SUSE: 2020:3715-1 important: the Linux Kernel
Summary
The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive
various security and bug fixes.
The following security bugs were fixed:
- CVE-2020-15437: Fixed a null pointer dereference which could have
allowed local users to cause a denial of service (bsc#1179140).
- CVE-2020-27777: Restrict RTAS requests from userspace (bsc#1179107).
- CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could
have been used by local attackers to read privileged information or
potentially crash the kernel (bsc#1178589).
- CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could
have been used by local attackers to read kernel memory (bsc#1178886).
- CVE-2020-8694: Insufficient access control for some Intel(R) Processors may have allowed an authenticated user to potentially enable information
disclosure via local access (bsc#1170415).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter()
(bsc#1178393).
- CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit()
(bsc#1178182).
The following non-security bugs were fixed:
- 9P: Cast to loff_t before multiplying (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- ACPI / extlog: Check for RDMSR failure (git-fixes).
- ACPI: GED: fix -Wformat (git-fixes).
- ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes).
- ACPI: video: use ACPI backlight for HP 635 Notebook (git-fixes).
- ALSA: ctl: fix error path at adding user-defined element set (git-fixes).
- ALSA: firewire: Clean up a locking issue in copy_resp_to_buf()
(git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered
(git-fixes).
- ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
(git-fixes).
- ALSA: mixart: Fix mutex deadlock (git-fixes).
- ALSA: usb-audio: Fix potential use-after-free of streams (git-fixes).
- arm64: KVM: Fix system register enumeration (bsc#1174726).
- arm64: Run ARCH_WORKAROUND_1 enabling code on all CPUs (git-fixes).
- arm/arm64: KVM: Add PSCI version selection API (bsc#1174726).
- ASoC: qcom: lpass-platform: Fix memory leak (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: Acquire tx_lock in tx error paths (git-fixes).
- ath10k: fix VHT NSS calculation when STBC is enabled (git-fixes).
- ath10k: start recovery process when payload length exceeds max htc
length for sdio (git-fixes).
- batman-adv: set .owner to THIS_MODULE (git-fixes).
- Bluetooth: btusb: Fix and detect most of the Chinese Bluetooth
controllers (git-fixes).
- Bluetooth: hci_bcm: fix freeing not-requested IRQ (git-fixes).
- bpf: Zero-fill re-used per-cpu map element (git-fixes).
- btrfs: account ticket size at add/delete time (bsc#1178897).
- btrfs: add helper to obtain number of devices with ongoing dev-replace
(bsc#1178897).
- btrfs: check rw_devices, not num_devices for balance (bsc#1178897).
- btrfs: do not delete mismatched root refs (bsc#1178962).
- btrfs: fix btrfs_calc_reclaim_metadata_size calculation (bsc#1178897).
- btrfs: fix force usage in inc_block_group_ro (bsc#1178897).
- btrfs: fix invalid removal of root ref (bsc#1178962).
- btrfs: fix reclaim counter leak of space_info objects (bsc#1178897).
- btrfs: fix reclaim_size counter leak after stealing from global reserve
(bsc#1178897).
- btrfs: kill min_allocable_bytes in inc_block_group_ro (bsc#1178897).
- btrfs: rework arguments of btrfs_unlink_subvol (bsc#1178962).
- btrfs: split dev-replace locking helpers for read and write
(bsc#1178897).
- bus/fsl_mc: Do not rely on caller to provide non NULL mc_io (git-fixes).
- can: af_can: prevent potential access of uninitialized member in
canfd_rcv() (git-fixes).
- can: af_can: prevent potential access of uninitialized member in
can_rcv() (git-fixes).
- can: can_create_echo_skb(): fix echo skb generation: always use
skb_clone() (git-fixes).
- can: dev: __can_get_echo_skb(): fix real payload length return value for
RTR frames (git-fixes).
- can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ
context (git-fixes).
- can: dev: can_restart(): post buffer from the right context (git-fixes).
- can: gs_usb: fix endianess problem with candleLight firmware (git-fixes).
- can: m_can: fix nominal bitiming tseg2 min for version >= 3.1
(git-fixes).
- can: m_can: m_can_handle_state_change(): fix state change (git-fixes).
- can: m_can: m_can_stop(): set device to software init mode before
closing (git-fixes).
- can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to
can_put_echo_skb() (git-fixes).
- can: peak_canfd: pucan_handle_can_rx(): fix echo management when
loopback is on (git-fixes).
- can: peak_usb: add range checking in decode operations (git-fixes).
- can: peak_usb: fix potential integer overflow on shift of a int
(git-fixes).
