SUSE-SU-2019:13979-1

Описание

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2016-10741: fs/xfs/xfs_aops.c allowed local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure (bnc#1114920 bnc#1124010).
• CVE-2017-18360: In change_port_settings in drivers/usb/serial/io_ti.c local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates (bnc#1123706).
• CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).
• CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).
• CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
• CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).
• CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).
• CVE-2019-7222: A information leak in exception handling in KVM could be used to expose host memory to guests. (bnc#1124735).

The following non-security bugs were fixed:

• aacraid: Fix memory leak in aac_fib_map_free (bsc#1115827).
• arcmsr: upper 32 of dma address lost (bsc#1115828).
• block/swim3: Fix -EBUSY error when re-opening device after unmount (bsc#1121997).
• block/swim: Fix array bounds check (Git-fix).
• btrfs: Enhance btrfs_trim_fs function to handle error better (Dependency for bsc#1113667).
• btrfs: Ensure btrfs_trim_fs can trim the whole filesystem (bsc#1113667).
• cpusets, isolcpus: exclude isolcpus from load balancing in cpusets (bsc#1119255).
• dasd: fix deadlock in dasd_times_out (bnc#1117943, LTC#174111).
• drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() (bsc#1104098).
• drm/ast: Remove existing framebuffers before loading driver (boo#1112963)
• drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock (bsc#1106886)
• ext4: add missing brelse() update_backups()'s error path (bsc#1117796).
• ext4: avoid buffer leak in ext4_orphan_add() after prior errors (bsc#1117802).
• ext4: avoid possible double brelse() in add_new_gdb() on error path (bsc#1118760).
• ext4: fix buffer leak in ext4_xattr_move_to_block() on error path (bsc#1117806).
• ext4: release bs.bh before re-using in ext4_xattr_block_find() (bsc#1117805).
• fbdev: fbcon: Fix unregister crash when more than one framebuffer (bsc#1106886)
• fbdev: fbmem: behave better with small rotated displays and many CPUs (bsc#1106886)
• Fix kabi break cased by NFS: Cache state owners after files are closed (bsc#1031572).
• fork: record start_time late (bsc#1121872).
• fscache: Fix dead object requeue (bsc#1107371).
• fscache: Fix race in fscache_op_complete() due to split atomic_sub & read (git-fixes).
• fs-cache: Move fscache_report_unexpected_submission() to make it more available (bsc#1107371).
• fs-cache: When submitting an op, cancel it if the target object is dying (bsc#1107371).
• fuse: Add missed unlock_page() to fuse_readpages_fill() (git-fixes).
• fuse: fix blocked_waitq wakeup (git-fixes).
• fuse: fix leaked notify reply (git-fixes).
• fuse: Fix oops at process_init_reply() (git-fixes).
• fuse: fix possibly missed wake-up after abort (git-fixes).
• fuse: umount should wait for all requests (git-fixes).
• igb: do not unmap NULL hw_addr (bsc#969471 bsc#969473 ) (bsc#1123702).
• igb: re-assign hw address pointer on reset after PCI error (bnc#1012382) (bsc#1123702).
• iommu/amd: Fix IOMMU page flush when detach device from a domain (bsc#1106105).
• kvm: x86: Fix the duplicated failure path handling in vmx_init (bsc#1104367).
• lib: add 'on'/'off' support to strtobool (bsc#1125931).
• megaraid_sas: Fix probing cards without io port (bsc#1115829).
• net/af_iucv: drop inbound packets with invalid flags (bnc#1114440, LTC#172679).
• net/af_iucv: fix skb handling on HiperTransport xmit error (bnc#1114440, LTC#172679).
• nfs: Cache state owners after files are closed (bsc#1031572).
• nfs: Do not drop CB requests with invalid principals (git-fixes).
• nfsv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args (git-fixes).
• nfsv4: Do not exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING (git-fixes).
• nfsv4: Keep dropped state owners on the LRU list for a while (bsc#1031572).
• nlm: Ensure callback code also checks that the files match (git-fixes).
• ocfs2: fix three small problems in the patch (bsc#1086695)
• omap2fb: Fix stack memory disclosure (bsc#1106886)
• pci/ASPM: Fix link_state teardown on device removal (bsc#1109806).
• powerpc/fadump: handle crash memory ranges array index overflow (git-fixes).
• powerpc/fadump: Return error when fadump registration fails (git-fixes).
• powerpc/fadump: Unregister fadump on kexec down path (git-fixes).
• powerpc/traps: restore recoverability of machine_check interrupts (bsc#1094244).
• Revert 'NFS: Make close(2) asynchronous when closing NFS O_DIRECT files' (git-fixes).
• ring-buffer: Always reset iterator to reader page (bsc#1120107).
• ring-buffer: Fix first commit on sub-buffer having non-zero delta (bsc#1120077).
• ring-buffer: Fix infinite spin in reading buffer (bsc#1120107).
• ring-buffer: Have ring_buffer_iter_empty() return true when empty (bsc#1120107).
• ring-buffer: Mask out the info bits when returning buffer page length (bsc#1120094).
• ring-buffer: Up rb_iter_peek() loop count to 3 (bsc#1120105).
• rpm/modprobe-xen.conf: Add --ignore-install.
• s390: always save and restore all registers on context switch (git-fixes).
• s390/dasd: fix using offset into zero size array error (git-fixes).
• s390/decompressor: fix initrd corruption caused by bss clear (git-fixes).
• s390/qdio: do not release memory in qdio_setup_irq() (git-fixes).
• s390/qdio: reset old sbal_state flags (bnc#1114440, LTC#171525).
