The SUSE Linux Enterprise 12 SP3 kernel for Azure was updated to receive various security and bug fixes.
The following security bugs were fixed:
CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic was uninitialized (bnc#1116841).
CVE-2018-19985: The function hso_probe read if_num from the USB device (as a u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).
CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4 (bnc#1087082).
CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which made a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks) (bnc#1093158).
CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702).
CVE-2018-16884: NFS 4.1+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).
CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).
CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319).
CVE-2018-16862: A security flaw was found in the way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186).
CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
The following non-security bugs were fixed:
9p: clear dangling pointers in p9stat_free (bnc#1012382).
9p locks: fix glock.client_id leak in do_lock (bnc#1012382).
9p/net: put a lower bound on msize (bnc#1012382).
ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized pointer value (bsc#1121239).
ACPI/LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers (bnc#1012382).
ACPI/nfit, x86/mce: Handle only uncorrectable machine checks (bsc#1114648).
ACPI/nfit, x86/mce: Validate a MCE's address before using it (bsc#1114648).
ACPI/platform: Add SMB0001 HID to forbidden_id_list (bnc#1012382).
af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers (bnc#1012382).
ahci: do not ignore result code of ahci_reset_controller() (bnc#1012382).
aio: fix spectre gadget in lookup_ioctx (bnc#1012382).
aio: hold an extra file reference over AIO read/write operations (bsc#1116027).
ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write (bnc#1012382).
ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops (bnc#1012382).
ALSA: control: Fix race between adding and removing a user element (bnc#1012382).
ALSA: cs46xx: Potential NULL dereference in probe (bnc#1012382).