B.38.3. RHSA-2011:0283 — Moderate: kernel security, bug fix and enhancement update
Important
This update has already been released as the security errata RHSA-2011:0283
Updated kernel packages that resolve several security issues, fix various bugs and add enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes
* A divide-by-zero flaw was found in the tcp_select_initial_window() function in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to trigger a denial of service by calling setsockopt() with certain options. (CVE-2010-4165, Moderate)
* A use-after-free flaw in the mprotect() system call in the Linux kernel could allow a local, unprivileged user to cause a local denial of service. (CVE-2010-4169, Moderate)
* A flaw was found in the Linux kernel execve() system call implementation. A local, unprivileged user could cause large amounts of memory to be allocated that were not visible to the OOM (Out of Memory) killer, triggering a denial of service. (CVE-2010-4243, Moderate)
Red Hat would like to thank Steve Chen for reporting CVE-2010-4165, and Brad Spengler for reporting CVE-2010-4243.
Bug fixes
- BZ#652720: Prior to this update, the only way for a guest to find out whether the host-side connection of a virtio-serial port was open or closed was to call poll() explicitly on each port. With this update, a SIGIO signal is sent for any host connect/disconnect event, so the change can be handled asynchronously without polling every port. Once the SIGIO signal is received, the open/close status of the virtio-serial ports can be obtained using the poll() system call.
- BZ#658854: A Red Hat Enterprise Linux 6.0 host (with root on a local disk) with dm-multipath configured on multiple LUNs (Logical Unit Numbers) hit a kernel panic (in scsi_error_handler) when the target controller faulted during an I/O operation on the dm-multipath devices. This was caused by multipath using the blk_abort_queue() function to allow lower-latency path deactivation; the call to blk_abort_queue() proved to be unsafe because of a race between blk_abort_queue() and scsi_request_fn(). With this update, the race has been resolved and the kernel panic no longer occurs on Red Hat Enterprise Linux 6.0 hosts.
- BZ#658891: Prior to this update, running context-switch intensive workloads on KVM guests resulted in a large number of VM exits (kvm_exit) caused by control register (CR) accesses by the guest, resulting in poor performance. This update includes a number of optimizations that allow the guest to avoid exiting to the hypervisor in this case, improving overall performance.
- BZ#659610: Handling of ALUA (Asymmetric Logical Unit Access) transitioning states did not work properly because of a faulty SCSI (Small Computer System Interface) ALUA handler. With this update, optimized state transitioning prevents this behavior.
- BZ#660590: Prior to this update, when using Red Hat Enterprise Linux 6 with the qla4xxx driver and FC (Fibre Channel) drivers that use the fc transport class, a device might have been put into the offline state because of a transport problem. Once the transport problem was resolved, the device remained unusable until a user manually corrected its state. This update enables the transition from the offline state to the running state, fixing the problem.
- BZ#661667: The zfcpdump tool was not able to mount ext4 file systems. Because ext4 is the default file system on Red Hat Enterprise Linux 6, ext4 file system support has been added to the zfcpdump tool with this update.
- BZ#661725: The zfcpdump tool was not able to mount ext2 file systems. With this update, ext2 file system support has been added to the zfcpdump tool.
- BZ#661730: The lock reclaim operation on a Red Hat Enterprise Linux 6 NFSv4 client did not work properly when, after a server reboot, an I/O operation that resulted in a STALE_STATEID response was performed before the RENEW call was sent to the server. This was caused by improper use of the state flags. While investigating this bug, a different bug was discovered in the state recovery operation, which resulted in a reclaim thread looping in the nfs4_reclaim_open_state() function. With this update, both operations have been fixed and work as expected.
- BZ#661731: Prior to this update, the execve() system call exhibited the following flaw. When the argument and environment data were copied from the old task's user stack to the user stack of the newly-execve'd task, the kernel did not allow the process to be interrupted or rescheduled. Therefore, when the argument or environment string data was abnormally large, the process could not be interacted with while execve() was transferring the data. With this update, fatal signals (such as the SIGINT sent by Ctrl+C) can be received and handled, and the process is allowed to yield to higher-priority processes during the data transfer.
- BZ#661732: The memory cgroup controller has its own Out of Memory routine (OOM killer) that kills a process at an OOM event. However, a race condition could cause the pagefault_out_of_memory() function to be called after the memory cgroup's OOM handling; this invoked the generic OOM killer and could cause a system panic when panic_on_oom was set. With this update, only the memory cgroup's OOM killer is invoked to kill a process when an OOM occurs in the cgroup.
- BZ#661737: In some cases, under a small system load involving some I/O, processes started to lock up in the D state (uninterruptible sleep; that is, they became unresponsive), and the system load could climb steadily. This was due to the way the event channel IRQ (Interrupt Request) was set up: Xen events behave like edge-triggered IRQs, but the kernel was setting them up as level-triggered IRQs. As a result, any action using Xen event channels could lock up a process in the D state. With this update, the event channel IRQs are set up to match the edge-triggered behavior of Xen events, and processes no longer lock up in the D state.
- BZ#662049: When a SCSI command timed out and the fcoe/libfc driver aborted the command, a race could occur during the clean-up of the command and result in a kernel panic. With this update, the locking in the clean-up and abort paths has been modified, fixing the issue.
- BZ#662050: A lack of synchronization between clearing the QUEUE_FLAG_CLUSTER flag and setting the no_cluster flag in the queue_limits structure caused data corruption. Note that this issue only occurred on hardware that does not support segment merging (clustering). With this update, the two flags are kept synchronized and data corruption no longer occurs.
- BZ#662721: The virtio-console device did not handle the hot-unplug operation properly. As a result, virtio-console could access memory outside the driver's memory area and cause a kernel panic in the guest. With this update, multiple fixes to the virtio-console device resolve this issue and the hot-unplug operation works as expected.
- BZ#662921: Prior to this update, running the hwclock --systohc command could halt a running system. This was due to interrupt transactions being (erroneously) looped back from a local IOH (Input/Output Hub) through the IOH to a local CPU, which conflicted with I/O port operations and other transactions. With this update, the conflicts are avoided and the system continues to run after hwclock --systohc is executed.
- BZ#666797: An I/O operation could fast-fail when using Device-Mapper Multipathing (dm-multipath) even though the I/O operation could still have been retried by the SCSI layer. This prevented the multipath layer from starting its error recovery procedure and resulted in unnecessary log messages. This update includes a number of changes that resolve the issue.
- BZ#670421: Outgoing packets were not fragmented after an ICMPv6 Packet Too Big message was received when using IPsec in IPv6 tunnel mode. This was due to the lack of IPv6 fragmentation support over an IPsec tunnel. With this update, IPv6 fragmentation is fully supported and works as expected in IPsec IPv6 tunnel mode.
- BZ#671342: Bonding, when operating in ARP monitoring mode, made erroneous assumptions about the ownership of the ARP frames it received for processing. Specifically, it assumed that the bonding driver was the only execution context with access to the network buffer holding the ARP frame, and it attempted to modify the size of that data buffer, an operation the kernel forbids on a buffer shared among several execution contexts because it could lead to data corruption. To prevent the corruption, the kernel panicked. The shared state could be forced to occur, for example, by running the tcpdump utility on the bonding interface: every buffer the bond interface received was then shared between the driver and the tcpdump process, resulting in the kernel panic. With this update, each inbound frame in the affected path of the bonding driver is checked for the shared state; if the buffer is shared, a private copy is made for the bonding driver's exclusive use, preventing the kernel panic.
- BZ#673978: For a device whose Target Port Group (TPG) ID occupied the full 2 bytes in the RTPG (Report Target Port Groups) response, with either byte exceeding the maximum value that can be stored in a signed char, the TPG ID calculated by the kernel never matched the group_id it should have. This signed char overflow also caused the ALUA handler to incorrectly identify the Asymmetric Access State (AAS) of the device and to misinterpret the supported AAS of the target. With this update, the issue has been addressed and no longer occurs.
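The SIGIO-plus-poll() pattern introduced by BZ#652720, as an added example that is not part of this errata or of the kernel sources: a guest-side program asks for SIGIO on a virtio-serial port descriptor with F_SETOWN and O_ASYNC, and, once the signal has arrived, queries poll() for POLLHUP to learn whether the host side is connected. The device path PORT_PATH and the helper names are assumptions; the self-test in demo_on_pipe() stands in a pipe() for the port so that it runs on any Linux system.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: name of the guest-side port device, not taken from the errata. */
#define PORT_PATH "/dev/virtio-ports/org.example.agent"

enum port_state { PORT_ERROR = -1, PORT_OPEN = 0, PORT_CLOSED = 1 };

static volatile sig_atomic_t sigio_pending;

/* Only record the event here; the poll() happens in normal context. */
static void on_sigio(int sig)
{
    (void)sig;
    sigio_pending = 1;
}

/* Ask the kernel to send SIGIO to this process on events for fd
 * (for a virtio-serial port: host connect/disconnect). */
int setup_async_notification(int fd)
{
    struct sigaction sa;
    int flags;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigio;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGIO, &sa, NULL) == -1)   /* install before enabling O_ASYNC */
        return -1;
    if (fcntl(fd, F_SETOWN, getpid()) == -1) /* who receives the signal */
        return -1;
    flags = fcntl(fd, F_GETFL);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_ASYNC | O_NONBLOCK);
}

/* POLLHUP means the other side is not connected; error bits mean the fd is unusable. */
enum port_state classify_revents(short revents)
{
    if (revents & (POLLERR | POLLNVAL))
        return PORT_ERROR;
    return (revents & POLLHUP) ? PORT_CLOSED : PORT_OPEN;
}

/* Non-blocking status query to run after SIGIO has been observed. */
enum port_state query_port_state(int fd)
{
    struct pollfd pfd;
    int n;

    pfd.fd = fd;
    pfd.events = POLLIN;
    pfd.revents = 0;
    do {
        n = poll(&pfd, 1, 0);
    } while (n == -1 && errno == EINTR);     /* SIGIO itself may interrupt us */
    if (n == -1)
        return PORT_ERROR;
    return classify_revents(pfd.revents);
}

/* Self-test: the pipe's read end plays the guest port, the write end the host.
 * Returns 0 when the states are reported as expected, a negative code otherwise. */
int demo_on_pipe(void)
{
    int fds[2];
    enum port_state before, after;

    if (pipe(fds) == -1)
        return -1;
    if (setup_async_notification(fds[0]) == -1) {
        close(fds[0]);
        close(fds[1]);
        return -2;
    }
    before = query_port_state(fds[0]);   /* writer still open: "host connected" */
    close(fds[1]);                       /* "host disconnects"; kernel raises SIGIO */
    after = query_port_state(fds[0]);    /* read end now reports POLLHUP */
    close(fds[0]);
    if (before != PORT_OPEN)
        return -3;
    if (after != PORT_CLOSED)
        return -4;
    return 0;
}

int main(void)
{
    int fd = open(PORT_PATH, O_RDWR);
    if (fd == -1) {
        fprintf(stderr, "open %s: %s; running the pipe self-test instead\n",
                PORT_PATH, strerror(errno));
        return demo_on_pipe() == 0 ? 0 : 1;
    }
    if (setup_async_notification(fd) == -1) {
        perror("setup_async_notification");
        return 1;
    }
    for (;;) {
        pause();                          /* sleep until a signal arrives */
        if (sigio_pending) {
            sigio_pending = 0;
            enum port_state st = query_port_state(fd);
            printf("host side is %s\n", st == PORT_OPEN ? "open" :
                   st == PORT_CLOSED ? "closed" : "in error");
        }
    }
}
```

The handler does nothing but set a flag: poll() and printf() are called from the main loop, not from signal context. Because O_ASYNC only says that something changed, the poll() after each SIGIO is what actually distinguishes connect from disconnect, which is the division of labour the fix describes.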
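The signed char overflow described for BZ#673978, as an added illustration rather than the scsi_dh_alua driver's actual code: the two big-endian ID bytes of an RTPG descriptor are assembled once through signed char and once through unsigned char, and a lookup against a constructed descriptor table shows why a group_id with 0x80 or above in either byte is never found the buggy way. The descriptor table and its aas field are constructed sample data; the real RTPG wire layout is not reproduced.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample, one entry per target port group.  id_hi/id_lo are the
 * big-endian ID bytes; aas is an illustrative stand-in for the access state
 * (assumption, not the real descriptor layout). */
struct tpg_desc {
    unsigned char id_hi;
    unsigned char id_lo;
    int aas;   /* 0 active/optimized, 1 active/non-optimized, 2 standby */
};

static const struct tpg_desc sample_rtpg[] = {
    { 0x00, 0x7F, 0 },   /* both bytes below 0x80: parsed the same either way */
    { 0x01, 0x80, 1 },   /* low byte >= 0x80 */
    { 0x80, 0x01, 2 },   /* high byte >= 0x80: ID uses the full 2 bytes */
};
#define N_SAMPLE (sizeof sample_rtpg / sizeof sample_rtpg[0])

/* Buggy reconstruction: the bytes are read through signed char, so any byte
 * >= 0x80 is already negative when the 16-bit value is assembled and the
 * sign leaks into the result. */
int tpg_id_signed(signed char hi, signed char lo)
{
    return hi * 256 + lo;
}

/* Correct form: widen each byte as unsigned first; result is always 0..65535. */
int tpg_id_unsigned(unsigned char hi, unsigned char lo)
{
    return (int)(((unsigned)hi << 8) | lo);
}

/* Return the aas of the descriptor whose computed ID equals group_id, or -1
 * when nothing matches (the handler then cannot say what state the device
 * is in, which is the misidentification the errata describes). */
int aas_for_group(int group_id, int use_signed)
{
    for (size_t i = 0; i < N_SAMPLE; i++) {
        const struct tpg_desc *d = &sample_rtpg[i];
        int id = use_signed
            ? tpg_id_signed((signed char)d->id_hi, (signed char)d->id_lo)
            : tpg_id_unsigned(d->id_hi, d->id_lo);
        if (id == group_id)
            return d->aas;
    }
    return -1;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLE; i++) {
        const struct tpg_desc *d = &sample_rtpg[i];
        int good = tpg_id_unsigned(d->id_hi, d->id_lo);
        int bad  = tpg_id_signed((signed char)d->id_hi, (signed char)d->id_lo);
        printf("bytes %02x %02x: unsigned=%6d signed=%6d  lookup of %d via buggy path -> aas %d\n",
               d->id_hi, d->id_lo, good, bad, good, aas_for_group(good, 1));
    }
    return 0;
}
```

Only the first row survives the buggy path; the other two produce 128 and -32767 instead of 384 and 32769, so a lookup keyed on the real group_id returns -1. The general lesson is the one to take from the bug: never assemble multi-byte fields from a signed char buffer.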
Enhancements
- BZ#674002: The ixgbe driver has been updated to address various FCoE (Fibre Channel over Ethernet) issues related to Direct Data Placement (FCoE DDP).
- BZ#664398: The qla2xxx driver for QLogic Fibre Channel Host Bus Adapters (HBAs) has been updated to upstream version 8.03.05.01.06.1-k0, which provides a number of bug fixes and enhancements over the previous version.
Users should upgrade to these updated packages, which contain backported patches to correct these issues, fix these bugs, and add these enhancements. The system must be rebooted for this update to take effect.