The SUSE Linux Enterprise 15 kernel for Azure was updated to receive various security and bugfixes.
The following security bugs were fixed:
CVE-2018-9568: In skclonelock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).
CVE-2018-12232: In net/socket.c there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sockclose and sockfssetattr functions. fchownat did not increment the file descriptor reference count, which allowed close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash (bnc#1097593).
CVE-2018-14625: A flaw was found where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AFVSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AFVSOCK messages destined to other clients (bnc#1106615).
CVE-2018-16862: A security flaw was found in the way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186).
CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bcsvcprocess() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).
CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
CVE-2018-18397: The userfaultfd implementation mishandled access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c (bnc#1117656).
CVE-2018-19407: The vcpuscanioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).
CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usbaudioprobe in sound/usb/card.c (bnc#1118152).
CVE-2018-19854: An issue was discovered in the cryptoreportone() and related functions in crypto/cryptouser.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker did not need a capability (however, the system must have the CONFIGCRYPTO_USER kconfig option) (bnc#1118428).
CVE-2018-19985: The function hsoprobe read ifnum from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hsoprobe or hsogetconfigdata that could be used by local attackers (bnc#1120743).
CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to _usbgetextradescriptor in drivers/usb/core/usb.c (bnc#1119714).
The following non-security bugs were fixed:
ACPI/APEI: Handle GSIV and GPIO notification types (bsc#1115567).
ACPICA: Tables: Add WSMT support (bsc#1089350).
ACPI / CPPC: Check for valid PCC subspace only if PCC is used (bsc#1117115).
ACPI / CPPC: Update all pr_(debug/err) messages to log the susbspace id (bsc#1117115).
ACPI/IORT: Fix iortgetplatformdevicedomain() uninitialized pointer value (bsc#1051510).
ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers (bsc#1051510).
ACPI, nfit: Fix ARS overflow continuation (bsc#1116895).
ACPI/nfit, x86/mce: Handle only uncorrectable machine checks (bsc#1114279).
ACPI/nfit, x86/mce: Validate a MCE's address before using it (bsc#1114279).
ACPI / platform: Add SMB0001 HID to forbiddenidlist (bsc#1051510).
Btrfs: renumber BTRFSINODE runtime flags and switch to enums (bsc#1111469).
Btrfs: reserve space for O_TMPFILE orphan item deletion (bsc#1111469).
Btrfs: run delayed items before dropping the snapshot (bsc#1121263, bsc#1111188).
Btrfs: send, fix infinite loop due to directory rename dependencies (bsc#1118138).
Btrfs: stop creating orphan items for truncate (bsc#1111469).
Btrfs: tree-checker: Do not check max block group size as current max chunk size limit is unreliable (fixes for bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875).
Btrfs: update stale comments referencing vmtruncate() (bsc#1111469).
cachefiles: fix the race between cachefilesburyobject() and rmdir(2) (bsc#1051510).
can: dev: _cangetechoskb(): Do not crash the kernel if canpriv::echoskb is accessed out of bounds (bsc#1051510).
can: dev: cangetechoskb(): factor out non sending code to _cangetecho_skb() (bsc#1051510).
can: dev: _cangetechoskb(): print error message, if trying to echo non existing skb (bsc#1051510).
can: dev: _cangetechoskb(): replace struct canframe by canfdframe to access frame length (bsc#1051510).
extable: Enable RCU if it is not watching in kerneltextaddress() (bsc#1120092).
fbdev: fbcon: Fix unregister crash when more than one framebuffer (bsc#1113722)
fbdev: fbmem: behave better with small rotated displays and many CPUs (bsc#1113722)
fbdev: fix broken menu dependencies (bsc#1113722)
firmware: add firmwarerequestnowarn() - load firmware without warnings ().
firmware: dcdbas: Add support for WSMT ACPI table (bsc#1089350 ).
firmware: dcdbas: include linux/io.h (bsc#1089350).
Fix kABI for 'Ensure we commit after writeback is complete' (bsc#1111809).
Fix the breakage of KMP build on x86_64 (bsc#1121017) The backport of the commit 4cd24de3a098 broke KMP builds because of the failure of make kernelrelease call in spec file. Clear the blacklist and backport the fix from the upstream.
Fix tracing sample code warning (git-fixes).
floppy: fix race condition in _floppyreadblock0() (bsc#1051510).
flowdissector: do not dissect l4 ports for fragments (networking-stable-1811_21).
fscache: fix race between enablement and dropping of object (bsc#1107385).
fscache: Fix race in fscacheopcomplete() due to split atomic_sub & read (Git-fixes).
fscache: Pass the correct cancelled indications to fscacheopcomplete() (Git-fixes).
fs: fix lost error code in dio_complete (bsc#1118762).
fs: Make extension of struct super_block transparent (bsc#1117822).
fsnotify: Fix busy inodes during unmount (bsc#1117822).
fsnotify: fix ignore mask logic in fsnotify() (bsc#1115074).
fs/xfs: Use %pS printk format for direct addresses (git-fixes).
ftrace: Fix debug preempt config name in stacktracer{en,dis}able (bsc#1117172).
ftrace: Fix kmemleak in unregisterftracegraph (bsc#1117181).
ftrace: Fix memleak when unregistering dynamic ops when tracing disabled (bsc#1117174).
ftrace: Remove incorrect setting of glob search field (bsc#1117184).
fuse: fix blocked_waitq wakeup (git-fixes).
