B.38.6. RHSA-2011:0498 — Important: kernel security, bug fix and enhancement update
Important
This update has already been released as the security errata RHSA-2011:0498
Updated kernel packages that resolve several security issues, fix various bugs and add an enhancement are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes
* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)
* An integer signedness flaw in drm_modeset_ctl() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1013, Important)
* The Radeon GPU drivers in the Linux kernel were missing sanity checks for the Anti Aliasing (AA) resolve register values which could allow a local, unprivileged user to cause a denial of service or escalate their privileges on systems using a graphics card from the ATI Radeon R300, R400, or R500 family of cards. (CVE-2011-1016, Important)
* A flaw in dccp_rcv_state_process() could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important)
* A flaw in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl variables net.sctp.addip_enable and net.sctp.auth_enable were turned on (they are off by default). (CVE-2011-1573, Important)
* A memory leak was found in the inotify_init() system call. In some cases, it could leak a group, which could allow a local, unprivileged user to eventually cause a denial of service. (CVE-2010-4250, Moderate)
* A missing validation of a null-terminated string data structure element in bnep_sock_ioctl() could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate)
* An information leak in bcm_connect() in the Controller Area Network (CAN) Broadcast Manager implementation could allow a local, unprivileged user to leak kernel mode addresses in /proc/net/can-bcm. (CVE-2010-4565, Low)
* A flaw was found in the Linux kernel's Integrity Measurement Architecture (IMA) implementation. When SELinux was disabled, adding an IMA rule which was supposed to be processed by SELinux would cause ima_match_rules() to always succeed, ignoring any remaining rules. (CVE-2011-0006, Low)
* A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low)
* Buffer overflow flaws in snd_usb_caiaq_audio_init() and snd_usb_caiaq_midi_init() could allow a local, unprivileged user with access to a Native Instruments USB audio device to cause a denial of service or escalate their privileges. (CVE-2011-0712, Low)
* The start_code and end_code values in /proc/<PID>/stat were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low)
* A flaw in dev_load() could allow a local user who has the CAP_NET_ADMIN capability to load arbitrary modules from /lib/modules/, instead of only netdev modules. (CVE-2011-1019, Low)
* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low)
* A missing validation of a null-terminated string data structure element in do_replace() could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low)
Red Hat would like to thank Vegard Nossum for reporting CVE-2010-4250; Vasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1019, and CVE-2011-1080; Dan Rosenberg for reporting CVE-2010-4565 and CVE-2011-0711; Rafael Dominguez Vega for reporting CVE-2011-0712; and Kees Cook for reporting CVE-2011-0726.
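The CVE-2011-0726 entry above can be checked from user space. The following is an added example, not code from the advisory or from Red Hat: it parses the start_code, end_code and start_stack fields (fields 26 to 28) of /proc/<PID>/stat, taking care with the parenthesised comm field, which may contain spaces or ')' and so must be skipped by finding the last ')'. The upstream fix reports these three fields as 0 to a caller that is not allowed to ptrace the target, so, when run as an unprivileged user against a process owned by someone else, a non-zero start_code indicates a kernel without the fix. The sample stat lines are constructed, not captured from a real system.

```c
/*
 * Added example, not code from the advisory or from Red Hat: parse the
 * start_code, end_code and start_stack fields of /proc/<PID>/stat, the
 * fields CVE-2011-0726 is about. Upstream's fix reports them as 0 to a
 * caller that may not ptrace the target, so a non-zero start_code read
 * from another user's process indicates a kernel without the fix.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct stat_layout {
    unsigned long start_code;   /* field 26 of /proc/<PID>/stat */
    unsigned long end_code;     /* field 27 */
    unsigned long start_stack;  /* field 28 */
};

/*
 * Parse one /proc/<PID>/stat line. Field 2 (comm) is parenthesised and
 * may itself contain spaces or ')', so start from the LAST ')' and count
 * space-separated fields from there: the token after it is field 3.
 * Returns 0 on success, -1 if the line is malformed or truncated.
 */
int parse_proc_stat(const char *line, struct stat_layout *out)
{
    const char *p = strrchr(line, ')');
    int field = 3;

    if (p == NULL)
        return -1;
    p++;
    for (;;) {
        while (*p == ' ')
            p++;
        if (*p == '\0' || *p == '\n')
            return -1;                  /* ran out before field 28 */
        if (field >= 26) {
            char *end;
            unsigned long v = strtoul(p, &end, 10);
            if (end == p)
                return -1;              /* not a number where one is due */
            if (field == 26)
                out->start_code = v;
            else if (field == 27)
                out->end_code = v;
            else {
                out->start_stack = v;
                return 0;
            }
        }
        while (*p != '\0' && *p != ' ' && *p != '\n')
            p++;                        /* skip the current token */
        field++;
    }
}

/* 1 if the text segment bounds are visible, i.e. the layout is exposed. */
int leaks_layout(const struct stat_layout *s)
{
    return (s->start_code != 0 || s->end_code != 0) ? 1 : 0;
}

/* Read and parse /proc/<pid>/stat. Returns 0 on success, -1 on error. */
int read_proc_stat(long pid, struct stat_layout *out)
{
    char path[64], line[1024];
    FILE *f;

    snprintf(path, sizeof path, "/proc/%ld/stat", pid);
    f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fgets(line, sizeof line, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_proc_stat(line, out);
}

/* Constructed sample lines, not captured from a real system: one with a
 * comm containing a space and non-zero code bounds, one showing what a
 * fixed kernel returns to a caller without ptrace access to the process. */
const char SAMPLE_STAT_LEAKY[] =
    "1234 (my prog) S 1 1234 1234 0 -1 4194560 100 0 0 0 1 2 0 0 20 0 1 0 "
    "5000 10000000 500 18446744073709551615 4194304 4210000 3217000000 0 0\n";
const char SAMPLE_STAT_HIDDEN[] =
    "1234 (my prog) S 1 1234 1234 0 -1 4194560 100 0 0 0 1 2 0 0 20 0 1 0 "
    "5000 10000000 500 18446744073709551615 0 0 0 0 0\n";

/* Usage: ./statcheck <pid of a process owned by another user> ...
 * EXPOSED for such a process means the kernel handed out the bounds to a
 * caller that may not ptrace it, the situation CVE-2011-0726 describes. */
int main(int argc, char **argv)
{
    int i;

    for (i = 1; i < argc; i++) {
        struct stat_layout s;
        long pid = strtol(argv[i], NULL, 10);

        if (read_proc_stat(pid, &s) != 0) {
            perror(argv[i]);
            continue;
        }
        printf("%ld: %s start_code=%#lx end_code=%#lx start_stack=%#lx\n",
               pid, leaks_layout(&s) ? "EXPOSED" : "hidden",
               s.start_code, s.end_code, s.start_stack);
    }
    return 0;
}
```

Run it unprivileged against a PID you do not own (a system daemon, for example). Your own processes, and everything when run as root, are legitimately readable and will always show the real values, so they say nothing about whether the fix is present.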
Bug fixes
- BZ#659572
- A flaw was found in the Linux kernel that, if used in conjunction with another flaw that can result in a kernel Oops, could possibly lead to privilege escalation. It does not affect Red Hat Enterprise Linux 6 as the sysctl panic_on_oops variable is turned on by default. However, as a preventive measure in case the variable has been turned off by an administrator, this update addresses the issue. Red Hat would like to thank Nelson Elhage for reporting this vulnerability.
- BZ#694073
- Under some circumstances, faulty logic in the system BIOS could report that ASPM (Active State Power Management) was not supported on the system, but leave ASPM enabled on a device. This could lead to AER (Advanced Error Reporting) errors that the kernel was unable to handle. With this update, the kernel proactively disables ASPM on devices when the BIOS reports that ASPM is not supported, safely eliminating the aforementioned issues.
- BZ#696487
- Prior to this update, adding a bond over a bridge inside a virtual guest caused the kernel to crash due to a NULL dereference. This update improves the tests for the presence of VLANs configured above bonding (additionally, this update fixes a regression introduced by the patch for BZ#633571). The new logic determines whether a registration has occurred, instead of testing that the internal vlan_list of a bond is empty. Previously, the system panicked and crashed when vlan_list was not empty but the vlgrp pointer was still NULL.
- BZ#698109
- During light or no network traffic, an active-backup interface bond using ARP monitoring with validation could go down and come back up due to an overflow or underflow of system timer interrupt ticks (jiffies). With this update, the jiffies calculation issues have been fixed and a bond interface works as expected.
- BZ#691777
- In certain network setups (specifically, using VLAN on certain NICs where packets are sent through the VLAN GRO rx path), sending packets from an active ethernet port to another inactive ethernet port could affect the network's bridge and cause the bridge to acquire a wrong bridge port. This resulted in all packets not being passed along in the network. With this update, the underlying source code has been modified to address this issue, and network traffic works as expected.
- BZ#698114, BZ#696889
- Deleting a SCSI (Small Computer System Interface) device attached to a device handler caused applications running in user space, which were performing I/O operations on that device, to become unresponsive. This was because the SCSI device handler's activation did not propagate the SCSI device deletion via an error code and a callback to Device-Mapper Multipath. With this update, deletion of a SCSI device attached to a device handler is properly handled and no longer causes such applications to become unresponsive.
- BZ#683440
- Systems management applications using the libsmbios package could become unresponsive on Dell PowerEdge servers (specifically, Dell PowerEdge 2970 and Dell PowerEdge SC1435). The dcdbas driver can perform an I/O write operation which causes an SMI (System Management Interrupt) to occur. However, the SMI handler processed the SMI well after the outb function had completed, which caused random failures resulting in the aforementioned hang. With this update, the underlying source code has been modified to address this issue, and systems management applications using the libsmbios package no longer become unresponsive.
- BZ#670850
- Invoking an EFI (Extensible Firmware Interface) call caused a restart or a failure to boot on a system with more than 512GB of memory because the EFI page tables did not map the whole kernel space. EFI page tables used only one PGD (Page Global Directory) entry to map the kernel space; thus, virtual addresses higher than PAGE_OFFSET + 512GB could not be accessed. With this update, EFI page tables map the whole kernel space.
- BZ#683820
- Enabling the Header Splitting mode on all Intel 82599 10 Gigabit Ethernet hardware could lead to unpredictable behavior. With this update, the Header Splitting mode is never enabled on the aforementioned hardware.
- BZ#670114
- The ixgbe driver has been upgraded to upstream version 3.0.12, which provides a number of bug fixes and enhancements over the previous version.
- BZ#670110
- If an Intel 82598 10 Gigabit Ethernet Controller was configured in a way that caused peer-to-peer traffic to be sent to the Intel X58 I/O hub (IOH), a PCIe credit starvation problem occurred. As a result, the system would hang. With this update, the system continues to work and does not hang.
- BZ#683817
- The ALSA HDA audio driver has been updated to improve support for new chipsets and HDA audio codecs.
- BZ#689341
- A buffer overflow flaw was found in the Linux kernel's Cluster IP hashmark target implementation. A local, unprivileged user could trigger this flaw and cause a local denial of service by editing files in the
/proc/net/ipt_CLUSTERIP/
directory. Note: On Red Hat Enterprise 6, only root can write to files in the/proc/net/ipt_CLUSTERIP/
directory by default. This update corrects this issue as a preventative measure in case an administrator has changed the permissions on these files. Red Hat would like to thank Vasiliy Kulikov for reporting this issue. - BZ#684275
- Using the
pam_tty_audit.so
module (which enables or disables TTY auditing for specified users) in the/etc/pam.d/sudo
file and in the/etc/pam.d/system-auth
file when the audit package is not installed resulted in soft lock-ups on CPUs. As a result, the kernel became unresponsive. This was due to the kernel exiting immediately after TTY auditing was disabled, without emptying the buffer, which caused the kernel to spin in a loop, copying 0 bytes at each iteration and attempting to push each time without any effect. With this update, a locking mechanism is introduced to prevent the aforementioned behavior. - BZ#679306
- Prior to this update, a collection of world-writable
sysfs
andprocfs
files allowed an unprivileged user to change various settings, change device hardware registers, and load certain firmware. With this update, permissions for these files have been changed. - BZ#694186
- A previously introduced patch could cause
kswapd
(the kernel's memory reclaim daemon) to enter an infinite loop, consuming 100% of the CPU it is running on. This happened becausekswapd
incorrectly stayed awake for an unreclaimable zone. This update addresses this issue, andkswapd
no longer consumes 100% of the CPU it is running on. - BZ#695322
- If an error occurred during an I/O operation, the
SCSI
driver reset themegaraid_sas
controller to restore it to normal state. However, on Red Hat Enterprise Linux 6, the waiting time to allow a full reset completion for themegaraid_sas
controller was too short. The driver incorrectly recognized the controller as stalled, and, as a result, the system stalled as well. With this update, more time is given to the controller to properly restart, thus, the controller operates as expected after being reset.
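The BZ#679306 entry above does not list which sysfs and procfs files were world-writable, so a practitioner will want to verify the result on an updated system rather than trust the list. The following is an added example, not code from the advisory or from Red Hat: it walks a directory tree with nftw() without following symlinks or crossing mount points, and counts regular files whose mode grants write permission to "other". The choice of /sys and /proc/sys as default roots is this example's own; walking all of /proc would mostly visit per-process directories that are not what the bug fix concerns. The walk is read-only and safe to run as an unprivileged user.

```c
/*
 * Added example, not code from the advisory or from Red Hat: list regular
 * files under a sysfs/procfs tree that are writable by "other". After the
 * BZ#679306 fix a walk of /sys and /proc/sys is expected to report no
 * hits; any file it does report is one an unprivileged user could use to
 * change settings or hardware registers, which is what that bug describes.
 */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int ww_count;      /* world-writable regular files seen so far */
static int ww_verbose;    /* print each hit when non-zero */

static int ww_visit(const char *path, const struct stat *sb, int typeflag,
                    struct FTW *ftwbuf)
{
    (void)ftwbuf;
    /* With FTW_PHYS symlinks arrive as FTW_SL and are never followed, so
     * /proc/self-style links cannot loop the walk. Only regular files
     * that are writable by "other" are counted. */
    if (typeflag == FTW_F && (sb->st_mode & S_IWOTH)) {
        ww_count++;
        if (ww_verbose)
            printf("world-writable: %s (mode %04o)\n", path,
                   (unsigned)(sb->st_mode & 07777));
    }
    return 0;   /* keep walking */
}

/*
 * Count world-writable regular files under root, without following
 * symlinks (FTW_PHYS) or crossing into other mounts (FTW_MOUNT).
 * Returns the count, or -1 if nftw() fails (e.g. root does not exist).
 */
int count_world_writable(const char *root, int verbose)
{
    ww_count = 0;
    ww_verbose = verbose;
    if (nftw(root, ww_visit, 64, FTW_PHYS | FTW_MOUNT) == -1)
        return -1;
    return ww_count;
}

/* Usage: ./wwaudit [root ...]; defaults to /sys and /proc/sys.
 * Exit status is 1 if anything world-writable was found. */
int main(int argc, char **argv)
{
    static const char *defaults[] = { "/sys", "/proc/sys", NULL };
    const char **roots = argc > 1 ? (const char **)argv + 1 : defaults;
    int total = 0;

    for (; *roots != NULL; roots++) {
        int n = count_world_writable(*roots, 1);
        if (n < 0) {
            perror(*roots);
            continue;
        }
        total += n;
    }
    printf("%d world-writable file(s) found\n", total);
    return total ? 1 : 0;
}
```

Because FTW_MOUNT stops at mount boundaries, separately mounted trees such as debugfs or cgroup mounts under /sys need to be passed as their own roots if they should be included.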
Enhancement
- BZ#683810
- This update provides VLAN null tagging support (VLAN ID 0 can be used in tags).
Users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. The system must be rebooted for this update to take effect.