SUSE-SU-2024:3252-1

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

• CVE-2024-35965: Fix not validating setsockopt user input (bsc#1224579).
• CVE-2024-35933: Fixed a build regression (bsc#1224640).
• CVE-2024-43883: Do not drop references before new references are gained (bsc#1229707).
• CVE-2024-41062: Sync sock recv cb and release (bsc#1228576).
• CVE-2024-42259: Fix Virtual Memory mapping boundaries calculation (bsc#1229156)
• CVE-2024-43861: Fix memory leak for not ip packets (bsc#1229500).
• CVE-2024-43863: Fix a deadlock in dma buf fence polling (bsc#1229497)
• CVE-2024-41087: Fix double free on error (CVE-2024-41087,bsc#1228466).
• CVE-2024-43907: Fix the null pointer dereference in applystateadjust_rules (bsc#1229787).
• CVE-2024-43905: Fix the null pointer dereference for vega10_hwmgr (bsc#1229784).
• CVE-2024-43893: Check uartclk for zero to avoid divide by zero (bsc#1229759).
• CVE-2024-43900: Avoid use-after-free in loadfirmwarecb() (bsc#1229756).
• CVE-2024-43902: Add null checker before passing variables (bsc#1229767).
• CVE-2022-48920: Get rid of warning on transaction commit when using flushoncommit (bsc#1229658).
• CVE-2024-26812: Struct virqfd kABI workaround (bsc#1222808).
• CVE-2024-43882: Fixed ToCToU between perm check and set-uid/gid usage. (bsc#1229503)
• CVE-2024-43866: Always drain health in shutdown callback (bsc#1229495).
• CVE-2022-48910: Ensure we call ipv6mcdown() at most once (bsc#1229632)
• CVE-2023-52893: Fix null-deref in gsmigetvariable (bsc#1229535)
• CVE-2024-42155: Wipe copies of protected- and secure-keys (bsc#1228733).
• CVE-2022-48875: Initialize struct pn533outarg properly (bsc#1229516).
• CVE-2023-52907: Wait for outurb's completion in pn533usbsendframe() (bsc#1229526).
• CVE-2024-43871: Fix memory leakage caused by driver API devmfreepercpu() (bsc#1229490)
• CVE-2024-42158: Use kfree_sensitive() to fix Coccinelle warnings (bsc#1228720).
• CVE-2024-43872: Fix soft lockup under heavy CEQE load (bsc#1229489)
• CVE-2024-39489: Fix memleak in seg6hmacinit_algo (bsc#1227623)
• CVE-2024-42226: Prevent potential failure in handletxevent() for Transfer events without TRB (bsc#1228709).
• CVE-2024-42236: Prevent OOB read/write in usbstringcopy() (bsc#1228964).
• CVE-2024-42244: Fix crash on resume (bsc#1228967).
• CVE-2024-43879: Handle 2x996 RU allocation in cfg80211calculatebitrate_he() (bsc#1229482).
• CVE-2024-27011: Fix memleak in map from abort path (bsc#1223803).
• CVE-2024-36013: Fix slab-use-after-free in l2cap_connect() (bsc#1225578).
• CVE-2024-41020: Fix fcntl/close race recovery compat path (bsc#1228427).
• CVE-2024-41012: Remove locks reliably when fcntl/close race is detected (bsc#1228247).
• CVE-2024-26668: Reject configurations that cause integer overflow (bsc#1222335).
• CVE-2024-43819: Reject memory region operations for ucontrol VMs (bsc#1229290 git-fixes).
• CVE-2024-42157: Wipe sensitive data on failure (bsc#1228727 CVE-2024-42157 git-fixes).
• CVE-2021-47341: Fix use-after-free Read in kvmvmioctlunregistercoalesced_mmio (bsc#1224923).
• CVE-2024-43839: Adjust 'name' buf size of bnatcb and bnaccb structures (bsc#1229301).
• CVE-2022-48769: Avoid EFIv2 runtime services on Apple x86 machines (bsc#1226629).
• CVE-2024-43856: Fix call order in dmamfreecoherent (bsc#1229346).
• CVE-2024-36286: Acquire rcureadlock() in instancedestroyrcu() (bsc#1226801)
• CVE-2024-26851: Add protection for bmp length out of range (bsc#1223074)
• CVE-2024-40984: Revert 'ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.' (bsc#1227820).
