B.38. kernel
B.38.1. RHSA-2010:0842 — Important: kernel security and bug fix update
Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0842
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
[Updated 22 November 2010] The packages list in this erratum has been updated to include four missing debuginfo-common packages (one per architecture). No changes have been made to the original packages.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes
* Missing sanity checks in the Intel
i915
driver in the Linux kernel could allow a local, unprivileged user to escalate their privileges. (CVE-2010-2962, Important)
*
compat_alloc_user_space()
in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important)
* A buffer overflow flaw in
niu_get_ethtool_tcam_all()
in the niu
Ethernet driver in the Linux kernel, could allow a local user to cause a denial of service or escalate their privileges. (CVE-2010-3084, Important)
* A flaw in the IA32 system call emulation provided in 64-bit Linux kernels could allow a local user to escalate their privileges. (CVE-2010-3301, Important)
* A flaw in
sctp_packet_config()
in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service. (CVE-2010-3432, Important)
* A missing integer overflow check in
snd_ctl_new()
in the Linux kernel's sound subsystem could allow a local, unprivileged user on a 32-bit system to cause a denial of service or escalate their privileges. (CVE-2010-3442, Important)
* A flaw was found in
sctp_auth_asoc_get_hmac()
in the Linux kernel's SCTP implementation. When iterating through the hmac_ids
array, it did not reset the last id element if it was out of range. This could allow a remote attacker to cause a denial of service. (CVE-2010-3705, Important)
* A function in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was missing sanity checks, which could allow a local, unprivileged user to escalate their privileges. (CVE-2010-3904, Important)
* A flaw in
drm_ioctl()
in the Linux kernel's Direct Rendering Manager (DRM) implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-2803, Moderate)
* It was found that wireless drivers might not always clear allocated buffers when handling a driver-specific IOCTL information request. A local user could trigger this flaw to cause an information leak. (CVE-2010-2955, Moderate)
* A NULL pointer dereference flaw in
ftrace_regex_lseek()
in the Linux kernel's ftrace implementation could allow a local, unprivileged user to cause a denial of service. Note: The debugfs file system must be mounted locally to exploit this issue. It is not mounted by default. (CVE-2010-3079, Moderate)
* A flaw in the Linux kernel's packet writing driver could be triggered via the
PKT_CTRL_CMD_STATUS
IOCTL request, possibly allowing a local, unprivileged user with access to /dev/pktcdvd/control
to cause an information leak. Note: By default, only users in the cdrom group have access to /dev/pktcdvd/control
. (CVE-2010-3437, Moderate)
* A flaw was found in the way KVM (Kernel-based Virtual Machine) handled the reloading of
fs
and gs
segment registers when they had invalid selectors. A privileged host user with access to /dev/kvm
could use this flaw to crash the host. (CVE-2010-3698, Moderate)
Red Hat would like to thank Kees Cook for reporting CVE-2010-2962 and CVE-2010-2803; Ben Hawkes for reporting CVE-2010-3081 and CVE-2010-3301; Dan Rosenberg for reporting CVE-2010-3442, CVE-2010-3705, CVE-2010-3904, and CVE-2010-3437; and Robert Swiecki for reporting CVE-2010-3079.
Bug fixes
- BZ#632292
- When booting a Red Hat Enterprise Linux 5.5 kernel on a guest on an AMD host system running Red Hat Enterprise Linux 6, the guest kernel crashes due to an unsupported MSR (Model Specific Registers) read of the MSR_K7_CLK_CTL model. With this update, KVM support was added for the MSR_K7_CLK_CTL model specific register used in the AMD K7 CPU models, thus, the kernel crashes no longer occur.
