Описание
Security update for the Linux Kernel
The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3348: Fixed a use-after-free in nbd_add_socket() that could be triggered by local attackers (with access to the nbd device) via an I/O request (bnc#1181504).
- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).
- CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).
- CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).
- CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
- CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).
- CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).
- CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).
- CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).
- CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).
- CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
- CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
- CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
- CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).
- CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).
- CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).
The following non-security bugs were fixed:
- blk-mq: improve heavily contended tag case (bsc#1178198).
- debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979).
- epoll: Keep a reference on files added to the check list (bsc#1180031).
- fix regression in 'epoll: Keep a reference on files added to the check list' (bsc#1180031, git-fixes).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
- HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052).
- iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181001, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181001, jsc#ECO-3191).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181001, jsc#ECO-3191).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032).
- md/bitmap: fix memory leak of temporary bitmap (bsc#1163727).
- md/bitmap: md_bitmap_get_counter returns wrong blocks (bsc#1163727).
- md/bitmap: md_bitmap_read_sb uses wrong bitmap blocks (bsc#1163727).
- md/cluster: block reshape with remote resync job (bsc#1163727).
- md/cluster: fix deadlock when node is doing resync job (bsc#1163727).
- md-cluster: Fix potential error pointer dereference in resize_bitmaps() (bsc#1163727).
- md-cluster: fix rmmod issue when md_cluster convert bitmap to none (bsc#1163727).
- md-cluster: fix safemode_delay value when converting to clustered bitmap (bsc#1163727).
- md-cluster: fix wild pointer of unlock_all_bitmaps() (bsc#1163727).
- Move upstreamed bt fixes into sorted section
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- net/x25: prevent a couple of overflows (bsc#1178590).
- NFS: mark nfsiod as CPU_INTENSIVE (bsc#1177304).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/dasd: fix hanging device offline processing (bsc#1144912).
- scsi: ibmvfc: Avoid link down on FS9100 canister reboot (bsc#1176962 ltc#188304).
- scsi: ibmvfc: Use compiler attribute defines instead of attribute() (bsc#1176962 ltc#188304).
- SUNRPC: cache: ignore timestamp written to 'flush' file (bsc#1178036).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181001, jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181001, jsc#ECO-3191).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181001, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001, jsc#ECO-3191).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181001, jsc#ECO-3191).
- x86/tracing: Introduce a static key for exception tracing (bsc#1179895).
- x86/traps: Simplify pagefault tracing logic (bsc#1179895).
- xfrm: Fix memleak on xfrm state destroy (bsc#1158775).
Список пакетов
Image SLES12-SP4-Azure-BYOS
Image SLES12-SP4-EC2-HVM-BYOS
Image SLES12-SP4-GCE-BYOS
Image SLES12-SP4-OCI-BYOS
Image SLES12-SP4-SAP-Azure
Image SLES12-SP4-SAP-Azure-BYOS
Image SLES12-SP4-SAP-Azure-LI-BYOS-Production
Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production
Image SLES12-SP4-SAP-EC2-HVM
Image SLES12-SP4-SAP-EC2-HVM-BYOS
Image SLES12-SP4-SAP-GCE
Image SLES12-SP4-SAP-GCE-BYOS
Image SLES12-SP4-SAP-OCI-BYOS
SUSE Linux Enterprise High Availability Extension 12 SP4
SUSE Linux Enterprise Live Patching 12 SP4
SUSE Linux Enterprise Server 12 SP4-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP4
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 9
Ссылки
- Link for SUSE-SU-2021:0434-1
- E-Mail link for SUSE-SU-2021:0434-1
- SUSE Security Ratings
- SUSE Bug 1144912
- SUSE Bug 1149032
- SUSE Bug 1158775
- SUSE Bug 1163727
- SUSE Bug 1171979
- SUSE Bug 1176395
- SUSE Bug 1176846
- SUSE Bug 1176962
- SUSE Bug 1177304
- SUSE Bug 1177666
- SUSE Bug 1178036
- SUSE Bug 1178182
- SUSE Bug 1178198
- SUSE Bug 1178372
- SUSE Bug 1178589
- SUSE Bug 1178590
- SUSE Bug 1178684
Описание
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
Затронутые продукты
Ссылки
- CVE-2019-20934
- SUSE Bug 1179663
- SUSE Bug 1179666
Описание
In audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in audit_data_to_entry. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-150693166References: Upstream kernel
Затронутые продукты
Ссылки
- CVE-2020-0444
- SUSE Bug 1180027
- SUSE Bug 1180028
Описание
In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-162844689References: Upstream kernel
Затронутые продукты
Ссылки
- CVE-2020-0465
- SUSE Bug 1180029
- SUSE Bug 1180030
Описание
In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-147802478References: Upstream kernel
Затронутые продукты
Ссылки
- CVE-2020-0466
- SUSE Bug 1180031
- SUSE Bug 1180032
- SUSE Bug 1199255
- SUSE Bug 1200084
Описание
Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.
