SUSE-SU-2019:1287-1

Описание

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)

• CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
• CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
• CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
• CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

This kernel update contains software mitigations for these issues, which also utilize CPU microcode updates shipped in parallel.

For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736

The following security bugs were fixed:

• CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network could use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. (bnc#1096748).
• CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol. (bnc#1096748).
• CVE-2016-8636: Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c allowed local users to cause a denial of service (memory corruption), obtain sensitive information or possibly have unspecified other impact via a write or read request involving the 'RDMA protocol over infiniband' (aka Soft RoCE) technology (bnc#1024908).
• CVE-2017-18174: In the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free (bnc#1080533).
• CVE-2018-1091: In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service (bnc#1087231).
• CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which made a read() call to the /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks) (bnc#1093158).
• CVE-2019-11486: The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c has multiple race conditions (bnc#1133188).
• CVE-2019-3882: A flaw was found in the vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS) (bsc#1131427).
• CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).
• CVE-2017-17741: The KVM implementation allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h (bnc#1073311).
• CVE-2019-9503, CVE-2019-8564: Multiple brcmfmac frame validation bypasses have been fixed (bnc#1132828, bnc#1132673).

The following non-security bugs were fixed:

• ACPI: acpi_pad: Do not launch acpi_pad threads on idle cpus (bsc#1113399).
• add mainline tags to four hyperv patches
• cpu/speculation: Add 'mitigations=' cmdline option (bsc#1112178).
• Drivers: hv: vmbus: Define an API to retrieve virtual processor index (bsc#1122822).
• Drivers: hv: vmbus: Define APIs to manipulate the event page (bsc#1122822).
• Drivers: hv: vmbus: Define APIs to manipulate the message page (bsc#1122822).++ kernel-source.spec (revision 4)Release: <RELEASE>.gbd4498d
• Drivers: hv: vmbus: Define APIs to manipulate the synthetic interrupt controller (bsc#1122822).
• hv: v4.12 API for hyperv-iommu (bsc#1122822).
• iommu/hyper-v: Add Hyper-V stub IOMMU driver (bsc#1122822).
• jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL (bsc#1111331).
• kvm: x86: Report STIBP on GET_SUPPORTED_CPUID (bsc#1111331).
• locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a new <linux/bits.h> file (bsc#1111331).
• MDS: Add CVE refs
• net: ena: add functions for handling Low Latency Queues in ena_com (bsc#1129279).
• net: ena: add functions for handling Low Latency Queues in ena_netdev (bsc#1129279).
• net: ena: change rx copybreak default to reduce kernel memory pressure (bsc#1129279).
• net: ena: complete host info to match latest ENA spec (bsc#1129279).
• net: ena: enable Low Latency Queues (bsc#1129279).
• net: ena: explicit casting and initialization, and clearer error handling (bsc#1129279).
• net: ena: fix auto casting to boolean (bsc#1129279).
• net: ena: fix compilation error in xtensa architecture (bsc#1129279).
• net: ena: fix crash during ena_remove() (bsc#1129279).
• net: ena: fix crash during failed resume from hibernation (bsc#1129279).
• net: ena: fix indentations in ena_defs for better readability (bsc#1129279).
• net: ena: Fix Kconfig dependency on X86 (bsc#1129279).
• net: ena: fix NULL dereference due to untimely napi initialization (bsc#1129279).
• net: ena: fix race between link up and device initalization (bsc#1129279).
• net: ena: fix rare bug when failed restart/resume is followed by driver removal (bsc#1129279).
• net: ena: fix warning in rmmod caused by double iounmap (bsc#1129279).
• net: ena: introduce Low Latency Queues data structures according to ENA spec (bsc#1129279).
• net: ena: limit refill Rx threshold to 256 to avoid latency issues (bsc#1129279).
• net: ena: minor performance improvement (bsc#1129279).
• net: ena: remove ndo_poll_controller (bsc#1129279).
• net: ena: remove redundant parameter in ena_com_admin_init() (bsc#1129279).
• net: ena: update driver version from 2.0.1 to 2.0.2 (bsc#1129279).
• net: ena: update driver version from 2.0.2 to 2.0.3 (bsc#1129279).
• net: ena: update driver version to 2.0.1 (bsc#1129279).
• net: ena: use CSUM_CHECKED device indication to report skb's checksum status (bsc#1129279).