- can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
(git-fixes).
- can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes).
- ceph: add check_session_state() helper and make it global (bsc#1179259).
- ceph: check session state after bumping session->s_seq (bsc#1179259).
- ceph: fix race in concurrent __ceph_remove_cap invocations (bsc#1178635).
- cifs: Fix incomplete memory allocation on setxattr path (bsc#1179211).
- cifs: remove bogus debug code (bsc#1179427).
- cifs: Return the error from crypt_message when enc/dec key not found
(bsc#1179426).
- clk: ti: clockdomain: fix static checker warning (git-fixes).
- Convert trailing spaces and periods in path components (bsc#1179424).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- debugfs: Fix module state check condition (git-fixes).
- docs: ABI: stable: remove a duplicated documentation (git-fixes).
- docs: ABI: sysfs-c2port: remove a duplicated entry (git-fixes).
- dpaa_eth: fix the RX headroom size alignment (git-fixes).
- drbd: code cleanup by using sendpage_ok() to check page for
kernel_sendpage() (bsc#1172873).
- Drivers: hv: vmbus: Remove the unused "tsc_page" from struct hv_context
(git-fixes).
- drm/amd/display: Do not invoke kgdb_breakpoint() unconditionally
(git-fixes).
- drm/amd/display: HDMI remote sink need mode validation for Linux
(git-fixes).
- drm/amdgpu: do not map BO in reserved region (git-fixes).
- drm/bridge/synopsys: dsi: add support for non-continuous HS clock
(git-fixes).
- drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working
correctly (git-fixes).
- drm/i915: Break up error capture compression loops with cond_resched()
(git-fixes).
- drm/i915: Force VT'd workarounds when running as a guest OS (git-fixes).
- drm/i915/gvt: Set ENHANCED_FRAME_CAP bit (git-fixes).
- drm/imx: tve remove extraneous type qualifier (git-fixes).
- drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind()
(git-fixes).
- drm/ttm: fix eviction valuable range check (git-fixes).
- drm/vc4: drv: Add error handding for bind (git-fixes).
- Drop sysctl files for dropped archs, add ppc64le and arm64
(bsc#1178838). Also fix the ppc64 page size.
- efi: cper: Fix possible out-of-bounds access (git-fixes).
- efi/efivars: Add missing kobject_put() in sysfs entry creation error
path (git-fixes).
- efi/esrt: Fix reference count leak in esre_create_sysfs_entry
(git-fixes).
- efi: provide empty efi_enter_virtual_mode implementation (git-fixes).
- efivarfs: fix memory leak in efivarfs_create() (git-fixes).
- efivarfs: Replace invalid slashes with exclamation marks in dentries
(git-fixes).
- efivarfs: revert "fix memory leak in efivarfs_create()" (git-fixes).
- efi/x86: Do not panic or BUG() on non-critical error conditions
(git-fixes).
- efi/x86: Free efi_pgd with free_pages() (bsc#1112178).
- efi/x86: Ignore the memory attributes table on i386 (git-fixes).
- efi/x86: Map the entire EFI vendor string before copying it (git-fixes).
- fs/proc/array.c: allow reporting eip/esp for all coredumping threads
(bsc#1050549).
- ftrace: Fix recursion check for NMI test (git-fixes).
- ftrace: Handle tracing when switching between context (git-fixes).
- fuse: fix page dereference after free (bsc#1179213).
- futex: Do not enable IRQs unconditionally in put_pi_state()
(bsc#1067665).
- futex: Handle transient "ownerless" rtmutex state correctly
(bsc#1067665).
- hv_balloon: disable warning when floor reached (git-fixes).
- hv_netvsc: Add XDP support (bsc#1177819, bsc#1177820).
- hv_netvsc: deal with bpf API differences in 4.12 (bsc#1177819,
bsc#1177820).
- hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177819,
bsc#1177820).
- hv_netvsc: make recording RSS hash depend on feature flag (bsc#1178853,
bsc#1178854).
- hv_netvsc: record hardware hash in skb (bsc#1178853, bsc#1178854).
- hyperv_fb: Update screen_info after removing old framebuffer
(bsc#1175306).
