B.38.2. RHSA-2011:0007 — Important: kernel security and bug fix update
Important
This update has already been released as the security errata RHSA-2011:0007
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* Buffer overflow in
eCryptfs. When /dev/ecryptfs has world writable permissions (which it does not, by default, on Red Hat Enterprise Linux 6), a local, unprivileged user could use this flaw to cause a denial of service or possibly escalate their privileges. (CVE-2010-2492, Important)
* Integer overflow in the
RDS protocol implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important)
* Missing boundary checks in the
PPP over L2TP sockets implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4160, Important)
* NULL pointer dereference in the
igb driver. If both Single Root I/O Virtualization (SR-IOV) and promiscuous mode were enabled on an interface using igb, it could result in a denial of service when a tagged VLAN packet is received on that interface. (CVE-2010-4263, Important)
* Missing initialization flaw in the
XFS file system implementation, and in the network traffic policing implementation, could allow a local, unprivileged user to cause an information leak. (CVE-2010-3078, CVE-2010-3477, Moderate)
* NULL pointer dereference in the Open Sound System compatible sequencer driver could allow a local, unprivileged user with access to
/dev/sequencer to cause a denial of service. /dev/sequencer is only accessible to root and users in the audio group by default. (CVE-2010-3080, Moderate)
* Flaw in the ethtool IOCTL handler could allow a local user to cause an information leak. (CVE-2010-3861, Moderate)
* Flaw in
bcm_connect() in the Controller Area Network (CAN) Broadcast Manager. On 64-bit systems, writing the socket address may overflow the procname character array. (CVE-2010-3874, Moderate)
* Flaw in the module for monitoring the sockets of
INET transport protocols could allow a local, unprivileged user to cause a denial of service. (CVE-2010-3880, Moderate)
* Missing boundary checks in the block layer implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4162, CVE-2010-4163, CVE-2010-4668, Moderate)
* NULL pointer dereference in the Bluetooth
HCI UART driver could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4242, Moderate)
* Flaw in the Linux kernel CPU time clocks implementation for the POSIX clock interface could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4248, Moderate)
* Flaw in the garbage collector for
AF_UNIX sockets could allow a local, unprivileged user to trigger a denial of service. (CVE-2010-4249, Moderate)
* Missing upper bound integer check in the AIO implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-3067, Low)
* Missing initialization flaws could lead to information leaks. (CVE-2010-3298, CVE-2010-3876, CVE-2010-4072, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, CVE-2010-4158, Low)
* Missing initialization flaw in KVM could allow a privileged host user with access to
/dev/kvm to cause an information leak. (CVE-2010-4525, Low)
Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492; Thomas Pollet for reporting CVE-2010-3865; Dan Rosenberg for reporting CVE-2010-4160, CVE-2010-3078, CVE-2010-3874, CVE-2010-4162, CVE-2010-4163, CVE-2010-3298, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, and CVE-2010-4158; Kosuke Tatsukawa for reporting CVE-2010-4263; Tavis Ormandy for reporting CVE-2010-3080 and CVE-2010-3067; Kees Cook for reporting CVE-2010-3861 and CVE-2010-4072; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; Vegard Nossum for reporting CVE-2010-4249; Vasiliy Kulikov for reporting CVE-2010-3876; and Stephan Mueller of atsec information security for reporting CVE-2010-4525.
Bug fixes:
- BZ#655122
- When building kernel modules against the full Red Hat Enterprise Linux 6 source tree (instead of just kernel-devel), modules would be signed by a locally generated key. However, Red Hat Enterprise Linux 6 refused to load modules created in this way as it did not recognize the key. This update disables module signing while building out-of-tree modules, thus, in the aforementioned case, kernel module loading works as expected.
