SUSE-SU-2025:4123-1

This update for the SUSE Linux Enterprise kernel 4.12.14-122.231 fixes various security issues

The following security issues were fixed:

• CVE-2022-48956: ipv6: avoid use-after-free in ip6_fragment() (bsc#1232637).
• CVE-2022-49014: net: tun: Fix use-after-free in tun_detach() (bsc#1232818).
• CVE-2022-49053: scsi: target: tcmu: Fix possible page UAF (bsc#1237930).
• CVE-2022-49080: mm/mempolicy: fix mpol_new leak in shared_policy_replace (bsc#1238324).
• CVE-2022-49179: block, bfq: don't move oom_bfqq (bsc#1241331).
• CVE-2022-49465: blk-throttle: set BIO_THROTTLED when bio has been throttled (bsc#1238920).
• CVE-2022-49545: ALSA: usb-audio: cancel pending work at closing a MIDI substream (bsc#1238730).
• CVE-2022-49563: crypto: qat - add param check for RSA (bsc#1238788).
• CVE-2022-49564: crypto: qat - add param check for DH (bsc#1238790).
• CVE-2022-50252: igb: Do not free q_vector unless new one was allocated (bsc#1249847).
• CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).
• CVE-2024-45016: netem: fix return value if duplicate enqueue fails (bsc#1230998).
• CVE-2024-46818: drm/amd/display: check gpio_id before used as array index (bsc#1231204).
• CVE-2024-47674: mm: avoid leaving partial pfn mappings around in error case (bsc#1231676).
• CVE-2024-47684: tcp: check skb is non-NULL in tcp_rto_delta_us() (bsc#1231993).
• CVE-2024-47706: block, bfq: fix possible UAF for bfqq->bic with merge chain (bsc#1231943).
• CVE-2024-49860: ACPI: sysfs: validate return type of _STR method (bsc#1231862).
• CVE-2024-50115: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory (bsc#1233019).
• CVE-2024-50125: Bluetooth: SCO: Fix UAF on sco_sock_timeout (bsc#1232929).
• CVE-2024-50154: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink() (bsc#1233072).
• CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233712).
• CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing (bsc#1233708).
• CVE-2024-50301: security/keys: fix slab-out-of-bounds in key_task_permission (bsc#1233680).
• CVE-2024-50302: HID: core: zero-initialize the report buffer (bsc#1233679).
• CVE-2024-53104: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format (bsc#1236783).
• CVE-2024-53146: NFSD: prevent a potential integer overflow (bsc#1234854).
• CVE-2024-53156: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() (bsc#1234847).
• CVE-2024-53168: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket (bsc#1243650).
• CVE-2024-53173: NFSv4.0: Fix a use-after-free problem in the asynchronous open() (bsc#1234892).
• CVE-2024-53214: vfio/pci: Properly hide first-in-list PCIe extended capability (bsc#1235005).
• CVE-2024-56600: net: inet6: do not leave a dangling sk pointer in inet6_create() (bsc#1235218).
• CVE-2024-56601: net: inet: do not leave a dangling sk pointer in inet_create() (bsc#1235231).
• CVE-2024-56605: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() (bsc#1235062).
• CVE-2024-56650: netfilter: x_tables: fix LED ID check in led_tg_check() (bsc#1235431).
• CVE-2024-56664: bpf, sockmap: fix race between element replace and close() (bsc#1235250).
• CVE-2024-57893: ALSA: seq: oss: fix races at processing SysEx messages (bsc#1235921).
• CVE-2024-57996: net_sched: sch_sfq: don't allow 1 packet limit (bsc#1239077).
• CVE-2024-8805: BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability (bsc#1240840).
• CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1245797).
• CVE-2025-21772: partitions: mac: fix handling of bogus partition table (bsc#1238912).
• CVE-2025-21791: vrf: use RCU protection in l3mdev_l3_out() (bsc#1240744).
• CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
• CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1245776).
• CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1245793).
• CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1245775).
• CVE-2025-38079: crypto: algif_hash - fix double free in hash_accept (bsc#1245218).
• CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245350).
• CVE-2025-38177: kernel: sch_hfsc: make hfsc_qlen_notify() idempotent (bsc#1246356).
• CVE-2025-38181: calipso: fix null-ptr-deref in calipso_req_{set,del}attr() (bsc#1246001).
• CVE-2025-38212: ipc: fix to protect IPCS lookups using RCU (bsc#1246030).
• CVE-2025-38477: net/sched: sch_qfq: Fix race condition on qfq_aggregate (bsc#1247315).
• CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247350).
• CVE-2025-38495: HID: core: ensure the allocated report buffer can contain the reserved report ID (bsc#1247351).
• CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247499).
• CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
• CVE-2025-38617: net/packet: fix a race in packet_set_ring() and packet_notifier() (bsc#1249208).
• CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1249207).
• CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).

