Security update for the Linux Kernel (important)

An update that solves 7 vulnerabilities and has 45 fixes is
now available.

Description:

The openSUSE Leap 15.0 was updated to receive various security and
bugfixes.

The following security bugs were fixed:

• CVE-2019-10638: A device can be tracked by an attacker using the IP ID
  values the kernel produces for connection-less protocols (e.g., UDP and
  ICMP). When such traffic is sent to multiple destination IP addresses,
  it is possible to obtain hash collisions (of indices to the counter
  array) and thereby obtain the hashing key (via enumeration). An attack
  may be conducted by hosting a crafted web page that uses WebRTC or gQUIC
  to force UDP traffic to attacker-controlled IP addresses (bnc#1140575).
• CVE-2019-10639: The Linux kernel allowed Information Exposure (partial
  kernel address disclosure), leading to a KASLR bypass. Specifically, it
  is possible to extract the KASLR kernel image offset using the IP ID
  values the kernel produces for connection-less protocols (e.g., UDP and
  ICMP). When such traffic is sent to multiple destination IP addresses,
  it is possible to obtain hash collisions (of indices to the counter
  array) and thereby obtain the hashing key (via enumeration). This key
  contains enough bits from a kernel address (of a static variable) so
  when the key is extracted (via enumeration), the offset of the kernel
  image is exposed. This attack can be carried out remotely, by the
  attacker forcing the target device to send UDP or ICMP (or certain
  other) traffic to attacker-controlled IP addresses. Forcing a server to
  send UDP traffic is trivial if the server is a DNS server. ICMP traffic
  is trivial if the server answers ICMP Echo requests (ping). For client
  targets, if the target visits the attacker’s web page, then WebRTC or
  gQUIC can be used to force UDP traffic to attacker-controlled IP
  addresses. NOTE: this attack against KASLR became viable in 4.1 because
  IP ID generation was changed to have a dependency on an address
  associated with a network namespace (bnc#1140577).
• CVE-2018-20836: There was a race condition in smp_task_timedout() and
  smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a
  use-after-free (bnc#1134395).
• CVE-2019-10126: A heap based buffer overflow in
  mwifiex_uap_parse_tail_ies function in
  drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory
  corruption and possibly other consequences (bnc#1136935).
• CVE-2019-11599: The coredump implementation in the Linux kernel did not
  use locking or other mechanisms to prevent vma layout or vma flags
  changes while it runs, which allowed local users to obtain sensitive
  information, cause a denial of service, or possibly have unspecified
  other impact by triggering a race condition with mmget_not_zero or
  get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c,
  fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c
  (bnc#1131645 1133738).
• CVE-2019-12614: An issue was discovered in dlpar_parse_cc_property in
  arch/powerpc/platforms/pseries/dlpar.c where there was an unchecked
  kstrdup of prop->name, which might allow an attacker to cause a denial
  of service (NULL pointer dereference and system crash) (bnc#1137194).
• CVE-2018-16871: A flaw was found in NFS where an attacker who is able to
  mount an exported NFS filesystem was able to trigger a null pointer
  dereference by an invalid NFS sequence. (bnc#1137103).

The following non-security bugs were fixed:

• 6lowpan: Off by one handling ->nexthdr (bsc#1051510).
• added De0-Nanos-SoC board support (and others based on Altera SOC).
• Add sample kernel-default-base spec file (FATE#326579, jsc#SLE-4117,
  jsc#SLE-3853, bsc#1128910).
• Add sample kernel-default-base spec file (jsc#SLE-4117, jsc#SLE-3853,
  bsc#1128910).
• af_key: unconditionally clone on broadcast (bsc#1051510).
• alsa: firewire-lib/fireworks: fix miss detection of received MIDI
  messages (bsc#1051510).
• alsa: hda - Force polling mode on CNL for fixing codec communication
  (bsc#1051510).
• alsa: hda/realtek: Add quirks for several Clevo notebook barebones
  (bsc#1051510).
• alsa: hda/realtek - Change front mic location for Lenovo M710q
  (bsc#1051510).
• alsa: line6: Fix write on zero-sized buffer (bsc#1051510).
• alsa: seq: fix incorrect order of dest_client/dest_ports arguments
  (bsc#1051510).
• alsa: usb-audio: fix sign unintended sign extension on left shifts
  (bsc#1051510).
• apparmor: enforce nullbyte at end of tag string (bsc#1051510).
• audit: fix a memory leak bug (bsc#1051510).
• ax25: fix inconsistent lock state in ax25_destroy_timer (bsc#1051510).
