SUSE-SU-2024:2184-1

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

• CVE-2021-46933: Fixed possible underflow in ffsdataclear() (bsc#1220487).
• CVE-2021-46955: Fixed an out-of-bounds read with openvswitch, when fragmenting IPv4 packets (bsc#1220513).
• CVE-2021-47074: Fixed memory leak in nvmeloopcreate_ctrl() (bsc#1220854).
• CVE-2021-47113: Abort btrfs rename_exchange if we fail to insert the second ref (bsc#1221543).
• CVE-2021-47131: Fixed a use-after-free after the TLS device goes down and up (bsc#1221545).
• CVE-2021-47206: Check return value after calling platformgetresource() (bsc#1222894).
• CVE-2021-47238: Fixed memory leak in ipmcadd1_src (bsc#1224847)
• CVE-2021-47245: Fixed out of bounds when parsing TCP options (bsc#1224838)
• CVE-2021-47246: Fixed page reclaim for dead peer hairpin (CVE-2021-47246 bsc#1224831).
• CVE-2021-47249: Fixed memory leak in rds_recvmsg (bsc#1224880)
• CVE-2021-47250: Fixed memory leak in netlblcipsov4add_std (bsc#1224827)
• CVE-2021-47265: Verify port when creating flow rule (bsc#1224957)
• CVE-2021-47277: Avoid speculation-based attacks from out-of-range memslot accesses (bsc#1224960).
• CVE-2021-47281: Fixed race of sndseqtimer_open() (bsc#1224983).
• CVE-2021-47334: Fixed two use after free in ibmasminitone (bsc#1225112).
• CVE-2021-47352: Add validation for used length (bsc#1225124).
• CVE-2021-47355: Fixed possible use-after-free in nicstar_cleanup() (bsc#1225141).
• CVE-2021-47357: Fixed possible use-after-free in iamoduleexit() (bsc#1225144).
• CVE-2021-47361: Fixed error handling in mcballocbus() (bsc#1225151).
• CVE-2021-47362: Update intermediate power state for SI (bsc#1225153).
• CVE-2021-47378: Destroy cm id before destroy qp to avoid use after free (bsc#1225201).
• CVE-2021-47383: Fixed out-of-bound vmalloc access in imageblit (bsc#1225208).
• CVE-2021-47397: Break out if skbheaderpointer returns NULL in sctprcvootb (bsc#1225082)
• CVE-2021-47401: Fixed stack information leak (bsc#1225242).
• CVE-2021-47423: Fixed file release memory leak (bsc#1225366).
• CVE-2021-47431: Fixed gart.bo pin_count leak (bsc#1225390).
• CVE-2021-47469: Add SPI fix commit to be ignored (bsc#1225347)
• CVE-2021-47483: Fixed possible double-free in regcacherbtreeexit() (bsc#1224907).
• CVE-2021-47496: Fix flipped sign in tlserrabort() calls (bsc#1225354)
• CVE-2021-47497: Fixed shift-out-of-bound (UBSAN) with byte size cells (bsc#1225355).
• CVE-2021-47500: Fixed trigger reference couting (bsc#1225360).
• CVE-2021-47509: Limit the period size to 16MB (bsc#1225409).
• CVE-2021-47511: Fixed negative period/buffer sizes (bsc#1225411).
• CVE-2021-47548: Fixed a possible array out-of=bounds (bsc#1225506)
• CVE-2022-48672: Fixed off-by-one error in unflattendtnodes() (CVE-2022-48672 bsc#1223931).
• CVE-2022-48686: Fixed UAF when detecting digest errors (bsc#1223948).
• CVE-2022-48697: Fixed a use-after-free (bsc#1223922).
• CVE-2022-48702: Fixed out of bounds access in sndemu10k1pcmchannelalloc() (bsc#1223923).
• CVE-2022-48704: Add a force flush to delay work when radeon (bsc#1223932)
• CVE-2022-48708: Fixed potential NULL dereference (bsc#1224942).
• CVE-2022-48710: Fixed a possible null pointer dereference (bsc#1225230).
• CVE-2023-1829: Fixed a use-after-free vulnerability in the control index filter (tcindex) (bsc#1210335).
• CVE-2023-42755: Check user supplied offsets (bsc#1215702).
• CVE-2023-52586: Fixed mutex lock in control vblank irq (bsc#1221081).
• CVE-2023-52655: Check packet for fixup for true limit (bsc#1217169).
• CVE-2023-52664: Eliminate double free in error handling logic (bsc#1224747).
• CVE-2023-52691: Fixed a double-free in sidpminit (bsc#1224607).
• CVE-2023-52698: Fixed memory leak in netlblcalipsoadd_pass() (bsc#1224621)
• CVE-2023-52730: Fixed possible resource leaks in some error paths (bsc#1224956).
