Description: |
The SUSE Linux Enterprise 12 SP3 Kernel for Teradata was updated to receive the following fixes:
The following security issues were fixed:
- CVE-2021-3347: An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458 (bsc#969755, bsc#1181349)
- CVE-2020-25211: In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff (bsc#1176395)
- CVE-2020-27673: An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271 (bsc#1177411)
- CVE-2020-29568: An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) process watch events using a single thread. If the events are received faster than the thread is able to handle them, they are queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable (bsc#1179508)
- CVE-2020-29569: An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback (bsc#1179509)
- CVE-2020-0466: In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bsc#1180031)
- CVE-2020-0444: In audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in audit_data_to_entry. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bsc#1180027)
- CVE-2020-36158: mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332 (bsc#1180559)
- CVE-2020-27825: A use-after-free flaw was found in kernel/trace/ring_buffer.c in the Linux kernel (before 5.10-rc1). A race between trace_open and the resize of a CPU buffer running in parallel on different CPUs may cause a denial of service (DoS). This flaw could also allow a local attacker with special user privileges to leak kernel information (bsc#1179960)
- CVE-2020-27068: In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation (bsc#1180086)
- CVE-2020-0465: In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bsc#1180029)
- CVE-2020-29660, CVE-2020-29661: A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24 (bsc#1179745)
- CVE-2020-27777: A flaw was found in the way RTAS handled memory accesses in userspace-to-kernel communication. On a locked-down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform), a root-like local user could use this flaw to further increase their privileges to those of the running kernel (bsc#1179107, bsc#1179887)
- CVE-2020-11668: In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770 (bsc#1168952)
- CVE-2018-10902: It was found that the raw MIDI kernel driver does not protect against concurrent access, which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(), which are part of the snd_rawmidi_ioctl() handler in rawmidi.c. A malicious local attacker could possibly use this for privilege escalation (bsc#1105322)
- CVE-2020-27786: A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to MIDI devices could trigger a use-after-free. A write to this specific memory while freed and before reuse could change the flow of execution and possibly allow memory corruption or privilege escalation (bsc#1179601)
- CVE-2020-15436: Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field (bsc#1173834, bsc#1179141)
- CVE-2020-15437: The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer, which is uninitialized (bsc#1179140)
- CVE-2020-28974: A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height (bsc#1178589)
- CVE-2020-25641: A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability (bsc#1177121)
- CVE-2020-28915: A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def (bsc#1178886)
- CVE-2020-25669: Input: sunkbd - avoid use-after-free in teardown paths (bsc#1178182)
- CVE-2020-25285: A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812 (bsc#1176485)
Regular bug fixes:
- mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() (bsc#1179204)
- hv: v4.12 API for hyperv-iommu (fate#327171, bsc#1122822)
- blacklist.conf: f10881a46f89 powerpc/rtas: Fix typo of ibm,open-errinjct in RTAS filter not relevant for 12-sp3-td as it doesn't build ppc
- cgroup: Fix deadlock in cpu hotplug path (bsc#1012382, bsc#1180679)
- HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052)
- x86/Hyper-V/hv_apic: Build the Hyper-V APIC conditionally (git-fixes)
- x86/Hyper-V/hv_apic: Include asm/apic.h (git-fixes)
- x86/hyperv: Clarify comment on x2apic mode (git-fixes)
- x86/hyperv: Make vapic support x2apic mode (git-fixes)
- X86/Hyper-V: Enlighten APIC access (bsc#1107207)
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306)
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306)
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306)
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306)
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306)
- Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816)
- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175127)
- PCI: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263)
- scsi: storvsc: Reduce default ring buffer size to 128 Kbytes (fate#323887)
- iommu/hyper-v: Add Hyper-V stub IOMMU driver (fate#327171, bsc#1122822)
- x86/Hyper-V: Set x2apic destination mode to physical when x2apic is available (fate#327171, bsc#1122822)
- Drivers: hv: vmbus: Check for ring when getting debug info (bsc#1126389)
- Drivers: hv: vmbus: Offload the handling of channels to two workqueues (bsc#1130567)
- scsi: storvsc: Fix a race in sub-channel creation that can cause panic (fate#323887)
- Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() (bsc#1104098)
- Drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind() (bsc#1130567)
- Drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer() (bsc#1130567)
- use upstream variant of pci-hyperv change (bsc#1094268)
- x86/apic: Provide apic_ack_irq() (fate#327171, bsc#1122822)
- hv_netvsc: Fix the return status in RX path (bsc#1118506)
- hv_netvsc: use napi_schedule_irqoff (bsc#1118506)
- hv_netvsc: fix race in napi poll when rescheduling (bsc#1118506)
- PCI: hv: Use effective affinity mask (bsc#1109772)
- Drivers: hv: vmbus: Fix bugs in rescind handling (bsc#1130567)
- x86/vdso: Add VCLOCK_HVCLOCK vDSO clock read method (bsc#1133308)
- x86/irq: implement irq_data_get_effective_affinity_mask() for v4.12 (bsc#1109772)
- scsi: storvsc: Fix calculation of sub-channel count (bsc#1012382)
- Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels (bsc#1012382)
- Tools: hv: Fix a bug in the key delete code (bsc#1012382)
- scsi: libiscsi: fix NOP race condition (bsc#1176481)