• blk-mq: free hw queue’s resource in hctx’s release handler (bsc#1140637).
• block: Fix a NULL pointer dereference in generic_make_request()
  (bsc#1139771).
• bluetooth: Fix faulty expression for minimum encryption key size check
  (bsc#1140328).
• can: af_can: Fix error path of can_init() (bsc#1051510).
• can: flexcan: fix timeout when set small bitrate (bsc#1051510).
• can: purge socket error queue on sock destruct (bsc#1051510).
• ceph: flush dirty inodes before proceeding with remount (bsc#1140405).
• cfg80211: fix memory leak of wiphy device name (bsc#1051510).
• clk: rockchip: Turn on “aclk_dmac1” for suspend on rk3288 (bsc#1051510).
• clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
  (bsc#1051510).
• coresight: etb10: Fix handling of perf mode (bsc#1051510).
• coresight: etm4x: Add support to enable ETMv4.2 (bsc#1051510).
• cpu/topology: Export die_id (jsc#SLE-5454).
• crypto: algapi - guard against uninitialized spawn list in
  crypto_remove_spawns (bsc#1133401).
• crypto: cryptd - Fix skcipher instance memory leak (bsc#1051510).
• crypto: user - prevent operating on larval algorithms (bsc#1133401).
• device core: Consolidate locking and unlocking of parent and device
  (bsc#1106383).
• dmaengine: imx-sdma: remove BD_INTR for channel0 (bsc#1051510).
• dm, dax: Fix detection of DAX support (bsc#1139782).
• doc: Cope with the deprecation of AutoReporter (bsc#1051510).
• Do not provide kernel-default from kernel-default-base (boo#1132154,
  bsc#1106751).
• Do not provide kernel-default-srchash from kernel-default-base.
• Do not restrict NFSv4.2 on openSUSE (bsc#1138719).
• driver core: Establish order of operations for device_add and device_del
  via bitflag (bsc#1106383).
• driver core: Probe devices asynchronously instead of the driver
  (bsc#1106383).
• drivers/base: Introduce kill_device() (bsc#1139865).
• drivers/base: kABI fixes for struct device_private (bsc#1106383).
• drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
  (bsc#1051510).
• drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error
  handling path in ‘rio_dma_transfer()’ (bsc#1051510).
• drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
  (bsc#1051510).
• drivers: thermal: tsens: Do not print error message on -EPROBE_DEFER
  (bsc#1051510).
• drm/arm/hdlcd: Allow a bit of clock tolerance (bsc#1051510).
• drm/i915/gvt: ignore unexpected pvinfo write (bsc#1051510).
• EDAC/mc: Fix edac_mc_find() in case no device is found (bsc#1114279).
• ftrace/x86: Remove possible deadlock between register_kprobe() and
  ftrace_run_update_code() (bsc#1071995).
• ftrace/x86: Remove possible deadlock between register_kprobe() and
  ftrace_run_update_code() (bsc#1071995 fate#323487).
• genirq: Prevent use-after-free and work list corruption (bsc#1051510).
• genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent()
  (bsc#1051510).
• genwqe: Prevent an integer overflow in the ioctl (bsc#1051510).
• hwmon/coretemp: Cosmetic: Rename internal variables to zones from
  packages (jsc#SLE-5454).
• hwmon/coretemp: Support multi-die/package (jsc#SLE-5454).
• hwmon: (k10temp) 27C Offset needed for Threadripper2 (FATE#327735).
• hwmon: (k10temp) Add Hygon Dhyana support (FATE#327735).
• hwmon: (k10temp) Add support for AMD Ryzen w/ Vega graphics
  (FATE#327735).
• hwmon: (k10temp) Add support for family 17h (FATE#327735).
• hwmon: (k10temp) Add support for Stoney Ridge and Bristol Ridge CPUs
  (FATE#327735).
• hwmon: (k10temp) Add support for temperature offsets (FATE#327735).
• hwmon: (k10temp) Add temperature offset for Ryzen 1900X (FATE#327735).
• hwmon: (k10temp) Add temperature offset for Ryzen 2700X (FATE#327735).
• hwmon: (k10temp) Correct model name for Ryzen 1600X (FATE#327735).
• hwmon: (k10temp) Display both Tctl and Tdie (FATE#327735).
• hwmon: (k10temp) Fix reading critical temperature register
  (FATE#327735).
• hwmon: (k10temp) Make function get_raw_temp static (FATE#327735).
• hwmon: (k10temp) Move chip specific code into probe function
  (FATE#327735).
• hwmon: (k10temp) Only apply temperature offset if result is positive
  (FATE#327735).