• CVE-2023-52732: Blocklist the kclient when receiving corrupted snap trace (bsc#1225222).
• CVE-2023-52747: Restore allocated resources on failed copyout (bsc#1224931)
• CVE-2023-52796: Add ipvlanroutev6_outbound() helper (bsc#1224930).
• CVE-2023-52821: Fixed a possible null pointer dereference (bsc#1225022).
• CVE-2023-52864: Fixed opening of char device (bsc#1225132).
• CVE-2023-52865: Add check for mtkallocclk_data (bsc#1225086).
• CVE-2023-52867: Fixed possible buffer overflow (bsc#1225009).
• CVE-2023-52875: Add check for mtkallocclk_data (bsc#1225096).
• CVE-2024-0639: Fixed a denial-of-service vulnerability due to a deadlock found in sctpautoasconf_init in net/sctp/socket.c (bsc#1218917).
• CVE-2024-26625: Call sock_orphan() at release time (bsc#1221086)
• CVE-2024-26775: Fixed potential deadlock at set_capacity (bsc#1222627).
• CVE-2024-26791: Fixed properly validate device names in btrfs (bsc#1222793)
• CVE-2024-26828: Fixed underflow in parseserverinterfaces() (bsc#1223084).
• CVE-2024-26846: Do not wait in vain when unloading module (bsc#1223023).
• CVE-2024-26874: Fixed a null pointer crash in (bsc#1223048)
• CVE-2024-26876: Fixed crash on irq during probe (bsc#1223119).
• CVE-2024-26900: Fixed kmemleak of rdev->serial (bsc#1223046).
• CVE-2024-26915: Reset IH OVERFLOW_CLEAR bit (bsc#1223207)
• CVE-2024-26921: Preserve kabi for sk_buff (bsc#1223138).
• CVE-2024-26957: Fixed reference counting on zcrypt card objects (bsc#1223666).
• CVE-2024-26958: Fixed UAF in direct writes (bsc#1223653).
• CVE-2024-26984: Fixed instmem race condition around ptr stores (bsc#1223633)
• CVE-2024-26996: Fixed UAF ncm object at re-bind after usb ep transport error (bsc#1223752).
• CVE-2024-27008: Fixed out of bounds access (CVE-2024-27008 bsc#1223802).
• CVE-2024-27062: Fixed nouveau lock inside client object tree (bsc#1223834).
• CVE-2024-27396: Fixed Use-After-Free in gtp_dellink (bsc#1224096).
• CVE-2024-27398: Fixed use-after-free bugs caused by scosocktimeout (bsc#1224174).
• CVE-2024-27401: Fixed user_length taken into account when fetching packet contents (bsc#1224181).
• CVE-2024-27419: Fixed data-races around sysctlnetbusy_read (bsc#1224759)
• CVE-2024-27436: Stop parsing channels bits when all channels are found (bsc#1224803).
• CVE-2024-35789: Check fast rx for non-4addr sta VLAN changes (bsc#1224749).
• CVE-2024-35791: Flush pages under kvm->lock to fix UAF in svmregisterenc_region() (bsc#1224725).
• CVE-2024-35809: Drain runtime-idle callbacks before driver removal (bsc#1224738).
• CVE-2024-35830: Register v4l2 async device only after successful setup (bsc#1224680).
• CVE-2024-35849: Fixed information leak in btrfsioctllogicaltoino() (bsc#1224733).
• CVE-2024-35877: Fixed VM_PAT handling in COW mappings (bsc#1224525).
• CVE-2024-35878: Prevent NULL pointer dereference in vsnprintf() (bsc#1224671).
• CVE-2024-35887: Fixed use-after-free bugs caused by ax25dsdel_timer (bsc#1224663)
• CVE-2024-35932: Do not check if plane->state->fb == state->fb (bsc#1224650).
• CVE-2024-35935: Handle path ref underflow in header iterateinoderef() (bsc#1224645)
• CVE-2024-35936: Add missing mutexunlock in btrfsrelocatesyschunks() (bsc#1224644)
• CVE-2024-35944: Fixed memcpy() run-time warning in dgdispatchas_host() (bsc#1224648).
• CVE-2024-35969: Fixed race condition between ipv6getifaddr and ipv6deladdr (bsc#1224580).
• CVE-2024-35982: Avoid infinite loop trying to resize local TT (bsc#1224566)
• CVE-2024-36029: Prevent access to suspended controller (bsc#1225708)

The following non-security bugs were fixed:

• afunix: annote lockless accesses to unixtotinflight & gcin_progress (bsc#1223384).
• afunix: Do not use atomic ops for unixsk(sk)->inflight (bsc#1223384).