- BZ#633864
- Previously, the
s390
tape block driver crashed whenever it tried to switch the I/O scheduler. With this update, an official in-kernel API (elevator_change()
) is used to switch the I/O scheduler safely, thus, the crashes no longer occurs. - BZ#633865
- Previously, a kernel module not shipped by Red Hat was successfully loaded when the
FIPS
boot option was enabled. With this update, kernel self-integrity is improved by rejecting to load kernel modules which are not shipped by Red Hat when theFIPS
boot option is enabled. - BZ#633964
- A regression was discovered that caused kernel panic during the booting of any SGI UV100 and UV1000 system unless the
virtefi
command line option was passed to the kernel by GRUB. With this update, the need for thevirtefi
command line option is removed and the kernel will boots as expected without it. - BZ#633966
- Previously, a Windows XP host experienced the stop error screen (i.e. the "Blue Screen Of Death" error) when booted with the CPU mode name. With this update, a Windows XP host no longer experiences the aforementioned error due to added KVM (Kernel-based Virtual Machine) support for the MSR_EBC_FREQUENCY_ID model specific register.
- BZ#634973
- Previously the cxgb3 (Chelsio Communications T3 10Gb Ethernet) adapter experienced parity errors. With this update, the parity errors are correctly detected and the cxgb3 adapter successfully recovers from them.
- BZ#634984
- Systems with an updated Video BIOS for the AMD RS880 would not properly boot with KMS (Kernel mode-setting) enabled. With this update, the Video BIOS boots successfully when KMS is enabled.
- BZ#635951
- The zfcpdump (kdump) kernel on IBM System z could not be debugged using the dump analysis tool crash, because the
vmlinux
file in the kernel-kdump-debuginfo RPM did not contain DWARF debug information. With this update, theCONFIG_DEBUG_KERNEL
parameter is set to yes and the needed debug information is provided. - BZ#636116
- Previously, MADV_HUGEPAGE was missing in the
include/asm-generic/mman-common.h
file which caused madvise to fail to utilize TPH. With this update, the madvise option was removed from/sys/kernel/mm/redhat_transparent_hugepage/enabled
since MADV_HUGEPAGE was removed from themadvise
system call. - BZ#637087
- The kernel panicked when booting the kdump kernel on a
s390
system with an initramfs that contained an odd number of bytes. With this update, an initramfs with sufficient padding such that it contains an even number of bytes is generated, thus, the kernel no longer panics. - BZ#638973
- Previously, in order to install Snapshot 13, boot parameter
nomodeset xforcevesa
had to be added to the kernel command line, otherwise, the screen turned black and prevented the installation. With this update, the aforementioned boot parameter no longer has to be specified and the installation works as expected. - BZ#639412
- Previously, a write request may have merged with a discard request. This could have posed a potential risk for 3rd party drivers which could possibly issue a discard without waiting properly. With this update, discarding of write block I/O requests by preventing merges of discard and write requests in one block I/O has been introduced, thus, resolving the possible risks.
- BZ#641258, BZ#644037
- The
fork()
system call led to anrmap
walk finding the parenthuge-pmd
twice instead of once, thus causing a discrepancy between themapcount
andpage_mapcount
check, which could have led to erratic page counts for subpages. This fix ensures that thermap
walk is accurate when a process is forked, thus resolving the issue. - BZ#641454
- Running a fsstress test which issues various operations on a ext4 filesystem when
usrquota
is enabled, the following JBD (Journaling Block Device) error was output in/var/log/messages
:JBD: Spotted dirty metadata buffer (dev = sda10, blocknr = 17635). There's a risk of filesystem corruption in case of system crash.
With this update, by always journaling the quota file modification in an ext4 file system the aforementioned message no longer appears in the logs. - BZ#641455
- Previously, the destination MAC address validation was not checking for NPIV (N_Port ID Virtualization) addresses, which results in FCoE (Fibre Channel over Ethernet) frames being dropped. With this update, the destination MAC address check for FCoE frames has been modified so that multiple
N_port
IDs can be multiplexed on a single physicalN_port
. - BZ#641456
- During an installation through Cisco NPV (N port virtualization) to Brocade, adding a LUN (Logical Unit Number) throughdid not work properly. This was caused by the faulty resending of FLOGI (Fabric Login) when a Fibre Channel switch in the NPV mode rejected requests with zero Destination ID. With this update, the LUN is seen and able to be selected for installation.
