
SUSE-SU-2018:3084-1 -- SLES kernel

ID: oval:org.secpod.oval:def:89002147
Date: (C)2021-02-25   (M)2024-04-17
Class: PATCH
Family: unix




The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.

- CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest.
- CVE-2018-10876: A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space function when mounting and operating a crafted ext4 image.
- CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs function when operating on a crafted ext4 filesystem image.
- CVE-2018-10878: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image.
- CVE-2018-10879: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image.
- CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data. An attacker could use this to cause a system crash and a denial of service.
- CVE-2018-10881: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
- CVE-2018-10882: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image.
- CVE-2018-10883: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc in snd_rawmidi_input_params and snd_rawmidi_output_status which are part of snd_rawmidi_ioctl handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.
- CVE-2018-10938: A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM and NetLabel should be set up on a system before an attacker could leverage this flaw.
- CVE-2018-10940: The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c allowed local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory.
- CVE-2018-12896: An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun and siginfo::si_overrun, random. For example, a local user can cause a denial of service via crafted mmap, futex, timer_create, and timer_settime system calls.
- CVE-2018-13093: There is a NULL pointer dereference and panic in lookup_slow on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation.
- CVE-2018-13094: An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode is called with a NULL bp.
- CVE-2018-13095: A denial of service can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.
- CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup in fs/hfsplus/dir.c when opening a file in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.
- CVE-2018-14678: The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S did not properly maintain RBX, which allowed local users to cause a denial of service. Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.
- CVE-2018-15572: The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks.
- CVE-2018-15594: arch/x86/kernel/paravirt.c mishandled certain indirect calls, which made it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.
- CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges.
- CVE-2018-16658: An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940.
- CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free via certain thread creation, map, unmap, invalidation, and dereference operations.
- CVE-2018-6554: Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service by repeatedly binding an AF_IRDA socket.
- CVE-2018-6555: The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service or possibly have unspecified other impact via an AF_IRDA socket.
- CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file.
- CVE-2018-9363: A buffer overflow in bluetooth HID report processing could be used by malicious bluetooth devices to crash the kernel or potentially execute code.

The following security bugs were fixed:

- CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service or possibly have unspecified other impact by triggering a creation failure.

The following non-security bugs were fixed:

- atm: Preserve value of skb->truesize when accounting to vcc.
- bcache: avoid unncessary cache prefetch bch_btree_node_get.
- bcache: calculate the number of incremental GC nodes according to the total of btree nodes.
- bcache: display rate debug parameters to 0 when writeback is not running.
- bcache: do not check return value of debugfs_create_dir.
- bcache: finish incremental GC.
- bcache: fix error setting writeback_rate through sysfs interface.
- bcache: fix I/O significant decline while backend devices registering.
- bcache: free heap cache_set->flush_btree in bch_journal_free.
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section.
- bcache: release dc->writeback_lock properly in bch_writeback_thread.
- bcache: set max writeback rate when I/O request is idle.
- bcache: simplify the calculation of the total amount of flash dirty data.
- ext4: check for allocation block validity with block group locked.
- ext4: do not update checksum of new initialized bitmaps.
- ext4: fix check to prevent initializing reserved inodes.
- ext4: fix false negatives *and* false positives in ext4_check_descriptors.
- ibmvnic: Include missing return code checks in reset function.
- kABI: protect struct x86_emulate_ops.
- kabi/severities: Ignore missing cpu_tss_tramp
- kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+.
- kvm: MMU: always terminate page walks at level 1.
- kvm: MMU: simplify last_pte_bitmap.
- kvm: nVMX: update last_nonleaf_level when initializing nested EPT.
- kvm: VMX: fixes for vmentry_l1d_flush module parameter.
- kvm: VMX: Work around kABI breakage in "enum vmx_l1d_flush_state".
- net: add skb_condense helper.
- net: adjust skb->truesize in pskb_expand_head.
- net: adjust skb->truesize in ___pskb_trim.
- net: ena: Eliminate duplicate barriers on weakly-ordered archs.
- net: ena: fix device destruction to gracefully free resources.
- net: ena: fix driver when PAGE_SIZE == 64kB.
- net: ena: fix incorrect usage of memory barriers.
- net: ena: fix missing calls to READ_ONCE.
- net: ena: fix missing lock during device destruction.
- net: ena: fix potential double ena_destroy_device.
- net: ena: fix surprise unplug NULL dereference kernel crash.
- net: ena: Fix use of uninitialized DMA address bits field.
- netfilter: xt_CT: fix refcnt leak on error path.
- netlink: do not enter direct reclaim from netlink_trim.
- nfs: Use an appropriate work queue for direct-write completion.
- ovl: fix random return value on mount.
- ovl: fix uid/gid when creating over whiteout.
- ovl: modify ovl_permission to do checks on two inodes.
- ovl: override creds with the ones from the superblock mounter.
- powerpc: Avoid code patching freed init sections.
- powerpc/livepatch: Fix livepatch stack access.
- powerpc/modules: Do not try to restore r2 after a sibling call.
- powerpc/tm: Avoid possible userspace r1 corruption on reclaim.
- powerpc/tm: Fix userspace r13 corruption.
- provide special timeout module parameters for EC2.
- stop_machine: Atomically queue and wake stopper threads.
- stop_machine, sched: Fix migrate_swap vs. active_balance deadlock.
- usbip: vhci_sysfs: fix potential Spectre v1.
- x86/entry/64: Remove %ebx handling from error_entry/exit.
- x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM.
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+.
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM.
- x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry.
- x86: Drop kernel trampoline stack. It is involved in breaking kdump/kexec infrastructure.
- xen: avoid crash in disable_hotplug_cpu.
- xen/blkback: do not keep persistent grants too long.
- xen/blkback: move persistent grants flags to bool.
- xen/blkfront: cleanup stale persistent grants.
- xen/blkfront: reorder tests in xlblk_init.
- xfs: add a new xfs_iext_lookup_extent_before helper.
- xfs: add asserts for the mmap lock in xfs_{insert,collapse}_file_space.
- xfs: add a xfs_bmap_fork_to_state helper.
- xfs: add a xfs_iext_update_extent helper.
- xfs: add comments documenting the rebalance algorithm.
- xfs: add some comments to xfs_iext_insert/xfs_iext_insert_node.
- xfs: add xfs_trim_extent.
- xfs: allow unaligned extent records in xfs_bmbt_disk_set_all.
- xfs: borrow indirect blocks from freed extent when available.
- xfs: cleanup xfs_bmap_last_before.
- xfs: do not create overlapping extents in xfs_bmap_add_extent_delay_real.
- xfs: do not rely on extent indices in xfs_bmap_collapse_extents.
- xfs: do not rely on extent indices in xfs_bmap_insert_extents.
- xfs: do not set XFS_BTCUR_BPRV_WASDEL in xfs_bunmapi.
- xfs: during btree split, save new block key & ptr for future insertion.
- xfs: factor out a helper to initialize a local format inode fork.
- xfs: fix memory leak in xfs_iext_free_last_leaf.
- xfs: fix number of records handling in xfs_iext_split_leaf.