• afunix: Replace BUGON() with WARNONONCE() (bsc#1223384).
• ASoC: tracing: Export SNDSOCDAPMDIROUT to its value (git-fixes).
• assocarray: Fix BUGON during garbage collect.
• autofs: fix a leak in autofsexpireindirect() (git-fixes)
• Bluetooth: btusb: Some Qualcomm Bluetooth adapters stop working (git-fixes).
• btrfs: avoid null pointer dereference on fsinfo when calling btrfscrit (git-fixes)
• btrfs: check if root is readonly while setting security xattr (git-fixes)
• btrfs: defrag: use btrfsmodoutstandingextents in clusterpagesfordefrag (git-fixes)
• btrfs: do not get an EINTR during drop_snapshot for reloc (git-fixes)
• btrfs: do not stop integrity writeback too early (git-fixes)
• btrfs: Explicitly handle btrfsupdateroot failure (git-fixes)
• btrfs: fail mount when sb flag is not in BTRFSSUPERFLAG_SUPP (git-fixes)
• btrfs: fix btrfsprevleaf() to not return the same key twice (git-fixes)
• btrfs: fix deadlock when writing out space cache (git-fixes)
• Btrfs: fix incorrect {node,sector}size endianness from BTRFSIOCFS_INFO (git-fixes)
• btrfs: fix lockdep splat and potential deadlock after failure running delayed items (git-fixes)
• btrfs: fix lost error handling when looking up extended ref on log replay (git-fixes)
• btrfs: Fix NULL pointer exception in findbiostripe (git-fixes)
• btrfs: Fix out of bounds access in btrfssearchslot (git-fixes)
• btrfs: fix race when deleting quota root from the dirty cow roots list (git-fixes)
• btrfs: fix rangeend calculation in extentwritelockedrange (git-fixes)
• btrfs: fix return value mixup in btrfsgetextent (git-fixes)
• btrfs: fix unaligned access in readdir (git-fixes)
• btrfs: limit device extents to the device size (git-fixes)
• btrfs: prevent to set invalid default subvolid (git-fixes)
• btrfs: record delayed inode root in transaction (git-fixes)
• btrfs: scrub: reject unsupported scrub flags (git-fixes)
• btrfs: send: ensure send_fd is writable (git-fixes)
• btrfs: send: in case of IO error log it (git-fixes)
• btrfs: send: limit number of clones and allocated memory size (git-fixes)
• btrfs: sysfs: use NOFS for device creation (git-fixes) Adjustment: add #include
• btrfs: tree-checker: add missing return after error in root_item (git-fixes)
• btrfs: tree-checker: add missing returns after data_ref alignment checks (git-fixes)
• btrfs: tree-checker: do not error out if extent ref hash does not match (git-fixes)
• btrfs: tree-checker: fix inline ref size in error messages (git-fixes)
• btrfs: tree-checker: Fix misleading group system information (git-fixes)
• btrfs: undo writable superblocke when sprouting fails (git-fixes)
• btrfs: validate qgroup inherit for SNAPCREATEV2 ioctl (git-fixes)
• ecryptfs: fix a memory leak bug in ecryptfsinitmessaging() (git-fixes)
• ecryptfs: fix a memory leak bug in parsetag1_packet() (git-fixes)
• ecryptfs: fix kernel panic with null dev_name (git-fixes)
• ecryptfs: Fix typo in message (git-fixes)
• epcreatewakeup_source(): dentry name can change under you (git-fixes)
• exportfsdecodefh(): negative pinned may become positive without the parent locked (git-fixes)
• fscrypt: clean up some BUG_ON()s in block encryption/decryption (git-fixes)
• fs/proc/procsysctl.c: fix the default values of iuid/i_gid on /proc/sys inodes (git-fixes)
• ila: do not generate empty messages in ilaxlatnlcmdget_mapping() (git-fixes).
• ipv4, ipv6: Fix handling of transhdrlen in _ip{,6}append_data() (git-fixes).
• kprobes: Fix possible use-after-free issue on kprobe registration (git-fixes).
• KVM: s390: Check kvm pointer when testing KVMCAPS390HPAGE1M (git-fixes bsc#1225059).
• l2tp: pass correct message length to ip6appenddata (git-fixes).
• lib/mpi: use kcalloc in mpi_resize (git-fixes).
• list: fix a data-race around ep->rdllist (git-fixes).
• livepatch: Fix missing newline character in klpresolvesymbols() (bsc#1223539).
• mass-cve: Add convenience KBUILD_USER environment variable
• mass-cve: Always use bash in Makefile Some constrcts are just too convenient to leave them in favor of POSIX'd /bin/sh. Switch to explicit bash.
