Description
Security update for the Linux Kernel
The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081).
- CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343).
- CVE-2018-5390 aka 'SegmentSmack': The Linux Kernel can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (bnc#1102340).
- CVE-2018-5391 aka 'FragmentSmack': A flaw in the IP packet reassembly could be used by remote attackers to consume lots of CPU time (bnc#1103097).
- CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119).
- CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bnc#1102851 bnc#1103580).
- CVE-2018-9385: When printing the 'driver_override' option from within the amba driver, a very long line could expose one additional uninitialized byte (bnc#1100491).
- CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktime_add_safe is not used (bnc#1099924).
- CVE-2018-13405: The inode_init_owner function in fs/inode.c allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416).
- CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 bnc#1100418).
- CVE-2018-5814: Multiple race condition errors when handling probe, disconnect, and rebind operations could be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets (bnc#1096480).
The following non-security bugs were fixed:
- Add support for 5, 25, 50, and 100G to 802.3ad bonding driver (bsc#1096978)
- bcache: add backing_request_endio() for bi_end_io (bsc#1064232).
- bcache: add CACHE_SET_IO_DISABLE to struct cache_set flags (bsc#1064232).
- bcache: add io_disable to struct cached_dev (bsc#1064232).
- bcache: add journal statistic (bsc#1076110).
- bcache: Add __printf annotation to __bch_check_keys() (bsc#1064232).
- bcache: add stop_when_cache_set_failed option to backing device (bsc#1064232).
- bcache: add wait_for_kthread_stop() in bch_allocator_thread() (bsc#1064232).
- bcache: Annotate switch fall-through (bsc#1064232).
- bcache: closures: move control bits one bit right (bsc#1076110).
- bcache: correct flash only vols (check all uuids) (bsc#1064232).
- bcache: count backing device I/O error for writeback I/O (bsc#1064232).
- bcache: do not attach backing with duplicate UUID (bsc#1076110).
- bcache: Fix a compiler warning in bcache_device_init() (bsc#1064232).
- bcache: fix cached_dev->count usage for bch_cache_set_error() (bsc#1064232).
- bcache: fix crashes in duplicate cache device register (bsc#1076110).
- bcache: fix error return value in memory shrink (bsc#1064232).
- bcache: fix for allocator and register thread race (bsc#1076110).
- bcache: fix for data collapse after re-attaching an attached device (bsc#1076110).
- bcache: fix high CPU occupancy during journal (bsc#1076110).
- bcache: Fix, improve efficiency of closure_sync() (bsc#1076110).
- bcache: fix inaccurate io state for detached bcache devices (bsc#1064232).
- bcache: fix incorrect sysfs output value of strip size (bsc#1064232).
- bcache: Fix indentation (bsc#1064232).
- bcache: fix kcrashes with fio in RAID5 backend dev (bsc#1076110).
- bcache: Fix kernel-doc warnings (bsc#1064232).
- bcache: fix misleading error message in bch_count_io_errors() (bsc#1064232).
- bcache: fix using of loop variable in memory shrink (bsc#1064232).
- bcache: fix writeback target calc on large devices (bsc#1076110).
- bcache: fix wrong return value in bch_debug_init() (bsc#1076110).
- bcache: mark closure_sync() __sched (bsc#1076110).
- bcache: move closure debug file into debug directory (bsc#1064232).
- bcache: properly set task state in bch_writeback_thread() (bsc#1064232).
- bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set (bsc#1064232).
- bcache: reduce cache_set devices iteration by devices_max_used (bsc#1064232).
- bcache: Reduce the number of sparse complaints about lock imbalances (bsc#1064232).
- bcache: Remove an unused variable (bsc#1064232).
- bcache: ret IOERR when read meets metadata error (bsc#1076110).
- bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n (bsc#1064232).
- bcache: return attach error when no cache set exist (bsc#1076110).
- bcache: segregate flash only volume write streams (bsc#1076110).
- bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error() (bsc#1064232).
- bcache: set dc->io_disable to true in conditional_stop_bcache_device() (bsc#1064232).
- bcache: set error_limit correctly (bsc#1064232).
- bcache: set writeback_rate_update_seconds in range [1, 60] seconds (bsc#1064232).
- bcache: stop bcache device when backing device is offline (bsc#1064232).
- bcache: stop dc->writeback_rate_update properly (bsc#1064232).
- bcache: stop writeback thread after detaching (bsc#1076110).
- bcache: store disk name in struct cache and struct cached_dev (bsc#1064232).
- bcache: Suppress more warnings about set-but-not-used variables (bsc#1064232).
- bcache: use pr_info() to inform duplicated CACHE_SET_IO_DISABLE set (bsc#1064232).
- bcache: Use PTR_ERR_OR_ZERO() (bsc#1076110).
- bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
- cifs: Check for timeout on Negotiate stage (bsc#1091171).
- cifs: fix bad/NULL ptr dereferencing in SMB2_sess_setup() (bsc#1090123).
- cpu/hotplug: Add sysfs state interface (bsc#1089343).
- cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
- cpu/hotplug: Split do_cpu_down() (bsc#1089343).
- ext4: fix unsupported feature message formatting (bsc#1098435).
- Hang/soft lockup in d_invalidate with simultaneous calls (bsc#1094248, bsc#1097140).
- ixgbe: fix possible race in reset subtask (bsc#1101557).
- ixgbe: Refactor queue disable logic to take completion time into account (bsc#1101557).
- ixgbe: Reorder Tx/Rx shutdown to reduce time needed to stop device (bsc#1101557).
- ixgbe: use atomic bitwise operations when handling reset requests (bsc#1101557).
- kabi/severities: add PASS to drivers/md/bcache/*, no one uses bcache kernel module.
- procfs: add tunable for fd/fdinfo dentry retention (bsc#1086652).
- sched/sysctl: Check user input value of sysctl_sched_time_avg (bsc#1100089).
- signals: avoid unnecessary taking of sighand->siglock (bsc#1096130).
- x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343).
- x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
- x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (bsc#1089343). Update config files.
- x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
- x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
- x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu: Remove the pointless CPU printout (bsc#1089343).
- x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
- x86/mm: Simplify p[g4um]d_page() macros (bsc#1087081).
- x86/pti: do not report XenPV as vulnerable (bsc#1097551).
- x86/smpboot: Do not use smp_num_siblings in __max_logical_packages calculation (bsc#1089343).
- x86/smp: Provide topology_is_primary_thread() (bsc#1089343).
- x86/topology: Add topology_max_smt_threads() (bsc#1089343).
- x86/topology: Provide topology_smt_supported() (bsc#1089343).
- xen/grant-table: log the lack of grants (bnc#1085042).
Package list
SUSE Enterprise Storage 4
SUSE Linux Enterprise High Availability Extension 12 SP2
SUSE Linux Enterprise Server 12 SP2-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE OpenStack Cloud 7
References
- Link for SUSE-SU-2018:2344-1
- SUSE Bug 1064232
- SUSE Bug 1076110
- SUSE Bug 1083635
- SUSE Bug 1085042
- SUSE Bug 1086652
- SUSE Bug 1087081
- SUSE Bug 1089343
- SUSE Bug 1090123
- SUSE Bug 1091171
- SUSE Bug 1094248
- SUSE Bug 1096130
- SUSE Bug 1096480
- SUSE Bug 1096978
- SUSE Bug 1097140
- SUSE Bug 1097551
- SUSE Bug 1098016
- SUSE Bug 1098425
Description
The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
Affected products
References
- CVE-2017-18344
- SUSE Bug 1087082
- SUSE Bug 1102851
- SUSE Bug 1103203
- SUSE Bug 1103580
- SUSE Bug 1215674
Description
The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used.
Affected products
References
- CVE-2018-13053
- SUSE Bug 1099924
- SUSE Bug 1115893
Description
The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
Affected products
References
- CVE-2018-13405
- SUSE Bug 1087082
- SUSE Bug 1100416
- SUSE Bug 1129735
- SUSE Bug 1195161
- SUSE Bug 1198702
Description
An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used.
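As an added illustration (not code from the advisory or from the kernel) of the two overflow patterns behind CVE-2018-13053 (ktime_add_safe not used) and CVE-2018-13406 (kmalloc_array not used), the following user-space C shows the plain arithmetic next to the checked form that the kernel helpers provide; all function names are hypothetical and the input values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not kernel code: user-space stand-ins for the two
 * helpers the advisory names. Function names are hypothetical. */

typedef int64_t ktime_ns;   /* nanoseconds, same range as the kernel's ktime_t */

/* Plain addition with two's-complement wraparound (done in unsigned so the
 * demonstration itself has no undefined behaviour). A large relative timeout
 * added to the current time wraps negative: the CVE-2018-13053 failure mode. */
static ktime_ns ktime_add_wrapping(ktime_ns now, ktime_ns rel)
{
    return (ktime_ns)((uint64_t)now + (uint64_t)rel);
}

/* Saturating addition in the spirit of ktime_add_safe(): an overflowing sum
 * clamps to the largest representable time instead of wrapping.
 * Only non-negative relative timeouts are considered here. */
static ktime_ns ktime_add_saturating(ktime_ns now, ktime_ns rel)
{
    if (rel > 0 && now > INT64_MAX - rel)
        return INT64_MAX;
    return now + rel;
}

/* Plain count * size: a caller-chosen count can wrap the product to a
 * tiny (even zero) allocation that the later writes then overrun. */
static size_t array_bytes_unchecked(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* The overflow check kmalloc_array() performs before allocating: return
 * SIZE_MAX (which no allocator can satisfy) when the product would wrap. */
static size_t array_bytes_checked(size_t count, size_t elem_size)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return SIZE_MAX;
    return count * elem_size;
}

int main(void)
{
    size_t huge = SIZE_MAX / 4 + 1;   /* constructed oversized element count */
    printf("wrapping add   : %lld\n", (long long)ktime_add_wrapping(INT64_MAX - 10, 100));
    printf("saturating add : %lld\n", (long long)ktime_add_saturating(INT64_MAX - 10, 100));
    printf("unchecked bytes: %zu\n", array_bytes_unchecked(huge, 8));
    printf("checked bytes  : %zu\n", array_bytes_checked(huge, 8));
    return 0;
}
```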
Affected products
References
- CVE-2018-13406
- SUSE Bug 1098016
- SUSE Bug 1100418
- SUSE Bug 1115893
Description
drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free).
Affected products
References
- CVE-2018-14734
- SUSE Bug 1103119
- SUSE Bug 1131390
Description
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
Affected products
References
- CVE-2018-3620
- SUSE Bug 1087078
- SUSE Bug 1087081
- SUSE Bug 1089343
- SUSE Bug 1090340
- SUSE Bug 1091107
- SUSE Bug 1099306
- SUSE Bug 1104894
- SUSE Bug 1136865
- SUSE Bug 1201877
Description
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.
Affected products
References
- CVE-2018-3646
- SUSE Bug 1087078
- SUSE Bug 1087081
- SUSE Bug 1089343
- SUSE Bug 1091107
- SUSE Bug 1099306
- SUSE Bug 1104365
- SUSE Bug 1104894
- SUSE Bug 1106548
- SUSE Bug 1113534
- SUSE Bug 1136865
- SUSE Bug 1178658
- SUSE Bug 1201877
Description
Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.
Affected products
References
- CVE-2018-5390
- SUSE Bug 1087082
- SUSE Bug 1102340
- SUSE Bug 1102682
- SUSE Bug 1103097
- SUSE Bug 1103098
- SUSE Bug 1156434
Description
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.
Affected products
References
- CVE-2018-5391
- SUSE Bug 1087082
- SUSE Bug 1102340
- SUSE Bug 1103097
- SUSE Bug 1103098
- SUSE Bug 1108654
- SUSE Bug 1114071
- SUSE Bug 1121102
- SUSE Bug 1134140
- SUSE Bug 1181460
Description
In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets.
Affected products
References
- CVE-2018-5814
- SUSE Bug 1087082
- SUSE Bug 1096480
- SUSE Bug 1133319
Description
In driver_override_store of bus.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-74128061 References: Upstream kernel.
Affected products
References
- CVE-2018-9385
- SUSE Bug 1100491