The SUSE Linux Enterprise 12 SP3 Azure kernel was updated to 4.4.162 to receive various security and bugfixes.
The following security bugs were fixed:
CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
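The truncating-cast pattern described for CVE-2018-18710, shown as an added, self-contained C analogue rather than the kernel's own cdrom.c code (the names slot_ok_vulnerable, slot_ok_fixed and CAPACITY are hypothetical):

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical analogue of the bug class: a device exposes CAPACITY slots
 * and an ioctl-style argument arrives as an unsigned long that is later
 * used to index a per-slot table. Not kernel code. */
#define CAPACITY 8

/* Vulnerable check: the argument is narrowed to int before the compare.
 * Values that do not fit in int wrap (e.g. 0xffffffff becomes -1), pass
 * the "< capacity" test, and would then index outside the table. */
bool slot_ok_vulnerable(unsigned long arg, int capacity)
{
    if ((int)arg >= capacity)   /* truncating cast defeats the bound */
        return false;
    return true;                /* negative/wrapped values slip through */
}

/* Hardened check: compare in the wider unsigned type so every value not
 * in [0, capacity) is rejected, including ones that would wrap on cast. */
bool slot_ok_fixed(unsigned long arg, int capacity)
{
    if (capacity <= 0 || arg >= (unsigned long)capacity)
        return false;
    return true;
}

int main(void)
{
    unsigned long crafted = 0xffffffffUL;   /* constructed out-of-range value */
    printf("arg=%#lx vulnerable=%d fixed=%d\n", crafted,
           slot_ok_vulnerable(crafted, CAPACITY),
           slot_ok_fixed(crafted, CAPACITY));
    printf("arg=3 vulnerable=%d fixed=%d\n",
           slot_ok_vulnerable(3UL, CAPACITY),
           slot_ok_fixed(3UL, CAPACITY));
    return 0;
}
```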
CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).
CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bnc#1108498).
CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the iSCSI target code in the way an authentication request from an iSCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on the compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service, or possibly to non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).
CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).
CVE-2018-16597: Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem (bnc#1106512).
CVE-2018-14613: There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c (bnc#1102896).
CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).
CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095 bnc#1115593).
CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1087209).
CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).
The following non-security bugs were fixed:
6lowpan: iphc: reset mac_header after decompress to fix panic (bnc#1012382).
alsa: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping (bnc#1012382).
alsa: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO (bnc#1012382).
alsa: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge (bnc#1012382).
alsa: hda - Fix cancel_work_sync() stall from jackpoll work (bnc#1012382).
Input: atmel_mxt_ts - only use first T9 instance (bnc#1012382).
Input: elantech - enable middle button of touchpad on ThinkPad P72 (bnc#1012382).
iommu/amd: Return devid as alias for ACPI HID devices (bsc#1106105).
iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register (bnc#1012382).
iommu/ipmmu-vmsa: Fix allocation in atomic context (bnc#1012382).
ip6_tunnel: be careful when accessing the inner header (bnc#1012382).
ipmi:ssif: Add support for multi-part transmit messages > 2 parts (bsc#1103308).
ip_tunnel: be careful when accessing the inner header (bnc#1012382).
ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() (bnc#1012382).
ipv6: fix possible use-after-free in ip6_xmit() (bnc#1012382).
ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() (bnc#1012382).
irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP (bnc#1012382).
irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar() (bnc#1012382).
iw_cxgb4: only allow 1 flush on user qps (bnc#1012382).
ixgbe: pci_set_drvdata must be called before register_netdev (Git-fixes bsc#1109923).
jffs2: return -ERANGE when xattr buffer is too small (bnc#1012382).
KABI: move the new handler to end of machdep_calls and hide it from genksyms (bsc#1094244).
kabi.pl: Consider GPL vs. non-GPL exports ()
kabi: protect hnae_ae_ops (bsc#1107924).
kABI: protect struct hnae_desc_cb (kabi).
kbuild: add .DELETE_ON_ERROR special target (bnc#1012382).
kbuild: make missing $DEPMOD a Warning instead of an Error (bnc#1012382).
kernel-{binary,docs}.spec sort dependencies.
kernel-binary: pass ARCH= to kernel build Recent kernel does not save CONFIG_64BIT so it has to be specified by arch.
kernel-binary: pass MAKE_ARGS to install script as well.
kernel-binary.spec Remove superfluous [].
kernel-binary: undefine unique_debug_names. Some tools do not understand names like usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug
kernel-obs-build.spec.in: add --no-hostonly-cmdline to dracut invocation (boo#1062303). Call dracut with --no-hostonly-cmdline to avoid the random rootfs UUID being added into the initrd's /etc/cmdline.d/95root-dev.conf
kernel-obs-build.spec.in: enable xfs module. This allows the public cloud team to build images with XFS as root filesystem
kernel-obs-build: use pae and lpae kernels where available (bsc#1073579).
kernel/params.c: downgrade warning for unsafe parameters (bsc#1050549).
kernel-source.spec: Align source numbering.
kernel-*.spec: remove remaining occurrences of %release from dependencies. There is a mix of %release and %source_rel in manually added dependencies, and the %release dependencies tend to fail due to rebuild sync issues. So get rid of them.
kprobes/x86: Release insn_slot in failure path (bsc#1110006).
kthread: fix boot hang (regression) on MIPS/OpenRISC (bnc#1012382).
kthread: Fix use-after-free if kthread fork fails (bnc#1012382).
KVM: nVMX: Do not expose MPX VMX controls when guest MPX disabled (bsc#1106240).
KVM: nVMX: Do not flush TLB when vmcs12 uses VPID (bsc#1106240).
KVM: PPC: Book3S HV: Do not truncate HPTE index in xlate function (bnc#1012382).
KVM: x86: Do not re-{try,execute} after failed emulation in L2 (bsc#1106240).
KVM: x86: Do not use kvm_x86_ops->mpx_supported() directly (bsc#1106240).
macros.kernel-source: define linux_arch for KMPs (boo#1098050). CONFIG_64BIT is no longer defined, so KMP spec files need to include %{?linux_make_arch} in any make call to build modules or descend into the kernel directory for any reason.
macros.kernel-source: Fix building non-x86 KMPs
macros.kernel-source: ignore errors when using make to print kernel release. There is no way to handle the errors anyway, and including the error in the package version does not give good results.
macros.kernel-source: pass -b properly in kernel module package (bsc#1107870).
macros.kernel-source: pass -f properly in module subpackage (boo#1076393).
md-cluster: clear another node's suspend_area after the copy is finished (bnc#1012382).
md/raid1: exit sync request if MD_RECOVERY_INTR is set (git-fixes).
md/raid5: fix data corruption of replacements after originals dropped (bnc#1012382).
media: af9035: prevent buffer overflow on write (bnc#1012382).
media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() (bnc#1012382).
media: fsl-viu: fix error handling in viu_of_probe() (bnc#1012382).
media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data (bnc#1012382).
media: omap_vout: Fix a possible null pointer dereference in omap_vout_open() (bsc#1050431).
media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power (bnc#1012382).
media: soc_camera: ov772x: correct setting of banding filter (bnc#1012382).
media: tm6000: add error handling for dvb_register_adapter (bnc#1012382).
media: uvcvideo: Support realtek's UVC 1.5 device (bnc#1012382).
media: v4l: event: Prevent freeing event subscriptions while accessed (bnc#1012382).
media: videobuf2-core: check for q->error in vb2_core_qbuf() (bnc#1012382).