Описание
Security update for the Linux Kernel
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).
- CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).
- CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
- CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).
- CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).
- CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).
- CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).
- CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
- CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
- CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
- CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).
- CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).
The following non-security bugs were fixed:
- cifs: do not revalidate mountpoint dentries (bsc#1177440).
- cifs: fix potential use-after-free in cifs_echo_request() (bsc#1139944).
- cifs: ignore revalidate failures in case of process gets signaled (bsc#1177440).
- epoll: Keep a reference on files added to the check list (bsc#1180031).
- fix regression in 'epoll: Keep a reference on files added to the check list' (bsc#1180031, git-fixes).
- futex: Avoid freeing an active timer (bsc#969755).
- futex: Avoid violating the 10th rule of futex (bsc#969755).
- futex: Change locking rules (bsc#969755).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#969755).
- futex: Drop hb->lock before enqueueing on the rtmutex (bsc#969755).
- futex: Fix incorrect should_fail_futex() handling (bsc#969755).
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races (bsc#969755).
- futex: Fix OWNER_DEAD fixup (bsc#969755).
- futex: Fix pi_state->owner serialization (bsc#969755).
- futex: Fix small (and harmless looking) inconsistencies (bsc#969755).
- futex: Futex_unlock_pi() determinism (bsc#969755).
- futex: Handle early deadlock return correctly (bsc#969755).
- futex: Handle transient 'ownerless' rtmutex state correctly (bsc#969755).
- futex: Pull rt_mutex_futex_unlock() out from under hb->lock (bsc#969755).
- futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock() (bsc#969755).
- futex: Rework inconsistent rt_mutex/futex_q state (bsc#969755).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (bsc#969755).
- futex,rt_mutex: Introduce rt_mutex_init_waiter() (bsc#969755).
- futex,rt_mutex: Provide futex specific rt_mutex API (bsc#969755).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() (bsc#969755).
- HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052).
- IB/hfi1: Clean up hfi1_user_exp_rcv_setup function (bsc#1179878).
- IB/hfi1: Clean up pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Fix the bail out code in pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Move structure definitions from user_exp_rcv.c to user_exp_rcv.h (bsc#1179878).
- IB/hfi1: Name function prototype parameters (bsc#1179878).
- IB/hfi1: Use filedata rather than filepointer (bsc#1179878).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#969755).
- mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() (bsc#1179204).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1178272).
- Use r3 instead of r13 for l1d fallback flush in do_uaccess_fush (bsc#1181096 ltc#190883).
- video: hyperv_fb: include vmalloc.h (bsc#1175306).
Список пакетов
HPE Helion OpenStack 8
SUSE Enterprise Storage 5
SUSE Linux Enterprise High Availability Extension 12 SP3
SUSE Linux Enterprise Server 12 SP3-BCL
SUSE Linux Enterprise Server 12 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP3
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud Crowbar 8
Ссылки
- Link for SUSE-SU-2021:0452-1
- E-Mail link for SUSE-SU-2021:0452-1
- SUSE Security Ratings
- SUSE Bug 1105322
- SUSE Bug 1105323
- SUSE Bug 1139944
- SUSE Bug 1168952
- SUSE Bug 1173942
- SUSE Bug 1175306
- SUSE Bug 1176395
- SUSE Bug 1176485
- SUSE Bug 1177440
- SUSE Bug 1177666
- SUSE Bug 1178182
- SUSE Bug 1178272
- SUSE Bug 1178589
- SUSE Bug 1178886
- SUSE Bug 1179107
- SUSE Bug 1179140
- SUSE Bug 1179141
Описание
It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.
Затронутые продукты
Ссылки
- CVE-2018-10902
- SUSE Bug 1105322
- SUSE Bug 1105323
Описание
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
Затронутые продукты
Ссылки
- CVE-2019-20934
- SUSE Bug 1179663
- SUSE Bug 1179666
Описание
In audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in audit_data_to_entry. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-150693166References: Upstream kernel
Затронутые продукты
Ссылки
- CVE-2020-0444
- SUSE Bug 1180027
- SUSE Bug 1180028
Описание
In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-162844689References: Upstream kernel
Затронутые продукты
Ссылки
- CVE-2020-0465
- SUSE Bug 1180029
- SUSE Bug 1180030
Описание
In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-147802478References: Upstream kernel
Затронутые продукты
Ссылки
- CVE-2020-0466
- SUSE Bug 1180031
- SUSE Bug 1180032
- SUSE Bug 1199255
- SUSE Bug 1200084
Описание
In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.
Затронутые продукты
Ссылки
- CVE-2020-11668
- SUSE Bug 1168952
- SUSE Bug 1173942
Описание
Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.
Затронутые продукты
Ссылки
- CVE-2020-15436
- SUSE Bug 1179141
Описание
The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.
Затронутые продукты
Ссылки
- CVE-2020-15437
- SUSE Bug 1179140
Описание
In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
Затронутые продукты
Ссылки
- CVE-2020-25211
- SUSE Bug 1176395
- SUSE Bug 1192356
Описание
A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812.
Затронутые продукты
Ссылки
- CVE-2020-25285
- SUSE Bug 1176485
Описание
A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free.
Затронутые продукты
Ссылки
- CVE-2020-25669
- SUSE Bug 1178182
Описание
Product: AndroidVersions: Android kernelAndroid ID: A-127973231References: Upstream kernel
Затронутые продукты
Ссылки
- CVE-2020-27068
- SUSE Bug 1180086
Описание
A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.
Затронутые продукты
Ссылки
- CVE-2020-27777
- SUSE Bug 1179107
- SUSE Bug 1179419
- SUSE Bug 1200343
- SUSE Bug 1220060
Описание
A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Затронутые продукты
Ссылки
- CVE-2020-27786
- SUSE Bug 1179601
- SUSE Bug 1179616
Описание
A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat.
Затронутые продукты
Ссылки
- CVE-2020-27825
- SUSE Bug 1179960
- SUSE Bug 1179961
Описание
A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.
Затронутые продукты
Ссылки
- CVE-2020-27835
- SUSE Bug 1179878
Описание
A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.
Затронутые продукты
Ссылки
- CVE-2020-28915
- SUSE Bug 1178886
Описание
A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.
Затронутые продукты
Ссылки
- CVE-2020-28974
- SUSE Bug 1178589
Описание
An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.
Затронутые продукты
Ссылки
- CVE-2020-29568
- SUSE Bug 1179508
Описание
An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
Затронутые продукты
Ссылки
- CVE-2020-29569
- SUSE Bug 1179509
- SUSE Bug 1180008
Описание
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.
Затронутые продукты
Ссылки
- CVE-2020-29660
- SUSE Bug 1179745
- SUSE Bug 1179877
Описание
A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
Затронутые продукты
Ссылки
- CVE-2020-29661
- SUSE Bug 1179745
- SUSE Bug 1179877
- SUSE Bug 1214268
- SUSE Bug 1218966
Описание
mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
Затронутые продукты
Ссылки
- CVE-2020-36158
- SUSE Bug 1180559
- SUSE Bug 1180562
Описание
IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.
Затронутые продукты
Ссылки
- CVE-2020-4788
- SUSE Bug 1177666
- SUSE Bug 1181158
Описание
An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
Затронутые продукты
Ссылки
- CVE-2021-3347
- SUSE Bug 1181349
- SUSE Bug 1181553
- SUSE Bug 1190859