SUSE-SU-2018:2344-2

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081).
• CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343).
• CVE-2018-5390 aka 'SegmentSmack': The Linux Kernel can be forced to make very expensive calls to tcpcollapseofoqueue() and tcppruneofoqueue() for every incoming packet which can lead to a denial of service (bnc#1102340).
• CVE-2018-5391 aka 'FragmentSmack': A flaw in the IP packet reassembly could be used by remote attackers to consume lots of CPU time (bnc#1103097).
• CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucmaleavemulticast to access a certain data structure after a cleanup step in ucmaprocessjoin, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119).
• CVE-2017-18344: The timercreate syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigevnotify field, which leads to out-of-bounds access in the showtimer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIGPOSIXTIMERS and CONFIGCHECKPOINT_RESTORE) (bnc#1102851 bnc#1103580).
• CVE-2018-9385: When printing the 'driver_override' option from with-in the amba driver, a very long line could expose one additional uninitialized byte (bnc#1100491).
• CVE-2018-13053: The alarmtimernsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktimeaddsafe is not used (bnc#1099924).
• CVE-2018-13405: The inodeinitowner function in fs/inode.c allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416).
• CVE-2018-13406: An integer overflow in the uvesafbsetcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmallocarray is not used (bnc#1098016 1100418).
• CVE-2018-5814: Multiple race condition errors when handling probe, disconnect, and rebind operations could be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets (bnc#1096480).

The following non-security bugs were fixed:

