Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
security and bugfixes.

The following security bugs were fixed:

• CVE-2017-5715: Systems with microprocessors utilizing speculative
  execution and indirect branch prediction may allow unauthorized
  disclosure of information to an attacker with local user access via a
  side-channel analysis (bnc#1068032).

  Enhancements and bugfixes over the previous fixes have been added to
  this kernel.

• CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have
  allowed local users to cause a denial of service by triggering an
  attempted use of the -INT_MIN value (bnc#1089608).

• CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in
  drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial
  of service (memory consumption) via many read accesses to files in the
  /sys/class/sas_phy directory, as demonstrated by the
  /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).

• CVE-2018-7566: There was a buffer overflow via an
  SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by
  a local user (bnc#1083483).

• CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function
  in the ALSA subsystem allowed attackers to gain privileges via
  unspecified vectors (bnc#1088260).

• CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel
  function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious
  NCPFS servers to crash the kernel or execute code (bnc#1086162).

• CVE-2017-13166: An elevation of privilege vulnerability in the kernel
  v4l2 video driver. (bnc#1072865).

• CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c
  allowed local users to cause a denial of service (BUG) by leveraging a
  race condition with __dm_destroy during creation and removal of DM
  devices (bnc#1083242).

• CVE-2017-16911: The vhci_hcd driver allowed allows local attackers to
  disclose kernel memory addresses. Successful exploitation requires that
  a USB device is attached over IP (bnc#1078674).

• CVE-2017-18208: The madvise_willneed function in mm/madvise.c local
  users to cause a denial of service (infinite loop) by triggering use of
  MADVISE_WILLNEED for a DAX mapping (bnc#1083494).

• CVE-2017-16644: The hdpvr_probe function in
  drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a
  denial of service (improper error handling and system crash) or possibly
  have unspecified other impact via a crafted USB device (bnc#1067118).

• CVE-2018-6927: The futex_requeue function in kernel/futex.c in the Linux
  kernel might allow attackers to cause a denial of service (integer
  overflow) or possibly have unspecified other impact by triggering a
  negative wake or requeue value (bnc#1080757).

• CVE-2017-16914: The "stub_send_ret_submit()" function
  (drivers/usb/usbip/stub_tx.c) allowed attackers to cause a denial of
  service (NULL pointer dereference) via a specially crafted USB over IP
  packet (bnc#1078669).

• CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c
  allowed physically proximate attackers to obtain sensitive information
  from kernel memory or cause a denial of service (out-of-bounds read) by
  connecting a device, as demonstrated by a Logitech DJ receiver
  (bnc#1010470).

• CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c
  attempted to support a FRAGLIST feature without proper memory
  allocation, which allowed guest OS users to cause a denial of service
  (buffer overflow and memory corruption) via a crafted sequence of
  fragmented packets (bnc#940776).

• CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in
  block/bio.c did unbalanced refcounting when a SCSI I/O vector has small
  consecutive buffers belonging to the same page. The bio_add_pc_page
  function merges them into one, but the page reference is never dropped.
  This causes a memory leak and possible system lockup (exploitable
  against the host OS by a guest OS user, if a SCSI disk is passed through
  to a virtual machine) due to an out-of-memory condition (bnc#1062568).

• CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c)
  allowed attackers to cause a denial of service (out-of-bounds read) via
  a specially crafted USB over IP packet (bnc#1078673).

• CVE-2017-16913: The "stub_recv_cmd_submit()" function
  (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed
  attackers to cause a denial of service (arbitrary memory allocation) via
  a specially crafted USB over IP packet (bnc#1078672).

The following non-security bugs were fixed:

• af_iucv: enable control sends in case of SEND_SHUTDOWN (bnc#1085513,
  LTC#165135).
• cifs: fix buffer overflow in cifs_build_path_to_root() (bsc#1085113).
• drm/mgag200: fix a test in mga_vga_mode_valid() (bsc#1087092).
• hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
  (bnc#1013018).
• hrtimer: Reset hrtimer cpu base proper on CPU hotplug (bnc#1013018).
• ide-cd: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
• ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
• ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
• ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
• jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
  (git-fixes).
• kabi: x86/kaiser: properly align trampoline stack.
• keys: do not let add_key() update an uninstantiated key (bnc#1063416).
• keys: prevent creating a different user’s keyrings (bnc#1065999).
• leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
• mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
  (bnc#1039348).
• nfsv4: fix getacl head length estimation (git-fixes).
• pci: Use function 0 VPD for identical functions, regular VPD for others
  (bnc#943786 git-fixes).
• pipe: actually allow root to exceed the pipe buffer limits (git-fixes).
• posix-timers: Protect posix clock array access against speculation
  (bnc#1081358).
• powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032,
  bsc#1075088).
• qeth: repair SBAL elements calculation (bnc#1085513, LTC#165484).
• Revert "USB: cdc-acm: fix broken runtime suspend" (bsc#1067912)
• s390/qeth: fix underestimated count of buffer elements (bnc#1082091,
  LTC#164529).
• scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
• usbnet: Fix a race between usbnet_stop() and the BH (bsc#1083275).
• x86-64: Move the "user" vsyscall segment out of the data segment
  (bsc#1082424).
• x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).
• x86/kaiser: properly align trampoline stack (bsc#1087260).
• x86/retpoline: do not perform thunk calls in ring3 vsyscall code
  (bsc#1085331).
• xen/x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and
  sync_regs (bsc#909077).
• xen/x86/cpu: Check speculation control CPUID bit (bsc#1068032).
• xen/x86/cpu: Factor out application of forced CPU caps (bsc#1075994
  bsc#1075091).
• xen/x86/cpu: Fix bootup crashes by sanitizing the argument of the
  ‘clearcpuid=’ command-line option (bsc#1065600).
• xen/x86/cpu: Sync CPU feature flags late (bsc#1075994 bsc#1075091).
• xen/x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
• xen/x86/idle: Toggle IBRS when going idle (bsc#1068032).
• xen/x86/kaiser: Move feature detection up (bsc#1068032).
• xfs: check for buffer errors before waiting (bsc#1052943).
• xfs: fix allocbt cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).
• xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near
  (bsc#1087762).