SUSE-SU-2023:2805-1

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2017-5753: Fixed spectre vulnerability in prlimit (bsc#1209256).
• CVE-2022-3566: Fixed race condition in the TCP Handler (bsc#1204405).
• CVE-2022-45884: Fixed a use-after-free in dvbdev.c, related to dvbregisterdevice dynamically allocating fops (bsc#1205756).
• CVE-2022-45885: Fixed a race condition in dvb_frontend.c that could cause a use-after-free when a device is disconnected (bsc#1205758).
• CVE-2022-45886: Fixed a .disconnect versus dvbdeviceopen race condition in dvb_net.c that lead to a use-after-free (bsc#1205760).
• CVE-2022-45887: Fixed a memory leak in ttusbdec.c caused by the lack of a dvbfrontend_detach call (bsc#1205762).
• CVE-2022-45919: Fixed a use-after-free in dvbcaen50221.c that could occur if there is a disconnect after an open, because of the lack of a wait_event (bsc#1205803).
• CVE-2023-0590: Fixed race condition in qdisc_graft() (bsc#1207795).
• CVE-2023-1077: Fixed a type confusion in picknextrt_entity(), that could cause memory corruption (bsc#1208600).
• CVE-2023-1095: Fixed a NULL pointer dereference in nf_tables due to zeroed list head (bsc#1208777).
• CVE-2023-1118: Fixed a use-after-free bugs caused by enetxirqsim() in media/rc (bsc#1208837).
• CVE-2023-1249: Fixed a use-after-free flaw in the core dump subsystem that allowed a local user to crash the system (bsc#1209039).
• CVE-2023-1380: Fixed a slab-out-of-bound read problem in brcmfgetassoc_ies() (bsc#1209287).
• CVE-2023-1390: Fixed remote DoS vulnerability in tipclinkxmit() (bsc#1209289).
• CVE-2023-1513: Fixed an uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak (bsc#1209532).
• CVE-2023-1611: Fixed an use-after-free flaw in btrfssearchslot (bsc#1209687).
• CVE-2023-1670: Fixed a use after free in the Xircom 16-bit PCMCIA Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system (bsc#1209871).
• CVE-2023-1989: Fixed a use after free in btsdio_remove (bsc#1210336).
• CVE-2023-1990: Fixed a use after free in ndlc_remove (bsc#1210337).
• CVE-2023-1998: Fixed a use after free during login when accessing the shost ipaddress (bsc#1210506).
• CVE-2023-2124: Fixed an out-of-bound access in the XFS subsystem that could have lead to denial-of-service or potentially privilege escalation (bsc#1210498).
• CVE-2023-2162: Fixed an use-after-free flaw in iscsiswtcpsessioncreate (bsc#1210647).
• CVE-2023-2194: Fixed an out-of-bounds write vulnerability in the SLIMpro I2C device driver (bsc#1210715).
• CVE-2023-23454: Fixed a type-confusion in the CBQ network scheduler (bsc#1207036).
• CVE-2023-23455: Fixed a denial of service inside atmtcenqueue in net/sched/schatm.c because of type confusion (non-negative numbers can sometimes indicate a TCACT_SHOT condition rather than valid classification results) (bsc#1207125).
• CVE-2023-2513: Fixed a use-after-free vulnerability in the ext4 filesystem (bsc#1211105).
• CVE-2023-28328: Fixed a denial of service issue in az6027 driver in drivers/media/usb/dev-usb/az6027.c (bsc#1209291).
• CVE-2023-28464: Fixed user-after-free that could lead to privilege escalation in hciconncleanup in net/uetooth/hci_conn.c (bsc#1209052).
• CVE-2023-28772: Fixed buffer overflow in seqbufputmemhex in lib/seqbuf.c (bsc#1209549).
• CVE-2023-30772: Fixed race condition and resultant use-after-free in da9150chargerremove (bsc#1210329).
• CVE-2023-3090: Fixed a heap out-of-bounds write in the ipvlan network driver (bsc#1212842).
• CVE-2023-3141: Fixed a use-after-free flaw in r592_remove in drivers/memstick/host/r592.c, that allowed local attackers to crash the system at device disconnect (bsc#1212129).
• CVE-2023-31436: Fixed an out-of-bounds write in qfqchangeclass() because lmax can exceed QFQMINLMAX (bsc#1210940).
• CVE-2023-3159: Fixed use-after-free issue in driver/firewire in outboundphypacket_callback (bsc#1212128).
• CVE-2023-3161: Fixed shift-out-of-bounds in fbconsetfont() (bsc#1212154).
• CVE-2023-32269: Fixed a use-after-free in afnetrom.c, related to the fact that accept() was also allowed for a successfully connected AFNETROM socket (bsc#1211186).
• CVE-2023-35824: Fixed a use-after-free in dm1105_remove in drivers/media/pci/dm1105/dm1105.c (bsc#1212501).

