
A Linux Kernel security update has been released for SUSE Linux Enterprise and openSUSE Leap 15.3/15.4.



SUSE-SU-2022:2172-1: important: Security update for the Linux Kernel


SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2022:2172-1
Rating: important
References: #1177282 #1184924 #1198924 #1199365 #1199482 #1200015 #1200143 #1200144 #1200206 #1200207 #1200249 #1200259 #1200263 #1200343 #1200494 #1200529 #1200604
Cross-References: CVE-2020-26541 CVE-2022-1012 CVE-2022-1966 CVE-2022-1974 CVE-2022-1975 CVE-2022-20141 CVE-2022-32250
CVSS scores:
CVE-2020-26541 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVE-2022-1012 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
CVE-2022-1966 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-1966 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-1974 (SUSE): 6.8 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-1975 (SUSE): 4.5 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE-2022-20141 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-20141 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-32250 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-32250 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Module for Public Cloud 15-SP3
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________

An update that solves 7 vulnerabilities and has 10 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated.

The following security bugs were fixed:

- CVE-2022-1012: Fixed a small table perturb size in the TCP source port generation algorithm which could lead to an information leak. (bsc#1199482)
- CVE-2022-20141: Fixed a use-after-free due to improper locking. This bug could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. (bnc#1200604)
- CVE-2022-32250: Fixed a use-after-free bug in the netfilter subsystem. This flaw allowed a local attacker with user access to cause a privilege escalation issue. (bnc#1200015)
- CVE-2022-1975: Fixed a sleep-in-atomic bug that allows an attacker to crash the Linux kernel by simulating an NFC device from user space. (bsc#1200143)
- CVE-2022-1974: Fixed a use-after-free that could cause a kernel crash by simulating an NFC device from user space. (bsc#1200144)
- CVE-2020-26541: Enforce the secure boot forbidden signature database (aka dbx) protection mechanism. (bnc#1177282)

The following non-security bugs were fixed:

- ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default (git-fixes).
- ACPI: sysfs: Fix BERT error region memory mapping (git-fixes).
- ACPI: sysfs: Make sparse happy about address space in use (git-fixes).
- ALSA: hda/conexant - Fix loopback issue with CX20632 (git-fixes).
- ALSA: usb-audio: Optimize TEAC clock quirk (git-fixes).
- ALSA: usb-audio: Set up (implicit) sync for Saffire 6 (git-fixes).
- ALSA: usb-audio: Skip generic sync EP parse for secondary EP (git-fixes).
- ALSA: usb-audio: Workaround for clock setup on TEAC devices (git-fixes).
- arm64: dts: rockchip: Move drive-impedance-ohm to emmc phy on rk3399 (git-fixes)
- ASoC: dapm: Do not fold register value changes into notifications (git-fixes).
- ASoC: max98357a: remove dependency on GPIOLIB (git-fixes).
- ASoC: rt5645: Fix errorenous cleanup order (git-fixes).
- ASoC: tscs454: Add endianness flag in snd_soc_component_driver (git-fixes).
- ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files (git-fixes).
- ath9k: fix QCA9561 PA bias level (git-fixes).
- b43: Fix assigning negative value to unsigned variable (git-fixes).
- b43legacy: Fix assigning negative value to unsigned variable (git-fixes).
- blk-mq: fix tag_get wait task can't be awakened (bsc#1200263).
- blk-mq: Fix wrong wakeup batch configuration which will cause hang (bsc#1200263).
- block: fix bio_clone_blkg_association() to associate with proper blkcg_gq (bsc#1200259).
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- certs/blacklist_hashes.c: fix const confusion in certs blacklist (git-fixes).
- cfg80211: set custom regdomain after wiphy registration (git-fixes).
- clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value (git-fixes).
- clocksource/drivers/sp804: Avoid error on multiple instances (git-fixes).
- dma-buf: fix use of DMA_BUF_SET_NAME_{A,B} in userspace (git-fixes).
- dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type (git-fixes).
- drivers: i2c: thunderx: Allow driver to work with ACPI defined TWSI controllers (git-fixes).
- drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop() (git-fixes).
- drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop() (git-fixes).
- drivers: tty: serial: Fix deadlock in sa1100_set_termios() (git-fixes).
- drivers: usb: host: Fix deadlock in oxu_bus_suspend() (git-fixes).
- drm: imx: fix compiler warning with gcc-12 (git-fixes).
- drm: msm: fix error check return value of irq_of_parse_and_map() (git-fixes).
- drm/amdgpu/cs: make commands with 0 chunks illegal behaviour (git-fixes).
- drm/amdgpu/smu10: fix SoC/fclk units in auto mode (git-fixes).
- drm/amdgpu/ucode: Remove firmware load type check in amdgpu_ucode_free_bo (git-fixes).
- drm/atomic: Force bridge self-refresh-exit on CRTC switch (git-fixes).
- drm/bridge: analogix_dp: Support PSR-exit to disable transition (git-fixes).
- drm/i915: Fix -Wstringop-overflow warning in call to intel_read_wm_latency() (git-fixes).
- drm/i915: fix i915_globals_exit() section mismatch error (git-fixes).
- drm/i915: Update TGL and RKL DMC firmware versions (bsc#1198924).
- drm/i915/reset: Fix error_state_read ptr + offset use (git-fixes).
- drm/komeda: return early if drm_universal_plane_init() fails (git-fixes).
- drm/msm/dsi: fix address for second DSI PHY on SDM660 (git-fixes).
- drm/plane: Move range check for format_count earlier (git-fixes).
- drm/radeon: fix a possible null pointer dereference (git-fixes).
- drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes (git-fixes).
- efi: Add missing prototype for efi_capsule_setup_info (git-fixes).
- efi: Do not import certificates from UEFI Secure Boot for T2 Macs (git-fixes).
- fbcon: Consistently protect deferred_takeover with console_lock() (git-fixes).
- ftrace: Clean up hash direct_functions on register failures (git-fixes).
- HID: bigben: fix slab-out-of-bounds Write in bigben_probe (git-fixes).
- HID: multitouch: Add support for Google Whiskers Touchpad (git-fixes).
- hwmon: Make chip parameter for with_info API mandatory (git-fixes).
- i2c: cadence: Increase timeout per message if necessary (git-fixes).
- i2c: ismt: Provide a DMA buffer for Interrupt Cause Logging (git-fixes).
- iio: dummy: iio_simple_dummy: check the return value of kstrdup() (git-fixes).
- Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag (git-fixes).
- Input: goodix - fix spurious key release events (git-fixes).
- ipw2x00: Fix potential NULL dereference in libipw_xmit() (git-fixes).
- irqchip: irq-xtensa-mx: fix initial IRQ affinity (git-fixes).
- irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x (git-fixes).
- irqchip/aspeed-i2c-ic: Fix irq_of_parse_and_map() return value (git-fixes).
- irqchip/exiu: Fix acknowledgment of edge triggered interrupts (git-fixes).
- iwlwifi: mvm: fix assert 1F04 upon reconfig (git-fixes).
- KVM: fix wrong exception emulation in check_rdtsc (git-fixes).
- KVM: nVMX: Invalidate all roots when emulating INVVPID without EPT (git-fixes).
- KVM: nVMX: Query current VMCS when determining if MSR bitmaps are in use (git-fixes).
- KVM: nVMX: Set LDTR to its architecturally defined value on nested VM-Exit (git-fixes).
- KVM: nVMX: Unconditionally clear nested.pi_pending on nested VM-Enter (git-fixes).
- KVM: s390: pv: add macros for UVC CC values (git-fixes).
- KVM: s390: pv: avoid double free of sida page (git-fixes).
- KVM: s390: pv: avoid stalls for kvm_s390_pv_init_vm (git-fixes).
- KVM: s390: vsie/gmap: reduce gmap_rmap overhead (git-fixes).
- KVM: VMX: Flush all EPTP/VPID contexts on remote TLB flush (git-fixes).
- KVM: VMX: Use current VMCS to query WAITPKG support for MSR emulation (git-fixes).
- KVM: x86: clflushopt should be treated as a no-op by emulation (git-fixes).
- KVM: x86: Do not force set BSP bit when local APIC is managed by userspace (git-fixes).
- KVM: x86: Fix emulation in writing cr8 (git-fixes).
- KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce (git-fixes).
- KVM: x86: Immediately reset the MMU context when the SMM flag is cleared (git-fixes).
- KVM: x86: Inject #GP if guest attempts to toggle CR4.LA57 in 64-bit mode (git-fixes).
- KVM: x86: Mark CR4.TSD as being possibly owned by the guest (git-fixes).
- KVM: x86: Migrate the PIT only if vcpu0 is migrated, not any BSP (git-fixes).
- KVM: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode (git-fixes).
- KVM: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode (git-fixes).
- KVM: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU (git-fixes).
- KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor() (git-fixes).
- KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] (git-fixes).
- mac80211: upgrade passive scan to active scan on DFS channels after beacon rx (git-fixes).
- md: fix an incorrect NULL check in does_sb_need_changing (git-fixes).
- md: fix an incorrect NULL check in md_reload_sb (git-fixes).
- media: cx25821: Fix the warning when removing the module (git-fixes).
- media: netup_unidvb: Do not leak SPI master in probe error path (git-fixes).
- media: pci: cx23885: Fix the error handling in cx23885_initdev() (git-fixes).
- media: venus: hfi: avoid null dereference in deinit (git-fixes).
- misc: rtsx: set NULL intfdata when probe fails (git-fixes).
- mmc: block: Fix CQE recovery reset success (git-fixes).
- mmc: jz4740: Apply DMA engine limits to maximum segment size (git-fixes).
- modpost: fix removing numeric suffixes (git-fixes).
- modpost: fix undefined behavior of is_arm_mapping_symbol() (git-fixes).
- mt76: check return value of mt76_txq_send_burst in mt76_txq_schedule_list (git-fixes).
- mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue (git-fixes).
- net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg (git-fixes).
- net: rtlwifi: properly check for alloc_workqueue() failure (git-fixes).
- nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION (git-fixes).
- nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION (git-fixes).
- nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling (git-fixes).
- NFS: Do not report ENOSPC write errors twice (git-fixes).
- nfsd: Fix null-ptr-deref in nfsd_fill_super() (git-fixes).
- PCI: hv: Fix NUMA node assignment when kernel boots with custom NUMA topology (bsc#1199365).
- pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards (git-fixes).
- pinctrl: sunxi: fix f1c100s uart2 function (git-fixes).
- platform/chrome: cros_ec_proto: Send command again when timeout occurs (git-fixes).
- platform/x86: wmi: Fix driver->notify() vs ->probe() race (git-fixes).
- platform/x86: wmi: Replace read_takes_no_args with a flags field (git-fixes).
- PM / devfreq: rk3399_dmc: Disable edev on remove() (git-fixes).
- powerpc/rtas: Allow ibm,platform-dump RTAS call with null buffer address (bsc#1200343 ltc#198477).
- raid5: introduce MD_BROKEN (git-fixes).
- random: Add and use pr_fmt() (bsc#1184924).
- random: remove unnecessary unlikely() (bsc#1184924).
- rtl818x: Prevent using not initialized queues (git-fixes).
- rtlwifi: Use pr_warn instead of WARN_ONCE (git-fixes).
- s390: fix detection of vector enhancements facility 1 vs. vector packed decimal facility (git-fixes).
- s390: fix strrchr() implementation (git-fixes).
- s390/cio: dont call css_wait_for_slow_path() inside a lock (git-fixes).
- s390/cio: Fix the "type" field in s390_cio_tpi tracepoint (git-fixes).
- s390/crypto: fix scatterwalk_unmap() callers in AES-GCM (git-fixes).
- s390/ctcm: fix potential memory leak (git-fixes).
- s390/ctcm: fix variable dereferenced before check (git-fixes).
- s390/dasd: fix data corruption for ESE devices (bsc#1200207 LTC#198454).
- s390/dasd: Fix read for ESE with blksize 4k (bsc#1200206 LTC#198455).
- s390/dasd: Fix read inconsistency for ESE DASD devices (bsc#1200206 LTC#198455).
- s390/dasd: prevent double format of tracks for ESE devices (bsc#1200207 LTC#198454).
- s390/ftrace: fix ftrace_update_ftrace_func implementation (git-fixes).
- s390/lcs: fix variable dereferenced before check (git-fixes).
- s390/mcck: fix invalid KVM guest condition check (git-fixes).
- s390/mcck: isolate SIE instruction when setting CIF_MCCK_GUEST flag (git-fixes).
- s390/nmi: handle guarded storage validity failures for KVM guests (git-fixes).
- s390/nmi: handle vector validity failures for KVM guests (git-fixes).
- s390/pv: fix the forcing of the swiotlb (git-fixes).
- s390/qdio: cancel the ESTABLISH ccw after timeout (git-fixes).
- s390/qdio: fix roll-back after timeout on ESTABLISH ccw (git-fixes).
- s390/vfio-ap: fix circular lockdep when setting/clearing crypto masks (git-fixes).
- serial: msm_serial: disable interrupts in __msm_console_write() (git-fixes).
- spi: Introduce device-managed SPI controller allocation (git-fixes).
- spi: spi-rspi: Remove setting {src,dst}_{addr,addr_width} based on DMA direction (git-fixes).
- spi: stm32-qspi: Fix wait_cmd timeout in APM mode (git-fixes).
- staging: rtl8712: fix uninit-value in r871xu_drv_init() (git-fixes).
- staging: rtl8712: fix uninit-value in usb_read8() and friends (git-fixes).
- tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator (git-fixes).
- tty: Fix a possible resource leak in icom_probe (git-fixes).
- tty: synclink_gt: Fix null-pointer-dereference in slgt_clean() (git-fixes).
- usb: core: hcd: Add support for deferring roothub registration (git-fixes).
- usb: dwc2: gadget: do not reset gadget's driver->bus (git-fixes).
- usb: hcd-pci: Fully suspend across freeze/thaw cycle (git-fixes).
- usb: host: isp116x: check return value after calling platform_get_resource() (git-fixes).
- usb: new quirk for Dell Gen 2 devices (git-fixes).
- usb: serial: option: add Quectel BG95 modem (git-fixes).
- vfio-ccw: Check initialized flag in cp_init() (git-fixes).
- vfio/ccw: Remove unneeded GFP_DMA (git-fixes).
- video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove() (git-fixes).
- virtio/s390: implement virtio-ccw revision 2 correctly (git-fixes).
- vringh: Fix loop descriptors check in the indirect cases (git-fixes).
- watchdog: wdat_wdt: Stop watchdog when rebooting the system (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:

zypper in -t patch openSUSE-SLE-15.3-2022-2172=1

- SUSE Linux Enterprise Module for Public Cloud 15-SP3:

zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2022-2172=1
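A post-install check for the steps above, added here as an example and not part of the SUSE advisory: it tells apart a host that still lacks the fixed kernel-azure package, one that has it installed but has not rebooted, and one that is running it. The function names are hypothetical, the sample inputs are constructed, and it assumes GNU sort -V and that "uname -r" reports the package version without the final rebuild counter and with an "-azure" suffix.

```shell
#!/bin/sh
# Fixed kernel-azure version, taken from the package list of this advisory.
FIXED="5.3.18-150300.38.62.1"

# ver_ge A B: succeed when version A >= B. Uses GNU sort -V, which orders
# these purely numeric, same-shaped strings the same way rpm does.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# patch_status INSTALLED RUNNING
#   INSTALLED: newest installed kernel-azure as VERSION-RELEASE
#   RUNNING:   output of "uname -r" (assumed form: 5.3.18-150300.38.62-azure)
# Prints one of: vulnerable | reboot-required | patched
patch_status() {
    installed=$1
    running=${2%-azure}              # drop the kernel flavour suffix
    if ! ver_ge "$installed" "$FIXED"; then
        echo "vulnerable"            # fixed package not installed yet
        return 0
    fi
    # Assumption: uname -r omits the last release field, so compare the
    # running release against FIXED with that field removed.
    if ver_ge "$running" "${FIXED%.*}"; then
        echo "patched"
    else
        echo "reboot-required"       # package present, old kernel still booted
    fi
}

# check_host: run the same check against the local system.
check_host() {
    newest=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-azure | sort -V | tail -n 1)
    patch_status "$newest" "$(uname -r)"
}

# Constructed sample inputs (not taken from a real host):
patch_status "5.3.18-150300.38.59.1" "5.3.18-150300.38.59-azure"   # before update
patch_status "5.3.18-150300.38.62.1" "5.3.18-150300.38.59-azure"   # updated, not rebooted
patch_status "5.3.18-150300.38.62.1" "5.3.18-150300.38.62-azure"   # updated and rebooted
```

On a SUSE host with kernel-azure installed, call check_host instead of the sample lines.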

Package List:

- openSUSE Leap 15.3 (noarch):

kernel-devel-azure-5.3.18-150300.38.62.1
kernel-source-azure-5.3.18-150300.38.62.1

- openSUSE Leap 15.3 (x86_64):

cluster-md-kmp-azure-5.3.18-150300.38.62.1
cluster-md-kmp-azure-debuginfo-5.3.18-150300.38.62.1
dlm-kmp-azure-5.3.18-150300.38.62.1
dlm-kmp-azure-debuginfo-5.3.18-150300.38.62.1
gfs2-kmp-azure-5.3.18-150300.38.62.1
gfs2-kmp-azure-debuginfo-5.3.18-150300.38.62.1
kernel-azure-5.3.18-150300.38.62.1
kernel-azure-debuginfo-5.3.18-150300.38.62.1
kernel-azure-debugsource-5.3.18-150300.38.62.1
kernel-azure-devel-5.3.18-150300.38.62.1
kernel-azure-devel-debuginfo-5.3.18-150300.38.62.1
kernel-azure-extra-5.3.18-150300.38.62.1
kernel-azure-extra-debuginfo-5.3.18-150300.38.62.1
kernel-azure-livepatch-devel-5.3.18-150300.38.62.1
kernel-azure-optional-5.3.18-150300.38.62.1
kernel-azure-optional-debuginfo-5.3.18-150300.38.62.1
kernel-syms-azure-5.3.18-150300.38.62.1
kselftests-kmp-azure-5.3.18-150300.38.62.1
kselftests-kmp-azure-debuginfo-5.3.18-150300.38.62.1
ocfs2-kmp-azure-5.3.18-150300.38.62.1
ocfs2-kmp-azure-debuginfo-5.3.18-150300.38.62.1
reiserfs-kmp-azure-5.3.18-150300.38.62.1
reiserfs-kmp-azure-debuginfo-5.3.18-150300.38.62.1

- SUSE Linux Enterprise Module for Public Cloud 15-SP3 (x86_64):
kernel-azure-5.3.18-150300.38.62.1
kernel-azure-debuginfo-5.3.18-150300.38.62.1
kernel-azure-debugsource-5.3.18-150300.38.62.1
kernel-azure-devel-5.3.18-150300.38.62.1
kernel-azure-devel-debuginfo-5.3.18-150300.38.62.1
kernel-syms-azure-5.3.18-150300.38.62.1

- SUSE Linux Enterprise Module for Public Cloud 15-SP3 (noarch):
kernel-devel-azure-5.3.18-150300.38.62.1
kernel-source-azure-5.3.18-150300.38.62.1

References:

  https://www.suse.com/security/cve/CVE-2020-26541.html
  https://www.suse.com/security/cve/CVE-2022-1012.html
  https://www.suse.com/security/cve/CVE-2022-1966.html
  https://www.suse.com/security/cve/CVE-2022-1974.html
  https://www.suse.com/security/cve/CVE-2022-1975.html
  https://www.suse.com/security/cve/CVE-2022-20141.html
  https://www.suse.com/security/cve/CVE-2022-32250.html
  https://bugzilla.suse.com/1177282
  https://bugzilla.suse.com/1184924
  https://bugzilla.suse.com/1198924
  https://bugzilla.suse.com/1199365
  https://bugzilla.suse.com/1199482
  https://bugzilla.suse.com/1200015
  https://bugzilla.suse.com/1200143
  https://bugzilla.suse.com/1200144
  https://bugzilla.suse.com/1200206
  https://bugzilla.suse.com/1200207
  https://bugzilla.suse.com/1200249
  https://bugzilla.suse.com/1200259
  https://bugzilla.suse.com/1200263
  https://bugzilla.suse.com/1200343
  https://bugzilla.suse.com/1200494
  https://bugzilla.suse.com/1200529
  https://bugzilla.suse.com/1200604