- IB/core: Set qp->real_qp before it may be accessed (bsc#1111666)
- IB/hfi1: Add missing INVALIDATE opcodes for trace (bsc#1111666)
- IB/hfi1: Add RcvShortLengthErrCnt to hfi1stats (bsc#1111666)
- IB/hfi1: Add software counter for ctxt0 seq drop (bsc#1111666)
- IB/hfi1: Avoid hardlockup with flushlist_lock (bsc#1111666)
- IB/hfi1: Check for error on call to alloc_rsm_map_table (bsc#1111666)
- IB/hfi1: Close PSM sdma_progress sleep window (bsc#1111666)
- IB/hfi1: Define variables as unsigned long to fix KASAN warning
(bsc#1111666)
- IB/hfi1: Ensure full Gen3 speed in a Gen4 system (bsc#1111666)
- IB/hfi1: Fix Spectre v1 vulnerability (bsc#1111666)
- IB/hfi1: Handle port down properly in pio (bsc#1111666)
- IB/hfi1: Handle wakeup of orphaned QPs for pio (bsc#1111666)
- IB/hfi1: Insure freeze_work work_struct is canceled on shutdown
(bsc#1111666)
- IB/hfi1, qib: Ensure RCU is locked when accessing list (bsc#1111666)
- IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM
(bsc#1111666)
- IB/hfi1: Remove unused define (bsc#1111666)
- IB/hfi1: Silence txreq allocation warnings (bsc#1111666)
- IB/hfi1: Validate page aligned for a given virtual address (bsc#1111666)
- IB/hfi1: Wakeup QPs orphaned on wait list after flush (bsc#1111666)
- IB/ipoib: drop useless LIST_HEAD (bsc#1111666)
- IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start (bsc#1111666)
- IB/iser: Fix dma_nents type definition (bsc#1111666)
- IB/iser: Pass the correct number of entries for dma mapped SGL
(bsc#1111666)
- IB/mad: Fix use-after-free in ib mad completion handling (bsc#1111666)
- IB/mlx4: Fix leak in id_map_find_del (bsc#1111666)
- IB/mlx4: Fix memory leak in add_gid error flow (bsc#1111666)
- IB/mlx4: Fix race condition between catas error reset and aliasguid
flows (bsc#1111666)
- IB/mlx4: Follow mirror sequence of device add during device removal
(bsc#1111666)
- IB/mlx4: Remove unneeded NULL check (bsc#1111666)
- IB/mlx5: Add missing XRC options to QP optional params mask (bsc#1111666)
- IB/mlx5: Compare only index part of a memory window rkey (bsc#1111666)
- IB/mlx5: Do not override existing ip_protocol (bsc#1111666)
- IB/mlx5: Fix clean_mr() to work in the expected order (bsc#1111666)
- IB/mlx5: Fix implicit MR release flow (bsc#1111666)
- IB/mlx5: Fix outstanding_pi index for GSI qps (bsc#1111666)
- IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification
(bsc#1111666)
- IB/mlx5: Fix unreg_umr to ignore the mkey state (bsc#1111666)
- IB/mlx5: Improve ODP debugging messages (bsc#1111666)
- IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache
(bsc#1111666)
- IB/mlx5: Prevent concurrent MR updates during invalidation (bsc#1111666)
- IB/mlx5: Reset access mask when looping inside page fault handler
(bsc#1111666)
- IB/mlx5: Set correct write permissions for implicit ODP MR (bsc#1111666)
- IB/mlx5: Use direct mkey destroy command upon UMR unreg failure
(bsc#1111666)
- IB/mlx5: Use fragmented QP's buffer for in-kernel users (bsc#1111666)
- IB/mlx5: WQE dump jumps over first 16 bytes (bsc#1111666)
- IB/qib: Fix an error code in qib_sdma_verbs_send() (bsc#1111666)
- IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value (bsc#1111666)
- IB/qib: Remove a set-but-not-used variable (bsc#1111666)
- IB/rdmavt: Convert timers to use timer_setup() (bsc#1111666)
- IB/rdmavt: Fix alloc_qpn() WARN_ON() (bsc#1111666)
- IB/rdmavt: Reset all QPs when the device is shut down (bsc#1111666)
- IB/rxe: Fix incorrect cache cleanup in error flow (bsc#1111666)
- IB/rxe: Make counters thread safe (bsc#1111666)
- IB/umad: Avoid additional device reference during open()/close()
(bsc#1111666)
- IB/umad: Avoid destroying device while it is accessed (bsc#1111666)
- IB/umad: Do not check status of nonseekable_open() (bsc#1111666)
- IB/umad: Fix kernel crash while unloading ib_umad (bsc#1111666)
- IB/umad: Refactor code to use cdev_device_add() (bsc#1111666)
- IB/umad: Simplify and avoid dynamic allocation of class (bsc#1111666)
- IB/usnic: Fix out of bounds index check in query pkey (bsc#1111666)
- IB/uverbs: Fix OOPs upon device disassociation (bsc#1111666)
- iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting
tablet-mode (git-fixes).
- iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum
(git-fixes).
- inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill()
(git-fixes).
- Input: adxl34x - clean up a data type in adxl34x_probe() (git-fixes).
- ipmi: use vzalloc instead of kmalloc for user creation (bsc#1178607).
- iw_cxgb4: fix ECN check on the passive accept (bsc#1111666)
- iw_cxgb4: only reconnect with MPAv1 if the peer aborts (bsc#1111666)
- kABI: add back flush_dcache_range (jsc#SLE-16402 jsc#SLE-16497
bsc#1176109 ltc#187964).
- kthread_worker: prevent queuing delayed work from timer_fn when it is
being canceled (git-fixes).
- KVM: arm64: Add missing #include of
References
#1050549 #1058115 #1067665 #1111666 #1112178
#1167030 #1170139 #1170415 #1170446 #1170630
#1172542 #1172873 #1174726 #1175306 #1175916
#1176109 #1176855 #1176907 #1176983 #1177304
#1177397 #1177703 #1177805 #1177808 #1177809
#1177819 #1177820 #1178123 #1178182 #1178393
#1178589 #1178591 #1178607 #1178635 #1178669
#1178686 #1178700 #1178765 #1178838 #1178853
#1178854 #1178878 #1178886 #1178897 #1178940
#1178962 #1179107 #1179140 #1179211 #1179213
#1179259 #1179424 #1179426 #1179427 #927455
Cross-References: CVE-2020-15437 CVE-2020-25668 CVE-2020-25669
CVE-2020-25704 CVE-2020-27777 CVE-2020-28915
CVE-2020-28974 CVE-2020-8694
Affected Products:
SUSE Linux Enterprise Server 12-SP5
https://www.suse.com/security/cve/CVE-2020-15437.html
https://www.suse.com/security/cve/CVE-2020-25668.html
https://www.suse.com/security/cve/CVE-2020-25669.html
https://www.suse.com/security/cve/CVE-2020-25704.html
https://www.suse.com/security/cve/CVE-2020-27777.html
https://www.suse.com/security/cve/CVE-2020-28915.html
https://www.suse.com/security/cve/CVE-2020-28974.html
https://www.suse.com/security/cve/CVE-2020-8694.html
https://bugzilla.suse.com/1050549
https://bugzilla.suse.com/1058115
https://bugzilla.suse.com/1067665
https://bugzilla.suse.com/1111666
https://bugzilla.suse.com/1112178
https://bugzilla.suse.com/1167030
https://bugzilla.suse.com/1170139
https://bugzilla.suse.com/1170415
https://bugzilla.suse.com/1170446
https://bugzilla.suse.com/1170630
https://bugzilla.suse.com/1172542
https://bugzilla.suse.com/1172873
https://bugzilla.suse.com/1174726
https://bugzilla.suse.com/1175306
https://bugzilla.suse.com/1175916
https://bugzilla.suse.com/1176109
https://bugzilla.suse.com/1176855
https://bugzilla.suse.com/1176907
https://bugzilla.suse.com/1176983
https://bugzilla.suse.com/1177304
https://bugzilla.suse.com/1177397
https://bugzilla.suse.com/1177703
https://bugzilla.suse.com/1177805
https://bugzilla.suse.com/1177808
https://bugzilla.suse.com/1177809
https://bugzilla.suse.com/1177819
https://bugzilla.suse.com/1177820
https://bugzilla.suse.com/1178123
https://bugzilla.suse.com/1178182
https://bugzilla.suse.com/1178393
https://bugzilla.suse.com/1178589
https://bugzilla.suse.com/1178591
https://bugzilla.suse.com/1178607
https://bugzilla.suse.com/1178635
https://bugzilla.suse.com/1178669
https://bugzilla.suse.com/1178686
https://bugzilla.suse.com/1178700
https://bugzilla.suse.com/1178765
https://bugzilla.suse.com/1178838
https://bugzilla.suse.com/1178853
https://bugzilla.suse.com/1178854
https://bugzilla.suse.com/1178878
https://bugzilla.suse.com/1178886
https://bugzilla.suse.com/1178897
https://bugzilla.suse.com/1178940
https://bugzilla.suse.com/1178962
https://bugzilla.suse.com/1179107
https://bugzilla.suse.com/1179140
https://bugzilla.suse.com/1179211
https://bugzilla.suse.com/1179213
https://bugzilla.suse.com/1179259
https://bugzilla.suse.com/1179424
https://bugzilla.suse.com/1179426
https://bugzilla.suse.com/1179427
https://bugzilla.suse.com/927455