SUSE Security Update: Security update for the Linux RT Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3992-1
Rating:             important
References:         #1114648 #1141655 #1169514 #1190317 #1190523 
                    #1191790 #1191876 #1191961 #1192045 #1192048 
                    #1192273 #1192718 #1192750 #1192753 #1192781 
                    #1192802 #1192866 #1192906 #1192987 SLE-22573 
                    
Cross-References:   CVE-2021-0941 CVE-2021-20322 CVE-2021-31916
                    CVE-2021-34981
CVSS scores:
                    CVE-2021-0941 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-20322 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-31916 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-31916 (SUSE): 6.8 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-34981 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Real Time Extension 12-SP5
______________________________________________________________________________

   An update that solves four vulnerabilities, contains one
   feature and has 15 fixes is now available.

Description:



   The SUSE Linux Enterprise 12 SP5 Real Time kernel was updated to receive
   various security and bugfixes.

   The following security bugs were fixed:

   - Unprivileged BPF has been disabled by default to reduce attack surface
     as too many security issues have happened in the past (jsc#SLE-22573)

     You can re-enable it via sysctl by setting
     /proc/sys/kernel/unprivileged_bpf_disabled to 0
     (kernel.unprivileged_bpf_disabled = 0).

   - CVE-2021-0941: In bpf_skb_change_head of filter.c, there is a possible
     out of bounds read due to a use after free. This could lead to local
     escalation of privilege with System execution privileges needed. User
     interaction is not needed for exploitation (bnc#1192045).
   - CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in
     list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module
     in the Linux kernel. A bound check failure allowed an attacker with
     special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds
     memory leading to a system crash or a leak of internal kernel
     information. The highest threat from this vulnerability is to system
     availability (bnc#1192781).
   - CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less
     predictable to avoid information leaks about UDP ports in use.
     (bsc#1191790)
   - CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device
     fails. (bsc#1191961)
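
   To audit the unprivileged BPF setting described above, the following
   added example (not part of SUSE's advisory) reports the runtime value
   and flags any sysctl config file that would set it back to 0. The
   meanings of values 1 and 2 and the config file locations are assumptions
   taken from upstream kernel and sysctl.d conventions, not from this page.

```shell
#!/bin/sh
# Added example (not from the advisory): audit kernel.unprivileged_bpf_disabled.
# Value meanings follow the upstream kernel sysctl documentation (assumption
# for this kernel build): 0 = enabled, 1 = disabled until reboot, 2 = disabled
# but changeable by root.
bpf_state() {
    case "$1" in
        0) echo "enabled" ;;
        1) echo "disabled-locked" ;;
        2) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Print "<value> <file>" for each sysctl config line that sets the key.
# Accepts "key=value", "key = value", the kernel/... slash form and a
# leading "-" (ignore-errors prefix); comment lines never match.
find_bpf_overrides() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -n -E 's/^[[:space:]]*-?kernel[./]unprivileged_bpf_disabled[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$/\1/p' "$f" |
            while read -r v; do printf '%s %s\n' "$v" "$f"; done
    done
}

# audit_unpriv_bpf PROC_FILE CONFIG_FILE...
# Returns 1 if unprivileged BPF is enabled now or any config file would
# set it back to 0 at boot; returns 0 otherwise.
audit_unpriv_bpf() {
    proc_file=$1; shift
    rc=0
    state=unknown
    if [ -r "$proc_file" ]; then state=$(bpf_state "$(cat "$proc_file")"); fi
    echo "runtime: $state"
    if [ "$state" = "enabled" ]; then rc=1; fi
    overrides=$(find_bpf_overrides "$@")
    if [ -n "$overrides" ]; then
        echo "$overrides" | while read -r v f; do
            echo "persisted: $f sets $(bpf_state "$v")"
        done
        if echo "$overrides" | grep -q '^0 '; then rc=1; fi
    fi
    return "$rc"
}

# Run against the live system only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_unpriv_bpf /proc/sys/kernel/unprivileged_bpf_disabled \
        /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf
fi
```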

   The following non-security bugs were fixed:

   - arm64/sve: Use correct size when reinitialising SVE state (git-fixes).
   - arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
     (git-fixes).
   - bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22913)
   - bpf: Disallow unprivileged bpf by default (jsc#SLE-22913).
   - bpf: Fix potential race in tail call compatibility check (git-fixes).
   - bpf: Move owner type, jited info into array auxiliary data (bsc#1141655).
   - bpf: Use kvmalloc for map values in syscall (stable-5.14.16).
   - btrfs: fix memory ordering between normal and ordered work functions
     (git-fixes).
   - cifs: fix memory leak of smb3_fs_context_dup::server_hostname
     (bsc#1190317).
   - cifs: for compound requests, use open handle if possible (bsc#1190317).
   - cifs: release lock earlier in dequeue_mid error case (bsc#1190317).
   - config: disable unprivileged BPF by default (jsc#SLE-22913)
   - drivers: base: cacheinfo: Get rid of DEFINE_SMP_CALL_CACHE_FUNCTION()
     (git-fixes).
   - drm: fix spectre issue in vmw_execbuf_ioctl (bsc#1192802).
   - EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell
     (bsc#1114648).
   - elfcore: fix building with clang (bsc#1169514).
   - fuse: fix page stealing (bsc#1192718).
   - gigaset: fix spectre issue in do_data_b3_req (bsc#1192802).
   - hisax: fix spectre issues (bsc#1192802).
   - hysdn: fix spectre issue in hycapi_send_message (bsc#1192802).
   - i2c: synquacer: fix deferred probing (git-fixes).
   - ibmvnic: check failover_pending in login response (bsc#1190523
     ltc#194510).
   - ibmvnic: do not stop queue in xmit (bsc#1192273 ltc#194629).
   - ibmvnic: Process crqs after enabling interrupts (bsc#1192273 ltc#194629).
   - infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802).
   - iwlwifi: fix spectre issue in iwl_dbgfs_update_pm (bsc#1192802).
   - media: dvb_ca_en50221: prevent using slot_info for Spectre attacs
     (bsc#1192802).
   - media: dvb_ca_en50221: sanity check slot number from userspace
     (bsc#1192802).
   - media: wl128x: get rid of a potential spectre issue (bsc#1192802).
   - mm/hugetlb: initialize hugetlb_usage in mm_init (bsc#1192906).
   - mpt3sas: fix spectre issues (bsc#1192802).
   - net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() (bsc#1192802).
   - objtool: Support Clang non-section symbols in ORC generation
     (bsc#1169514).
   - osst: fix spectre issue in osst_verify_frame (bsc#1192802).
   - prctl: allow to setup brk for et_dyn executables (git-fixes).
   - printk/console: Allow to disable console output by using console="" or
     console=null (bsc#1192753).
   - printk: handle blank console arguments passed in (bsc#1192753).
   - printk: Remove printk.h inclusion in percpu.h (bsc#1192987).
   - Revert "ibmvnic: check failover_pending in login response" (bsc#1190523
     ltc#194510).
   - Revert "x86/kvm: fix vcpu-id indexed array sizes" (git-fixes).
   - scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe()
     (git-fixes).
   - scsi: BusLogic: Fix missing pr_cont() use (git-fixes).
   - scsi: core: Fix error handling of scsi_host_alloc() (git-fixes).
   - scsi: core: Fix spelling in a source code comment (git-fixes).
   - scsi: core: Only put parent device if host state differs from
     SHOST_CREATED (git-fixes).
   - scsi: core: Put .shost_dev in failure path if host state changes to
     RUNNING (git-fixes).
   - scsi: core: Retry I/O for Notify (Enable Spinup) Required error
     (git-fixes).
   - scsi: csiostor: Add module softdep on cxgb4 (git-fixes).
   - scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn()
     (git-fixes).
   - scsi: dc395: Fix error case unwinding (git-fixes).
   - scsi: FlashPoint: Rename si_flags field (git-fixes).
   - scsi: iscsi: Fix iface sysfs attr detection (git-fixes).
   - scsi: libsas: Use _safe() loop in sas_resume_port() (git-fixes).
   - scsi: mpt3sas: Fix error return value in _scsih_expander_add()
     (git-fixes).
   - scsi: qedf: Add pointer checks in qedf_update_link_speed() (git-fixes).
   - scsi: qedf: Fix error codes in qedf_alloc_global_queues() (git-fixes).
   - scsi: qedi: Fix error codes in qedi_alloc_global_queues() (git-fixes).
   - scsi: qla2xxx: Fix a memory leak in an error path of
     qla2x00_process_els() (git-fixes).
   - scsi: qla2xxx: Make sure that aborted commands are freed (git-fixes).
   - scsi: snic: Fix an error message (git-fixes).
   - scsi: ufs: ufshcd-pltfrm: Fix memory leak due to probe defer (git-fixes).
   - smb3: add additional null check in SMB2_ioctl (bsc#1190317).
   - smb3: add additional null check in SMB2_open (bsc#1190317).
   - smb3: add additional null check in SMB2_tcon (bsc#1190317).
   - soc: fsl: dpio: replace smp_processor_id with raw_smp_processor_id
     (git-fixes).
   - SUNRPC/auth: async tasks mustn't block waiting for memory (bsc#1191876
     bsc#1192866).
   - SUNRPC/call_alloc: async tasks mustn't block waiting for memory
     (bsc#1191876 bsc#1192866).
   - SUNRPC/xprt: async tasks mustn't block waiting for memory (bsc#1191876
     bsc#1192866).
   - SUNRPC: improve 'swap' handling: scheduling and PF_MEMALLOC (bsc#1191876
     bsc#1192866).
   - swiotlb-xen: avoid double free (git-fixes).
   - sysvipc/sem: mitigate semnum index against spectre v1 (bsc#1192802).
   - tracing: use %ps format string to print symbols (git-fixes).
   - tty: serial: fsl_lpuart: fix the wrong mapbase value (git-fixes).
   - Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
   - x86/xen: Mark cpu_bringup_and_idle() as dead_end_function (bsc#1169514).
   - x86/xen: Mark cpu_bringup_and_idle() as dead_end_function (git-fixes).
   - x86/Xen: swap NX determination and GDT setup on BSP (git-fixes).
   - xen-pciback: Fix return in pm_ctrl_init() (git-fixes).
   - xen-pciback: redo VF placement in the virtual topology (git-fixes).
   - xen/x86: fix PV trap handling on secondary processors (git-fixes).
   - xen: Fix implicit type conversion (git-fixes).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 12-SP5:

      zypper in -t patch SUSE-SLE-RT-12-SP5-2021-3992=1



Package List:

   - SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64):

      cluster-md-kmp-rt-4.12.14-10.70.2
      cluster-md-kmp-rt-debuginfo-4.12.14-10.70.2
      dlm-kmp-rt-4.12.14-10.70.2
      dlm-kmp-rt-debuginfo-4.12.14-10.70.2
      gfs2-kmp-rt-4.12.14-10.70.2
      gfs2-kmp-rt-debuginfo-4.12.14-10.70.2
      kernel-rt-4.12.14-10.70.2
      kernel-rt-base-4.12.14-10.70.2
      kernel-rt-base-debuginfo-4.12.14-10.70.2
      kernel-rt-debuginfo-4.12.14-10.70.2
      kernel-rt-debugsource-4.12.14-10.70.2
      kernel-rt-devel-4.12.14-10.70.2
      kernel-rt-devel-debuginfo-4.12.14-10.70.2
      kernel-rt_debug-4.12.14-10.70.2
      kernel-rt_debug-debuginfo-4.12.14-10.70.2
      kernel-rt_debug-debugsource-4.12.14-10.70.2
      kernel-rt_debug-devel-4.12.14-10.70.2
      kernel-rt_debug-devel-debuginfo-4.12.14-10.70.2
      kernel-syms-rt-4.12.14-10.70.2
      ocfs2-kmp-rt-4.12.14-10.70.2
      ocfs2-kmp-rt-debuginfo-4.12.14-10.70.2

   - SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch):

      kernel-devel-rt-4.12.14-10.70.2
      kernel-source-rt-4.12.14-10.70.2


References:

   https://www.suse.com/security/cve/CVE-2021-0941.html
   https://www.suse.com/security/cve/CVE-2021-20322.html
   https://www.suse.com/security/cve/CVE-2021-31916.html
   https://www.suse.com/security/cve/CVE-2021-34981.html
   https://bugzilla.suse.com/1114648
   https://bugzilla.suse.com/1141655
   https://bugzilla.suse.com/1169514
   https://bugzilla.suse.com/1190317
   https://bugzilla.suse.com/1190523
   https://bugzilla.suse.com/1191790
   https://bugzilla.suse.com/1191876
   https://bugzilla.suse.com/1191961
   https://bugzilla.suse.com/1192045
   https://bugzilla.suse.com/1192048
   https://bugzilla.suse.com/1192273
   https://bugzilla.suse.com/1192718
   https://bugzilla.suse.com/1192750
   https://bugzilla.suse.com/1192753
   https://bugzilla.suse.com/1192781
   https://bugzilla.suse.com/1192802
   https://bugzilla.suse.com/1192866
   https://bugzilla.suse.com/1192906
   https://bugzilla.suse.com/1192987