• CVE-2024-26677: Blacklist e7870cf13d20 ('rxrpc: Fix delayed ACKs to not set the reference serial number') (bsc#1222387)
• CVE-2024-42280: Fix a use after free in hfcmulti_tx() (bsc#1229388)
• CVE-2024-42284: Return non-zero value from tipcudpaddr2str() on error (bsc#1229382)
• CVE-2024-42312: Always initialize iuid/igid (bsc#1229357)
• CVE-2024-42310: Fix null pointer dereference in cdvintellvdsgetmodes (bsc#1229358)
• CVE-2024-42309: Fix null pointer dereference in psbintellvdsgetmodes (bsc#1229359)
• CVE-2024-43854: Initialize integrity buffer to zero before writing it to media (bsc#1229345)
• CVE-2024-42322: Properly dereference pe in ipvsadd_service (bsc#1229347)
• CVE-2024-42301: Fix the array out-of-bounds risk (bsc#1229407).
• CVE-2024-42285: Fix a use-after-free related to destroying CM IDs (bsc#1229381)
• CVE-2024-43831: Handle invalid decoder vsi (bsc#1229309).
• CVE-2024-42281: Fix a segment issue when downgrading gso_size (bsc#1229386).
• CVE-2024-42271: Fixed a use after free in iucvsockclose(). (bsc#1229400)
• CVE-2024-38618: Set lower bound of start tick time (bsc#1226754).
• CVE-2024-41035: Fix duplicate endpoint bug by clearing reserved bits in the descriptor (bsc#1228485)
• CVE-2024-42162: Account for stopped queues when reading NIC stats (bsc#1228706).
• CVE-2023-52708: Fix error handling in mmcspiprobe() (bsc#1225483).
• CVE-2021-47549: Fix UAF in satafslportstop when rmmod satafsl (bsc#1225508).
• CVE-2021-47373: Fix potential VPE leak on error (bsc#1225190).
• CVE-2021-47425: Fix resource leak in reconfiguration device addition (bsc#1225223).
• CVE-2024-42246: Remap EPERM in case of connection failure in xstcpsetup_socket (bsc#1228989).
• CVE-2024-41098: Fix null pointer dereference on error (bsc#1228467).
• CVE-2021-4440: Drop USERGS_SYSRET64 paravirt call (bsc#1227069).
• CVE-2022-48786: Remove vsock from connected table when connect is interrupted by a signal (bsc#1227996).
• CVE-2024-42232: Fixed a race between delayedwork() and cephmonc_stop(). (bsc#1228959)
• CVE-2024-35915: Fix uninit-value in ncidevup and ncintfpacket (git-fixes CVE-2024-35915 bsc#1224479).
• CVE-2024-38662: Cover verifier checks for mutating sockmap/sockhash (bsc#1226885).
• CVE-2024-42110: Move ntbnetdevrxhandler() to call netifrx() from _netifrx() (bsc#1228501).
• CVE-2024-42148: Fix multiple UBSAN array-index-out-of-bounds (bsc#1228487).
• CVE-2024-42106: Initialize pad field in struct inetdiagreq_v2 (bsc#1228493).
• CVE-2022-48865: Fix kernel panic when enabling bearer (bsc#1228065).
• CVE-2024-41068: Fix sclp_init() cleanup on failure (bsc#1228579).
• CVE-2024-42082: Remove WARN() from _xdpregmemmodel() (bsc#1228482).
• CVE-2024-42090: Fix deadlock in createpinctrl() when handling -EPROBEDEFER (bsc#1228449).
• CVE-2024-42101: Fix null pointer dereference in nouveauconnectorget_modes (bsc#1228495).
• CVE-2024-42228: Using uninitialized value *size when calling amdgpuvcecs_reloc (bsc#1228667).
• CVE-2021-47257: Fix null deref in parse dev addr (bsc#1224896).
• CVE-2022-48751: Transitional solution for clcsock race issue (bsc#1226653).

The following non-security bugs were fixed:

• arm64: ACPI: NUMA: initialize all values of acpiearlynode_map to (git-fixes)
• Bluetooth: L2CAP: Fix deadlock (git-fixes).
• btrfs: fix processing of delayed tree block refs during backref walking (bsc#1228982).
• btrfs: Remove unused opkey var from adddelayed_refs (bsc#1228982).
