The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.162 to receive various security and bugfixes.
The following security bugs were fixed:
CVE-2018-14633: A security flaw was found in the chapservercompute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).
CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfsattrshortformaddname in fs/xfs/libxfs/xfsattr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).
CVE-2018-18710: An issue was discovered in the Linux kernel An information leak in cdromioctlselect_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
CVE-2018-9516: A lack of certain checks in the hiddebugevents_read() function in the drivers/hid/hid-debug.c file might have resulted in receiving userspace buffer overflow and an out-of-bounds write or to the infinite loop. (bnc#1108498).
The following non-security bugs were fixed:
6lowpan: iphc: reset mac_header after decompress to fix panic (bnc#1012382).
alsa: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping (bnc#1012382).
alsa: emu10k1: fix possible info leak to userspace on SNDRVEMU10K1IOCTL_INFO (bnc#1012382).
alsa: hda: Add AZXDCAPSPM_RUNTIME for AMD Raven Ridge (bnc#1012382).
alsa: hda - Fix cancelworksync() stall from jackpoll work (bnc#1012382).
input: atmelmxtts - only use first T9 instance (bnc#1012382).
input: elantech - enable middle button of touchpad on ThinkPad P72 (bnc#1012382).
iommu/amd: Return devid as alias for ACPI HID devices (bsc#1106105).
iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register (bnc#1012382).
iommu/ipmmu-vmsa: Fix allocation in atomic context (bnc#1012382).
ip6_tunnel: be careful when accessing the inner header (bnc#1012382).
ipmi:ssif: Add support for multi-part transmit messages > 2 parts (bsc#1103308).
ip_tunnel: be careful when accessing the inner header (bnc#1012382).
ipv4: fix use-after-free in ipcmsgrecv_dstaddr() (bnc#1012382).
ipv6: fix possible use-after-free in ip6_xmit() (bnc#1012382).
iw_cxgb4: only allow 1 flush on user qps (bnc#1012382).
ixgbe: pcisetdrvdata must be called before register_netdev (Git-fixes bsc#1109923).
jffs2: return -ERANGE when xattr buffer is too small (bnc#1012382).
KABI: move the new handler to end of machdep_calls and hide it from genksyms (bsc#1094244).
kABI: protect struct hnaedesccb (kabi).
kbuild: add .DELETEONERROR special target (bnc#1012382).
kernel-obs-build.spec.in: add --no-hostonly-cmdline to dracut invocation (boo#1062303). call dracut with --no-hostonly-cmdline to avoid the random rootfs UUID being added into the initrd's /etc/cmdline.d/95root-dev.conf
kernel-obs-build: use pae and lpae kernels where available (bsc#1073579).
kernel/params.c: downgrade warning for unsafe parameters (bsc#1050549).
kprobes/x86: Release insn_slot in failure path (bsc#1110006).
kthread: fix boot hang (regression) on MIPS/OpenRISC (bnc#1012382).
kthread: Fix use-after-free if kthread fork fails (bnc#1012382).
kvm: nVMX: Do not expose MPX VMX controls when guest MPX disabled (bsc#1106240).
kvm: nVMX: Do not flush TLB when vmcs12 uses VPID (bsc#1106240).
kvm: PPC: Book3S HV: Do not truncate HPTE index in xlate function (bnc#1012382).
kvm: x86: Do not re-{try,execute} after failed emulation in L2 (bsc#1106240).
kvm: x86: Do not use kvmx86ops->mpx_supported() directly (bsc#1106240).
macros.kernel-source: define linuxarch for KMPs (boo#1098050). CONFIG64BIT is no longer defined so KMP spec files need to include %{?linuxmakearch} in any make call to build modules or descent into the kernel directory for any reason.
macros.kernel-source: pass -b properly in kernel module package (bsc#1107870).
macros.kernel-source: pass -f properly in module subpackage (boo#1076393).
md-cluster: clear another node's suspend_area after the copy is finished (bnc#1012382).
md/raid1: exit sync request if MDRECOVERYINTR is set (git-fixes).
md/raid5: fix data corruption of replacements after originals dropped (bnc#1012382).
media: af9035: prevent buffer overflow on write (bnc#1012382).
media: exynos4-is: Prevent NULL pointer dereference in _ispvideotryfmt() (bnc#1012382).
media: fsl-viu: fix error handling in viuofprobe() (bnc#1012382).
media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data (bnc#1012382).
media: omapvout: Fix a possible null pointer dereference in omapvout_open() (bsc#1050431).
media: s3c-camif: ignore -ENOIOCTLCMD from v4l2subdevcall for s_power (bnc#1012382).
media: soc_camera: ov772x: correct setting of banding filter (bnc#1012382).
media: tm6000: add error handling for dvbregisteradapter (bnc#1012382).
media: uvcvideo: Support realtek's UVC 1.5 device (bnc#1012382).
media: v4l: event: Prevent freeing event subscriptions while accessed (bnc#1012382).
media: videobuf2-core: check for q->error in vb2coreqbuf() (bnc#1012382).
rpm/kernel-binary.spec.in: Only kernel-syzkaller needs gcc-devel (boo#1043591).
rpm/kernel-docs.spec.in: Expand kernel tree directly from sources (bsc#1057199)
rpm/kernel-docs.spec.in: Fix and cleanup for 4.13 doc build (bsc#1048129) The whole DocBook stuff has been deleted. The PDF build still non-working thus the sub-packaging disabled so far.
rpm/kernel-docs.spec.in: refresh dependencies for PDF build (bsc#1048129) But it still does not work with Tex Live 2017, thus disabled yet. Also add texlive-anyfontsize for HTML math handling.
rpm/kernel-module-subpackage: Generate proper supplements in the template ... instead of relying on find-provides.ksyms to do it (bsc#981083).
rpm/kernel-source.spec.in: Do not list deleted depdendency helpers (bsc#981083).
rpm/kernel-spec-macros: Try harder to detect Build Service environment (bsc#1078788)
rtc: bq4802: add error handling for devm_ioremap (bnc#1012382).
rtnl: limit IFLANUMTXQUEUES and IFLANUMRXQUEUES to 4096 (bnc#1012382).
s390/chsc: Add exception handler for CHSC instruction (git-fixes).