Затронутые продукты
Ссылки
- CVE-2020-15436
- SUSE Bug 1179141
Описание
The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.
Затронутые продукты
Ссылки
- CVE-2020-15437
- SUSE Bug 1179140
Описание
In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
Затронутые продукты
Ссылки
- CVE-2020-25211
- SUSE Bug 1176395
- SUSE Bug 1192356
Описание
A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to crash the system.
Затронутые продукты
Ссылки
- CVE-2020-25639
- SUSE Bug 1176846
Описание
A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free.
Затронутые продукты
Ссылки
- CVE-2020-25669
- SUSE Bug 1178182
Описание
Product: AndroidVersions: Android kernelAndroid ID: A-127973231References: Upstream kernel
Затронутые продукты
Ссылки
- CVE-2020-27068
- SUSE Bug 1180086
Описание
A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.
Затронутые продукты
Ссылки
- CVE-2020-27777
- SUSE Bug 1179107
- SUSE Bug 1179419
- SUSE Bug 1200343
- SUSE Bug 1220060
Описание
A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Затронутые продукты
Ссылки
- CVE-2020-27786
- SUSE Bug 1179601
- SUSE Bug 1179616
Описание
A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat.
Затронутые продукты
Ссылки
- CVE-2020-27825
- SUSE Bug 1179960
- SUSE Bug 1179961
Описание
A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.
Затронутые продукты
Ссылки
- CVE-2020-27835
- SUSE Bug 1179878
Описание
In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.
Затронутые продукты
Ссылки
- CVE-2020-28374
- SUSE Bug 1178372
- SUSE Bug 1178684
- SUSE Bug 1180676
Описание
A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.
Затронутые продукты
Ссылки
- CVE-2020-28915
- SUSE Bug 1178886
Описание
A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.
Затронутые продукты
Ссылки
- CVE-2020-28974
- SUSE Bug 1178589
Описание
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.
Затронутые продукты
Ссылки
- CVE-2020-29371
- SUSE Bug 1179429
Описание
An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.
Затронутые продукты
Ссылки
- CVE-2020-29568
- SUSE Bug 1179508
Описание
An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
Затронутые продукты
Ссылки
- CVE-2020-29569
- SUSE Bug 1179509
- SUSE Bug 1180008
Описание
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.
Затронутые продукты
Ссылки
- CVE-2020-29660
- SUSE Bug 1179745
- SUSE Bug 1179877
Описание
A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
Затронутые продукты
Ссылки
- CVE-2020-29661
- SUSE Bug 1179745
- SUSE Bug 1179877
- SUSE Bug 1214268
- SUSE Bug 1218966
Описание
mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
Затронутые продукты
Ссылки
- CVE-2020-36158
- SUSE Bug 1180559
- SUSE Bug 1180562
Описание
IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.
Затронутые продукты
Ссылки
- CVE-2020-4788
- SUSE Bug 1177666
- SUSE Bug 1181158
Описание
An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
Затронутые продукты
Ссылки
- CVE-2021-3347
- SUSE Bug 1181349
- SUSE Bug 1181553
- SUSE Bug 1190859
Описание
nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.
Затронутые продукты
Ссылки
- CVE-2021-3348
- SUSE Bug 1181504
- SUSE Bug 1181645