• hwmon: (k10temp) Support all Family 15h Model 6xh and Model 7xh
  processors (FATE#327735).
• hwmon: k10temp: Support Threadripper 2920X, 2970WX; simplify offset
  table (FATE#327735).
• hwmon: (k10temp) Use API function to access System Management Network
  (FATE#327735).
• hwmon/k10temp, x86/amd_nb: Consolidate shared device IDs ().
• hwmon/k10temp, x86/amd_nb: Consolidate shared device IDs (FATE#327735).
• i2c: acorn: fix i2c warning (bsc#1135642).
• i2c-piix4: Add Hygon Dhyana SMBus support (FATE#327735).
• ibmveth: Update ethtool settings to reflect virtual properties
  (bsc#1136157, LTC#177197).
• input: synaptics - enable SMBus on ThinkPad E480 and E580 (bsc#1051510).
• input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
  (bsc#1051510).
• Install extra rpm scripts for kernel subpackaging (FATE#326579,
  jsc#SLE-4117, jsc#SLE-3853, bsc#1128910).
• Install extra rpm scripts for kernel subpackaging (jsc#SLE-4117,
  jsc#SLE-3853, bsc#1128910).
• kabi fixup blk_mq_register_dev() (bsc#1140637).
• kabi: x86/topology: Add CPUID.1F multi-die/package support
  (jsc#SLE-5454).
• kabi: x86/topology: Define topology_logical_die_id() (jsc#SLE-5454).
• kvm: x86: Include CPUID leaf 0x8000001e in kvm’s supported CPUID
  (bsc#1114279).
• kvm: x86: Include multiple indices with CPUID leaf 0x8000001d
  (bsc#1114279).
• libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
  (bsc#1051510).
• libnvdimm/bus: Prevent duplicate device_unregister() calls (bsc#1139865).
• libnvdimm, pfn: Fix over-trim in trim_pfn_device() (bsc#1140719).
• mac80211: Do not use stack memory with scatterlist for GMAC
  (bsc#1051510).
• mac80211: drop robust management frames from unknown TA (bsc#1051510).
• mac80211: handle deauthentication/disassociation from TDLS peer
  (bsc#1051510).
• media: v4l2-ioctl: clear fields in s_parm (bsc#1051510).
• mISDN: make sure device name is NUL terminated (bsc#1051510).
• mmc: core: Prevent processing SDIO IRQs when the card is suspended
  (bsc#1051510).
• module: Fix livepatch/ftrace module text permissions race (bsc#1071995).
• module: Fix livepatch/ftrace module text permissions race (bsc#1071995
  fate#323487).
• net: mvpp2: prs: Fix parser range for VID filtering (bsc#1098633).
• net: mvpp2: prs: Use the correct helpers when removing all VID filters
  (bsc#1098633).
• net: mvpp2: Use strscpy to handle stat strings (bsc#1098633).
• nfit/ars: Allow root to busy-poll the ARS state machine (bsc#1140814).
• nfit/ars: Avoid stale ARS results (jsc#SLE-5433).
• nfit/ars: Introduce scrub_flags (jsc#SLE-5433).
• ntp: Allow TAI-UTC offset to be set to zero (bsc#1135642).
• nvme: copy MTFA field from identify controller (bsc#1140715).
• nvme-rdma: fix double freeing of async event data (bsc#1120423).
• nvme-rdma: fix possible double free of controller async event buffer
  (bsc#1120423).
• ocfs2: try to reuse extent block in dealloc without meta_alloc
  (bsc#1128902).
• pci: PM: Skip devices in D0 for suspend-to-idle (bsc#1051510).
• pci: rpadlpar: Fix leaked device_node references in add/remove paths
  (bsc#1051510).
• perf/x86/intel/cstate: Support multi-die/package (jsc#SLE-5454).
• perf/x86/intel/rapl: Cosmetic rename internal variables in response to
  multi-die/pkg support (jsc#SLE-5454).
• perf/x86/intel/rapl: Support multi-die/package (jsc#SLE-5454).
• perf/x86/intel/uncore: Cosmetic renames in response to multi-die/pkg
  support (jsc#SLE-5454).
• perf/x86/intel/uncore: Support multi-die/package (jsc#SLE-5454).
• powercap/intel_rapl: Simplify rapl_find_package() (jsc#SLE-5454).
• powercap/intel_rapl: Support multi-die/package (jsc#SLE-5454).
• powercap/intel_rapl: Update RAPL domain name and debug messages
  (jsc#SLE-5454).