The following non security issues were fixed:

• Add the git commit and branch to the package description (bsc#920633)
• Fix description in rpm spec file Spec file description mentions initial kGraft patch which is only true for real initial patch. Make it more neutral. (bsc#930408)
• Mark the module as supported (bsc#904970)
• Provide common kallsyms wrapper API With bsc#1103203, the need for disambiguating between a multiply defined symbol arose. This is something the kallsyms_lookup_name() based code snippet we used to copy&paste to every individual CVE fix can't handle. Implement a proper wrapper API for doing the kallsyms lookups.
• Require exact kernel version in the patch (bsc#920615)
• Revert 'Require exact kernel version in the patch' This needs to be done differently, so that modprobe --force works as expected. (bsc#920615) This reverts commit c62c11aecd4e3f8822e1b835fea403acc3148c5a.
• Set immediate flag for the initial patch Setting immediate to true will simplify installation of the initial patch and possibly also of the further updates. (bsc#907150)
• The stubs' signatures have changed: each argument used to get mapped to either long or long long, but on x86_64, the stubs are now receiving a single struct pt_regs only -- it's their responsibility to extract the arguments as appropriate. In order to not require each and every live patch touching syscalls to include an insane amount of ifdeffery, provide a set of #defines hiding it: 1.) KLP_SYSCALL_SYM(name) expands to the syscall stub name for 64 bits as defined by _SYSCALL_DEFINEx(x, _name, ...). 2.) If the architeture requires 32bit specific stubs for syscalls sharing a common implementation between 32 and 64bits, the KLP_ARCH_HAS_SYSCALL_COMPAT_STUBS macro is defined. 3.) If KLP_ARCH_HAS_SYSCALL_COMPAT_STUBS is defined, then KLP_SYSCALL_COMPAT_STUB_SYM(name) expands to the syscall stub name for 32 bits as defined by _SYSCALL_DEFINEx(x, _name, ...). 4.) For syscalls not sharing a common implementation between 32 and 64 bits, i.e. those defined by COMPAT_SYSCALL_DEFINEx(), the macro KLP_COMPAT_SYSCALL_SYM(name) expands to the stub name defined as defined by COMPAT_SYSCALL_DEFINEx(x, _name, ...). 5.) Finally, for hiding differences between the signatures, provide the macro KLP_SYSCALL_DECLx(x, sym, ...) which expands to a declaration of sym, with the x arguments either mapped to long resp. long long each, or collapsed to a single struct pt_regs argument as appropriate for the architecture. Note that these macros are defined as appropriate on kernels before and after 4.17, so that live patch code can be shared. (bsc#1149841)
• bsc#1249208: fix livepatching target module name (bsc#1252946)
• uname_patch: convert to the syscall stub wrapper macros from klp_syscalls.h In order to make the live patch to the newuname() syscall work on kernels >= 4.17 again, convert it to the KLP_SYSCALL_*() wrapper macros provided by klp_syscalls.h. (bsc#1149841)