
Nov 15, 2021 - 12:00 a.m.

Security update for the Linux Kernel (important)






An update that solves 15 vulnerabilities and has 41 fixes
is now available.


The openSUSE Leap 15.2 kernel was updated to receive various security and

The following security bugs were fixed:

  • CVE-2018-13405: The inode_init_owner function in fs/inode.c allowed
    local users to create files with an unintended group ownership, in a
    scenario where a directory is SGID to a certain group and is writable by
    a user who is not a member of that group. Here, the non-member can
    trigger creation of a plain file whose group ownership is that group.
    The intended behavior was that the non-member can trigger creation of a
    directory (but not a plain file) whose group ownership is that group.
    The non-member can escalate privileges by making the plain file
    executable and SGID (bnc#1100416 bnc#1129735).
  • CVE-2021-33033: The Linux kernel had a use-after-free in cipso_v4_genopt
    in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for
    the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to
    writing an arbitrary value (bnc#1186109 bnc#1188876).
  • CVE-2021-34556: An unprivileged BPF program can obtain sensitive
    information from kernel memory via a Speculative Store Bypass
    side-channel attack because the protection mechanism neglects the
    possibility of uninitialized memory locations on the BPF stack
  • CVE-2021-35477: An unprivileged BPF program can obtain sensitive
    information from kernel memory via a Speculative Store Bypass
    side-channel attack because a certain preempting store operation did not
    necessarily occur before a store operation that has an
    attacker-controlled value (bnc#1188985).
  • CVE-2021-3655: Missing size validations on inbound SCTP packets may have
    allowed the kernel to read uninitialized memory (bnc#1188563
  • CVE-2021-3715: Fixed a use-after-free in route4_change() in
    net/sched/cls_route.c (bsc#1190349).
  • CVE-2021-3760: Fixed a use-after-free vulnerability with the
    ndev->rf_conn_info object (bsc#1190067).
  • CVE-2021-3772: Invalid chunks may be used to remotely remove existing
    associations (bsc#1190351).
  • CVE-2021-3896: Fixed an array-index-out-of-bounds in detach_capi_ctr in
    drivers/isdn/capi/kcapi.c (bsc#1191958).
  • CVE-2021-41864: prealloc_elems_and_freelist in kernel/bpf/stackmap.c
    allowed unprivileged users to trigger an eBPF multiplication integer
    overflow with a resultant out-of-bounds write (bnc#1191317).
  • CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c
    had a slab out-of-bounds write. Input from a process that has the
    CAP_NET_ADMIN capability can lead to root access (bnc#1191315).
  • CVE-2021-42252: An issue was discovered in aspeed_lpc_ctrl_mmap in
    drivers/soc/aspeed/aspeed-lpc-ctrl.c where local attackers who were able
    to access the Aspeed LPC control interface could overwrite memory in the
    kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This
    occurs because a certain comparison uses values that are not memory
    sizes (bnc#1190479).
  • CVE-2021-42739: The firewire subsystem had a buffer overflow related to
    drivers/media/firewire/firedtv-avc.c and
    drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled
    bounds checking (bnc#1184673 bnc#1192036).
  • CVE-2021-42739: The firewire subsystem had a buffer overflow related to
    drivers/media/firewire/firedtv-avc.c and
    drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled
    bounds checking (bsc#1184673).
  • CVE-2021-43056: It allowed a malicious KVM guest to crash the host, when
    the host is running on Power8, due to an
    arch/powerpc/kvm/book3s_hv_rmhandlers.S implementation bug in the
    handling of the SRR1 register values (bnc#1192107).
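
A defensive audit for the CVE-2018-13405 scenario described above, as an added example that is not part of the advisory: it lists SGID directories writable by users outside the owning group, and SGID-executable plain files in them whose owner is not a member of the file's group. The names `audit` and `is_member` are illustrative; only mode bits and local passwd/group data are read, and POSIX ACLs are not examined (assumption).

```python
#!/usr/bin/env python3
"""Audit a tree for the CVE-2018-13405 precondition and its after-effects.

Added example, not part of the advisory. Function names are illustrative.
"""
import grp
import os
import pwd
import stat
import sys


def is_member(uid, gid):
    """True if uid is root or has gid as primary or supplementary group."""
    if uid == 0:
        return True  # root can assign group ownership directly
    try:
        user = pwd.getpwuid(uid)
    except KeyError:
        return False  # unknown uid: treat as outside the group
    if user.pw_gid == gid:
        return True
    try:
        return user.pw_name in grp.getgrgid(gid).gr_mem
    except KeyError:
        return False


def audit(root, member=is_member):
    """Return (exposed_dirs, suspect_files) found under root."""
    exposed, suspect = [], []
    sgid_exec = stat.S_ISGID | stat.S_IXGRP
    for dirpath, _dirs, files in os.walk(root):
        d = os.lstat(dirpath)
        if not (d.st_mode & stat.S_ISGID):
            continue
        # Precondition: writable by "other", or by an owner outside the group.
        other_w = bool(d.st_mode & stat.S_IWOTH)
        owner_w = bool(d.st_mode & stat.S_IWUSR) and not member(d.st_uid, d.st_gid)
        if not (other_w or owner_w):
            continue
        exposed.append(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                f = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            # After-effect: plain file carrying the directory's group, SGID and
            # group-executable, owned by someone who is not in that group.
            if (stat.S_ISREG(f.st_mode)
                    and f.st_gid == d.st_gid
                    and (f.st_mode & sgid_exec) == sgid_exec
                    and not member(f.st_uid, f.st_gid)):
                suspect.append(path)
    return exposed, suspect


if __name__ == "__main__":
    for top in sys.argv[1:]:
        dirs, found = audit(top)
        for p in dirs:
            print("exposed-dir ", p)
        for p in found:
            print("suspect-file", p)
```

Run it with one or more directory paths as arguments; directories it reports remain worth tightening after the update, since the kernel fix changes how new files are created there, not the directory permissions.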

The following non-security bugs were fixed:

  • acpi/arm64: fix next_platform_timer() section mismatch error (git-fixes).
  • ACPI: bgrt: Fix CFI violation (git-fixes).
  • ACPI: fix NULL pointer dereference (git-fixes).
  • ACPI: Use DEVICE_ATTR_<RW|RO|WO> macros (git-fixes).
  • Add cherry-picked commit id to the usb hso fix (git-fixes)
  • Add obsolete_rebuilds_subpackage (boo#1172073 bsc#1191731).
  • ALSA: hda: avoid write to STATESTS if controller is in reset (git-fixes).
  • ALSA: hda/realtek: Add quirk for Clevo PC50HS (git-fixes).
  • ALSA: hda/realtek: Add quirk for Clevo X170KM-G (git-fixes).
  • ALSA: hda/realtek - ALC236 headset MIC recording issue (git-fixes).
  • ALSA: hda/realtek: Complete partial device name to avoid ambiguity
  • ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW
  • ALSA: seq: Fix a potential UAF by wrong private_free call order
  • ALSA: usb-audio: Add quirk for VF0770 (git-fixes).
  • ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset (git-fixes).
  • ASoC: DAPM: Fix missing kctl change notifications (git-fixes).
  • ASoC: wm8960: Fix clock configuration on slave mode (git-fixes).
  • ata: ahci_platform: fix null-ptr-deref in
    ahci_platform_enable_regulators() (git-fixes).
  • ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init()
  • audit: fix possible null-pointer dereference in audit_filter_rules
  • bfq: Remove merged request already in bfq_requests_merged()
  • blk: Fix lock inversion between ioc lock and bfqd lock (bsc#1191456).
  • blktrace: Fix uaf in blk_trace access after removing by sysfs
  • block: bfq: fix bfq_set_next_ioprio_data() (bsc#1191451).
  • bnxt_en: Fix TX timeout when TX ring size is set to the smallest
  • bpf: Add bpf_patch_call_args prototype to include/linux/bpf.h
  • bpf: Fix a typo of reuseport map in bpf.h (git-fixes).
  • bpf: Fix up bpf_skb_adjust_room helper’s skb csum setting (git-fixes).
  • can: dev: can_restart: fix use after free bug (git-fixes).
  • can: peak_pci: peak_pci_remove(): fix UAF (git-fixes).
  • can: peak_usb: fix use after free bugs (git-fixes).
  • can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE
    state notification (git-fixes).
  • can: rcar_can: fix suspend/resume (git-fixes).
  • can: ti_hecc: ti_hecc_probe(): add missed clk_disable_unprepare() in
    error path (git-fixes).
  • can: xilinx_can: handle failure cases of pm_runtime_get_sync (git-fixes).
  • cb710: avoid NULL pointer subtraction (git-fixes).
  • ceph: fix handling of “meta” errors (bsc#1192041).
  • ceph: skip existing superblocks that are blocklisted or shut down when
    mounting (bsc#1192040).
  • cfg80211: scan: fix RCU in cfg80211_add_nontrans_list() (git-fixes).
  • drm/amd/display: Pass PCI deviceid into DC (git-fixes).
  • drm/amdgpu: fix pin_count leak (git-fixes).
  • drm/msm/dsi: Fix an error code in msm_dsi_modeset_init() (git-fixes).
  • drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling
  • drm/msm: Fix null pointer dereference on pointer edp (git-fixes).
  • drm/nouveau/debugfs: fix file release memory leak (git-fixes).
  • drm/panel: olimex-lcd-olinuxino: select CRC32 (git-fixes).
  • e1000e: Fix packet loss on Tiger Lake and later (git-fixes).
  • e100: fix buffer overrun in e100_get_regs (git-fixes).
  • e100: fix length calculation in e100_get_regs_len (git-fixes).
  • e100: handle eeprom as little endian (git-fixes).
  • ext4: fix reserved space counter leakage (bsc#1191450).
  • ext4: report correct st_size for encrypted symlinks (bsc#1191449).
  • fscrypt: add fscrypt_symlink_getattr() for computing st_size
  • fs, mm: fix race in unlinking swapfile (bsc#1191455).
  • gpio: pca953x: Improve bias setting (git-fixes).
  • gve: Avoid freeing NULL pointer (git-fixes).
  • gve: Correct available tx qpl check (git-fixes).
  • gve: fix gve_get_stats() (git-fixes).
  • gve: Properly handle errors in gve_assign_qpl (bsc#1176940).
  • gve: report 64bit tx_bytes counter from gve_handle_report_stats()
  • HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS
  • HID: betop: fix slab-out-of-bounds Write in betop_probe (git-fixes).
  • HID: u2fzero: ignore incomplete packets without data (git-fixes).
  • HID: usbhid: free raw_report buffers in usbhid_stop (git-fixes).
  • HID: wacom: Add new Intuos BT (CTL-4100WL/CTL-6100WL) device IDs
  • hso: fix bailout in error case of probe (git-fixes).
  • i2c: acpi: fix resource leak in reconfiguration device addition
  • i40e: Fix ATR queue selection (git-fixes).
  • i40e: fix endless loop under rtnl (git-fixes).
  • i40e: Fix freeing of uninitialized misc IRQ vector (git-fixes).
  • iavf: fix double unlock of crit_lock (git-fixes).
  • ice: Add missing E810 device ids (jsc#SLE-7966 bsc#1157177).
  • ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition (bsc#1191241).
  • iio: adc128s052: Fix the error handling path of ‘adc128_probe()’
  • iio: adc: aspeed: set driver data when adc probe (git-fixes).
  • iio: dac: ti-dac5571: fix an error code in probe() (git-fixes).
  • iio: light: opt3001: Fixed timeout error when 0 lux (git-fixes).
  • iio: mtk-auxadc: fix case IIO_CHAN_INFO_PROCESSED (git-fixes).
  • iio: ssp_sensors: add more range checking in ssp_parse_dataframe()
  • iio: ssp_sensors: fix error code in ssp_print_mcu_debug() (git-fixes).
  • Input: snvs_pwrkey - add clk handling (git-fixes).
  • Input: xpad - add support for another USB ID of Nacon GC-100 (git-fixes).
  • ionic: do not remove netdev->dev_addr when syncing uc list (bsc#1167773).
  • ipv6/netfilter: Discard first fragment not including all headers
  • IPv6: reply ICMP error if the first fragment do not include all headers
  • isdn: cpai: check ctr->cnr to avoid array index out of bound (git-fixes).
  • isdn: mISDN: Fix sleeping function called from invalid context
  • ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup (git-fixes).
  • kabi: block: Fix kabi of blk_mq_sched_try_insert_merge() (bsc#1191456).
  • kernel-binary.spec: Do not sign kernel when no key provided
  • KVM: PPC: Book3S HV Nested: Reflect guest PMU in-use to L0 when guest
    SPRs are live (bsc#1156395).
  • KVM: PPC: Book3S HV Nested: Sanitise H_ENTER_NESTED TM state
  • KVM: PPC: Book3S HV: Save host FSCR in the P7/8 path (bsc#1065729).
  • KVM: PPC: Book3S HV: Tolerate treclaim. in fake-suspend mode changing
    registers (bsc#1156395).
  • KVM: PPC: Fix clearing never mapped TCEs in realmode (bsc#1156395).
  • KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak (bsc#1156395).
  • lan78xx: select CRC32 (git-fixes).
  • libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD
  • mac80211: check return value of rhashtable_init (git-fixes).
  • mac80211: Drop frames from invalid MAC address in ad-hoc mode
  • mei: me: add Ice Lake-N device id (git-fixes).
  • mlx5: count all link events (git-fixes).
  • mlxsw: thermal: Fix out-of-bounds memory accesses (git-fixes).
  • mmc: dw_mmc: exynos: fix the finding clock sample value (git-fixes).
  • mmc: meson-gx: do not use memcpy_to/fromio for dram-access-quirk
  • mmc: vub300: fix control-message timeouts (git-fixes).
  • net/af_unix: fix a data-race in unix_dgram_poll (bsc#1154353).
  • net: batman-adv: fix error handling (git-fixes).
  • net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size()
  • net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
  • net: cdc_eem: fix tx fixup skb leak (git-fixes).
  • net: cdc_ncm: correct overhead in delayed_ndp_size (git-fixes).
  • netfilter: conntrack: collect all entries in one cycle (bsc#1173604).
  • net: hns3: fix vf reset workqueue cannot exit (bsc#1154353).
  • net: hso: add failure handler for add_net_device (git-fixes).
  • net: hso: fix NULL-deref on disconnect regression (git-fixes).
  • net: hso: fix null-ptr-deref during tty device unregistration
  • net: ipv6: Discard next-hop MTU less than minimum link MTU (bsc#1191241).
  • net: lan78xx: fix division by zero in send path (git-fixes).
  • net: mana: Fix error handling in mana_create_rxq() (git-fixes,
  • net/mlx4_en: Do not allow aRFS for encapsulated packets (git-fixes).
  • net/mlx4_en: Resolve bad operstate value (git-fixes).
  • net/mlx5e: Mutually exclude RX-FCS and RX-port-timestamp (git-fixes).
  • net/mlx5: Fix unpublish devlink parameters (jsc#SLE-8464).
  • net/mlx5: FWTrace, cancel work on alloc pd error flow (git-fixes).
  • net: usb: Fix uninit-was-stored issue in asix_read_phy_addr()
  • NFC: digital: fix possible memory leak in digital_in_send_sdd_req()
  • NFC: digital: fix possible memory leak in digital_tg_listen_mdaa()
  • nfc: fix error handling of nfc_proto_register() (git-fixes).
  • nfc: port100: fix using -ERRNO as command type mask (git-fixes).
  • nfs: dir_cookie is a pointer to the cookie in older kernels, not the
    cookie itself. (bsc#1191628 bsc#1192549).
  • NFS: Do uncached readdir when we’re seeking a cookie in an empty page
    cache (bsc#1191628).
  • nvme: add command id quirk for apple controllers (git-fixes).
  • nvme-fc: avoid race between time out and tear down (bsc#1185762).
  • nvme-fc: remove freeze/unfreeze around update_nr_hw_queues (bsc#1185762).
  • nvme-fc: update hardware queues before using them (bsc#1185762).
  • nvme-pci: Fix abort command id (git-fixes).
  • nvme-pci: fix error unwind in nvme_map_data (bsc#1191934).
  • nvme-pci: refactor nvme_unmap_data (bsc#1191934).
  • ocfs2: fix data corruption after conversion from inline format
  • pata_legacy: fix a couple uninitialized variable bugs (git-fixes).
  • PCI: Fix pci_host_bridge struct device release/free handling (git-fixes).
  • phy: mdio: fix memory leak (git-fixes).
  • platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call
  • platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from
    run_smbios_call (git-fixes).
  • platform/x86: intel_scu_ipc: Update timeout value in comment (git-fixes).
  • powerpc/bpf: Fix BPF_MOD when imm == 1 (bsc#1065729).
  • powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 (bsc#1065729).
  • powerpc/bpf: Use bctrl for making function calls (bsc#1065729).
  • powerpc/lib: Fix emulate_step() std test (bsc#1065729).
  • powerpc/pseries: Fix build error when NUMA=n (bsc#1190620 ltc#194498
  • powerpc/xive: Discard disabled interrupts in get_irqchip_state()
    (bsc#1085030 git-fixes).
  • pseries/eeh: Fix the kdump kernel crash during eeh_pseries_init
  • ptp_pch: Load module automatically if ID matches (git-fixes).
  • ptp_pch: Restore dependency on PCI (git-fixes).
  • qed: Fix missing error code in qed_slowpath_start() (git-fixes).
  • qed: Handle management FW error (git-fixes).
  • qed: rdma - do not wait for resources under hw error recovery flow
  • regmap: Fix possible double-free in regcache_rbtree_exit() (git-fixes).
  • rpm: use _rpmmacrodir (boo#1191384)
  • scsi: lpfc: Allow fabric node recovery if recovery is in progress before
    devloss (bsc#1192145).
  • scsi: lpfc: Allow PLOGI retry if previous PLOGI was aborted
  • scsi: lpfc: Correct sysfs reporting of loop support after SFP status
    change (bsc#1192145).
  • scsi: lpfc: Fix link down processing to address NULL pointer dereference
  • scsi: lpfc: Fix memory overwrite during FC-GS I/O abort handling
  • scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine (bsc#1192145).
  • scsi: lpfc: Revert LOG_TRACE_EVENT back to LOG_INIT prior to
    driver_resource_setup() (bsc#1192145).
  • scsi: lpfc: Update lpfc version to (bsc#1192145).
  • scsi: lpfc: Wait for successful restart of SLI3 adapter during host
    sg_reset (bsc#1192145).
  • scsi: qla2xxx: Add debug print of 64G link speed (bsc#1190941).
  • scsi: qla2xxx: Add host attribute to trigger MPI hang (bsc#1190941).
  • scsi: qla2xxx: Add support for mailbox passthru (bsc#1190941).
  • scsi: qla2xxx: Adjust request/response queue size for 28xx (bsc#1190941).
  • scsi: qla2xxx: Call process_response_queue() in Tx path (bsc#1190941).
  • scsi: qla2xxx: Changes to support FCP2 Target (bsc#1190941).
  • scsi: qla2xxx: Changes to support kdump kernel (bsc#1190941).
  • scsi: qla2xxx: Changes to support kdump kernel for NVMe BFS
  • scsi: qla2xxx: Check for firmware capability before creating QPair
  • scsi: qla2xxx: Display 16G only as supported speeds for 3830c card
  • scsi: qla2xxx: Do not call fc_block_scsi_eh() during bus reset
  • scsi: qla2xxx: edif: Add N2N support for EDIF (bsc#1190941).
  • scsi: qla2xxx: edif: Do secure PLOGI when auth app is present
  • scsi: qla2xxx: edif: Fix EDIF enable flag (bsc#1190941).
  • scsi: qla2xxx: edif: Fix returnvar.cocci warnings (bsc#1190941).
  • scsi: qla2xxx: edif: Fix stale session (bsc#1190941).
  • scsi: qla2xxx: edif: Reject AUTH ELS on session down (bsc#1190941).
  • scsi: qla2xxx: edif: Use link event to wake up app (bsc#1190941).
  • scsi: qla2xxx: Fix crash in NVMe abort path (bsc#1190941).
  • scsi: qla2xxx: Fix excessive messages during device logout (bsc#1190941).
  • scsi: qla2xxx: Fix hang during NVMe session tear down (bsc#1190941).
  • scsi: qla2xxx: Fix hang on NVMe command timeouts (bsc#1190941).
  • scsi: qla2xxx: Fix kernel crash when accessing port_speed sysfs file
  • scsi: qla2xxx: Fix NPIV create erroneous error (bsc#1190941).
  • scsi: qla2xxx: Fix NVMe | FCP personality change (bsc#1190941).
  • scsi: qla2xxx: Fix NVMe retry (bsc#1190941).
  • scsi: qla2xxx: Fix NVMe session down detection (bsc#1190941).
  • scsi: qla2xxx: Fix port type info (bsc#1190941).
  • scsi: qla2xxx: Fix unsafe removal from linked list (bsc#1190941).
  • scsi: qla2xxx: Fix use after free in eh_abort path (bsc#1190941).
  • scsi: qla2xxx: Move heartbeat handling from DPC thread to workqueue
  • scsi: qla2xxx: Open-code qla2xxx_eh_device_reset() (bsc#1190941).
  • scsi: qla2xxx: Open-code qla2xxx_eh_target_reset() (bsc#1190941).
  • scsi: qla2xxx: Remove redundant initialization of pointer req
  • scsi: qla2xxx: Restore initiator in dual mode (bsc#1190941).
  • scsi: qla2xxx: Show OS name and version in FDMI-1 (bsc#1190941).
  • scsi: qla2xxx: Suppress unnecessary log messages during login
  • scsi: qla2xxx: Sync queue idx with queue_pair_map idx (bsc#1190941).
  • scsi: qla2xxx: Update version to (bsc#1190941).
  • scsi: qla2xxx: Update version to (bsc#1190941).
  • scsi: qla2xxx: Update version to (bsc#1190941).
  • scsi: qla2xxx: Use scsi_cmd_to_rq() instead of scsi_cmnd.request
  • sctp: check asoc peer.asconf_capable before processing asconf
  • soc: qcom: mdt_loader: Drop PT_LOAD check on hash segment (git-fixes).
  • spi: spi-nxp-fspi: do not depend on a specific node name erratum
    workaround (git-fixes).
  • tpm: ibmvtpm: Avoid error message when process gets signal while waiting
  • USB: cdc-acm: clean up probe error labels (git-fixes).
  • USB: cdc-acm: fix minor-number release (git-fixes).
  • usb: hso: fix error handling code of hso_create_net_device (git-fixes).
  • usb: hso: remove the bailout parameter (git-fixes).
  • usb: musb: dsps: Fix the probe error path (git-fixes).
  • USB: serial: option: add prod. id for Quectel EG91 (git-fixes).
  • USB: serial: option: add Quectel EC200S-CN module support (git-fixes).
  • USB: serial: option: add Telit LE910Cx composition 0x1204 (git-fixes).
  • USB: serial: qcserial: add EM9191 QDL support (git-fixes).
  • USB: xhci: dbc: fix tty registration race (git-fixes).
  • video: fbdev: gbefb: Only instantiate device when built for IP32
  • virtio: write back F_VERSION_1 before validate (git-fixes).
  • watchdog: orion: use 0 for unset heartbeat (git-fixes).
  • x86/pat: Pass valid address to sanitize_phys() (bsc#1152489).
  • x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions
  • x86/resctrl: Free the ctrlval arrays when domain_setup_mon_state() fails
  • xen: fix setting of max_pfn in shared_info (git-fixes).
  • xen: reset legacy rtc flag for PV domU (git-fixes).
  • xfs: ensure that the inode uid/gid match values match the icdinode ones
  • xfs: fix log intent recovery ENOSPC shutdowns when inactivating inodes
  • xfs: merge the projid fields in struct xfs_icdinode (bsc#1190006).
  • xfs: remove the icdinode di_uid/di_gid members (bsc#1190006).
  • xhci: Enable trust tx length quirk for Fresco FL11 USB controller
  • xhci: Fix command ring pointer corruption while aborting a command
  • xhci: guard accesses to ep_state in xhci_endpoint_reset() (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.2:

    zypper in -t patch openSUSE-2021-1477=1

Affected products:

  • openSUSE Leap 15.2 (noarch)
  • openSUSE Leap 15.2 (x86_64)