The SUSE Linux Enterprise 15 for Azure kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
CVE-2017-18551: An issue was discovered in drivers/i2c/i2c-core-smbus.c. There was an out of bounds write in the function i2c_smbus_xfer_emulated (bnc#1146163).
CVE-2017-18595: A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c (bnc#1149555).
CVE-2018-20976: An issue was discovered in fs/xfs/xfs_super.c. A use after free exists, related to xfs_fs_fill_super failure (bnc#1146285).
CVE-2018-21008: A use-after-free could have been caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
CVE-2019-9456: In the Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have led to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1150025).
CVE-2019-9506: The Bluetooth BR/EDR specification up to and including version 5.1 permitted sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka 'KNOB') that could decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1137865 bnc#1146042).
CVE-2019-14814: There was a heap-based buffer overflow in the Marvell wifi chip driver that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).
CVE-2019-14816: There was a heap-based buffer overflow in the Marvell wifi chip driver that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).
CVE-2019-14821: An out-of-bounds access issue was found in the way the Linux kernel's KVM hypervisor implements the coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein the write indices 'ring->first' and 'ring->last' could be supplied by a host user-space process. An unprivileged host user or process with access to the '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350).
CVE-2019-14835: A buffer overflow flaw was found in the way the Linux kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host while migration is underway could have used this flaw to increase their privileges on the host (bnc#1150112).
CVE-2019-15030: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via a Facility Unavailable exception. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check (bnc#1149713).
CVE-2019-15031: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE was misused in arch/powerpc/kernel/process.c (bnc#1149713).
CVE-2019-15090: An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the qedi_dbg_* family of functions; there was an out-of-bounds read (bnc#1146399).
CVE-2019-15098: drivers/net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146378).
CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel mishandled a short descriptor, leading to out-of-bounds memory access (bnc#1145920).
CVE-2019-15118: check_input_term in sound/usb/mixer.c mishandled recursion, leading to kernel stack exhaustion (bnc#1145922).
CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory (bnc#1146519).
CVE-2019-15212: An issue was discovered in the Linux kernel. There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver (bnc#1146391 bnc#1146519).
CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c (bnc#1146550).
CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver (bnc#1146425).
CVE-2019-15216: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1146361).
CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver (bnc#1146547).
CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver (bnc#1146413).
CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver (bnc#1146524).
CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver (bnc#1146526).
CVE-2019-15221: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver (bnc#1146529).
CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver (bnc#1146531).
CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)
CVE-2019-15290: There was a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function (bsc#1146543).
CVE-2019-15291: There was a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver (bnc#1146540).
CVE-2019-15292: There was a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c (bnc#1146678).
CVE-2019-15538: An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel. XFS partially wedges when a chgrp fails on account of being out of disk quota, because xfs_setattr_nonsize failed to unlock the ILOCK after the xfs_qm_vop_chown_reserve call failed. This is primarily a local DoS attack vector, but it might also result in a remote DoS if the XFS filesystem is exported, for instance via NFS (bnc#1148093).
CVE-2019-15666: There was an out-of-bounds array access in __xfrm_policy_unlink, which could cause a denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandled directory validation (bnc#1148394).
CVE-2019-15902: Misuse of the upstream 'x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()' commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).
CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c (bnc#1149539).
CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free (bnc#1149552).
CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free (bnc#1149626).
CVE-2019-15921: There was a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c (bnc#1149602).
CVE-2019-15924: fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c had a NULL pointer dereference because there was no -ENOMEM upon an alloc_workqueue failure (bnc#1149612).
CVE-2019-15926: An out-of-bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c (bnc#1149527).
CVE-2019-15927: An issue was discovered in the Linux kernel. An out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c (bnc#1149522).
Revert 'scsi: ufs: disable vccq if it's not needed by UFS device' (git-fixes).
Revert i915 userptr page lock patch (bsc#1145051)
Revert patches.suse/0001-blk-wbt-Avoid-lock-contention-and-thundering-herd-is.patch (bsc#1141543) As we see stalls / crashes recently with the relevant code path, revert this patch tentatively.
SMB3.1.1 dialect is no longer experimental (bsc#1051510, bsc#1144333).
SMB3.1.1: Add GCM crypto to the encrypt and decrypt functions (bsc#1144333).
SMB311: Fix reconnect (bsc#1051510, bsc#1144333).
SMB311: Improve checking of negotiate security contexts (bsc#1051510, bsc#1144333).
SMB3: Add SMB3.1.1 GCM to negotiated crypto algorithms (bsc#1144333).
SMB3: Add defines for new negotiate contexts (bsc#1144333).
SMB3: Add handling for different FSCTL access flags (bsc#1144333).
SMB3: Add support for multidialect negotiate (SMB2.1 and later) (bsc#1051510, bsc#1144333).
SMB3: Allow SMB3 FSCTL queries to be sent to server from tools (bsc#1144333).
SMB3: Allow persistent handle timeout to be configurable on mount (bsc#1144333).
SMB3: Backup intent flag missing for directory opens with backupuid mounts (bsc#1051510, bsc#1144333).