• PCI: hv: Add vPCI version protocol negotiation (bnc#1043485, bsc#1122822).
• PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC (bnc#1034113, bsc#1122822).
• PCI: hv: Disable/enable IRQs rather than BH in hv_compose_msi_msg() (bnc#1094268, bsc#1122822).
• PCI: hv: Do not sleep in compose_msi_msg() (bsc#1082632, bsc#1122822).
• PCI: hv: Fix 2 hang issues in hv_compose_msi_msg() (bsc#1087659, bsc#1087906, bsc#1122822).
• PCI: hv: Fix a comment typo in _hv_pcifront_read_config() (bsc#1087659, bsc#1122822).
• PCI: hv: Fix comment formatting and use proper integer fields (bnc#1043485, bsc#1122822).
• PCI: hv: Only queue new work items in hv_pci_devices_present() if necessary (bsc#1087659, bsc#1122822).
• PCI: hv: Remove the bogus test in hv_eject_device_work() (bsc#1087659, bsc#1122822).
• PCI: hv: Serialize the present and eject work items (bsc#1087659, bsc#1122822).
• PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs (bnc#1043485, bsc#1122822).
• PCI: hv: Temporary own CPU-number-to-vCPU-number infra (bnc#1043485, bsc#1122822).
• PCI: hv: Use effective affinity mask (bsc#1109772, bsc#1122822).
• PCI: hv: Use page allocation for hbus structure (bnc#1043485, bsc#1122822).
• PCI: hv: Use vPCI protocol version 1.2 (bnc#1043485, bsc#1122822).
• pci-hyperv: increase HV_VP_SET_BANK_COUNT_MAX to handle 1792 vcpus (bsc#1122822).
• powerpc/64: Disable the speculation barrier from the command line (bsc#1068032).
• powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032, git-fixes).
• powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157, git-fixes).
• powerpc/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
• powerpc/tm: Add commandline option to disable hardware transactional memory (bsc#1118338).
• powerpc/tm: Add TM Unavailable Exception (bsc#1118338).
• powerpc/tm: Flip the HTM switch default to disabled (bsc#1125580).
• powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 (bsc#1131587).
• powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038 (bsc#1131587).
• s390: add explicit <linux/stringify.h> for jump label (bsc#1111331).
• sched/core: Optimize SCHED_SMT (bsc#1111331).
• sched/smt: Expose sched_smt_present static key (bsc#1106913).
• sched/smt: Make sched_smt_present track topology (bsc#1106913).
• sched/smt: Update sched_smt_present at runtime (bsc#1111331).
• scripts/git_sort/git_sort.py: Add fixes branch from mkp/scsi.git.
• scsi: ibmvscsi: Fix empty event pool access during host removal (bsc#1119019).
• scsi: storvsc: Reduce default ring buffer size to 128 Kbytes ().
• time: Introduce jiffies64_to_nsecs() (bsc#1113399).
• Use upstream variant of two pci-hyperv patches
• vti6: flush x-netns xfrm cache when vti interface is removed (bnc#1012382 bsc#1100152).
• x86/apic: Provide apic_ack_irq() (bsc#1122822).
• x86/bugs: Add AMD's variant of SSB_NO (bsc#1111331).
• x86/bugs: Rename SSBD_NO to SSB_NO (bsc#1111331).
• x86/cpu: Rename Merrifield2 to Moorefield (bsc#1111331).
• x86/cpu: Sanitize FAM6_ATOM naming (bsc#1111331).
• x86/Hyper-V: Set x2apic destination mode to physical when x2apic is available (bsc#1122822).
• x86/irq: implement irq_data_get_effective_affinity_mask() for v4.12 (bsc#1109772, bsc#1122822).
• x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests (bsc#1111331).
• x86/kvm/vmx: Add MDS protection when L1D Flush is not active (bsc#1111331).
• x86/msr-index: Cleanup bit defines (bsc#1111331).
• x86/speculation: Consolidate CPU whitelists (bsc#1111331).
• x86/speculation/mds: Add basic bug infrastructure for MDS (bsc#1111331).
• x86/speculation/mds: Add BUG_MSBDS_ONLY (bsc#1111331).
• x86/speculation/mds: Add mds_clear_cpu_buffers() (bsc#1111331).
• x86/speculation/mds: Add mds=full,nosmt cmdline option (bsc#1111331).
• x86/speculation/mds: Add mitigation control for MDS (bsc#1111331).
• x86/speculation/mds: Add mitigation mode VMWERV (bsc#1111331).
• x86/speculation/mds: Add 'mitigations=' support for MDS (bsc#1111331).
• x86/speculation/mds: Add SMT warning message (bsc#1111331).
• x86/speculation/mds: Add sysfs reporting for MDS (bsc#1111331).
• x86/speculation/mds: Clear CPU buffers on exit to user (bsc#1111331).
• x86/speculation/mds: Conditionally clear CPU buffers on idle entry (bsc#1111331).
• x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off (bsc#1111331).
• x86/speculation: Move arch_smt_update() call to after mitigation decisions (bsc#1111331).
• x86/speculation: Remove redundant arch_smt_update() invocation (bsc#1111331).
• x86/speculation: Rework SMT state change (bsc#1111331).
• x86/speculation: Simplify the CPU bug detection logic (bsc#1111331).
• x86/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
• x86: stop exporting msr-index.h to userland (bsc#1111331).
• xfrm6: call kfree_skb when skb is toobig (bnc#1012382 bsc#1100152).
• xfrm: fix missing dst_release() after policy blocking lbcast and multicast (bnc#1012382 bsc#1100152).