From b15f74e536b0e5335488090d3db9d771cc815fa6 Mon Sep 17 00:00:00 2001 
From: Michal Koutný
Date: Mar 27 2024 16:03:26 +0000
Subject: - Update patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch (git-fixes CVE-2021-46926 bsc#1220478).

- Update patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch (git-fixes CVE-2021-47096 bsc#1220981).
- Update patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch (git-fixes CVE-2021-47104 bsc#1220960).
- Update patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch (git-fixes CVE-2021-47097 bsc#1220982).
- Update patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch (git-fixes CVE-2021-47094 bsc#1221551).
- Update patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch (git-fixes bsc#1196346 CVE-2021-47107 bsc#1220965).
- Update patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch (git-fixes CVE-2021-47101 bsc#1220987).
- Update patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch (git-fixes CVE-2021-47108 bsc#1220986).
- Update patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch (git-fixes CVE-2021-47098 bsc#1220983).
- Update patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch (git-fixes CVE-2021-47100 bsc#1220985).
- Update patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch (bsc#1193490 CVE-2021-47095 bsc#1220979).
- Update patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch (git-fixes CVE-2021-47091 bsc#1220959).
- Update patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch (bsc#1217195 CVE-2021-46936 bsc#1220439).
- Update patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch (git-fixes CVE-2021-47102 bsc#1221009).
- Update patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock (git-fixes CVE-2021-46925 bsc#1220466).
- Update patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch (git fixes (mm/gup) CVE-2021-46927 bsc#1220443).
- Update patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch (git-fixes CVE-2021-47093 bsc#1220978). - Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch (CVE-2022-20154 bsc#1200599 CVE-2021-46929 bsc#1220482). - Update patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch (jsc#SLE-21844 CVE-2021-47087 bsc#1220954). - Update patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch (bsc#1209635 CVE-2022-4744 git-fixes CVE-2021-47082 bsc#1220969). - Update patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch (git-fixes CVE-2021-46933 bsc#1220487). - Update patches.suse/usb-mtu3-fix-list_head-check-warning.patch (git-fixes CVE-2021-46930 bsc#1220484). - Update patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch (git-fixes CVE-2021-47099 bsc#1220955). --- diff --git a/patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch b/patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch index fc4a225..9cdff10 100644 --- a/patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch +++ b/patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: 385f287f9853da402d94278e59f594501c1d1dad Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-46926 bsc#1220478 The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to diff --git a/patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch b/patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch index 7f8ca99..411ab8c 100644 --- a/patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch +++ b/patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch 
@@ -4,7 +4,7 @@ Date: Sat, 18 Dec 2021 13:39:25 +0100 Subject: [PATCH] ALSA: rawmidi - fix the uninitalized user_pversion Git-commit: 39a8fc4971a00d22536aeb7d446ee4a97810611b Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47096 bsc#1220981 The user_pversion was uninitialized for the user space file structure in the open function, because the file private structure use diff --git a/patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch b/patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch index b5193c6..4838a0c 100644 --- a/patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch +++ b/patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch @@ -6,7 +6,7 @@ Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch-mainline: v5.16-rc7 Git-commit: bee90911e0138c76ee67458ac0d58b38a3190f65 -References: git-fixes +References: git-fixes CVE-2021-47104 bsc#1220960 The wrong goto label was used for the error case and missed cleanup of the pkt allocation. diff --git a/patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch b/patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch index 9cc3a11..063926f 100644 --- a/patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch +++ b/patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch @@ -4,7 +4,7 @@ Date: Mon, 29 Nov 2021 00:08:13 -0800 Subject: [PATCH] Input: elantech - fix stack out of bound access in elantech_change_report_id() Git-commit: 1d72d9f960ccf1052a0630a68c3d358791dbdaaa Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47097 bsc#1220982 The array param[] in elantech_change_report_id() must be at least 3 bytes, because elantech_read_reg_params() is calling ps2_command() with 
diff --git a/patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch b/patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch index a17ae0a..0d4da73 100644 --- a/patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch +++ b/patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch @@ -1,6 +1,6 @@ Patch-mainline: v5.16-rc7 Git-commit: 3a0f64de479cae75effb630a2e0a237ca0d0623c -References: git-fixes +References: git-fixes CVE-2021-47094 bsc#1221551 From: Sean Christopherson Date: Tue, 14 Dec 2021 03:35:28 +0000 Subject: [PATCH] KVM: x86/mmu: Don't advance iterator after restart due to diff --git a/patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch b/patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch index afd866b..0eddcfb 100644 --- a/patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch +++ b/patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch @@ -3,7 +3,7 @@ Date: Thu, 16 Dec 2021 11:12:11 -0500 Subject: [PATCH] NFSD: Fix READDIR buffer overflow Git-commit: 53b1119a6e5028b125f431a0116ba73510d82a72 Patch-mainline: v5.16 -References: git-fixes bsc#1196346 +References: git-fixes bsc#1196346 CVE-2021-47107 bsc#1220965 If a client sends a READDIR count argument that is too small (say, zero), then the buffer size calculation in the new init_dirlist diff --git a/patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch b/patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch index 91c2597..02a8b41 100644 --- a/patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch +++ b/patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch @@ -4,7 +4,7 @@ Date: Tue, 21 Dec 2021 23:10:36 +0300 Subject: [PATCH] asix: fix uninit-value in asix_mdio_read() Git-commit: 8035b1a2a37a29d8c717ef84fca8fe7278bc9f03 Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47101 bsc#1220987 asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be uninitialized. 
diff --git a/patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch b/patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch index ad75633..5a2bc61 100644 --- a/patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch +++ b/patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch @@ -4,7 +4,7 @@ Date: Thu, 28 Oct 2021 09:43:11 +0200 Subject: [PATCH] drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf Git-commit: 3b8e19a0aa3933a785be9f1541afd8d398c4ec69 Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47108 bsc#1220986 In commit 41ca9caaae0b ("drm/mediatek: hdmi: Add check for CEA modes only") a check diff --git a/patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch b/patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch index 45174bd..a394808 100644 --- a/patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch +++ b/patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch @@ -4,7 +4,7 @@ Date: Wed, 17 Nov 2021 09:51:47 -0800 Subject: [PATCH] hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations Git-commit: 55840b9eae5367b5d5b29619dc2fb7e4596dba46 Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47098 bsc#1220983 Commit b50aa49638c7 ("hwmon: (lm90) Prevent integer underflows of temperature calculations") addressed a number of underflow situations diff --git a/patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch b/patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch index 8e941a9..cd4d37a 100644 --- a/patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch +++ b/patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch 
@@ -3,7 +3,7 @@ Date: Tue, 21 Dec 2021 15:00:34 +0800 Subject: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module Git-commit: ffb76a86f8096a8206be03b14adda6092e18e275 Patch-mainline: 5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47100 bsc#1220985 Hi, diff --git a/patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch b/patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch index e3c4c00..4a363f0 100644 --- a/patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch +++ b/patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch @@ -5,7 +5,7 @@ Subject: [PATCH] ipmi: ssif: initialize ssif_info->client early Git-commit: 34f35f8f14bc406efc06ee4ff73202c6fd245d15 Patch-mainline: v5.16-rc7 -References: bsc#1193490 +References: bsc#1193490 CVE-2021-47095 bsc#1220979 During probe ssif_info->client is dereferenced in error path. However, it is set when some of the error checking has already been done. This diff --git a/patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch b/patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch index 7f7a2f8..b289fce 100644 --- a/patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch +++ b/patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch @@ -4,7 +4,7 @@ Date: Mon, 20 Dec 2021 10:22:40 +0100 Subject: [PATCH] mac80211: fix locking in ieee80211_start_ap error path Git-commit: 87a270625a89fc841f1a7e21aae6176543d8385c Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47091 bsc#1220959 We need to hold the local->mtx to release the channel context, as even encoded by the lockdep_assert_held() there. Fix it. diff --git a/patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch b/patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch index 0dcb3ee..70d82cb 100644 --- a/patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch 
+++ b/patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch @@ -2,7 +2,7 @@ From e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 Mon Sep 17 00:00:00 2001 From: Muchun Song Date: Tue, 28 Dec 2021 18:41:45 +0800 Subject: [PATCH] net: fix use-after-free in tw_timer_handler -References: bsc#1217195 +References: bsc#1217195 CVE-2021-46936 bsc#1220439 Git-commit: e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 Patch-mainline: v5.16-rc8 diff --git a/patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch b/patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch index fb6c621..dc034c2 100644 --- a/patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch +++ b/patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch @@ -4,7 +4,7 @@ Date: Thu, 16 Dec 2021 19:17:14 +0200 Subject: [PATCH 5/8] net: marvell: prestera: fix incorrect structure access Git-commit: 2efc2256febf214e7b2bdaa21fe6c3c3146acdcb Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47102 bsc#1221009 In line: upper = info->upper_dev; diff --git a/patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock b/patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock index 5795f9d..f634c20 100644 --- a/patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock +++ b/patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock @@ -3,7 +3,7 @@ Date: Tue, 28 Dec 2021 17:03:25 +0800 Subject: net/smc: fix kernel panic caused by race of smc_sock Git-commit: 349d43127dac00c15231e8ffbcaabd70f7b0e544 Patch-mainline: v5.16-rc8 -References: git-fixes +References: git-fixes CVE-2021-46925 bsc#1220466 A crash occurs when smc_cdc_tx_handler() tries to access smc_sock but smc_release() has already freed it. diff --git a/patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch b/patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch index d1001ff..1207f3f 100644 
--- a/patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch +++ b/patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch @@ -4,7 +4,7 @@ Date: Mon, 20 Dec 2021 19:58:56 +0000 Subject: [PATCH] nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert -References: git fixes (mm/gup) +References: git fixes (mm/gup) CVE-2021-46927 bsc#1220443 Patch-mainline: v5.16 Git-commit: 3a0152b219523227c2a62a0a122cf99608287176 diff --git a/patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch b/patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch index f344aac..7392905 100644 --- a/patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch +++ b/patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch @@ -4,7 +4,7 @@ Date: Wed, 22 Dec 2021 11:50:23 +0100 Subject: [PATCH] platform/x86: intel_pmc_core: fix memleak on registration failure Git-commit: 26a8b09437804fabfb1db080d676b96c0de68e7c Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47093 bsc#1220978 In case device registration fails during module initialisation, the platform device structure needs to be freed using platform_device_put() diff --git a/patches.suse/sctp-use-call_rcu-to-free-endpoint.patch b/patches.suse/sctp-use-call_rcu-to-free-endpoint.patch index e1dc8fe..24e5ae0 100644 --- a/patches.suse/sctp-use-call_rcu-to-free-endpoint.patch +++ b/patches.suse/sctp-use-call_rcu-to-free-endpoint.patch @@ -4,7 +4,7 @@ Date: Thu, 23 Dec 2021 13:04:30 -0500 Subject: [PATCH] sctp: use call_rcu to free endpoint Git-commit: 5ec7d18d1813a5bead0b495045606c93873aecbb Patch-mainline: v5.16-rc8 -References: CVE-2022-20154 bsc#1200599 +References: CVE-2022-20154 bsc#1200599 CVE-2021-46929 bsc#1220482 This patch is to delay the endpoint free by calling call_rcu() to fix another use-after-free issue in sctp_sock_dump(): 
diff --git a/patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch b/patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch index 8161b45..86cf315 100644 --- a/patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch +++ b/patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch @@ -3,7 +3,7 @@ Date: Thu, 16 Dec 2021 11:17:25 +0530 Subject: tee: optee: Fix incorrect page free bug Git-commit: 18549bf4b21c739a9def39f27dcac53e27286ab5 Patch-mainline: v5.16-rc7 -References: jsc#SLE-21844 +References: jsc#SLE-21844 CVE-2021-47087 bsc#1220954 Pointer to the allocated pages (struct page *page) has already progressed towards the end of allocation. It is incorrect to perform diff --git a/patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch b/patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch index 046432b..1a4e467 100644 --- a/patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch +++ b/patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch @@ -4,7 +4,7 @@ Date: Thu, 16 Dec 2021 13:25:32 -0500 Subject: [PATCH] tun: avoid double free in tun_free_netdev Git-commit: 158b515f703e75e7d68289bf4d98c664e1d632df Patch-mainline: v5.16-rc7 -References: bsc#1209635 CVE-2022-4744 git-fixes +References: bsc#1209635 CVE-2022-4744 git-fixes CVE-2021-47082 bsc#1220969 Avoid double free in tun_free_netdev() by moving the dev->tstats and tun->security allocs to a new ndo_init routine diff --git a/patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch b/patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch index 5cae50d..b7e9dfa 100644 --- a/patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch +++ b/patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch 
@@ -4,7 +4,7 @@ Date: Sat, 18 Dec 2021 02:18:40 +0000 Subject: [PATCH] usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. Git-commit: b1e0887379422975f237d43d8839b751a6bcf154 Patch-mainline: v5.16-rc8 -References: git-fixes +References: git-fixes CVE-2021-46933 bsc#1220487 ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 diff --git a/patches.suse/usb-mtu3-fix-list_head-check-warning.patch b/patches.suse/usb-mtu3-fix-list_head-check-warning.patch index 06cc70b..f038173 100644 --- a/patches.suse/usb-mtu3-fix-list_head-check-warning.patch +++ b/patches.suse/usb-mtu3-fix-list_head-check-warning.patch @@ -4,7 +4,7 @@ Date: Sat, 18 Dec 2021 17:57:48 +0800 Subject: [PATCH] usb: mtu3: fix list_head check warning Git-commit: 8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf Patch-mainline: v5.16-rc8 -References: git-fixes +References: git-fixes CVE-2021-46930 bsc#1220484 This is caused by uninitialization of list_head. diff --git a/patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch b/patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch index 7b0ef96..04bf288 100644 --- a/patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch +++ b/patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch @@ -4,7 +4,7 @@ Date: Wed, 22 Dec 2021 19:39:52 +0100 Subject: [PATCH 26/37] veth: ensure skb entering GRO are not cloned. Git-commit: 9695b7de5b4760ed22132aca919570c0190cb0ce Patch-mainline: v5.16-rc7 -References: git-fixes +References: git-fixes CVE-2021-47099 bsc#1220955 After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"), if GRO is enabled on a veth device and TSO is disabled on the peer
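Review bot: In the nitro_enclaves hunk the reference tag stays as the non-standard "git fixes (mm/gup)" while every other hunk in this series uses the canonical "git-fixes" tag; since tooling and reviewers grep for the exact "git-fixes" token, consider normalizing the line to "References: git-fixes CVE-2021-46927 bsc#1220443" in the same pass rather than appending to the odd spelling.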
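Review bot: The ipmi-Fix-UAF hunk leaves "Patch-mainline: 5.16-rc7" without the "v" prefix that all the neighbouring patches use ("Patch-mainline: v5.16-rc7"), and the context shows the description body starting with a bare "Hi," from the original mailing-list message; both are header hygiene issues adjacent to the References line being edited and are cheap to fix while the file is being touched.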