The SUSE Linux Enterprise 12 SP4 for Azure kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
CVE-2019-15291: There was a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver (bnc#1146540).
CVE-2019-14821: An out-of-bounds access issue was found in the way the Linux kernel's KVM hypervisor implements the coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, whose write indices 'ring->first' and 'ring->last' could be supplied by a host user-space process. An unprivileged host user or process with access to the '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350).
CVE-2017-18595: A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c (bnc#1149555).
CVE-2019-9506: The Bluetooth BR/EDR specification up to and including version 5.1 permitted sufficiently low encryption key lengths and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka 'KNOB') that could decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1137865 bnc#1146042).
CVE-2019-14835: A buffer overflow flaw was found in the way the Linux kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with an invalid length to the host while migration is underway could have used this flaw to increase their privileges on the host (bnc#1150112).
CVE-2019-15216: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1146361).
CVE-2019-15924: fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c had a NULL pointer dereference because there was no -ENOMEM upon an alloc_workqueue failure (bnc#1149612).
CVE-2019-9456: In the Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have led to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1150025).
CVE-2019-15031: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE was misused in arch/powerpc/kernel/process.c (bnc#1149713).
CVE-2019-15030: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via a Facility Unavailable exception. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check (bnc#1149713).
CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free (bnc#1149626).
CVE-2019-15921: There was a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c (bnc#1149602).
CVE-2018-21008: A use-after-free could have been caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free (bnc#1149552).
CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c (bnc#1149539).
CVE-2019-15926: An out-of-bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c (bnc#1149527).
CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit in the file sound/usb/mixer.c (bnc#1149522).
CVE-2019-15902: Misuse of the upstream 'x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()' commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).
CVE-2019-15666: There was an out-of-bounds array access in __xfrm_policy_unlink, which will cause a denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandled directory validation (bnc#1148394).
CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver (bnc#1146524).
CVE-2019-14814: There was a heap-based buffer overflow in the Marvell wifi chip driver that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).
CVE-2019-14815: There was a heap-based buffer overflow in the Marvell wifi chip driver that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bsc#1146514).
CVE-2019-14816: There was a heap-based buffer overflow in the Marvell wifi chip driver that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).
CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver (bnc#1146526).
CVE-2019-15538: An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel: XFS partially wedges when a chgrp fails on account of being out of disk quota, because xfs_setattr_nonsize fails to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might also result in a remote DoS if the XFS filesystem is exported, for instance via NFS (bnc#1148093).
CVE-2019-15290: There was a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function (bsc#1146543).
CVE-2019-15098: drivers/net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146378).
CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation (bsc#1146589).
CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver (bnc#1146391).
CVE-2019-15292: There was a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c (bnc#1146678).
CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver (bnc#1146547).
CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory (bnc#1146519).
CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c (bnc#1146550).
CVE-2019-15221: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver (bnc#1146529).
CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver (bnc#1146531).
CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver (bnc#1146413).
CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver (bnc#1146425).
CVE-2019-15090: An issue was discovered in drivers/scsi/qedi/qedi_dbg.c: in the qedi_dbg_* family of functions, there was an out-of-bounds read (bnc#1146399).
CVE-2018-20976: An issue was discovered in fs/xfs/xfs_super.c. A use-after-free existed, related to xfs_fs_fill_super failure (bnc#1146285).
CVE-2017-18551: An issue was discovered in drivers/i2c/i2c-core-smbus.c. There was an out-of-bounds write in the function i2c_smbus_xfer_emulated (bnc#1146163).
CVE-2019-15118: check_input_term in sound/usb/mixer.c mishandled recursion, leading to kernel stack exhaustion (bnc#1145922).
CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c mishandled a short descriptor, leading to out-of-bounds memory access (bnc#1145920).
CVE-2019-10207: Fix a NULL pointer dereference in hci_uart bluetooth driver (bsc#1142857 bsc#1123959).
cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1051510, bsc#1144333).
cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() (bsc#1144333).
cifs: Fix to use kmem_cache_free() instead of kfree() (bsc#1144333).
cifs: Fix trace command logging for SMB2 reads and writes (bsc#1144333).
cifs: fix typo in cifs_dbg (bsc#1144333).
cifs: fix typo in debug message with struct field ia_valid (bsc#1144333).
cifs: fix uninitialized ptr deref in smb2 signing (bsc#1144333).
cifs: Fix use-after-free in SMB2_read (bsc#1144333).
cifs: Fix use-after-free in SMB2_write (bsc#1144333).
cifs: Fix use after free of a mid_q_entry (bsc#1112903, bsc#1144333).
cifs: fix use-after-free of the lease keys (bsc#1144333).
cifs: Fix validation of signed data in smb2 (bsc#1144333).
cifs: Fix validation of signed data in smb3+ (bsc#1144333).
cifs: fix wrapping bugs in num_entries() (bsc#1051510, bsc#1144333).
cifs: flush before set-info if we have writeable handles (bsc#1144333).
cifs: For SMB2 security information query, check for minimum sized security descriptor instead of sizeof FileAllInformation class (bsc#1051510, bsc#1144333).
cifs: handle large EA requests more gracefully in smb2+ (bsc#1144333).
jbd2: flush_descriptor(): Do not decrease buffer head's ref count (bsc#1143843).
jbd2: introduce jbd2_inode dirty range scoping (bsc#1148616).
kABI: Fix kABI for 'struct amd_iommu' (bsc#1145010).
kABI: media: em28xx: fix handler for vidioc_s_input() (bsc#1051510). Fixes kABI.
kABI: media: em28xx: stop rewriting device's struct (bsc#1051510). Fixes kABI.
kabi/severities: Whitelist a couple of xive functions. xive_cleanup_irq_data and xive_native_populate_irq_data are exported by the xive interrupt controller driver and used by KVM. I do not expect any out-of-tree driver can sanely use these.
kasan: remove redundant initialization of variable 'real_size' (git fixes).
scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Do not corrupt vha->plogi_ack_list (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Downgrade driver to 10.01.00.19-k. There are upstream bug reports against 10.01.00.19-k which haven't been resolved. Also, the newer version failed to get a proper review. For the time being it's better to go with the older version and not introduce new bugs.
scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Enable type checking for the SRB free and done callback functions (bsc#1123034 bsc#1131304 bsc#1127988).
scsi_transport_fc: complete requests from ->timeout (bsc#1142076).
scsi: ufs: Avoid runtime suspend possibly being blocked forever (git-fixes).
scsi: ufs: Check that space was properly alloced in copy_query_response (git-fixes).
scsi: ufs: Fix NULL pointer dereference in ufshcd_config_vreg_hpm() (git-fixes).
scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value (git-fixes).
scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 (git-fixes).
scsi: use dma_get_cache_alignment() as minimum DMA alignment (git-fixes).
scsi: virtio_scsi: do not send sc payload with tmfs (git-fixes).
sctp: change to hold sk after auth shkey is created successfully (networking-stable-19_07_02).
sctp: fix the transport error_count check (networking-stable-19_08_21).
secure boot lockdown: Fix-up backport of /dev/mem access restriction. The upstream-submitted patch set has evolved over time, align our patches (contents and description) to reflect the current status as far as /dev/mem access is concerned.