• cgroup/cpuset: Prevent UAF in proccpusetshow() (bsc#1228801).
• char: tpm: Protect tpmpmsuspend with locks (bsc#1082555).
• cpu/SMT: Enable SMT only if a core is online (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes).
• fuse: Initialize beyond-EOF page contents before setting uptodate (bsc#1229457).
• genirq: Delay deactivation in free_irq() (git-fixes).
• genirq: Make sure the initial affinity is not empty (git-fixes).
• genirq/genericchip: Make irqremovegenericchip() irqdomain aware (git-fixes).
• genirq/ipi: Fix NULL pointer deref in irqdatagetaffinitymask() (git-fixes).
• genirq/irqdesc: Do not try to remove non-existing sysfs files (git-fixes).
• genirq/irqdomain: Check pointer in irqdomainallocirqshierarchy() (git-fixes).
• genirq/msi: Activate Multi-MSI early when MSIFLAGACTIVATE_EARLY is set (git-fixes).
• genirq/msi: Ensure deactivation on teardown (git-fixes).
• genirq/proc: Reject invalid affinity masks (again) (git-fixes).
• gsskrb5: Fix the error handling path for cryptosyncskciphersetkey (git-fixes).
• ip6_tunnel: Fix broken GRO (bsc#1226323).
• irqdomain: Drop bogus fwspec-mapping error handling (git-fixes).
• irqdomain: Fix association race (git-fixes).
• irqdomain: Fix domain registration race (git-fixes).
• irqdomain: Fix mapping-creation race (git-fixes).
• irqdomain: Fixed unbalanced fwnode get and put (git-fixes).
• irqdomain: Look for existing mapping only once (git-fixes).
• irqdomain: Refactor _irqdomainallocirqs() (git-fixes).
• kABI: do not change return type of tpmtisupdate_timeouts (bsc#1082555).
• kABI: do not rename tpmdoselftest, tpmpcrreaddev, and tpm1getcap (bsc#1082555).
• kABI: Do not rename tpm_getcap (bsc#1082555).
• kABI: genirq: Delay deactivation in free_irq() (kabi git-fixes).
• kABI: Hide the new lastcc member in a hole in struct tpmchip (bsc#1082555).
• kABI: Instead of changing the pcr argument type add a local variable of the desired type, and assign it from the actual argument (bsc#1082555).
• kABI: no need to store the tpm long long duration in tpm_chip struct, it is an arbitrary hardcoded value (bsc#1082555).
• kABI: re-export tpm2calcordinal_duration (bsc#1082555).
• kABI: tpm-interface: Hide new include from genksyms (bsc#1082555).
• kABI: tpm2-space: Do not add bufsize to struct tpmspace (bsc#1082555).
• kabi/severities: Ignore tpmtransmitcmd and tpmtiscore_init (bsc#1082555).
• KVM: s390: Do not report unusabled IDs via KVMCAPMAXVCPUID (git-fixes bsc#1229222).
• memcg: protect concurrent access to memcgroupidr (git-fixes).
• net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings (bsc#1229154).
• net: mana: Fix race on per-CQ variable napi work_done (bsc#1229154).
• netfilter: nfconntrackh323: restore boundary check correctness (bsc#1223074)
• netfilter: nfcth323: Convert CHECK_BOUND macro to function (bsc#1223074)
• netfilter: nfcth323: Extend nfh323error_boundary to work on bits as well (bsc#1223074)
• netfilter: nfcth323: Out Of Bound Read in Netfilter Conntrack (bsc#1223074)
• nfc: nci: Fix handling of zero-length payload packets in ncirxwork() (git-fixes).
• nfc: nci: Fix kcov check in ncirxwork() (git-fixes).
• nfc: nci: Fix uninit-value in ncirxwork (git-fixes).
• powerpc/topology: Check if a core is online (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes).
• s390/uv: Panic for set and remove shared access UVC errors (git-fixes bsc#1229229).
• scsi: target: core: Silence the message about unknown VPD pages (bsc#1221252 bsc#1229462).
• tpmtiscore: Turn on the TPM before probing IRQ's (bsc#1082555).
• tpm_tis: Add a check for invalid status (bsc#1082555).
• tpm_tis: Explicitly check for error code (bsc#1082555).
• tpmtis: Fix an error handling path in 'tpmtiscoreinit()' (bsc#1082555).
• tpm_tis: Resend command to recover from data transfer errors (bsc#1082555).
