
md/bitmap: copy correct data for bitmap super (bsc#1093023).
md/bitmap: revert a patch (bsc#1093023).
md/r5cache: call mddev_lock/unlock() in r5c_journal_mode_show (bsc#1093023).
md/r5cache: fix io_unit handling in r5l_log_endio() (bsc#1093023).
md/r5cache: move mddev_lock() out of r5c_journal_mode_set() (bsc#1093023).
md/r5cache: print more info of log recovery (bsc#1093023).
md/raid0: attach correct cgroup info in bio (bsc#1093023).
md/raid1,raid10: silence warning about wait-within-wait (bsc#1093023).
md/raid1/10: add missed blk plug (bsc#1093023).
md/raid1: Fix trailing semicolon (bsc#1093023).
md/raid1: exit sync request if MD_RECOVERY_INTR is set (bsc#1093023).
rmdir(),rename(): do shrink_dcache_parent() only on success (bsc#1100340).
rocker: fix possible null pointer dereference in rocker_router_fib_event_work (networking-stable-18_02_06).
route: check sysctl_fib_multipath_use_neigh earlier than hash (networking-stable-18_04_10).
rpm/config.sh: Fixup BUGZILLA_PRODUCT variable
rpm/kernel-docs.spec.in: Fix and cleanup for 4.13 doc build (bsc#1048129). The whole DocBook stuff has been deleted. The PDF build is still non-working, thus the sub-packaging is disabled so far.
rpm/kernel-source.changes.old: Add pre-SLE15 history (bsc#1098995).
rpm/modules.fips include module list from dracut
rt2x00: do not pause queue unconditionally on error path (bsc#1051510).