- BZ#641457
- Previously, timing issues could cause the FIP (FCoE Initialization Protocol) FLOGIs to timeout even if there were no problems. This caused the kernel to go into a non-FIP mode even though it should have been in the FIP mode. With this update, the timing issues no longer occur and the kernel no longer switches to the non-FIP mode when logging to the Fibre Channel Switch/Forwarder.
- BZ#641458
- Previously, the vmstat (virtual memory statistics) tool incorrectly reported the disk I/O as swap-in on ppc64 and other architectures that do not support the
TRANSPARENT_HUGEPAGE
configuration option in the kernel. With this update, the vmstat tool no longer reports incorrect statistics and works as expected. - BZ#641459
- Previously, building under memory pressure with KSM (Kernel Shared Memory) caused KSM to collapse with an internal compiler error indicating an error in swapping. With this update, data corruption during swapping no longer occurs.
- BZ#641460
- Occasionally, the
anon_vma
variable could contain the valuenull
in thepage_address_in_vma
function and cause kernel panic. With this update, kernel panic no longer occurs. - BZ#641483
- Previously, the
/proc/maps
file which is read by LVM2 (Logical Volume Manager 2) contained inconsistencies caused by LVM2 incorrectly deciding which memory tomlock
andmunlock
. With this update, LVM2 correctly decides between themlock
andmunlock
operations and no longer causes inconsistencies. - BZ#641907
- Systems that have an Emulex FC controller (with SLI-3 based firmware) installed could return a kernel panic during installation. With this update, kernel panic no longer occurs during installation.
- BZ#642043
- This update fixes the slow memory leak in the i915 module in DRM (Direct Rendering Manager) and GEM (Graphics Execution Manager).
- BZ#642045
- Previously, a race condition in the TTM (Translation Table Maps) module of the DRM (Direct Rendering Manager) between the object destruction thread and object eviction could result in a major loss of large objects reference counts. Consequently, this caused a major amount of memory leak. With this update, the race condition no longer occurs and any memory leaks are prevented.
- BZ#642679
- Previously, an operation such as
madvise(MADV_MERGEABLE)
may have split VMAs (Virtual Memory Area) without checking if any huge page had to be split into regular pages, leading to huge pages to be still mapped in VMA ranges that would not be large enough to fit huge pages. With this update, huge pages are checked whether they have been split when any VMA is being truncated. - BZ#642680
- Previously, accounting of reclaimable inodes did not work correctly. When an inode was reclaimed it was only deleted from the per-AG (per Allocation Group) tree. Neither the counter was decreased, nor was the parent tree's AG entry untagged properly. This caused the system to hang indefinitely. With this update, the accounting of reclaimable inodes works properly and the system remains responsive.
- BZ#644038
- A race condition occurred when Xen was presented with an inconsistent page type resulting in the crash of the kernel. With this update, the race condition is prevented and kernel crashes no longer occur.
- BZ#644636
- Previously, Red Hat Enterprise Linux 6 enabled the
CONFIG_IMA
option in the kernel. This caused the kernel to track all inodes in the system in a radix tree, leading to a huge waste of memory. With this update, an optimized version of a tree (rbtree) is used and memory is no longer wasted. - BZ#644926
- Previously, calling the
elevator_change
function immediately after theblk_init_queue
function resulted in a null pointer dereference. With this update, the null pointer dereference no longer occurs. - BZ#646994
- When booting the latest Red Hat Enterprise Linux 6 kernel (-78.el6), the system hanged shortly after the booting. Access to the file system died and the console started outputting soft lockup messages from the TTM code. With this update, the aforementioned behavior no longer occurs and the system boots as expected.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.