fuse: fix leaked notify reply (git-fixes).
fuse: fix possibly missed wake-up after abort (git-fixes).
fuse: Fix use-after-free in fusedevdo_read() (git-fixes).
fuse: Fix use-after-free in fusedevdo_write() (git-fixes).
fuse: fix use-after-free in fusedirectIO() (git-fixes).
fuse: set FR_SENT while locked (git-fixes).
gcc-plugins: Add include required by GCC release 8 (git-fixes).
gcc-plugins: Use dynamic initializers (git-fixes).
genirq: Fix race on spurious interrupt detection (bsc#1051510).
gfs2: Do not leave sfsinfo pointing to freed memory in init_sbd (bsc#1118769).
gfs2: Fix loop in gfs2rbmfind (bsc#1120601).
gfs2: Get rid of potential double-freeing in gfs2createinode (bsc#1120600).
gfs2meta: ->mount() can get NULL devname (bsc#1118768).
gfs2: Put bitmap buffers in put_super (bsc#1118772).
git_sort.py: Remove non-existent remote tj/libata
gpio: davinci: Remove unused member of davincigpiocontroller (git-fixes).
gpio: do not free unallocated ida on gpiochipadddatawithkey() error path (bsc#1051510).
gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers (bsc#1051510).
gpiolib: Fix return value of gpiotodesc() stub if !GPIOLIB (bsc#1051510).
gpio: max7301: fix driver for use with CONFIGVMAPSTACK (bsc#1051510).
gpio: mvebu: only fail on missing clk if pwm is actually to be used (bsc#1051510).
grace: replace BUGON by WARNONCE in exit_net hook (git-fixes).
gsosegment: Reset skb->maclen after modifying network header (networking-stable-180924).
HID: Add quirk for Primax PIXART OEM mice (bsc#1119410).
PCI/ASPM: Do not initialize link state when aspm_disabled is set (bsc#1051510).
PCI: Convert device-specific ACS quirks from NULL termination to ARRAY_SIZE (bsc#1120058).
PCI: Delay after FLR of Intel DC P3700 NVMe (bsc#1120058).
PCI: Disable Samsung SM961/PM961 NVMe before FLR (bsc#1120058).
PCI: dwc: remove duplicate fix References: bsc#1115269 Patch has been already applied by the following commit: 9f73db8b7c PCI: dwc: Fix enumeration end when reaching root subordinate (bsc#1051510)
PCI: Export pciehasflr() (bsc#1120058).
PCI: hv: Use effective affinity mask (bsc#1109772).
PCI: imx6: Fix link training status detection in link up check (bsc#1109806).
PCI: iproc: Activate PAXC bridge quirk for more devices (bsc#1120058).
PCI: iproc: Remove PAXC slot check to allow VF support (bsc#1109806).
PCI: Mark Ceton InfiniTV4 INTx masking as broken (bsc#1120058).
PCI: Mark fall-through switch cases before enabling -Wimplicit-fallthrough (bsc#1120058).
PCI: Mark Intel XXV710 NIC INTx masking as broken (bsc#1120058).
PCI/MSI: Warn and return error if driver enables MSI/MSI-X twice (bsc#1051510).
PCI: vmd: Assign vector zero to all bridges (bsc#1109806).
PCI: vmd: Detach resources after stopping root bus (bsc#1109806).
PCI: vmd: White list for fast interrupt handlers (bsc#1109806).
pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges (bsc#1051510).
percpu: make thiscpugeneric_read() atomic w.r.t. interrupts (bsc#1114279).
perf: fix invalid bit in diagnostic entry (git-fixes).
Revert 'usb: dwc3: gadget: skip Set/Clear Halt when invalid' (bsc#1051510).
Revert wlcore patch to follow stable tree develpment
ring-buffer: Allow for rescheduling when removing pages (bsc#1120238).
ring-buffer: Do no reuse reader page if still in use (bsc#1120096).
ring-buffer: Mask out the info bits when returning buffer page length (bsc#1120094).
rpm/kernel-binary.spec.in: add macros.s into kernel--devel Starting with 4.20-rc1, file arch//kernel/macros.s is needed to build out of tree modules. Add it to kernel-${flavor}-devel packages if it exists.
rpm/kernel-binary.spec.in: allow unsupported modules for -extra (bsc#1111183). SLE-15 and later only.
rpm: use syncconfig instead of silentoldconfig where available Since mainline commit 0085b4191f3e ('kconfig: remove silentoldconfig target'), 'make silentoldconfig' can be no longer used. Use 'make syncconfig' instead if available.
rtc: hctosys: Add missing range error reporting (bsc#1051510).
rtc: m41t80: Correct alarm month range with RTC reads (bsc#1051510).
rtc: pcf2127: fix a kmemleak caused in pcf2127i2cgather_write (bsc#1051510).
rtc: snvs: Add timeouts to avoid kernel lockups (bsc#1051510).
rtl8xxxu: Fix missing break in switch (bsc#1051510).
rtnetlink: Disallow FDB configuration for non-Ethernet device (networking-stable-181102).
rtnetlink: fix rtnlfdbdump() for ndmsg header (networking-stable-181016).
rtnl: limit IFLANUMTXQUEUES and IFLANUMRXQUEUES to 4096 (networking-stable-181016).
s390/cpum_sf: Add data entry sizes to sampling trailer entry (git-fixes).
s390/dasd: simplify locking in dasdtimesout (bsc#1104967,).