The following non-security bugs were fixed:

• Do not sign the vanilla kernel (bsc#1209008).
• Drop dvb-core fix patch due to regression (bsc#1205758).
• Revert CVE-2018-20784 due to regression (bsc#1126703).
• binfmt_elf: Take the mmap lock when walking the VMA list (bsc#1209039 CVE-2023-1249).
• bluetooth: Fix double free in hciconncleanup (bsc#1209052 CVE-2023-28464).
• bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work (CVE-2023-1989 bsc#1210336).
• btrfs: fix race between quota disable and quota assign ioctls (CVE-2023-1611 bsc#1209687).
• do not fallthrough in cbqclassify and stop on TCACT_SHOT (bsc#1207036 CVE-2023-23454 bsc#1207125 CVE-2023-23455).
• ext4: add EXT4INODEHASXATTRSPACE macro in xattr.h (bsc#1206878).
• ext4: fix use-after-free in ext4xattrset_entry (bsc#1206878 bsc#1211105 CVE-2023-2513).
• fbcon: Check font dimension limits (CVE-2023-3161 bsc#1212154).
• firewire: fix potential uaf in outboundphypacket_callback() (CVE-2023-3159 bsc#1212128).
• fix a mistake in the CVE-2023-0590 / bsc#1207795 backport
• i2c: xgene-slimpro: Fix out-of-bounds bug in xgeneslimproi2c_xfer() (bsc#1210715 CVE-2023-2194).
• ipv6: raw: Deduct extension header length in rawv6pushpending_frames (bsc#1207168).
• ipvlan:Fix out-of-bounds caused by unclear skb->cb (bsc#1212842 CVE-2023-3090).
• kernel/sys.c: fix potential Spectre v1 issue (bsc#1209256 CVE-2017-5753).
• kvm: initialize all of the kvm_debugregs structure before sending it to userspace (bsc#1209532 CVE-2023-1513).
• media: dm1105: Fix use after free bug in dm1105_remove due to race condition (bsc#1212501 CVE-2023-35824).
• media: dvb-core: Fix use-after-free due on race condition at dvb_net (CVE-2022-45886 bsc#1205760).
• media: dvb-core: Fix use-after-free due to race at dvbregisterdevice() (CVE-2022-45884 bsc#1205756).
• media: dvb-core: Fix use-after-free due to race condition at dvbcaen50221 (CVE-2022-45919 bsc#1205803).
• media: dvb-core: Fix use-after-free on race condition at dvb_frontend (CVE-2022-45885 bsc#1205758).
• media: dvb-usb: az6027: fix null-ptr-deref in az6027i2cxfer() (bsc#1209291 CVE-2023-28328).
• media: dvb_frontend: kABI workaround (CVE-2022-45885 bsc#1205758).
• media: dvb_net: kABI workaround (CVE-2022-45886 bsc#1205760).
• media: dvbdev: fix error logic at dvbregisterdevice() (CVE-2022-45884 bsc#1205756).
• media: rc: Fix use-after-free bugs caused by enetxirqsim() (CVE-2023-1118 bsc#1208837).
• media: ttusb-dec: fix memory leak in ttusbdecexit_dvb() (CVE-2022-45887 bsc#1205762).
• memstick: r592: Fix UAF bug in r592_remove due to race condition (CVE-2023-3141 bsc#1212129 bsc#1211449).
• net: sched: schqfq: prevent slab-out-of-bounds in qfqactivate_agg (bsc#1210940 CVE-2023-31436).
• netfilter: nf_tables: fix null deref due to zeroed list head (CVE-2023-1095 bsc#1208777).
• netrom: Fix use-after-free caused by accept on already connected socket (bsc#1211186 CVE-2023-32269).
• nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition (git-fixes bsc#1210337 CVE-2023-1990).
• power: supply: da9150: Fix use after free bug in da9150chargerremove due to race condition (CVE-2023-30772 bsc#1210329).
• prlimit: do_prlimit needs to have a speculation check (bsc#1209256 CVE-2017-5753).
• sched/rt: picknextrtentity(): check listentry (bsc#1208600 CVE-2023-1077).
• scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress (bsc#1210647 CVE-2023-2162).
• seqbuf: Fix overflow in seqbufputmemhex() (bsc#1209549 CVE-2023-28772).
• tcp: Fix data races around icsk->icskafops (bsc#1204405 CVE-2022-3566).
• tipc: fix NULL deref in tipclinkxmit() (bsc#1209289 CVE-2023-1390).
• wifi: brcmfmac: slab-out-of-bounds read in brcmfgetassoc_ies() (bsc#1209287 CVE-2023-1380).
• x86/speculation: Allow enabling STIBP with legacy IBRS (bsc#1210506 CVE-2023-1998).
• xfs: verify buffer contents when we skip log replay (bsc#1210498 CVE-2023-2124).
• xirc2pscs: Fix use after free bug in xirc2psdetach (bsc#1209871 CVE-2023-1670).