Description: |
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-43389: Fixed an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).
- CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
- CVE-2021-42008: Fixed a slab out-of-bounds write in the decode_data function in drivers/net/hamradio/6pack.c. Input from a process that had the CAP_NET_ADMIN capability could have led to root access (bsc#1191315).
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could lead to local privilege escalation. (bsc#1190159)
- CVE-2021-3896: Fixed an array-index-out-of-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (bsc#1191958).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service by removing a MAX-3421 USB device in certain situations (bsc#1189291).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computed the access permissions of a shadow page, leading to a missing guest protection page fault (bsc#1189262).
- CVE-2021-38160: Fixed a potential data corruption or data loss if the buf->len value exceeded the buffer size in drivers/char/virtio_console.c (bsc#1190117).
- CVE-2021-3772: Fixed invalid chunks in SCTP that may be used to remotely remove existing associations (bsc#1190351).
- CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
- CVE-2021-37576: Fixed an issue on the powerpc platform, which allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3753: Fixed a race out-of-bounds read in vt (bsc#1190025).
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-3732: Fixed an issue where mounting overlayfs inside an unprivileged user namespace could reveal files (bsc#1189706).
- CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
- CVE-2021-37159: Fixed a use-after-free and a double free in hso_free_net_device in drivers/net/usb/hso.c (bnc#1188601).
- CVE-2021-3679: A lack of CPU resource in the tracing module functionality was fixed. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bsc#1189057).
- CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
- CVE-2021-3655: Fixed missing size validations on inbound SCTP packets, which may have allowed the kernel to read uninitialized memory (bsc#1188563).
- CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The issue could have allowed a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. (bsc#1189399).
- CVE-2021-3640: Fixed a use-after-free vulnerability in sco_sock_sendmsg() (bsc#1188172).
- CVE-2021-35477: Fixed Speculative Store Bypass side-channel attack on the BPF stack, because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value. (bnc#1188985).
- CVE-2021-34556: Fixed Speculative Store Bypass side-channel attack on the BPF stack, because the protection mechanism neglects the possibility of uninitialized memory locations (bnc#1188983).
- CVE-2021-33033: Fixed a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled (bsc#1186109).
- CVE-2021-20265: Fixed a flaw in the way memory resources were freed in the unix_stream_recvmsg function (bnc#1183089).
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bsc#1191193)
- CVE-2020-14305: An out-of-bounds memory write flaw was fixed in the Voice Over IP H.323 connection tracking functionality for ipv6 port 1720. This flaw allowed an unauthenticated remote user to cause a denial of service. (bsc#1173346)
- CVE-2020-12655: Fixed an issue with agf freeblocks verify in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c where an attacker may trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bnc#1171217).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. (bsc#1176724)
- CVE-2018-3639: Fixed unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (bsc#1087082).
- CVE-2018-16882: A use-after-free issue was found in the way the KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service (bsc#1119934).
- CVE-2018-13405: Fixed up non-directory creation in SGID directories (bsc#1190006).
- CVE-2017-5753: Fixed speculative execution and branch prediction that may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bsc#1068032).
- CVE-2017-17864: Fixed a pointer leak that mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information (bnc#1073928).
- CVE-2017-17862: Fixed an improper branch-pruning logic issue with the JIT compilers that could possibly be used by local users for denial of service (bnc#1073928).
The following non-security bugs were fixed:
- PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
- bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185727).
- hv: mana: declare vzalloc (jsc#SLE-18779, bsc#1185726).
- hv: mana: fake bitmap API (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185727).
- mm: replace open coded page to virt conversion with page_to_virt() (jsc#SLE-18779, bsc#1185727).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185727).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185727).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191801).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185727).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185727).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185727).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185727).
- nvme: update timeout module parameter type (bsc#1183275).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254, bsc#1190134).
- scsi: sg: add sg_remove_request in sg_write (bsc#1171420 CVE-2020-12770).
- sctp: fully initialize v4 addr in some functions (bsc#1188563).
- sctp: simplify addr copy (bsc#1188563).
|