SUSE-SU-2018:2637-1

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2016-8405: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. (bnc#1099942).
• CVE-2017-13305: A information disclosure vulnerability was fixed in the encrypted-keys handling. (bnc#1094353).
• CVE-2018-1000204: A malformed SG_IO ioctl issued for a SCSI device lead to a local kernel data leak manifesting in up to approximately 1000 memory pages copied to the userspace. The problem has limited scope as non-privileged users usually have no permissions to access SCSI device files. (bnc#1096728).
• CVE-2018-1068: A flaw was found in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107).
• CVE-2018-1130: Linux kernel was vulnerable to a null pointer dereference in dccpwritexmit() function in net/dccp/output.c in that allowed a local user to cause a denial of service by a number of certain crafted system calls (bnc#1092904).
• CVE-2018-12233: In the eaget function in fs/jfs/xattr.c a memory corruption bug in JFS could be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfsxattr (bnc#1097234).
• CVE-2018-13053: The alarmtimernsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktimeaddsafe is not used (bnc#1099924).
• CVE-2018-13406: An integer overflow in the uvesafbsetcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmallocarray is not used (bnc#1098016 bnc#1100418).
• CVE-2018-3620: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis (bnc#1087081).
• CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bnc#1089343 bnc#1104365).
• CVE-2018-5803: An error in the 'sctpmakechunk()' function (net/sctp/smmake_chunk.c) when handling SCTP packets length could be exploited to cause a kernel crash (bnc#1083900).
• CVE-2018-5814: Multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets (bnc#1096480).
• CVE-2018-7492: A NULL pointer dereference was found in the net/rds/rdma.c _rdsrdmamap() function allowed local attackers to cause a system panic and a denial-of-service, related to RDSGETMR and RDSGETMRFOR_DEST (bnc#1082962).

The following non-security bugs were fixed:

• usb: add USBDEVICEINTERFACE_CLASS macro (bsc#1047487).
• usb: hub: fix non-SS hub-descriptor handling (bsc#1047487).
• usb: kobil_sct: fix non-atomic allocation in write path (bsc#1015828).
• usb: serial: ftdi_sio: fix latency-timer error handling (bsc#1037441).
• usb: serial: io_edgeport: fix NULL-deref at open (bsc#1015828).
• usb: serial: io_edgeport: fix possible sleep-in-atomic (bsc#1037441).
• usb: serial: keyspan_pda: fix modem-status error handling (bsc#1100132).
• usb: visor: Match I330 phone more precisely (bsc#1047487).
• cpu/hotplug: Add sysfs state interface (bsc#1089343).
• cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
• cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
• cpu/hotplug: Split docpudown() (bsc#1089343).
• disable prot_none native mitigation (bnc#1104684)
• drm/i915: fix use-after-free in pageflipcompleted() (bsc#1103909).
• drm: re-enable error handling (bsc#1103884)
• efivarfs: maintain the efivarfs interfaces when sysfs be created and removed (bsc#1097125).
• fix pgd underflow (bnc#1104475) custom walkpagerange rework was incorrect and could underflow pgd if the given range was below a first vma.
• kthread, tracing: Do not expose half-written comm when creating kthreads (Git-fixes).
• nvme: add device id's with intel stripe quirk (bsc#1097562).
• perf/core: Fix group scheduling with mixed hw and sw events (Git-fixes).
• perf/x86/intel: Handle Broadwell family processors (bsc#1093183).
• s390/qeth: fix IPA command submission race (bnc#1099709, LTC#169004).
• scsi: zfcp: fix infinite iteration on ERP ready list (bnc#1102087, LTC#168038).
• scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (bnc#1102087, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (bnc#1102087, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (bnc#1102087, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace on terminaterportio early return (bnc#1102087, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace on terminaterportio for ERP_FAILED (bnc#1102087, LTC#168765).
• scsi: zfcp: fix missing SCSI trace for result of ehhostreset_handler (bnc#1102087, LTC#168765).
• scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (bnc#1102087, LTC#168765).
• series.conf: Remove trailing whitespaces
• slab: introduce kmalloc_array() (bsc#909361).
• smsc75xx: Add workaround for gigabit link up hardware errata (bsc#1100132).
• x64/entry: move ENABLE_IBRS after switching from trampoline stack (bsc#1098658).
• x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343).
• x86/CPU/AMD: Move TOPOEXT reenablement before reading smpnumsiblings (bsc#1089343).
• x86/apic: Ignore secondary threads if nosmt=force (bsc#1089343).
• x86/cpu/AMD: Evaluate smpnumsiblings early (bsc#1089343).
• x86/cpu/AMD: Evaluate smpnumsiblings early (bsc#1089343).
• x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
• x86/cpu/common: Provide detecthtearly() (bsc#1089343).
• x86/cpu/intel: Evaluate smpnumsiblings early (bsc#1089343).
• x86/cpu/topology: Provide detectextendedtopology_early() (bsc#1089343).
• x86/cpu: Remove the pointless CPU printout (bsc#1089343).
• x86/fpu: fix signal handling with eager FPU switching (bsc#1100091).
• x86/mm: Simplify p[g4um]d_page() macros (bnc#1087081, bnc#1104684).
• x86/smp: Provide topologyisprimary_thread() (bsc#1089343).
• x86/smpboot: Do not use smpnumsiblings in _maxlogical_packages calculation (bsc#1089343).
• x86/topology: Add topologymaxsmt_threads() (bsc#1089343).
• x86/topology: Provide topologysmtsupported() (bsc#1089343).
• x86/traps: Fix badiretstack in fixupbadiret() (bsc#1098658).
• x86/traps: add missing kernel CR3 switch in bad_iret path (bsc#1098658).
• xen/x86/cpu/common: Provide detecthtearly() (bsc#1089343).
• xen/x86/cpu/topology: Provide detectextendedtopology_early() (bsc#1089343).
• xen/x86/cpu: Remove the pointless CPU printout (bsc#1089343).
• xhci: xhci-mem: off by one in xhcistreamidtoring() (bsc#1100132).