• tpmtis: reserve chip for duration of tpmtiscoreinit (bsc#1082555).
• tpmtis: Use tpmchip{start,stop} decoration inside tpmtis_resume (bsc#1082555).
• tpm, tpm_tis: Avoid cache incoherency in test for interrupts (bsc#1082555).
• tpm, tpm_tis: Claim locality before writing interrupt registers (bsc#1082555).
• tpm, tpmtis: Claim locality before writing TPMINT_ENABLE register (bsc#1082555).
• tpm, tpm_tis: Claim locality when interrupts are reenabled on resume (bsc#1082555).
• tpm, tpmtis: correct tpmtis_flags enumeration values (bsc#1082555).
• tpm, tpmtis: Decorate tpmgettimeouts() with requestlocality() (bsc#1082555).
• tpm, tpmtis: Decorate tpmtisgeninterrupt() with request_locality() (bsc#1082555).
• tpm, tpmtis: Disable interrupts if tpmtisprobeirq() failed (bsc#1082555).
• tpm, tpm_tis: Do not skip reset of original interrupt vector (bsc#1082555).
• tpm, tpmtis: Extend locality handling to TPM2 in tpmtisgeninterrupt() (bsc#1082555).
• tpm, tpm_tis: Only handle supported interrupts (bsc#1082555).
• tpm, tpmtis: Reserve locality in tpmtis_resume() (bsc#1082555).
• tpm, tpm: Implement usage counter for locality (bsc#1082555).
• tpm, tpmrm: Mark tpmrm_write as static (bsc#1082555).
• tpm: access command header through struct in tpmtrytransmit() (bsc#1082555).
• tpm: Actually fail on TPM errors during 'get random' (bsc#1082555).
• tpm: Add a flag to indicate TPM power is managed by firmware (bsc#1082555).
• tpm: add ptr to the tpmspace struct to filepriv (bsc#1082555).
• tpm: add support for nonblocking operation (bsc#1082555).
• tpm: add support for partial reads (bsc#1082555).
• tpm: add tpmautostartup() into tpm-interface.c (bsc#1082555).
• tpm: add tpmcalcordinal_duration() wrapper (bsc#1082555).
• tpm: Allow system suspend to continue when TPM suspend fails (bsc#1082555).
• tpm: clean up tpmtrytransmit() error handling flow (bsc#1082555).
• tpm: declare struct tpm_header (bsc#1082555).
• tpm: do not return bool from update_timeouts (bsc#1082555).
• tpm: encapsulate tpmdevtransmit() (bsc#1082555).
• tpm: factor out tpm 1.x duration calculation to tpm1-cmd.c (bsc#1082555).
• tpm: factor out tpm 1.x pm suspend flow into tpm1-cmd.c (bsc#1082555).
• tpm: factor out tpmgettimeouts() (bsc#1082555).
• tpm: factor out tpm_startup function (bsc#1082555).
• tpm: factor out tpm1getrandom into tpm1-cmd.c (bsc#1082555).
• tpm: fix an invalid condition in tpmcommonpoll (bsc#1082555).
• tpm: fix Atmel TPM crash caused by too frequent queries (bsc#1082555).
• tpm: Fix buffer access in tpm2gettpm_pt() (bsc#1082555).
• tpm: fix buffer type in tpmtransmitcmd (bsc#1082555).
• tpm: fix byte order related arithmetic inconsistency in tpm_getcap() (bsc#1082555).
• tpm: Fix error handling in async work (bsc#1082555).
• tpm: fix invalid locking in NONBLOCKING mode (bsc#1082555).
• tpm: fix invalid return value in pubek_show() (bsc#1082555).
• tpm: fix NPE on probe for missing device (bsc#1082555).
• tpm: Fix null pointer dereference on chip register error path (bsc#1082555).
• tpm: Fix TIS locality timeout problems (bsc#1082555).
• tpm: Handle negative priv->responselen in tpmcommon_read() (bsc#1082555).
• tpm: introduce tpmchipstart() and tpmchipstop() (bsc#1082555).
• tpm: migrate pubekshow to struct tpmbuf (bsc#1082555).
• tpm: migrate tpm2getrandom() to use struct tpm_buf (bsc#1082555).
• tpm: migrate tpm2gettpmpt() to use struct tpmbuf (bsc#1082555).