• Add support for 5,25,50, and 100G to 802.3ad bonding driver (bsc#1096978)
• bcache: add backingrequestendio() for biendio (bsc#1064232).
• bcache: add CACHESETIODISABLE to struct cacheset flags (bsc#1064232).
• bcache: add iodisable to struct cacheddev (bsc#1064232).
• bcache: add journal statistic (bsc#1076110).
• bcache: Add _printf annotation to _bchcheckkeys() (bsc#1064232).
• bcache: add stopwhencachesetfailed option to backing device (bsc#1064232).
• bcache: add waitforkthreadstop() in bchallocator_thread() (bsc#1064232).
• bcache: Annotate switch fall-through (bsc#1064232).
• bcache: closures: move control bits one bit right (bsc#1076110).
• bcache: correct flash only vols (check all uuids) (bsc#1064232).
• bcache: count backing device I/O error for writeback I/O (bsc#1064232).
• bcache: do not attach backing with duplicate UUID (bsc#1076110).
• bcache: Fix a compiler warning in bcachedeviceinit() (bsc#1064232).
• bcache: fix cacheddev->count usage for bchcacheseterror() (bsc#1064232).
• bcache: fix crashes in duplicate cache device register (bsc#1076110).
• bcache: fix error return value in memory shrink (bsc#1064232).
• bcache: fix for allocator and register thread race (bsc#1076110).
• bcache: fix for data collapse after re-attaching an attached device (bsc#1076110).
• bcache: fix high CPU occupancy during journal (bsc#1076110).
• bcache: Fix, improve efficiency of closure_sync() (bsc#1076110).
• bcache: fix inaccurate io state for detached bcache devices (bsc#1064232).
• bcache: fix incorrect sysfs output value of strip size (bsc#1064232).
• bcache: Fix indentation (bsc#1064232).
• bcache: fix kcrashes with fio in RAID5 backend dev (bsc#1076110).
• bcache: Fix kernel-doc warnings (bsc#1064232).
• bcache: fix misleading error message in bchcountio_errors() (bsc#1064232).
• bcache: fix using of loop variable in memory shrink (bsc#1064232).
• bcache: fix writeback target calc on large devices (bsc#1076110).
• bcache: fix wrong return value in bchdebuginit() (bsc#1076110).
• bcache: mark closuresync() _sched (bsc#1076110).
• bcache: move closure debug file into debug directory (bsc#1064232).
• bcache: properly set task state in bchwritebackthread() (bsc#1064232).
• bcache: quit dc->writebackthread when BCACHEDEV_DETACHING is set (bsc#1064232).
• bcache: reduce cacheset devices iteration by devicesmax_used (bsc#1064232).
• bcache: Reduce the number of sparse complaints about lock imbalances (bsc#1064232).
• bcache: Remove an unused variable (bsc#1064232).
• bcache: ret IOERR when read meets metadata error (bsc#1076110).
• bcache: return 0 from bchdebuginit() if CONFIGDEBUGFS=n (bsc#1064232).
• bcache: return attach error when no cache set exist (bsc#1076110).
• bcache: segregate flash only volume write streams (bsc#1076110).
• bcache: set CACHESETIODISABLE in bchcacheddeverror() (bsc#1064232).
• bcache: set dc->iodisable to true in conditionalstopbcachedevice() (bsc#1064232).
• bcache: set error_limit correctly (bsc#1064232).
• bcache: set writebackrateupdate_seconds in range [1, 60] seconds (bsc#1064232).
• bcache: stop bcache device when backing device is offline (bsc#1064232).
• bcache: stop dc->writebackrateupdate properly (bsc#1064232).
• bcache: stop writeback thread after detaching (bsc#1076110).
• bcache: store disk name in struct cache and struct cached_dev (bsc#1064232).
• bcache: Suppress more warnings about set-but-not-used variables (bsc#1064232).
• bcache: use prinfo() to inform duplicated CACHESETIODISABLE set (bsc#1064232).
• bcache: Use PTRERROR_ZERO() (bsc#1076110).
• bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
• cifs: Check for timeout on Negotiate stage (bsc#1091171).
• cifs: fix bad/NULL ptr dereferencing in SMB2sesssetup() (bsc#1090123).
• cpu/hotplug: Add sysfs state interface (bsc#1089343).
• cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
• cpu/hotplug: Split docpudown() (bsc#1089343).
• ext4: fix unsupported feature message formatting (bsc#1098435).
• Hang/soft lockup in d_invalidate with simultaneous calls (bsc#1094248, bsc@1097140).
• ixgbe: fix possible race in reset subtask (bsc#1101557).
• ixgbe: Refactor queue disable logic to take completion time into account (bsc#1101557).
• ixgbe: Reorder Tx/Rx shutdown to reduce time needed to stop device (bsc#1101557).
• ixgbe: use atomic bitwise operations when handling reset requests (bsc#1101557).
• kabi/severities: add PASS to drivers/md/bcache/*, no one uses bcache kernel module.
• procfs: add tunable for fd/fdinfo dentry retention (bsc#1086652).
• sched/sysctl: Check user input value of sysctlschedtime_avg (bsc#1100089).
• signals: avoid unnecessary taking of sighand->siglock (bsc#1096130).
• x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343).
• x86/cpu/AMD: Evaluate smpnumsiblings early (bsc#1089343).
• x86/CPU/AMD: Move TOPOEXT reenablement before reading smpnumsiblings (bsc#1089343). Update config files.
• x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
• x86/cpu/common: Provide detecthtearly() (bsc#1089343).
• x86/cpu/intel: Evaluate smpnumsiblings early (bsc#1089343).
• x86/cpu: Remove the pointless CPU printout (bsc#1089343).
• x86/cpu/topology: Provide detectextendedtopology_early() (bsc#1089343).
• x86/mm: Simplify p[g4um]d_page() macros (1087081).
• x86/pti: do not report XenPV as vulnerable (bsc#1097551).
• x86/smpboot: Do not use smpnumsiblings in _maxlogical_packages calculation (bsc#1089343).
• x86/smp: Provide topologyisprimary_thread() (bsc#1089343).
• x86/topology: Add topologymaxsmt_threads() (bsc#1089343).
• x86/topology: Provide topologysmtsupported() (bsc#1089343).
• xen/grant-table: log the lack of grants (bnc#1085042).