SMB3: Backup intent flag missing from compounded ops (bsc#1144333).
SMB3: Clean up query symlink when reparse point (bsc#1144333).
SMB3: Do not ignore O_SYNC/O_DSYNC and O_DIRECT flags (bsc#1085536, bsc#1144333).
SMB3: Fix 3.11 encryption to Windows and handle encrypted smb3 tcon (bsc#1051510, bsc#1144333).
SMB3: Fix SMB3.1.1 guest mounts to Samba (bsc#1051510, bsc#1144333).
SMB3: Fix deadlock in validate negotiate hits reconnect (bsc#1144333).
cifs: Fix memory leak in smb2_set_ea() (bsc#1051510, bsc#1144333).
cifs: Fix missing put_xid in cifs_file_strict_mmap (bsc#1087092, bsc#1144333).
cifs: Fix potential OOB access of lock element array (bsc#1051510, bsc#1144333).
cifs: Fix separator when building path from dentry (bsc#1051510, bsc#1144333).
cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting (bsc#1144333).
cifs: Fix slab-out-of-bounds when tracing SMB tcon (bsc#1144333).
cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1051510, bsc#1144333).
cifs: Fix to use kmem_cache_free() instead of kfree() (bsc#1144333).
cifs: Fix use after free of a mid_q_entry (bsc#1112903, bsc#1144333).
cifs: Fix use-after-free in SMB2_read (bsc#1144333).
cifs: Fix use-after-free in SMB2_write (bsc#1144333).
cifs: Fix validation of signed data in smb2 (bsc#1144333).
cifs: Fix validation of signed data in smb3+ (bsc#1144333).
cifs: For SMB2 security information query, check for minimum sized security descriptor instead of sizeof FileAllInformation class (bsc#1051510, bsc#1144333).
cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) (bsc#1144333).
cifs: Limit memory used by lock request calls to a page (bsc#1144333).
cifs: Make devname param optional in cifs_compose_mount_options() (bsc#1144333).
cifs: Make sure all data pages are signed correctly (bsc#1144333).
cifs: Make use of DFS cache to get new DFS referrals (bsc#1144333).
cifs: Minor Kconfig clarification (bsc#1144333).
cifs: OFD locks do not conflict with each other (bsc#1051510, bsc#1144333).
cifs: Only free DFS target list if we actually got one (bsc#1144333).
cifs: Properly handle auto disabling of serverino option (bsc#1144333).
cifs: Refactor out cifs_mount() (bsc#1144333).
cifs: Save TTL value when parsing DFS referrals (bsc#1144333).
cifs: Select all required crypto modules (bsc#1085536, bsc#1144333).
jbd2: flush_descriptor(): Do not decrease buffer head's ref count (bsc#1143843).
jbd2: introduce jbd2_inode dirty range scoping (bsc#1148616).
kABI: Fix kABI for 'struct amd_iommu' (bsc#1145010).
kABI: media: em28xx: fix handler for vidiocsinput() (bsc#1051510). fixes kABI
kABI: media: em28xx: stop rewriting device's struct (bsc#1051510). fixes kABI
kabi/severities: Whitelist a couple of xive functions. xive_cleanup_irq_data and xive_native_populate_irq_data are exported by the xive interrupt controller driver and used by KVM. I do not expect any out-of-tree driver can sanely use these.
kasan: remove redundant initialization of variable 'real_size' (git fixes).
scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Do not corrupt vha->plogi_ack_list (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Downgrade driver to 10.01.00.19-k. There are upstream bug reports against 10.01.00.19-k which haven't been resolved. Also the newer version failed to get a proper review. For the time being it's better to go with the older version and not introduce new bugs.
scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Enable type checking for the SRB free and done callback functions (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Fix DMA error when the DIF sg buffer crosses 4GB boundary (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: ufs: Avoid runtime suspend possibly being blocked forever (git-fixes).
scsi: ufs: Check that space was properly alloced in copy_query_response (git-fixes).
scsi: ufs: Fix NULL pointer dereference in ufshcd_config_vreg_hpm() (git-fixes).
scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value (git-fixes).
scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 (git-fixes).
scsi: use dma_get_cache_alignment() as minimum DMA alignment (git-fixes).
scsi: virtio_scsi: do not send sc payload with tmfs (git-fixes).
scsi_transport_fc: complete requests from ->timeout (bsc#1142076).
sctp: change to hold sk after auth shkey is created successfully (networking-stable-19_07_02).
sctp: fix the transport error_count check (networking-stable-19_08_21).
secure boot lockdown: Fix-up backport of /dev/mem access restriction. The upstream-submitted patch set has evolved over time, align our patches (contents and description) to reflect the current status as far as /dev/mem access is concerned.
set CONFIG_FB_HYPERV=m to avoid conflict with efifb (bsc#1145134).
signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig (bsc#1144333).
sis900: fix TX completion (bsc#1051510).
sky2: Disable MSI on ASUS P6T (bsc#1142496).
sky2: Disable MSI on yet another ASUS boards (P6Xxxx) (bsc#1051510).
slip: make slhc_free() silently accept an error pointer (bsc#1051510).