• s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function (bnc#1114440, LTC#172682).
• s390/qeth: fix length check in SNMP processing (bnc#1117943, LTC#173657).
• s390: qeth: Fix potential array overrun in cmd/rc lookup (bnc#1114440, LTC#172682).
• s390/qeth: invoke softirqs after napi_schedule() (git-fixes).
• s390/qeth: remove outdated portname debug msg (bnc#1117943, LTC#172960).
• s390/qeth: sanitize strings in debug messages (bnc#1117943, LTC#172960).
• sched, isolcpu: make cpu_isolated_map visible outside scheduler (bsc#1119255).
• scsi: aacraid: Fix typo in blink status (bsc#1115830).
• scsi: aacraid: Reorder Adapter status check (bsc#1115830).
• scsi: aic94xx: fix an error code in aic94xx_init() (bsc#1115831).
• scsi: bfa: integer overflow in debugfs (bsc#1115832).
• scsi: esp_scsi: Track residual for PIO transfers (bsc#1115833).
• scsi: fas216: fix sense buffer initialization (bsc#1115834).
• scsi: libfc: Revert ' libfc: use offload EM instance again instead jumping to next EM' (bsc#1115835).
• scsi: libsas: fix ata xfer length (bsc#1115836).
• scsi: libsas: fix error when getting phy events (bsc#1115837).
• scsi: lpfc: Do not return internal MBXERR_ERROR code from probe function (bsc#1115838).
• scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices (bsc#1115839).
• scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression (bsc#1115839).
• scsi: qla2xxx: Fix ISP recovery on unload (bsc#1115840).
• scsi: qla2xxx: shutdown chip if reset fail (bsc#1115841).
• scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()' (bsc#1115842).
• scsi: scsi_dh_emc: return success in clariion_std_inquiry() (bsc#1115843).
• scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path (git-fixes).
• scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown (bsc#1123505, LTC#174581).
• sg: fix dxferp in from_to case (bsc#1115844).
• sunrpc: Fix a potential race in xprt_connect() (git-fixes).
• svc: Avoid garbage replies when pc_func() returns rpc_drop_reply (git-fixes).
• svcrpc: do not leak contexts on PROC_DESTROY (git-fixes).
• tracepoints: Do not trace when cpu is offline (bsc#1120109).
• tracing: Add #undef to fix compile error (bsc#1120226).
• tracing: Allow events to have NULL strings (bsc#1120056).
• tracing: Do not add event files for modules that fail tracepoints (bsc#1120086).
• tracing: Fix check for cpu online when event is disabled (bsc#1120109).
• tracing: Fix regex_match_front() to not over compare the test string (bsc#1120223).
• tracing/kprobes: Allow to create probe with a module name starting with a digit (bsc#1120336).
• tracing: Move mutex to protect against resetting of seq data (bsc#1120217).
• tracing: probeevent: Fix to support minus offset from symbol (bsc#1120347).
• usb: keyspan: fix overrun-error reporting (bsc#1114672).
• usb: keyspan: fix tty line-status reporting (bsc#1114672).
• usb: option: fix Cinterion AHxx enumeration (bsc#1114672).
• usb: serial: ark3116: fix open error handling (bsc#1114672).
• usb: serial: ch341: fix control-message error handling (bsc#1114672).
• usb: serial: ch341: fix initial modem-control state (bsc#1114672).
• usb: serial: ch341: fix modem-status handling (bsc#1114672).
• usb: serial: ch341: fix open and resume after B0 (bsc#1114672).
• usb: serial: ch341: fix resume after reset (bsc#1114672).
• usb: serial: ch341: fix type promotion bug in ch341_control_in() (bsc#1114672).
• usb: serial: cyberjack: fix NULL-deref at open (bsc#1114672).
• usb: serial: fix tty-device error handling at probe (bsc#1114672).
• usb: serial: ftdi_sio: fix modem-status error handling (bsc#1114672).
• usb: serial: io_ti: fix another NULL-deref at open (bsc#1114672).
• usb: serial: io_ti: fix NULL-deref at open (bsc#1114672).
• usb: serial: keyspan_pda: verify endpoints at probe (bsc#1114672).
• usb: serial: kl5kusb105: abort on open exception path (bsc#1114672).
• usb: serial: kl5kusb105: fix open error path (bsc#1114672).
• usb: serial: kobil_sct: fix NULL-deref in write (bsc#1114672).
• usb: serial: mct_u232: fix modem-status error handling (bsc#1114672).
• usb: serial: omninet: fix NULL-derefs at open and disconnect.
• usb: serial: pl2303: fix NULL-deref at open (bsc#1114672).
• usb: serial: ti_usb_3410_5052: fix NULL-deref at open (bsc#1114672).
• vmcore: Remove 'weak' from function declarations (git-fixes).
• x86, kvm: Remove incorrect redundant assembly constraint (bnc#931850).
• x86/mm: Simplify p[g4um]xen: d_page() macros (bnc#1087081, bnc#1104684).
• xen: kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
• xen: x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104684, bnc#1104818).
• xen/x86/mm: Prevent kernel Oops in PTDUMP code with HIGHPTE=y (bsc#1106105).
• xen/x86/mm: Set IBPB upon context switch (bsc#1068032).
• xen/x86/process: Re-export start_thread() (bsc#1110006).
• xen/x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
• xen/x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1087081).
• xen/x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
• xen/x86/traps: add missing kernel CR3 switch in bad_iret path (bsc#1098658).
• xfrm: use complete IPv6 addresses for hash (bsc#1109330).
• xfs: do not BUG() on mixed direct and mapped I/O (bsc#1114920).
• xfs: fix the logspace waiting algorithm (bsc#1122874).
• xfs: stop searching for free slots in an inode chunk when there are none (bsc#1115007).
• xfs: validate sb_logsunit is a multiple of the fs blocksize (bsc#1115038).