• mass-cve: Fail early without data files curl >$@ would create/update the file even if download fails. Use explicit argument to prevent continuation with empty cve2bugzilla file.
• mass-cve: Fix update detection with packed-refs Per-branch files are thing of the past, git may non-deterministically pack the ref files. Therefore use the timestamp of the whole packed-ref file (better false positive detection of update than breakage or false negative). Add unified approach to read packed-refs regardless of KSOURCE_GIT worktree or not.
• mass-cve: Make BRANCH mandatory
• mass-cve: Use dedicated worktree for reference updates So that any checkout in KSOURCE_GIT is not changed.
• net: 9p: avoid freeing uninit memory in p9pdu_vreadf (git-fixes).
• netfilter: nfqueue: augment nfqacfg_policy (git-fixes).
• netfilter: nft_compat: explicitly reject ERROR and standard target (git-fixes).
• netfilter: x_tables: set module owner for icmp(6) matches (git-fixes).
• net/smc: fix fallback failed while sendmsg with fastopen (git-fixes).
• net: tcp: fix unexcepted socket die when snd_wnd is 0 (git-fixes).
• net/tls: Remove the context from the list in tlsdevicedown (bsc#1221545).
• net: usb: ax88179_178a: stop lying about skb->truesize (git-fixes).
• net: usb: smsc95xx: stop lying about skb->truesize (git-fixes).
• net: usb: sr9700: stop lying about skb->truesize (git-fixes).
• net: vmxnet3: Fix NULL pointer dereference in vmxnet3rqrx_complete() (bsc#1223360).
• nfc: change order inside nfcseio error path (git-fixes).
• powerpc/pseries/lparcfg: drop error message from guest name lookup (bsc#1187716 ltc#193451 git-fixes).
• ppdev: Add an error check in register_device (git-fixes).
• printk: Disable passing console lock owner completely during panic() (bsc#1197894).
• printk: Update @consolemayschedule in consoletrylockspinning() (bsc#1223969).
• rds: avoid unenecessary cong_update in loop transport (git-fixes).
• rds: ib: Fix missing call to rdsibdevput in rdsibsetupqp (git-fixes).
• ring-buffer: Clean ringbufferpoll_wait() error return (git-fixes).
• ring-buffer: Fix a race between readers and resize checks (bsc#1222893).
• rxrpc: Do not put crypto buffers on the stack (git-fixes).
• rxrpc: Fix a memory leak in rxkadverifyresponse() (git-fixes).
• rxrpc: Provide a different lockdep key for call->user_mutex for kernel calls (git-fixes).
• rxrpc: The mutex lock returned by rxrpcacceptcall() needs releasing (git-fixes).
• rxrpc: Work around usercopy check (git-fixes).
• s390/cpum_cf: make crypto counters upward compatible across machine types (bsc#1224347).
• s390/pci: fix max size calculation in zpcimemcpytoio() (git-fixes bsc#1225062).
• scripts/check-kernel-fix: add -F parameter
• scripts/check-kernel-fix: avoid rechecking child branches when parents are OK Topological sorted dependency tree allows to optimize check-kernel-fixe in cases where parent already has the fix. There is not reason to check branches which merge from that branch as they will get the fix eventually.
• scripts/check-kernel-fix: print a message when no action is needed. Script exits without printing anything about the actions necessary in non-verbose mode. This can be confusing to a beginner user.
• scripts/common-functions: foreachbuild_branch traverse branches in dependency topo sorted list
• scripts/common-functions: There are cases where Fixes tag is incorrect. Example would be bsc1223062 comment 3.
• scripts/cve_tools: Update README Issue was fixed in ad3235427c3
• scripts/gitsort/gitsort.py: add rafael/linux-pm.git#linux-next to remotes
• scripts/log2: Fix References: update detection The following change -REferences: git-fixes +REferences: git-fixes bsc#123456 (note the typo in E) will not be detected as a reference update and generates a commit message like
• scripts/PMU: Always use 12 digits for abbreviated hash references Kernel developers tend to use 12 digits for abbreviated hash references as this is mandatory for upstream work. Enforce this count in PMU for consistency.
• tcp: tcpmakesynack() can be called from process context (git-fixes).
• tls: Fix context leak on tlsdevicedown (bsc#1221545).
• tracing: Fix blocked reader of snapshot buffer (git-fixes).
• tracing: hide unused ftraceeventid_fops (git-fixes).
• tracing: Use .flush() call to wake up readers (git-fixes).
• tracing: Use strncpy instead of memcpy when copying comm in trace.c (git-fixes).
• tty/sysrq: replace smpprocessorid() with get_cpu() (bsc#1223540).
• usb: aqc111: stop lying about skb->truesize (git-fixes).
• wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
• wifi: radiotap: fix kernel-doc notation warnings (git-fixes).