• tpm: migrate tpm2probe() to use struct tpmbuf (bsc#1082555).
• tpm: migrate tpm2shutdown() to use struct tpmbuf (bsc#1082555).
• tpm: move TPM 1.2 code of tpmpcrextend() to tpm1pcrextend() (bsc#1082555).
• tpm: move tpm 1.x selftest code from tpm-interface.c tpm1-cmd.c (bsc#1082555).
• tpm: move TPM space code out of tpm_transmit() (bsc#1082555).
• tpm: move tpm_getcap to tpm1-cmd.c (bsc#1082555).
• tpm: move tpmvalidatecommmand() to tpm2-space.c (bsc#1082555).
• tpm: move tpm1pcrextend to tpm1-cmd.c (bsc#1082555).
• tpm: Prevent hwrng from activating during resume (bsc#1082555).
• tpm: print tpm2commitspace() error inside tpm2commitspace() (bsc#1082555).
• tpm: remove @flags from tpm_transmit() (bsc#1082555).
• tpm: remove @space from tpm_transmit() (bsc#1082555).
• tpm: remove struct tpmpcrextendin (bsc#1082555).
• tpm: Remove tpmdevwq_lock (bsc#1082555).
• tpm: remove TPMTRANSMITUNLOCKED flag (bsc#1082555).
• tpm: rename tpmchipfindget() to tpmfindgetops() (bsc#1082555).
• tpm: replace TPMTRANSMITRAW with TPMTRANSMITNESTED (bsc#1082555).
• tpm: Replace WARNONCE() with deverronce() in tpmtis_status() (bsc#1082555).
• tpm: return 0 from pcrsshow() when tpm1pcr_read() fails (bsc#1082555).
• tpm: Revert 'tpmtiscore: Set TPMCHIPFLAG_IRQ before probing for interrupts' (bsc#1082555).
• tpm: Revert 'tpmtiscore: Turn on the TPM before probing IRQ's' (bsc#1082555).
• tpm: Revert 'tpmtis: reserve chip for duration of tpmtiscoreinit' (bsc#1082555).
• tpm: take TPM chip power gating out of tpm_transmit() (bsc#1082555).
• tpm: tpmcrb: Add the missed acpiput_table() to fix memory leak (bsc#1082555).
• tpm: tpmtis: Add the missed acpiput_table() to fix memory leak (bsc#1082555).
• tpm: tpmvtpmproxy: fix a race condition in /dev/vtpmx creation (bsc#1082555).
• tpm: tpm1biosmeasurements_next should increase position index (bsc#1082555).
• tpm: tpm1: rewrite tpm1getrandom() using tpm_buf structure (bsc#1082555).
• tpm: turn on TPM on suspend for TPM 1.x (bsc#1082555).
• tpm: Unify the mismatching TPM space buffer sizes (bsc#1082555).
• tpm: use tpmbuf in tpmtransmit_cmd() as the IO parameter (bsc#1082555).
• tpm: use tpm_msleep() value as max delay (bsc#1082555).
• tpm: use tpmtryget_ops() in tpm-sysfs.c (bsc#1082555).
• tpm: use u32 instead of int for PCR index (bsc#1082555).
• tpm: vtpm_proxy: Avoid reading host log when using a virtual device (bsc#1082555).
• tpm: vtpm_proxy: Prevent userspace from sending driver command (bsc#1082555).
• tpm: Wrap the buffer from the caller to tpmbuf in tpmsend() (bsc#1082555).
• tpm/tpmcrb: Fix error message in _crbrelinquishlocality() (bsc#1082555).
• tpm1: implement tpm1pcrreaddev() using tpmbuf structure (bsc#1082555).
• tpm1: reimplement SAVESTATE using tpm_buf (bsc#1082555).
• tpm1: reimplement tpm1continueselftest() using tpm_buf (bsc#1082555).
• tpm1: rename tpm1pcrreaddev to tpm1pcr_read() (bsc#1082555).
• tpm2: add longer timeouts for creation commands (bsc#1082555).
• vfio/pci: fix potential memory leak in vfiointxenable() (git-fixes).
• vsock: correct removal of socket from the list (bsc#1227996).
• xfs: fix getfsmap reporting past the last rt extent (git-fixes).
• xfs: Fix the owner setting issue for rmap query in xfs fsmap (git-fixes).
• xfs: fix uninitialized variable access (git-fixes).