The SUSE Linux Enterprise 15 SP1 Azure kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
CVE-2017-18551: An issue was discovered in drivers/i2c/i2c-core-smbus.c. There was an out of bounds write in the function i2c_smbus_xfer_emulated (bnc#1146163).
CVE-2017-18595: A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c (bnc#1149555).
CVE-2018-20976: An issue was discovered in fs/xfs/xfs_super.c. A use after free exists, related to xfs_fs_fill_super failure (bnc#1146285).
CVE-2018-21008: A use-after-free could have been caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
CVE-2019-10207: A local denial of service using HCIUARTSETPROTO/HCIUARTMRVL was fixed (bnc#1123959 bnc#1142857).
CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service (bnc#1132686 bnc#1137586).
CVE-2019-14814: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).
CVE-2019-14816: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).
CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel's KVM hypervisor implements the coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350).
CVE-2019-14835: A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could have used this flaw to increase their privileges on the host (bnc#1150112).
CVE-2019-15030: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via a Facility Unavailable exception. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check (bnc#1149713).
CVE-2019-15031: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE was misused in arch/powerpc/kernel/process.c (bnc#1149713).
CVE-2019-15090: An issue was discovered in drivers/scsi/qedi/qedi_dbg.c: in the qedi_dbg_* family of functions there is an out-of-bounds read (bnc#1146399).
CVE-2019-15098: drivers/net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146378).
CVE-2019-15099: drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146368).
CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel mishandled a short descriptor, leading to out-of-bounds memory access (bnc#1145920).
CVE-2019-15118: check_input_term in sound/usb/mixer.c mishandled recursion, leading to kernel stack exhaustion (bnc#1145922).
CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory (bnc#1146519).
CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver (bnc#1146391).
CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c (bnc#1146550).
CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver (bnc#1146425).
CVE-2019-15216: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1146361).
CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver (bnc#1146547).
CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver (bnc#1146413).
CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver (bnc#1146524).
CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver (bnc#1146526).
CVE-2019-15221: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver (bnc#1146529).
CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver (bnc#1146531).
CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)
CVE-2019-15290: There was a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function (bsc#1146543).
CVE-2019-15291: There was a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver (bnc#1146540).
CVE-2019-15292: There was a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c (bnc#1146678).
CVE-2019-15538: An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel. XFS partially wedges when a chgrp fails on account of being out of disk quota: xfs_setattr_nonsize failed to unlock the ILOCK after the xfs_qm_vop_chown_reserve call failed. This is primarily a local DoS attack vector, but it might also result in remote DoS if the XFS filesystem is exported, for instance via NFS (bnc#1148093).
CVE-2019-15666: There was an out-of-bounds array access in __xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandled directory validation (bnc#1148394).
CVE-2019-15902: Misuse of the upstream 'x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()' commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).
CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c (bnc#1149539).
CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free (bnc#1149552).
CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free. (bnc#1149626).
CVE-2019-15921: There was a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c (bnc#1149602).
CVE-2019-15924: fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c had a NULL pointer dereference because there was no -ENOMEM upon an alloc_workqueue failure (bnc#1149612).
CVE-2019-15926: An out-of-bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c (bnc#1149527).
CVE-2019-15927: An issue was discovered in the Linux kernel: an out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c (bnc#1149522).
CVE-2019-9456: In the Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have led to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1150025).
CVE-2019-9506: The Bluetooth BR/EDR specification up to and including version 5.1 permitted sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka 'KNOB') that could decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1137865 bnc#1146042).
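Added example for the CVE-2019-11477 entry above (this is illustration code written for this page, not kernel code and not part of the advisory): a user-space C model of the 16-bit segment-count overflow and of the kind of guard a fix has to add before coalescing SACKed segments. The struct, the function names and the eight-by-10000-segment input are constructed for the demonstration; only the facts that the count field is a u16 and that coalescing sums the counts come from the entry.

```c
/* Added example: user-space model of the CVE-2019-11477 segment-count overflow.
 * Not kernel code; struct, function names and inputs are constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* The real field, TCP_SKB_CB(skb)->tcp_gso_segs, is a u16: 65535 is the ceiling. */
#define MODEL_MAX_GSO_SEGS 0xFFFFu

struct model_skb {
    uint16_t gso_segs;   /* models the u16 per-skb segment count */
    uint32_t len;        /* payload bytes, for illustration only */
};

/* Pre-fix behaviour: sum the counts in 16-bit arithmetic, which wraps silently. */
static void merge_unguarded(struct model_skb *to, const struct model_skb *from)
{
    to->gso_segs = (uint16_t)(to->gso_segs + from->gso_segs);
    to->len += from->len;
}

/* Guarded merge: refuse when the combined count would not fit in 16 bits.
 * Returns 1 if merged, 0 if refused (the two skbs then stay separate). */
static int merge_guarded(struct model_skb *to, const struct model_skb *from)
{
    if ((uint32_t)to->gso_segs + from->gso_segs > MODEL_MAX_GSO_SEGS)
        return 0;
    to->gso_segs = (uint16_t)(to->gso_segs + from->gso_segs);
    to->len += from->len;
    return 1;
}

/* Coalesce skbs[1..n-1] into skbs[0], stopping at the first refusal.
 * Returns how many skbs were merged into skbs[0]. */
static size_t coalesce_run(struct model_skb *skbs, size_t n, int guarded)
{
    size_t merged = 0;
    for (size_t i = 1; i < n; i++) {
        if (guarded) {
            if (!merge_guarded(&skbs[0], &skbs[i]))
                break;
        } else {
            merge_unguarded(&skbs[0], &skbs[i]);
        }
        merged++;
    }
    return merged;
}

/* Constructed scenario: eight SACKed skbs of 10000 segments each, 80000 in total,
 * which is more than a u16 can represent. */
#define DEMO_COUNT 8
#define DEMO_SEGS  10000u

static void demo_fill(struct model_skb *skbs)
{
    for (size_t i = 0; i < DEMO_COUNT; i++) {
        skbs[i].gso_segs = DEMO_SEGS;
        skbs[i].len = DEMO_SEGS * 1448u;
    }
}

/* Segment count left in skbs[0] after the run (14464 unguarded, 60000 guarded). */
static unsigned demo_final_segs(int guarded)
{
    struct model_skb skbs[DEMO_COUNT];
    demo_fill(skbs);
    coalesce_run(skbs, DEMO_COUNT, guarded);
    return skbs[0].gso_segs;
}

/* Number of skbs merged into skbs[0] (7 unguarded, 5 guarded). */
static size_t demo_merged_count(int guarded)
{
    struct model_skb skbs[DEMO_COUNT];
    demo_fill(skbs);
    return coalesce_run(skbs, DEMO_COUNT, guarded);
}

int main(void)
{
    printf("unguarded: merged %zu skbs, count field now %u (80000 wrapped mod 65536)\n",
           demo_merged_count(0), demo_final_segs(0));
    printf("guarded:   merged %zu skbs, count field %u, rest left separate\n",
           demo_merged_count(1), demo_final_segs(1));
    return 0;
}
```

The unguarded run ends with a count field that describes 80000 segments as 14464, which is the inconsistency a peer can provoke with crafted SACKs; the guarded run stops at 60000 and leaves the remaining skbs unmerged rather than letting the field wrap.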
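Added example for the CVE-2019-14821 entry above (illustration code written for this page, not the KVM implementation and not part of the advisory): a user-space C model of a coalesced-MMIO ring whose 'first' and 'last' indices come from an untrusted process, with the unchecked write shape beside a write that validates the index before using it. The ring size, struct layout, addresses and payload are constructed; the point that 'ring->last' must be range-checked because user space can set it arbitrarily is what the entry states.

```c
/* Added example: user-space model of the CVE-2019-14821 bounds check on a
 * coalesced-MMIO ring. Not kernel code; names, sizes and values are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_RING_MAX 8   /* stands in for the ring capacity; small for the demo */

struct model_mmio_entry {
    uint64_t phys_addr;
    uint32_t len;
    uint8_t  data[8];
};

/* In KVM this ring lives in a page the host user-space process maps read/write,
 * so first and last arrive as untrusted input, not as kernel-owned state. */
struct model_mmio_ring {
    uint32_t first;
    uint32_t last;
    struct model_mmio_entry entries[MODEL_RING_MAX];
};

/* Space check: unsigned wrap plus the modulo keep the result below
 * MODEL_RING_MAX whatever first holds, and first is never used as an index. */
static int ring_has_room(const struct model_mmio_ring *ring, uint32_t last)
{
    uint32_t avail = (ring->first - last - 1u) % MODEL_RING_MAX;
    return avail != 0;
}

/* Pre-fix shape: last is used as an array index with no range check.
 * With last >= MODEL_RING_MAX this writes past entries[]; never call it that way. */
static int ring_write_unchecked(struct model_mmio_ring *ring, uint64_t addr,
                                uint32_t len, const void *val)
{
    uint32_t insert = ring->last;
    if (len > sizeof(ring->entries[0].data) || !ring_has_room(ring, insert))
        return -EOPNOTSUPP;
    struct model_mmio_entry *e = &ring->entries[insert];   /* OOB if insert >= MAX */
    e->phys_addr = addr;
    e->len = len;
    memcpy(e->data, val, len);
    ring->last = (insert + 1u) % MODEL_RING_MAX;
    return 0;
}

/* Hardened shape: read last exactly once (user space may change it while we run)
 * and reject the snapshot if it cannot index entries[]. */
static int ring_write_checked(struct model_mmio_ring *ring, uint64_t addr,
                              uint32_t len, const void *val)
{
    uint32_t insert = ring->last;   /* single read; every later use is of this copy */
    if (len > sizeof(ring->entries[0].data))
        return -EINVAL;
    if (insert >= MODEL_RING_MAX || !ring_has_room(ring, insert))
        return -EOPNOTSUPP;
    struct model_mmio_entry *e = &ring->entries[insert];
    e->phys_addr = addr;
    e->len = len;
    memcpy(e->data, val, len);
    ring->last = (insert + 1u) % MODEL_RING_MAX;
    return 0;
}

static const uint8_t demo_val[4] = { 0xde, 0xad, 0xbe, 0xef };   /* constructed payload */

/* Scenario 1: well-formed ring. Returns 1 if the entry landed at index 0 and last advanced. */
static int scenario_fresh_write(void)
{
    struct model_mmio_ring ring;
    memset(&ring, 0, sizeof(ring));
    if (ring_write_checked(&ring, 0xfed00000u, 4, demo_val) != 0)
        return 0;
    return ring.last == 1 && ring.entries[0].phys_addr == 0xfed00000u
        && ring.entries[0].len == 4;
}

/* Scenario 2: user space has set last far beyond the array. Note that
 * ring_has_room() alone still reports space, so only the index check stops it. */
static int scenario_hostile_last(void)
{
    struct model_mmio_ring ring;
    memset(&ring, 0, sizeof(ring));
    ring.last = 1000;   /* unchecked shape would write 1000 entries past the array */
    return ring_write_checked(&ring, 0xfed00000u, 4, demo_val);
}

/* Scenario 3: ring full (last one slot behind first). Returns the write's result. */
static int scenario_full_ring(void)
{
    struct model_mmio_ring ring;
    memset(&ring, 0, sizeof(ring));
    ring.last = MODEL_RING_MAX - 1;
    return ring_write_checked(&ring, 0xfed00000u, 4, demo_val);
}

int main(void)
{
    struct model_mmio_ring ring;
    memset(&ring, 0, sizeof(ring));
    printf("unchecked, valid ring: rc=%d\n", ring_write_unchecked(&ring, 0xfed00000u, 4, demo_val));
    printf("checked, fresh ring:   %s\n", scenario_fresh_write() ? "written at index 0" : "failed");
    printf("checked, hostile last: rc=%d (-EOPNOTSUPP is %d)\n", scenario_hostile_last(), -EOPNOTSUPP);
    printf("checked, full ring:    rc=%d\n", scenario_full_ring());
    return 0;
}
```

Two details are worth keeping when writing the real thing: the index is copied out of shared memory once and only the copy is validated and used, so a concurrent writer cannot change it between check and use, and the availability arithmetic is written so that 'first' never becomes an index, which is why only 'last' needs the explicit range check.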
cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1051510, bsc#1144333).
cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() (bsc#1144333).
cifs: Fix to use kmem_cache_free() instead of kfree() (bsc#1144333).
cifs: Fix trace command logging for SMB2 reads and writes (bsc#1144333).
cifs: fix typo in cifs_dbg (bsc#1144333).
cifs: fix typo in debug message with struct field ia_valid (bsc#1144333).
cifs: fix uninitialized ptr deref in smb2 signing (bsc#1144333).
cifs: Fix use-after-free in SMB2_read (bsc#1144333).
cifs: Fix use-after-free in SMB2_write (bsc#1144333).
cifs: Fix use after free of a mid_q_entry (bsc#1112903, bsc#1144333).
cifs: fix use-after-free of the lease keys (bsc#1144333).
cifs: Fix validation of signed data in smb2 (bsc#1144333).
cifs: Fix validation of signed data in smb3+ (bsc#1144333).
cifs: fix wrapping bugs in num_entries() (bsc#1051510, bsc#1144333).
cifs: flush before set-info if we have writeable handles (bsc#1144333).
cifs: For SMB2 security information query, check for minimum sized security descriptor instead of sizeof FileAllInformation class (bsc#1051510, bsc#1144333).
cifs: handle large EA requests more gracefully in smb2+ (bsc#1144333).
RDMA/hns: Modify ba page size for cqe (bsc#1104427).
RDMA/hns: Remove set but not used variable 'fclr_write_fail_flag' (bsc#1104427).
RDMA/hns: Remove unnecessary print message in aeq (bsc#1104427).
RDMA/hns: Replace magic numbers with #defines (bsc#1104427).
RDMA/hns: reset function when removing module (bsc#1104427).
RDMA/hns: Set reset flag when hw resetting (bsc#1104427).
RDMA/hns: Use %pK format pointer print (bsc#1104427 ).
refresh: soc: fsl: guts: Add definition for LX2160A ().
regmap: fix bulk writes on paged registers (bsc#1051510).
regulator: lm363x: Fix off-by-one n_voltages for lm3632 ldo_vpos/ldo_vneg (bsc#1051510).
regulator: qcom_spmi: Fix math of spmi_regulator_set_voltage_time_sel (bsc#1051510).
Remove ifdef since SMB3 (and later) now STRONGLY preferred (bsc#1051510, bsc#1144333).
Revert 'Bluetooth: validate BLE connection interval updates' (bsc#1051510).
Revert 'cfg80211: fix processing world regdomain when non modular' (bsc#1051510).
Revert 'dm bufio: fix deadlock with loop device' (git fixes).
Revert i915 userptr page lock patch (bsc#1145051) This patch potentially causes a deadlock between kcompactd, as reported on 5.3-rc3. Revert it until a proper fix is found.
Revert 'mwifiex: fix system hang problem after resume' (bsc#1051510).
Revert 'net: ena: ethtool: add extra properties retrieval via get_priv_flags' (bsc#1139020 bsc#1139021).
Revert patches.suse/0001-blk-wbt-Avoid-lock-contention-and-thundering-herd-is.patch (bsc#1141543) As we see stalls / crashes recently with the relevant code path, revert this patch tentatively.
Revert 'scsi: prefix header search paths with $(srctree)/' (bsc#1136346). This reverts commit 5f679430713da59f5367aa9499e544e6187ac17c. Reverting this commit fixes the build for me.
Revert 'scsi: ufs: disable vccq if it's not needed by UFS device' (git-fixes).
rpmsg: added MODULE_ALIAS for rpmsg_char (bsc#1051510).
rpmsg: smd: do not use managed resources for endpoints and channels (bsc#1051510).
rpmsg: smd: fix memory leak on channel create (bsc#1051510).
rsi: improve kernel thread handling to fix kernel panic (bsc#1051510).
rslib: Fix decoding of shortened codes (bsc#1051510).
rslib: Fix handling of caller provided syndrome (bsc#1051510).
rtc: pcf8523: do not return invalid date when battery is low (bsc#1051510).
rtc: pcf8563: Clear event flags and disable interrupts before requesting irq (bsc#1051510).
scsi: qla2xxx: Declare the fourth ql_dump_buffer() argument const (bsc#1143706).
scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe (bsc#1082635 bsc#1141340 bsc#1143706).
scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Do not corrupt vha->plogi_ack_list (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Do not corrupt vha->plogi_ack_list (bsc#1143706).
scsi: qla2xxx: Downgrade driver to 10.01.00.19-k. There are upstream bug reports against 10.01.00.19-k which haven't been resolved. Also the newer version failed to get a proper review. For the time being it is better to go with the older version and not introduce new bugs.
scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Enable type checking for the SRB free and done callback functions (bsc#1123034 bsc#1131304 bsc#1127988).
scsi: qla2xxx: Enable type checking for the SRB free and done callback functions (bsc#1143706).
scsi_transport_fc: complete requests from ->timeout (bsc#1142076).
scsi: ufs: Avoid runtime suspend possibly being blocked forever (git-fixes).
scsi: ufs: Check that space was properly alloced in copy_query_response (git-fixes).
scsi: ufs: Fix NULL pointer dereference in ufshcd_config_vreg_hpm() (git-fixes).
scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value (git-fixes).
scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 (git-fixes).
scsi: use dma_get_cache_alignment() as minimum DMA alignment (git-fixes).
scsi: virtio_scsi: do not send sc payload with tmfs (git-fixes).
sctp: change to hold sk after auth shkey is created successfully (networking-stable-190702).
sctp: fix the transport error_count check (networking-stable-19_08_21).
sdhci-fujitsu: add support for setting the CMD_DAT_DELAY attribute (bsc#1145256).
secure boot lockdown: Fix-up backport of /dev/mem access restriction The upstream-submitted patch set has evolved over time, align our patches (contents and description) to reflect the current status as far as /dev/mem access is concerned.