SUSE-SU-2021:3935-1 -- SLES kernel, kgraft-patch-4_4_180-94_150-default

ID: oval:org.secpod.oval:def:89045863
Date: (C) 2021-12-31 (M) 2024-04-17
Class: PATCH
Family: unix




The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- Unprivileged BPF has been disabled by default to reduce attack surface, as too many security issues have happened in the past. You can re-enable it via sysctl by setting /proc/sys/kernel/unprivileged_bpf_disabled to 0.
- CVE-2021-31916: An out-of-bounds memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel. A bound check failure allowed an attacker with special user privilege to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictable to avoid information leaks about UDP ports in use.
- CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails.
- CVE-2020-12655: An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.
- CVE-2021-43389: There was an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.
- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c called unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
- CVE-2021-34556: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack.
- CVE-2021-35477: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation did not necessarily occur before a store operation that has an attacker-controlled value.
- CVE-2017-17862: kernel/bpf/verifier.c in the Linux kernel ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service.
- CVE-2017-17864: kernel/bpf/verifier.c in the Linux kernel mishandled states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allowed local users to obtain potentially sensitive address information, aka a pointer leak.
- CVE-2021-20265: A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allowed an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.
- CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb.
- CVE-2021-3655: Missing size validations on inbound SCTP packets may have allowed the kernel to read uninitialized memory.
- CVE-2018-13405: The inode_init_owner function in fs/inode.c in the Linux kernel allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
- CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object.
- CVE-2021-42739: The firewire subsystem in the Linux kernel has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking.
- CVE-2021-3542: Fixed heap buffer overflow in the firedtv driver.
- CVE-2021-33033: The Linux kernel has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
- CVE-2020-14305: An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allowed an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
- CVE-2021-3715: Fixed a use-after-free in route4_change in net/sched/cls_route.c.
- CVE-2021-3896: Fixed an array-index-out-of-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c.
- CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.
- CVE-2020-3702: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption, with a consequent possibility of information disclosure over the air for a discrete set of traffic.
- CVE-2021-3752: Fixed a use-after-free vulnerability in the Linux kernel's bluetooth module.
- CVE-2021-40490: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel.
- CVE-2021-3640: Fixed a use-after-free vulnerability in function sco_sock_sendmsg in the bluetooth stack.
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c.
- CVE-2021-3753: Fixed a race out-of-bounds in virtual terminal handling.
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files.
- CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB provided by the L1 guest to spawn/handle a nested guest. Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to enable AVIC support for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c in the Linux kernel allowed physically proximate attackers to cause a denial of service by removing a MAX-3421 USB device in certain situations.
- CVE-2021-3679: A lack of CPU resource in the Linux kernel tracing module functionality, in versions prior to 5.14-rc3, was found in the way a user uses the trace ring buffer in a specific way. Only privileged local users could use this flaw to starve the resources, causing denial of service.
- CVE-2018-16882: A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested virtualization is enabled. In nested_get_vmcs12_pages, in case of an error while processing the posted interrupt address, it unmaps the "pi_desc_page" without resetting the "pi_desc" descriptor address, which is later used in pi_test_and_clear_on. A guest user/process could use this flaw to crash the host kernel, resulting in DoS, or potentially gain privileged access to a system. Kernel versions and are vulnerable.
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
- CVE-2020-4788: IBM Power9 processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.
- CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc in net/mac802154/llsec.c.
- CVE-2021-37576: arch/powerpc/kvm/book3s_rtas.c in the Linux kernel on the powerpc platform allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.

The following non-security bugs were fixed:

- PCI: hv: Use expected affinity when unmasking IRQ
- SUNRPC: improve error response to over-size gss credential
- Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- blacklist.conf: Drop a line that was added by mistake
- bpf: Add kconfig knob for disabling unpriv bpf by default
- bpf: Disallow unprivileged bpf by default
- bpf: properly enforce index mask to prevent out-of-bounds speculation
- config: disable unprivileged BPF by default
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode
- ftrace: Fix scripts/recordmcount.pl due to new binutils
- hv: mana: adjust mana_select_queue to old API
- hv: mana: declare vzalloc
- hv: mana: fake bitmap API
- hv: mana: remove netdev_lockdep_set_classes usage
- kABI: protect struct bpf_map
- mm: replace open coded page to virt conversion with page_to_virt
- net/mlx4_en: Avoid scheduling restart task if it is already running
- net/mlx4_en: Handle TX error CQE
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow
- net: mana: Add a driver for Microsoft Azure Network Adapter
- net: mana: Add support for EQ sharing
- net: mana: Fix a memory leak in an error handling path in .
- net: mana: Fix error handling in mana_create_rxq
- net: mana: Move NAPI from EQ to CQ
- net: mana: Use int to check the return value of mana_gd_poll_cq
- net: mana: fix PCI_HYPERV dependency
- net: mana: remove redundant initialization of variable err
- net: sched: sch_teql: fix null-pointer dereference
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant
- s390/bpf: Fix branch shortening during codegen pass
- s390/bpf: Fix optimizing out zero-extensions
- s390/bpf: Wrap JIT macro parameter usages in parentheses
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_*
- scsi: sg: add sg_remove_request in sg_write
- sctp: check asoc peer.asconf_capable before processing asconf
- sctp: fully initialize v4 addr in some functions
- sctp: simplify addr copy
- x86/CPU: Add more Icelake model numbers
- x86/tlb: Flush global mappings when KAISER is disabled

Special Instructions and Notes: Please reboot the system after installing this update.
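As an added example that is not part of this SecPod record, the Python below parses the flattened "- CVE-ID: description ." bullets of the advisory text into a per-CVE map and reconciles it against the record's Reference list, which is how a vulnerability-management pipeline would catch a CVE that is referenced but never described (or the reverse). The sample text and reference list are constructed from a few entries on this page; CVE-2021-3659 is deliberately left out of the sample text so the mismatch report has something to show.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: three "- CVE-ID: text ." bullets copied from the flattened
# advisory above, followed by the start of the non-security bug list.
ADVISORY_TEXT = (
    "The following security bugs were fixed: "
    "- CVE-2021-31916: An out-of-bounds memory write flaw was found in list_devices "
    "in drivers/md/dm-ioctl.c . "
    "- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive . "
    "- CVE-2021-34556: An unprivileged BPF program can obtain sensitive information "
    "from kernel memory via a Speculative Store Bypass side-channel attack . "
    "The following non-security bugs were fixed: - bpf: Disallow unprivileged bpf by default ."
)

# Constructed sample of the page's Reference list; CVE-2021-3659 is listed but has
# no bullet in ADVISORY_TEXT, so reconcile() below should report it.
REFERENCE_CVES = ["CVE-2021-31916", "CVE-2021-20322", "CVE-2021-34556", "CVE-2021-3659"]

# A bullet starts with "- CVE-YYYY-NNNN:"; its description runs until the next
# such bullet, the non-security section header, or the end of the text.
CVE_BULLET = re.compile(
    r"-\s+(CVE-\d{4}-\d{4,})\s*:\s*(.*?)"
    r"(?=\s+-\s+CVE-\d{4}-\d{4,}\s*:|\s+The following non-security|\Z)",
    re.S,
)


def parse_fixed_cves(text: str) -> Dict[str, str]:
    """Map each CVE id in the flattened bullet list to its cleaned description."""
    fixed: Dict[str, str] = {}
    for cve_id, desc in CVE_BULLET.findall(text):
        desc = " ".join(desc.split())  # collapse extraction whitespace
        if desc.endswith(" ."):  # "text ." is left over from a stripped bug reference
            desc = desc[:-2] + "."
        fixed[cve_id] = desc
    return fixed


def reconcile(text: str, reference: List[str]) -> Tuple[List[str], List[str]]:
    """Return (CVEs described but not referenced, CVEs referenced but not described)."""
    in_text, in_ref = set(parse_fixed_cves(text)), set(reference)
    return sorted(in_text - in_ref), sorted(in_ref - in_text)


if __name__ == "__main__":
    for cve, desc in parse_fixed_cves(ADVISORY_TEXT).items():
        print(f"{cve}: {desc}")
    print("unreferenced, undescribed:", reconcile(ADVISORY_TEXT, REFERENCE_CVES))
```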

Platform:
SUSE Linux Enterprise Server 12 SP3
Product:
kernel
kgraft-patch-4_4_180-94_150-default
Reference:
SUSE-SU-2021:3935-1
CVE-2017-17862
CVE-2017-17864
CVE-2018-13405
CVE-2018-16882
CVE-2020-0429
CVE-2020-12655
CVE-2020-14305
CVE-2020-3702
CVE-2020-4788
CVE-2021-20265
CVE-2021-20322
CVE-2021-31916
CVE-2021-33033
CVE-2021-34556
CVE-2021-34981
CVE-2021-35477
CVE-2021-3640
CVE-2021-3653
CVE-2021-3655
CVE-2021-3659
CVE-2021-3679
CVE-2021-3715
CVE-2021-37159
CVE-2021-3732
CVE-2021-3752
CVE-2021-3753
CVE-2021-37576
CVE-2021-3760
CVE-2021-3772
CVE-2021-38160
CVE-2021-38198
CVE-2021-38204
CVE-2021-40490
CVE-2021-42008
CVE-2021-42739
CVE-2021-43389

© SecPod Technologies