- xfs: handle indlen shortage on delalloc extent merge.
- xfs: handle zero entries case in xfs_iext_rebalance_leaf.
- xfs: improve kmem_realloc.
- xfs: inline xfs_shift_file_space into callers.
- xfs: introduce the xfs_iext_cursor abstraction.
- xfs: iterate over extents in xfs_bmap_extents_to_btree.
- xfs: iterate over extents in xfs_iextents_copy.
- xfs: make better use of the "state" variable in xfs_bmap_del_extent_real.
- xfs: merge xfs_bmap_read_extents into xfs_iread_extents.
- xfs: move pre/post-bmap tracing into xfs_iext_update_extent.
- xfs: move some code around inside xfs_bmap_shift_extents.
- xfs: move some more code into xfs_bmap_del_extent_real.
- xfs: move xfs_bmbt_irec and xfs_exntst_t to xfs_types.h.
- xfs: move xfs_iext_insert tracepoint to report useful information.
- xfs: new inode extent list lookup helpers.
- xfs: pass an on-disk extent to xfs_bmbt_validate_extent.
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_lookup_eq.
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_update.
- xfs: pass struct xfs_bmbt_irec to xfs_bmbt_validate_extent.
- xfs: provide helper for counting extents from if_bytes.
- xfs: refactor delalloc accounting in xfs_bmap_add_extent_delay_real.
- xfs: refactor delalloc indlen reservation split into helper.
- xfs: refactor dir2 leaf readahead shadow buffer cleverness.
- xfs: refactor xfs_bmap_add_extent_delay_real.
- xfs: refactor xfs_bmap_add_extent_hole_delay.
- xfs: refactor xfs_bmap_add_extent_hole_real.
- xfs: refactor xfs_bmap_add_extent_unwritten_real.
- xfs: refactor xfs_bunmapi_cow.
- xfs: refactor xfs_del_extent_real.
- xfs: remove a duplicate assignment in xfs_bmap_add_extent_delay_real.
- xfs: remove all xfs_bmbt_set_* helpers except for xfs_bmbt_set_all.
- xfs: remove a superflous assignment in xfs_iext_remove_node.
- xfs: Remove dead code from inode recover function.
- xfs: remove if_rdev.
- xfs: remove prev argument to xfs_bmapi_reserve_delalloc.
- xfs: remove support for inlining data/extents into the inode fork.
- xfs: remove the never fully implemented UUID fork format.
- xfs: remove the nr_extents argument to xfs_iext_insert.
- xfs: remove the nr_extents argument to xfs_iext_remove.
- xfs: remove XFS_BMAP_MAX_SHIFT_EXTENTS.
- xfs: remove XFS_BMAP_TRACE_EXLIST.
- xfs: remove xfs_bmbt_get_state.
- xfs: remove xfs_bmse_shift_one.
- xfs: rename bno to end in __xfs_bunmapi.
- xfs: repair malformed inode items during log recovery.
- xfs: replace xfs_bmbt_lookup_ge with xfs_bmbt_lookup_first.
- xfs: replace xfs_qm_get_rtblks with a direct call to xfs_bmap_count_leaves.
- xfs: rewrite getbmap using the xfs_iext_* helpers.
- xfs: rewrite xfs_bmap_count_leaves using xfs_iext_get_extent.
- xfs: rewrite xfs_bmap_first_unused to make better use of xfs_iext_get_extent.
- xfs: simplify the xfs_getbmap interface.
- xfs: simplify validation of the unwritten extent bit.
- xfs: split indlen reservations fairly when under reserved.
- xfs: split xfs_bmap_shift_extents.
- xfs: switch xfs_bmap_local_to_extents to use xfs_iext_insert.
- xfs: treat idx as a cursor in xfs_bmap_add_extent_delay_real.
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_delay.
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_real.
- xfs: treat idx as a cursor in xfs_bmap_add_extent_unwritten_real.
- xfs: treat idx as a cursor in xfs_bmap_collapse_extents.
- xfs: treat idx as a cursor in xfs_bmap_del_extent_*.
- xfs: update freeblocks counter after extent deletion.
- xfs: update got in xfs_bmap_shift_update_extent.
- xfs: use a b+tree for the in-core extent list.
- xfs: use correct state defines in xfs_bmap_del_extent_{cow,delay}.
- xfs: use new extent lookup helpers in xfs_bmapi_read.
- xfs: use new extent lookup helpers in xfs_bmapi_write.
- xfs: use new extent lookup helpers in __xfs_bunmapi.
- xfs: use the state defines in xfs_bmap_del_extent_real.
- xfs: use xfs_bmap_del_extent_delay for the data fork as well.
- xfs: use xfs_iext_*_extent helpers in xfs_bmap_shift_extents.
- xfs: use xfs_iext_*_extent helpers in xfs_bmap_split_extent_at.
- xfs: use xfs_iext_get_extent instead of open coding it.
- xfs: use xfs_iext_get_extent in xfs_bmap_first_unused.

Special Instructions and Notes: Please reboot the system after installing this update.

Platform:
SUSE Linux Enterprise Server 12 SP2
Product:
kernel
Reference:
SUSE-SU-2018:3084-1
CVE-2018-10853
CVE-2018-10876
CVE-2018-10877
CVE-2018-10878
CVE-2018-10879
CVE-2018-10880
CVE-2018-10881
CVE-2018-10882
CVE-2018-10883
CVE-2018-10902
CVE-2018-10938
CVE-2018-10940
CVE-2018-12896
CVE-2018-13093
CVE-2018-13094
CVE-2018-13095
CVE-2018-14617
CVE-2018-14678
CVE-2018-15572
CVE-2018-15594
CVE-2018-16276
CVE-2018-16658
CVE-2018-17182
CVE-2018-6554
CVE-2018-6555
CVE-2018-7480
CVE-2018-7757
CVE-2018-9363

© SecPod Technologies