• powerpc/perf: Add PM_LD_MISS_L1 and PM_BR_2PATH to power9 event list
  (bsc#1137728, LTC#178106).
• powerpc/perf: Add POWER9 alternate PM_RUN_CYC and PM_RUN_INST_CMPL
  events (bsc#1137728, LTC#178106).
• powerpc/rtas: retry when cpu offline races with suspend/migration
  (bsc#1140428, LTC#178808).
• ppp: mppe: Add softdep to arc4 (bsc#1088047).
• qmi_wwan: add network device usage statistics for qmimux devices
  (bsc#1051510).
• qmi_wwan: add support for QMAP padding in the RX path (bsc#1051510).
• qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode
  (bsc#1051510).
• qmi_wwan: extend permitted QMAP mux_id value range (bsc#1051510).
• rapidio: fix a NULL pointer dereference when create_workqueue() fails
  (bsc#1051510).
• ras/CEC: Convert the timer callback to a workqueue (bsc#1114279).
• ras/CEC: Fix binary search function (bsc#1114279).
• Refresh patches.fixes/scsi-Introduce-scsi_start_queue.patch
  (bsc#1119532).
• Remove the previous subpackage infrastructure. This partially reverts
  commit 9b3ca32c11854156b2f950ff5e26131377d8445e (“Add
  kernel-subpackage-build.spec (FATE#326579).”)
• Replace the bluetooth fix with the upstream commit (bsc#1135556)
• Revert “Drop multiversion(kernel) from the KMP template ()”
  (bsc#1109137).
• Revert “Drop multiversion(kernel) from the KMP template (fate#323189)”
  (bsc#1109137). This reverts commit
  71504d805c1340f68715ad41958e5ef35da2c351.
• Revert “KMPs: obsolete older KMPs of the same flavour (bsc#1127155,
  bsc#1109137).”
• Revert “KMPs: provide and conflict a kernel version specific KMP name”
• Revert “Revert “Drop multiversion(kernel) from the KMP template ()””
• Revert “Revert “Drop multiversion(kernel) from the KMP template
  (fate#323189)”” This feature was requested for SLE15 but aws reverted
  in packaging and master.
• Revert “s390/jump_label: Use “jdd” constraint on gcc9 (bsc#1138589).”
• Revert “Sign non-x86 kernels when possible (boo#1134303)” This reverts
  commit bac621c6704610562ebd9e74ae5ad85ca8025681.
• Revert “svm: Fix AVIC incomplete IPI emulation” (bsc#1140133).
• rpm: Add arm64 dtb-allwinner subpackage 4.10 added
  arch/arm64/boot/dts/allwinner/.
• rpm: Add arm64 dtb-zte subpackage 4.9 added arch/arm64/boot/dts/zte/.
• rpm/kernel-binary.spec.in: Add back kernel-binary-base subpackage
  (jsc#SLE-3853).
• rpm/kernel-binary.spec.in: Build livepatch support in SUSE release
  projects (bsc#1124167).
• rpm/kernel-subpackage-build: handle arm kernel zImage.
• rpm/kernel-subpackage-spec: only provide firmware actually present in
  subpackage.
• rpm/package-descriptions: fix typo in kernel-azure
• rpm/post.sh: correct typo in err msg (bsc#1137625)
• s390/dasd: fix using offset into zero size array error (bsc#1051510).
• s390/jump_label: Use “jdd” constraint on gcc9 (bsc#1138589).
• s390/qeth: fix race when initializing the IP address table (bsc#1051510).
• s390/qeth: fix VLAN attribute in bridge_hostnotify udev event
  (bsc#1051510).
• s390/setup: fix early warning messages (bsc#1051510).
• s390/virtio: handle find on invalid queue gracefully (bsc#1051510).
• sbitmap: fix improper use of smp_mb__before_atomic() (bsc#1140658).
• scripts/git_sort/git_sort.py: add djbw/nvdimm nvdimm-pending.
• scripts/git_sort/git_sort.py: add nvdimm/libnvdimm-fixes
• scsi: core: add new RDAC LENOVO/DE_Series device (bsc#1132390).
• scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending()
  (bsc#1140727).
• scsi: qla2xxx: Fix FC-AL connection target discovery (bsc#1094555).
• scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS
  routines (bsc#1140728).
• scsi: qla2xxx: Fix N2N target discovery with Local loop (bsc#1094555).
• scsi: target/iblock: Fix overrun in WRITE SAME emulation (bsc#1140424).
• scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() (bsc#1135296).
• scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from
  port_remove (bsc#1051510).
• scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
  (bsc#1051510).
• scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP
  devices (bsc#1051510).
• scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only
  sdevs) (bsc#1051510).
• smb3: Fix endian warning (bsc#1137884).
• soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
  (bsc#1051510).
• soc: rockchip: Set the proper PWM for rk3288 (bsc#1051510).
• staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest
  (bsc#1051510).
• svm: Add warning message for AVIC IPI invalid target (bsc#1140133).
• svm: Fix AVIC incomplete IPI emulation (bsc#1140133).
• sysctl: handle overflow in proc_get_long (bsc#1051510).
• thermal: rcar_gen3_thermal: disable interrupt in .remove (bsc#1051510).
• thermal/x86_pkg_temp_thermal: Cosmetic: Rename internal variables to
  zones from packages (jsc#SLE-5454).
• thermal/x86_pkg_temp_thermal: Support multi-die/package (jsc#SLE-5454).
• tmpfs: fix link accounting when a tmpfile is linked in (bsc#1051510).
• tmpfs: fix uninitialized return value in shmem_link (bsc#1051510).
• topology: Create core_cpus and die_cpus sysfs attributes (jsc#SLE-5454).
• topology: Create package_cpus sysfs attribute (jsc#SLE-5454).
• tracing/snapshot: Resize spare buffer if size changed (bsc#1140726).
• Trim build dependencies of sample subpackage spec file (FATE#326579,
  jsc#SLE-4117, jsc#SLE-3853, bsc#1128910).
• Trim build dependencies of sample subpackage spec file (jsc#SLE-4117,
  jsc#SLE-3853, bsc#1128910).
• tty: max310x: Fix external crystal register setup (bsc#1051510).
• usb: chipidea: udc: workaround for endpoint conflict issue (bsc#1135642).
• usb: dwc2: host: Fix wMaxPacketSize handling (fix webcam regression)
  (bsc#1135642).
• usb: Fix chipmunk-like voice when using Logitech C270 for recording
  audio (bsc#1051510).
• usbnet: ipheth: fix racing condition (bsc#1051510).
• usb: serial: fix initial-termios handling (bsc#1135642).
• usb: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode
  (bsc#1051510).
• usb: serial: option: add Telit 0x1260 and 0x1261 compositions
  (bsc#1051510).
• usb: serial: pl2303: add Allied Telesis VT-Kit3 (bsc#1051510).
• usb: serial: pl2303: fix tranceiver suspend mode (bsc#1135642).
• usb: usb-storage: Add new ID to ums-realtek (bsc#1051510).
• usb: xhci: avoid null pointer deref when bos field is NULL (bsc#1135642).
• vfio: ccw: only free cp on final interrupt (bsc#1051510).
• vlan: disable SIOCSHWTSTAMP in container (bsc#1051510).
• x86/amd_nb: Add support for Raven Ridge CPUs ().
• x86/amd_nb: Add support for Raven Ridge CPUs (FATE#327735).
• x86/CPU/AMD: Do not force the CPB cap when running under a hypervisor
  (bsc#1114279).
• x86/cpufeatures: Carve out CQM features retrieval (jsc#SLE-5382).
• x86/cpufeatures: Combine word 11 and 12 into a new scattered features
  word (jsc#SLE-5382).
• x86/cpufeatures: Enumerate the new AVX512 BFLOAT16 instructions
  (jsc#SLE-5382).
• x86/CPU/hygon: Fix phys_proc_id calculation logic for multi-die
  processors ().
• x86/CPU/hygon: Fix phys_proc_id calculation logic for multi-die
  processors (fate#327735).
• x86/mce: Fix machine_check_poll() tests for error types (bsc#1114279).
• x86/microcode, cpuhotplug: Add a microcode loader CPU hotplug callback
  (bsc#1114279).
• x86/microcode: Fix microcode hotplug state (bsc#1114279).
• x86/microcode: Fix the ancient deprecated microcode loading method
  (bsc#1114279).
• x86/mm/mem_encrypt: Disable all instrumentation for early SME setup
  (bsc#1114279).
• x86/smpboot: Rename match_die() to match_pkg() (jsc#SLE-5454).
• x86/speculation/mds: Revert CPU buffer clear on double fault exit
  (bsc#1114279).
• x86/topology: Add CPUID.1F multi-die/package support (jsc#SLE-5454).
• x86/topology: Create topology_max_die_per_package() (jsc#SLE-5454).
• x86/topology: Define topology_die_id() (jsc#SLE-5454).
• x86/topology: Define topology_logical_die_id() (jsc#SLE-5454).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap 15.0:

  zypper in -t patch openSUSE-2019-1716=1