
             AUSCERT External Security Bulletin Redistribution

        SUSE Security Update: Security updates for the Linux Kernel
                             15 February 2018


        AusCERT Security Bulletin Summary

Product:           kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Root Compromise        -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000004 CVE-2017-18079 CVE-2017-17806
                   CVE-2017-17805 CVE-2017-17741 CVE-2017-13215
                   CVE-2017-5715 CVE-2015-1142857 

Reference:         ASB-2018.0030

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for the Linux Kernel

Announcement ID:    SUSE-SU-2018:0437-1
Rating:             important
References:         #1012382 #1047626 #1068032 #1070623 #1073311 
                    #1073792 #1073874 #1075091 #1075908 #1075994 
                    #1076017 #1076110 #1076154 #1076278 #1077355 
                    #1077560 #1077922 #893777 #893949 #902893 
Cross-References:   CVE-2015-1142857 CVE-2017-13215 CVE-2017-17741
                    CVE-2017-17805 CVE-2017-17806 CVE-2017-18079
                    CVE-2017-5715 CVE-2018-1000004
Affected Products:
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12

   An update that solves 8 vulnerabilities and has 13 fixes is
   now available.


   The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2017-5715: Systems with microprocessors utilizing speculative
     execution and indirect branch prediction may allow unauthorized
     disclosure of information to an attacker with local user access via a
     side-channel analysis (bnc#1068032).

     The previous fix using CPU Microcode has been complemented by building
     the Linux Kernel with return trampolines aka "retpolines".

   - CVE-2017-18079: drivers/input/serio/i8042.c allowed attackers to cause a
     denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact because the port->exists value
     can change after it is validated (bnc#1077922)
   - CVE-2015-1142857: Prevent guests from sending ethernet flow control
     pause frames via the PF (bnc#1077355)
   - CVE-2017-17741: KVM allowed attackers to obtain potentially sensitive
     information from kernel memory, aka a write_mmio stack-based
     out-of-bounds read (bnc#1073311)
   - CVE-2017-13215: Prevent elevation of privilege (bnc#1075908)
   - CVE-2018-1000004: Prevent race condition in the sound system, this could
     have led to a deadlock and denial of service condition (bnc#1076017)
   - CVE-2017-17806: The HMAC implementation did not validate that the
     underlying cryptographic hash algorithm is unkeyed, allowing a local
     attacker able to use the AF_ALG-based hash interface
     (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm
     (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by
     executing a crafted sequence of system calls that encounter a missing
     SHA-3 initialization (bnc#1073874)
   - CVE-2017-17805: The Salsa20 encryption algorithm did not correctly
     handle zero-length inputs, allowing a local attacker able to use the
     AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to
     cause a denial of service (uninitialized-memory free and kernel crash)
     or have unspecified other impact by executing a crafted sequence of
     system calls that use the blkcipher_walk API. Both the generic
     implementation (crypto/salsa20_generic.c) and x86 implementation
     (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable (bnc#1073792)
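
   The two AF_ALG entries above only apply when the named kernel options are compiled in, so a build-configuration check helps prioritise hosts. The script below is an added example, not part of the SUSE advisory: it reads a kernel config file and reports which of the two CVEs have their preconditions enabled. The /boot/config-<release> path and the CONFIG_CRYPTO_SALSA20* symbol names are assumptions taken from upstream kernel conventions, not from this bulletin.

```shell
#!/bin/sh
# Added example: report which AF_ALG-related CVEs from this advisory have
# their build-time preconditions enabled in a kernel config file.
# It says nothing about whether the fix is installed.

# kconfig_enabled <config-file> <symbol-regex>
# True when the symbol is built in (=y) or built as a module (=m).
# "# CONFIG_X is not set" lines and absent symbols count as disabled.
kconfig_enabled() {
    grep -Eqs "^($2)=(y|m)\$" "$1"
}

# af_alg_exposure [config-file]
# Prints "no-config", "none", or a space-separated list of CVE ids.
af_alg_exposure() {
    # Assumed default location of the running kernel's config.
    cfg="${1:-/boot/config-$(uname -r)}"
    if [ ! -r "$cfg" ]; then
        echo "no-config"
        return 2
    fi
    result=""
    # CVE-2017-17806: hash interface plus SHA-3, both named in the advisory.
    if kconfig_enabled "$cfg" 'CONFIG_CRYPTO_USER_API_HASH' &&
       kconfig_enabled "$cfg" 'CONFIG_CRYPTO_SHA3'; then
        result="CVE-2017-17806"
    fi
    # CVE-2017-17805: skcipher interface (named in the advisory) plus a
    # Salsa20 implementation (symbol names assumed from upstream Kconfig).
    if kconfig_enabled "$cfg" 'CONFIG_CRYPTO_USER_API_SKCIPHER' &&
       kconfig_enabled "$cfg" 'CONFIG_CRYPTO_SALSA20(_586|_X86_64)?'; then
        result="${result:+$result }CVE-2017-17805"
    fi
    echo "${result:-none}"
}

# Run against the booted kernel only when asked to: ./script.sh --check
if [ "${1:-}" = "--check" ]; then
    af_alg_exposure
fi
```

   A result of "none" means the interfaces or algorithms are not built for that kernel; any listed CVE id means the host depends on the update for that issue.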

   The following non-security bugs were fixed:

   - bcache allocator: send discards with correct size (bsc#1047626).
   - bcache.txt: standardize document format (bsc#1076110).
   - bcache: Abstract out stuff needed for sorting (bsc#1076110).
   - bcache: Add a cond_resched() call to gc (bsc#1076110).
   - bcache: Add a real GC_MARK_RECLAIMABLE (bsc#1076110).
   - bcache: Add bch_bkey_equal_header() (bsc#1076110).
   - bcache: Add bch_btree_keys_u64s_remaining() (bsc#1076110).
   - bcache: Add bch_keylist_init_single() (bsc#1047626).
   - bcache: Add btree_insert_node() (bnc#951638).
   - bcache: Add btree_map() functions (bsc#1047626).
   - bcache: Add btree_node_write_sync() (bsc#1076110).
   - bcache: Add explicit keylist arg to btree_insert() (bnc#951638).
   - bcache: Add make_btree_freeing_key() (bsc#1076110).
   - bcache: Add on error panic/unregister setting (bsc#1047626).
   - bcache: Add struct bset_sort_state (bsc#1076110).
   - bcache: Add struct btree_keys (bsc#1076110).
   - bcache: Allocate bounce buffers with GFP_NOWAIT (bsc#1076110).
   - bcache: Avoid deadlocking in garbage collection (bsc#1076110).
   - bcache: Avoid nested function definition (bsc#1076110).
   - bcache: Better alloc tracepoints (bsc#1076110).
   - bcache: Better full stripe scanning (bsc#1076110).
   - bcache: Bkey indexing renaming (bsc#1076110).
   - bcache: Break up struct search (bsc#1076110).
   - bcache: Btree verify code improvements (bsc#1076110).
   - bcache: Bypass torture test (bsc#1076110).
   - bcache: Change refill_dirty() to always scan entire disk if necessary
   - bcache: Clean up cache_lookup_fn (bsc#1076110).
   - bcache: Clean up keylist code (bnc#951638).
   - bcache: Convert bch_btree_insert() to bch_btree_map_leaf_nodes()
   - bcache: Convert bch_btree_read_async() to bch_btree_map_keys()
   - bcache: Convert btree_insert_check_key() to btree_insert_node()
   - bcache: Convert btree_iter to struct btree_keys (bsc#1076110).
   - bcache: Convert bucket_wait to wait_queue_head_t (bnc#951638).
   - bcache: Convert debug code to btree_keys (bsc#1076110).
   - bcache: Convert gc to a kthread (bsc#1047626).
   - bcache: Convert sorting to btree_keys (bsc#1076110).
   - bcache: Convert try_wait to wait_queue_head_t (bnc#951638).
   - bcache: Convert writeback to a kthread (bsc#1076110).
   - bcache: Correct return value for sysfs attach errors (bsc#1076110).
   - bcache: Debug code improvements (bsc#1076110).
   - bcache: Delete some slower inline asm (bsc#1047626).
   - bcache: Do bkey_put() in btree_split() error path (bsc#1076110).
   - bcache: Do not bother with bucket refcount for btree node allocations
   - bcache: Do not reinvent the wheel but use existing llist API
   - bcache: Do not return -EINTR when insert finished (bsc#1076110).
   - bcache: Do not touch bucket gen for dirty ptrs (bsc#1076110).
   - bcache: Do not use op->insert_collision (bsc#1076110).
   - bcache: Drop some closure stuff (bsc#1076110).
   - bcache: Drop unneeded blk_sync_queue() calls (bsc#1047626).
   - bcache: Explicitly track btree node's parent (bnc#951638).
   - bcache: Fix a bug recovering from unclean shutdown (bsc#1047626).
   - bcache: Fix a bug when detaching (bsc#951638).
   - bcache: Fix a journal replay bug (bsc#1076110).
   - bcache: Fix a journalling performance bug (bnc#893777).
   - bcache: Fix a journalling reclaim after recovery bug (bsc#1047626).
   - bcache: Fix a lockdep splat (bnc#893777).
   - bcache: Fix a lockdep splat in an error path (bnc#951638).
   - bcache: Fix a null ptr deref in journal replay (bsc#1047626).
   - bcache: Fix a race when freeing btree nodes (bsc#1076110).
   - bcache: Fix a shutdown bug (bsc#951638).
   - bcache: Fix an infinite loop in journal replay (bsc#1047626).
   - bcache: Fix another bug recovering from unclean shutdown (bsc#1076110).
   - bcache: Fix another compiler warning on m68k (bsc#1076110).
   - bcache: Fix auxiliary search trees for key size > cacheline size
   - bcache: Fix bch_ptr_bad() (bsc#1047626).
   - bcache: Fix building error on MIPS (bsc#1076110).
   - bcache: Fix dirty_data accounting (bsc#1076110).
   - bcache: Fix discard granularity (bsc#1047626).
   - bcache: Fix flash_dev_cache_miss() for real this time (bsc#1076110).
   - bcache: Fix for can_attach_cache() (bsc#1047626).
   - bcache: Fix heap_peek() macro (bsc#1047626).
   - bcache: Fix leak of bdev reference (bsc#1076110).
   - bcache: Fix more early shutdown bugs (bsc#951638).
   - bcache: Fix moving_gc deadlocking with a foreground write (bsc#1076110).
   - bcache: Fix moving_pred() (bsc#1047626).
   - bcache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
   - bcache: Fix to remove the rcu_sched stalls (bsc#1047626).
   - bcache: Have btree_split() insert into parent directly (bsc#1076110).
   - bcache: Improve bucket_prio() calculation (bsc#1047626).
   - bcache: Improve priority_stats (bsc#1047626).
   - bcache: Incremental gc (bsc#1076110).
   - bcache: Insert multiple keys at a time (bnc#951638).
   - bcache: Kill bch_next_recurse_key() (bsc#1076110).
   - bcache: Kill btree_io_wq (bsc#1076110).
   - bcache: Kill bucket->gc_gen (bsc#1076110).
   - bcache: Kill dead cgroup code (bsc#1076110).
   - bcache: Kill op->cl (bsc#1076110).
   - bcache: Kill op->replace (bsc#1076110).
   - bcache: Kill sequential_merge option (bsc#1076110).
   - bcache: Kill unaligned bvec hack (bsc#1076110).
   - bcache: Kill unused freelist (bsc#1076110).
   - bcache: Make bch_keylist_realloc() take u64s, not nptrs (bsc#1076110).
   - bcache: Make gc wakeup sane, remove set_task_state() (bsc#1076110).
   - bcache: Minor btree cache fix (bsc#1047626).
   - bcache: Minor fixes from kbuild robot (bsc#1076110).
   - bcache: Move insert_fixup() to btree_keys_ops (bsc#1076110).
   - bcache: Move keylist out of btree_op (bsc#1047626).
   - bcache: Move sector allocator to alloc.c (bsc#1076110).
   - bcache: Move some stuff to btree.c (bsc#1076110).
   - bcache: Move spinlock into struct time_stats (bsc#1076110).
   - bcache: New writeback PD controller (bsc#1047626).
   - bcache: PRECEDING_KEY() (bsc#1047626).
   - bcache: Performance fix for when journal entry is full (bsc#1047626).
   - bcache: Prune struct btree_op (bsc#1076110).
   - bcache: Pull on disk data structures out into a separate header
   - bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power
     of two (bsc#1076110).
   - bcache: Really show state of work pending bit (bsc#1076110).
   - bcache: Refactor bset_tree sysfs stats (bsc#1076110).
   - bcache: Refactor journalling flow control (bnc#951638).
   - bcache: Refactor read request code a bit (bsc#1076110).
   - bcache: Refactor request_write() (bnc#951638).
   - bcache: Remove deprecated create_workqueue (bsc#1076110).
   - bcache: Remove redundant block_size assignment (bsc#1047626).
   - bcache: Remove redundant parameter for cache_alloc() (bsc#1047626).
   - bcache: Remove redundant set_capacity (bsc#1076110).
   - bcache: Remove unnecessary check in should_split() (bsc#1076110).
   - bcache: Remove/fix some header dependencies (bsc#1047626).
   - bcache: Rename/shuffle various code around (bsc#1076110).
   - bcache: Rework allocator reserves (bsc#1076110).
   - bcache: Rework btree cache reserve handling (bsc#1076110).
   - bcache: Split out sort_extent_cmp() (bsc#1076110).
   - bcache: Stripe size isn't necessarily a power of two (bnc#893949).
   - bcache: Trivial error handling fix (bsc#1047626).
   - bcache: Update continue_at() documentation (bsc#1076110).
   - bcache: Use a mempool for mergesort temporary space (bsc#1076110).
   - bcache: Use blkdev_issue_discard() (bnc#951638).
   - bcache: Use ida for bcache block dev minor (bsc#1047626).
   - bcache: Use uninterruptible sleep in writeback (bsc#1076110).
   - bcache: Zero less memory (bsc#1076110).
   - bcache: add a comment in journal bucket reading (bsc#1076110).
   - bcache: add mutex lock for bch_is_open (bnc#902893).
   - bcache: allows use of register in udev to avoid "device_busy" error
   - bcache: bcache_write tracepoint was crashing (bsc#1076110).
   - bcache: bch_(btree|extent)_ptr_invalid() (bsc#1076110).
   - bcache: bch_allocator_thread() is not freezable (bsc#1047626).
   - bcache: bch_gc_thread() is not freezable (bsc#1047626).
   - bcache: bch_writeback_thread() is not freezable (bsc#1076110).
   - bcache: btree locking rework (bsc#1076110).
   - bcache: bugfix - gc thread now gets woken when cache is full
   - bcache: bugfix - moving_gc now moves only correct buckets (bsc#1047626).
   - bcache: bugfix for race between moving_gc and bucket_invalidate
   - bcache: check ca->alloc_thread initialized before wake up it
   - bcache: check return value of register_shrinker (bsc#1076110).
   - bcache: cleaned up error handling around register_cache() (bsc#1047626).
   - bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing
     device (bsc#1047626).
   - bcache: correct cache_dirty_target in __update_writeback_rate()
   - bcache: defensively handle format strings (bsc#1047626).
   - bcache: do not embed 'return' statements in closure macros (bsc#1076110).
   - bcache: do not subtract sectors_to_gc for bypassed IO (bsc#1076110).
   - bcache: do not write back data if reading it failed (bsc#1076110).
   - bcache: documentation formatting, edited for clarity, stripe alignment
     notes (bsc#1076110).
   - bcache: documentation updates and corrections (bsc#1076110).
   - bcache: explicitly destroy mutex while exiting (bsc#1076110).
   - bcache: fix BUG_ON due to integer overflow with GC_SECTORS_USED
   - bcache: fix a comments typo in bch_alloc_sectors() (bsc#1076110).
   - bcache: fix a livelock when we cause a huge number of cache misses
   - bcache: fix bch_hprint crash and improve output (bsc#1076110).
   - bcache: fix crash in bcache_btree_node_alloc_fail tracepoint
   - bcache: fix crash on shutdown in passthrough mode (bsc#1076110).
   - bcache: fix for gc and write-back race (bsc#1076110).
   - bcache: fix for gc and writeback race (bsc#1047626).
   - bcache: fix for gc crashing when no sectors are used (bsc#1047626).
   - bcache: fix lockdep warnings on shutdown (bsc#1047626).
   - bcache: fix race of writeback thread starting before complete
     initialization (bsc#1076110).
   - bcache: fix sequential large write IO bypass (bsc#1076110).
   - bcache: fix sparse non static symbol warning (bsc#1076110).
   - bcache: fix typo in bch_bkey_equal_header (bsc#1076110).
   - bcache: fix uninterruptible sleep in writeback thread (bsc#1076110).
   - bcache: fix use-after-free in btree_gc_coalesce() (bsc#1076110).
   - bcache: fix wrong cache_misses statistics (bsc#1076110).
   - bcache: gc does not work when triggering by manual command (bsc#1076110).
   - bcache: implement PI controller for writeback rate (bsc#1076110).
   - bcache: increase the number of open buckets (bsc#1076110).
   - bcache: initialize dirty stripes in flash_dev_run() (bsc#1076110).
   - bcache: kill closure locking code (bsc#1076110).
   - bcache: kill closure locking usage (bnc#951638).
   - bcache: kill index() (bsc#1047626).
   - bcache: kthread do not set writeback task to INTERUPTIBLE (bsc#1076110).
   - bcache: only permit to recovery read error when cache device is clean
   - bcache: partition support: add 16 minors per bcacheN device
   - bcache: pr_err: more meaningful error message when nr_stripes is invalid
   - bcache: prevent crash on changing writeback_running (bsc#1076110).
   - bcache: rearrange writeback main thread ratelimit (bsc#1076110).
   - bcache: recover data from backing when data is clean (bsc#1076110).
   - bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
   - bcache: remove nested function usage (bsc#1076110).
   - bcache: remove unused parameter (bsc#1076110).
   - bcache: rewrite multiple partitions support (bsc#1076110).
   - bcache: safeguard a dangerous addressing in closure_queue (bsc#1076110).
   - bcache: silence static checker warning (bsc#1076110).
   - bcache: smooth writeback rate control (bsc#1076110).
   - bcache: stop moving_gc marking buckets that can't be moved (bsc#1047626).
   - bcache: try to set b->parent properly (bsc#1076110).
   - bcache: update bch_bkey_try_merge (bsc#1076110).
   - bcache: update bio->bi_opf bypass/writeback REQ_ flag hints
   - bcache: update bucket_in_use in real time (bsc#1076110).
   - bcache: update document info (bsc#1076110).
   - bcache: use kmalloc to allocate bio in bch_data_verify() (bsc#1076110).
   - bcache: use kvfree() in various places (bsc#1076110).
   - bcache: use llist_for_each_entry_safe() in __closure_wake_up()
   - bcache: wait for buckets when allocating new btree root (bsc#1076110).
   - bcache: writeback rate clamping: make 32 bit safe (bsc#1076110).
   - bcache: writeback rate shouldn't artifically clamp (bsc#1076110).
   - fork: clear thread stack upon allocation (bsc#1077560).
   - gcov: disable for COMPILE_TEST (bnc#1012382).
   - kaiser: Set _PAGE_NX only if supported (bnc#1012382, bnc#1076154).
   - kaiser: Set _PAGE_NX only if supported (bnc#1012382, bnc#1076278).
   - md: more open-coded offset_in_page() (bsc#1076110).
   - nfsd: do not share group_info among threads (bsc#1070623).
   - sysfs/cpu: Add vulnerability folder (bnc#1012382).
   - sysfs: spectre_v2, handle spec_ctrl (bsc#1075994 bsc#1075091).
   - x86/cpu: Implement CPU vulnerabilites sysfs functions (bnc#1012382).
   - x86/cpufeatures: Add X86_BUG_CPU_INSECURE (bnc#1012382).
   - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (bnc#1012382).
   - x86/cpufeatures: Make CPU bugs sticky (bnc#1012382).
   - x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN (bnc#1012382).
   - x86/retpolines/spec_ctrl: disable IBRS on !SKL if retpolines are active
   - x86/spectre_v2: fix ordering in IBRS initialization (bsc#1075994
   - x86/spectre_v2: nospectre_v2 means nospec too (bsc#1075994 bsc#1075091).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2018-301=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-301=1

   To bring your system up-to-date, use "zypper patch".
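
   After installing the patch and rebooting, the sysfs vulnerability folder that this update adds can be used to confirm that the running kernel reports a Spectre v2 (CVE-2017-5715) mitigation. The script below is an added example, not part of the SUSE advisory. It assumes the upstream location /sys/devices/system/cpu/vulnerabilities/spectre_v2 and classifies by the upstream-style prefixes "Mitigation:", "Vulnerable" and "Not affected"; the exact wording in SUSE's backport may differ.

```shell
#!/bin/sh
# Added example: classify the running kernel's self-reported Spectre v2
# state from the sysfs vulnerability folder.

# Assumed upstream sysfs location; override for testing.
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# spectre_v2_state [dir]
# Prints one of: no-sysfs, not-affected, mitigated-retpoline,
# mitigated-other, vulnerable, unknown.
spectre_v2_state() {
    dir="${1:-$SYSFS_VULN_DIR}"
    file="$dir/spectre_v2"
    # A missing file means the running kernel predates the sysfs interface,
    # for example because the host was patched but not yet rebooted.
    if [ ! -r "$file" ]; then
        echo "no-sysfs"
        return 0
    fi
    line=""
    IFS= read -r line < "$file" || true   # tolerate a missing final newline
    case "$line" in
        "Not affected"*)            echo "not-affected" ;;
        Mitigation:*[Rr]etpoline*)  echo "mitigated-retpoline" ;;
        Mitigation:*)               echo "mitigated-other" ;;
        # Also covers "Vulnerable: Minimal ... retpoline", which a kernel
        # built without compiler retpoline support may report.
        Vulnerable*)                echo "vulnerable" ;;
        *)                          echo "unknown" ;;
    esac
}

# check_host [dir]
# Prints one summary line and returns 0 only when the kernel reports
# "Not affected" or a mitigation.
check_host() {
    state=$(spectre_v2_state "$@")
    printf '%s kernel=%s spectre_v2=%s\n' "$(uname -n)" "$(uname -r)" "$state"
    case "$state" in
        not-affected|mitigated-*) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Run against the booted kernel only when asked to: ./script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

   The non-zero return from check_host on "no-sysfs", "vulnerable" or "unknown" lets the script gate a post-patch compliance job.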

Package List:

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):


   - SUSE Linux Enterprise Server 12-LTSS (noarch):


   - SUSE Linux Enterprise Server 12-LTSS (x86_64):


   - SUSE Linux Enterprise Server 12-LTSS (s390x):


   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):




--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.