- BZ#643815
- With this update, the upper limit of the
log_mtts_per_segvariable was increased from five to seven, increasing the amount of memory that can be registered. As a result, the Mellanox driver (mlx4) can now use up to 64 GB of physical memory for RDMA (remote direct memory access). This provides better scalability for example when using the Mellanox adapter in NFS/RDMA, or on machines with a lot of physical memory. - BZ#648408
- Due to a mix-up between
FMODE_andO_flags, anNFSv4client could get aWRITElock on a file that anotherNFSv4client already had aREADlock on. As a result, data could be corrupted. With this update,FMODE_andO_flags are properly handled and getting aWRITElock fails in the aforementioned case. - BZ#649436
- Booting Red Hat Enterprise Linux 6 debug kernel on a system with the Dell PowerEdge RAID Controller H700 adapter caused the
megaraid_sasdriver to reset the controller multiple times leading to a faulty controller state. On rebooting the system, the faulty controller state could cause the firmware to detect an incorrect memory condition. This could be especially confusing since the message could be a faulty DIMM (Dual In-line Memory Module) condition prompting the administrator to replace the DIMMs. This occurred due to a leak in themfi_sgldma'ed frame when the firmware supported IEEE frames. Themfi_sglwould draw memory from the slab cache and any use of freed memory would result in incorrect pages being read in the ISR (Interrupt Service Routine). This caused the controller resets and the ensuing DIMM error condition. This update fixes the leak inmfi_sglwhen the firmware supports IEEE frames. Faulty controller states and faulty DIMM conditions no longer occur. - BZ#653900
- Running VDSM and performing an
lvextendoperation during an intensive Virtual Guest power up caused this operation to fail. Sincelvextendwas blocked, all components became non-responsive:vgsandlvscommands froze the session, Virtual Guests became Paused or Not Responding. This was caused due to a faulty use of a lock. With this update, performing anlvextendoperation works as expected. - BZ#651996
- Due to a faulty memory allocator, on Non-Uniform Memory Architecture (NUMA) platforms, an OOM (Out Of Memory) condition would occur when a user changed a cpuset's
/etc/dev/memsfile (list of memory nodes in that cpuset) even though the specified node had enough free memory. With this update, the memory allocator no longer causes an OOM condition when a node has enough free memory. - BZ#653340
- When using a VIRT-IO (Virtual Input/Output) NIC (Network Interface Controller), its state was reported as unknown instead of its real state (up or down). This was due to the fact that the device could not report the state status. With this update, when a device is not capable of reporting the current state, it is assumed the state is up or the state is read from the config file.
- BZ#658879
- A previously released patch fixed the external module compiling when using the full source tree, however, it was discovered it resulted in breaking the build in the kernel-devel only case. With this update, the patch has been fixed to avoid any external module compiling errors.
- BZ#647391
- Running certain workload tests on a NUMA (Non-Uniform Memory Architecture) system could cause kernel panic at
mm/migrate.c:113. This was due to a false positive BUG_ON. With this update, the false positive BUG_ON has been removed. - BZ#659611
- Updated partner qualification injecting target faults uncovered a flaw where the Emulex
lpfcdriver would incorrectly panic due to a nullpnodedereference. This update addresses the issue and was tested successfully under the same test conditions without the panic occurring. - BZ#660589
- Updated partner qualification injecting controller faults uncovered a flaw where the Emulex
lpfcdriver panicked during error handling. With this update, kernel panic no longer occurs. - BZ#660244
- Updated partner qualification injecting controller faults uncovered a flaw where Fibre Channel ports would go offline while testing with Emulex LPFC controllers due to a faulty LPFC heartbeat functionality. This update changes the default behavior of the LPFC heartbeat to
off. - BZ#660591
- When configuring an SIT (Simple Internet Transition) tunnel while a remote address is configured, kernel panic occurred, caused by an execution of a
NULLheader_opspointer in theneigh_update_hhs()function. With this update, a check is introduced that makes sure theheader_opspointer is not of the valueNULL, thus, kernel panic no longer occurs.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
