1.60. kernel
1.60.1. RHSA-2011:0927 - Important: kernel security and bug fix update
Important
This update has already been released as the security errata RHSA-2011:0927
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)
* A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service. (CVE-2011-0695, Important)
* A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl net.sctp.addip_enable and auth_enable variables were turned on (they are off by default). (CVE-2011-1573, Important)
* Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)
* An integer overflow flaw in agp_allocate_memory() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important)
* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially-crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576, Moderate)
* An integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)
* A flaw in the way the Xen hypervisor implementation handled CPUID instruction emulation during virtual machine exits could allow an unprivileged guest user to crash a guest. This only affects systems that have an Intel x86 processor with the Intel VT-x extension enabled. (CVE-2011-1936, Moderate)
* A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)
* A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low)
* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low)
* A missing validation check was found in the signals implementation. A local, unprivileged user could use this flaw to send signals via the sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. Note: This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low)
* A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing specially-crafted partition tables. (CVE-2011-1776, Low)
* Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492, Low)
Red Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695; Vasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and CVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki for reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213 and CVE-2011-0711; Julien Tinnes of the Google Security Team for reporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and Marek Kroemeke and Filip Palian for reporting CVE-2011-2492.
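The SCTP entry above (CVE-2011-1573) is only reachable when both net.sctp.addip_enable and net.sctp.auth_enable are turned on, and both are off by default. The following shell script is an added example, not part of the advisory: it reads the two values from a /proc/sys-style tree and reports whether the precondition holds, distinguishing the case where the sctp module is not loaded at all (the files then do not exist). The function names and the copied-tree argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of RHSA-2011:0927: report whether the precondition
# for CVE-2011-1573 holds, i.e. both net.sctp.addip_enable and
# net.sctp.auth_enable are set to 1 (both default to 0). The values are read
# from a /proc/sys-style tree whose root is a parameter, so the same check
# runs against the live system or a copied tree. Function names are ours.

# sctp_sysctl_value ROOT NAME -> prints the value of net.sctp.NAME, or
# "absent" when the file does not exist (the sctp module is not loaded).
sctp_sysctl_value() {
    f="$1/net/sctp/$2"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'absent'
    fi
}

# sctp_addip_auth_state [ROOT] -> prints exactly one of:
#   exposed  both sysctls are 1, so the flaw is reachable
#   safe     at least one of them is 0 (the shipped default)
#   no-sctp  the sctp module is not loaded, so the sysctls do not exist
sctp_addip_auth_state() {
    root="${1:-/proc/sys}"
    addip=$(sctp_sysctl_value "$root" addip_enable)
    auth=$(sctp_sysctl_value "$root" auth_enable)
    if [ "$addip" = absent ] || [ "$auth" = absent ]; then
        printf 'no-sctp'
    elif [ "$addip" = 1 ] && [ "$auth" = 1 ]; then
        printf 'exposed'
    else
        printf 'safe'
    fi
}

# make_fake_sysctl_tree ADDIP AUTH -> builds a constructed /proc/sys
# look-alike holding the two sctp files and prints its path, for offline use.
make_fake_sysctl_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/net/sctp"
    printf '%s\n' "$1" > "$d/net/sctp/addip_enable"
    printf '%s\n' "$2" > "$d/net/sctp/auth_enable"
    printf '%s' "$d"
}

# Run directly: report the live host, then show two outcomes on constructed
# trees so the three states can be compared.
printf 'live host: %s\n' "$(sctp_addip_auth_state)"
printf 'constructed 1/1: %s\n' "$(sctp_addip_auth_state "$(make_fake_sysctl_tree 1 1)")"
printf 'constructed 0/1: %s\n' "$(sctp_addip_auth_state "$(make_fake_sysctl_tree 0 1)")"
```

On a live Red Hat Enterprise Linux 5 host the same two values can be read with `sysctl -n net.sctp.addip_enable` and `sysctl -n net.sctp.auth_enable`; a "no-sctp" result means the flaw is not reachable because the protocol is not loaded, and a "safe" result means the shipped defaults are still in place. The durable fix remains the updated kernel package, since the sysctls only describe whether the vulnerable path is enabled.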
Bug fixes:
- BZ#709767
- Prior to this update, a race in the GFS2 glock state machine could cause nodes to become unresponsive. Specifically, all nodes but one would hang, waiting for a particular glock. All the waiting nodes had the W (Waiting) bit set. The remaining node had the glock in the Exclusive Mode (EX) with no holder records. The race was caused by the Pending Demote bit, which could be set and then immediately reset by another process. With this update, the Pending Demote bit is properly handled, and GFS2 nodes no longer hang.
- BZ#711519
- Multiple GFS2 nodes attempted to unlink, rename, or manipulate files at the same time, causing various forms of file system corruption, panics, and withdraws. This update adds multiple checks for the dinode's i_nlink value to assure inode operations such as link, unlink, or rename no longer cause the aforementioned problems.
- BZ#713948
- Under certain circumstances, a command could be left unprocessed when using either the cciss or the hpsa driver. This was because the HP Smart Array controller considered all commands to be completed when, in fact, some commands were still left in the completion queue. This could cause the file system to become read-only or panic and the whole system to become unstable. With this update, an extra read operation has been added to both of the aforementioned drivers, fixing this issue.
- BZ#707899
- Hot removing a PCIe device and, consequently, hot plugging it again caused a kernel panic. This was due to a PCI resource for the SR-IOV Virtual Function (VF) not being released after the hot removal, causing the memory area in the pci_dev struct to be used by another process. With this update, when a PCIe device is removed from a system, all resources are properly released; a kernel panic no longer occurs.
- BZ#710426
- The event device (evdev) failed to lock data structures when adding or removing input devices. As a result, a kernel panic occurred in the evdev_release function during a system restart. With this update, locking of data structures works as expected, and a kernel panic no longer occurs.
- BZ#703056
- Running a reboot test on an iSCSI root host resulted in a kernel panic. When the iscsi_tcp module is destroying a connection, it grabs the sk_callback_lock and clears the sk_user_data/conn pointer to signal that the callback functions should not execute the operation. However, some functions were not grabbing the lock, causing a NULL pointer kernel panic when iscsi_sw_tcp_conn_restore_callbacks was called and, consequently, one of the callbacks was called. With this update, the underlying source code has been modified to address this issue, and a kernel panic no longer occurs.
- BZ#712034
- The mpt fusion driver has been upgraded to version 3.4.17, which provides a number of bug fixes and enhancements over the previous version.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
1.60.2. RHSA-2011:0833 - Important: kernel security and bug fix update
Important
This update has already been released as the security errata RHSA-2011:0833
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* A flaw in the dccp_rcv_state_process() function could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important)
* Multiple buffer overflow flaws were found in the Linux kernel's Management Module Support for Message Passing Technology (MPT) based controllers. A local, unprivileged user could use these flaws to cause a denial of service, an information leak, or escalate their privileges. (CVE-2011-1494, CVE-2011-1495, Important)
* A missing validation of a null-terminated string data structure element in the bnep_sock_ioctl() function could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate)
* Missing error checking in the way page tables were handled in the Xen hypervisor implementation could allow a privileged guest user to cause the host, and the guests, to lock up. (CVE-2011-1166, Moderate)
* A flaw was found in the way the Xen hypervisor implementation checked for the upper boundary when getting a new event channel port. A privileged guest user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-1763, Moderate)
* The start_code and end_code values in /proc/<pid>/stat were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low)
* A missing initialization flaw in the sco_sock_getsockopt() function could allow a local, unprivileged user to cause an information leak. (CVE-2011-1078, Low)
* A missing validation of a null-terminated string data structure element in the do_replace() function could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low)
* A buffer overflow flaw in the DEC Alpha OSF partition implementation in the Linux kernel could allow a local attacker to cause an information leak by mounting a disk that contains specially-crafted partition tables. (CVE-2011-1163, Low)
* Missing validations of null-terminated string data structure elements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low)
* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially-crafted partition tables. (CVE-2011-1577, Low)
Red Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494 and CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1078, CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and CVE-2011-1172; Kees Cook for reporting CVE-2011-0726; and Timo Warns for reporting CVE-2011-1163 and CVE-2011-1577.
Bug fixes:
- BZ#689699
- Under certain circumstances, a deadlock could occur between the khubd process of the USB stack and the modprobe of the usb-storage module. This was because the khubd process, when attempting to delete a USB device, waited for the reference count of knode_bus to reach 0. However, modprobe, when loading the usb-storage module, scans all USB devices and increments the reference count, preventing the khubd process from continuing. With this update, the underlying source code has been modified to address this issue, and a deadlock no longer occurs in the aforementioned case.
- BZ#690795
- The ext4 file system could end up corrupted after a power failure even when file system barriers and the local write cache were enabled. This was due to a faulty barrier flag setting in WRITE_SYNC requests. With this update, this issue has been fixed, and ext4 file system corruption no longer occurs.
- BZ#688855
- Due to incorrect ordering of glocks, a deadlock could occur in the code which reclaims unlinked inodes when multiple nodes were trying to deallocate the same unlinked inode. This update resolves the lock ordering issue, and unlinked inodes are now properly deallocated under all circumstances.
- BZ#699609
- In a four node cluster environment, a deadlock could occur on machines in the cluster when the nodes accessed a GFS2 file system. This resulted in memory fragmentation which caused the number of network packet fragments in requests to exceed the network hardware limit. The network hardware firmware dropped the network packets exceeding this limit. With this update, the network packet fragmentation was reduced to the limit of the network hardware, no longer causing problems during memory fragmentation.
- BZ#692370
- Previously, some IBM storage arrays (IBM 1745 and 1746) could have stopped responding or failed to load into the device list of the scsi_dh_rdac kernel module. This occurred because the scsi_dh_rdac device list did not contain these storage arrays. With this update, the arrays have been added to the list, and they are now detected and operate as expected.
- BZ#693755
- In some cases the NFS server fails to notify NFSv4 clients about renames and unlinks done by non-NFS users of the server. An application on a client may then be able to open the file at its old location (read old cached data from it and perform read locks on it), long after the file no longer exists at that location on the server. To work around this issue, use NFSv3 instead of NFSv4. Alternatively, turn off support for leases by writing the value 0 to the /proc/sys/fs/leases-enable file (ideally on boot, before the NFS server is started). This change prevents NFSv4 delegations from being given out, restoring correctness at the expense of some performance.
- BZ#696503
- Under certain circumstances, a command could be left unprocessed when using either the cciss or the hpsa driver. This was because the HP Smart Array controller considered all commands to be completed when, in fact, some commands were still left in the completion queue. This could cause the file system to become read-only or panic and the whole system to become unstable. With this update, an extra read operation has been added to both of the aforementioned drivers, fixing this issue.
- BZ#696136
- This update fixes a bug in the way isochronous input data was returned to user space for usbfs (USB File System) transfers, resolving various audio issues.
- BZ#690134
- Previously, on VMware, the time ran too fast on virtual machines with more than 4GHz TSC (Time Stamp Counter) processor frequency if they were using PIT/TSC based timekeeping. This was due to a calculation bug in the get_hypervisor_cycles_per_sec function. This update fixes the calculation, and timekeeping works correctly for such virtual machines.
- BZ#689808, BZ#689805
- For certain NICs, the operstate state (stored in, for example, the /sys/class/net/eth0/operstate file) was showing the unknown state even though the NIC was working properly. This was due to the fact that at the end of a probe operation, netif_carrier_off was not being called. With this update, netif_carrier_off is properly called after a probe operation, and the operstate state now correctly displays the operational state of a NIC.
- BZ#688156
- Under certain circumstances, a crash in the kernel could occur due to a race condition in the lockd_down function, which did not wait for the lockd process to come down. With this update, the lockd_down function has been fixed, and the kernel no longer crashes.
- BZ#693751
- Enabling the Header Splitting mode on all Intel 82599 10 Gigabit Ethernet hardware could lead to unpredictable behavior. With this update, the Header Splitting mode is never enabled on the aforementioned hardware. Additionally, this update fixes VM pool allocation issues based on MAC address filtering, and limits the scope of VF access to promiscuous mode.
- BZ#689700
- Prior to this update, if a CT/ELS pass-through command timed out, the QLogic 8Gb Fibre Channel adapter created a firmware dump. With this update, firmware dumps are no longer created when CT/ELS pass-through requests time out as a firmware dump is not necessary in this case.
- BZ#701222
- Configuring a network bridge with no STP (Spanning Tree Protocol) and a 0 forwarding delay could result in the flooding of all packets on the link for 20 seconds due to various issues in the source code. With this update, the underlying source code has been modified to address this issue, and a traffic flood on the network bridge no longer occurs.
- BZ#699808
- Setting a DASD (Direct Access Storage Device) device offline while another process was trying to open that device caused a race in the dasd_open function. The dasd_open function tried to read a pointer from the private_data field after the structure had already been freed, resulting in a dereference of an invalid pointer. With this update, the aforementioned pointer is now stored in a different structure, thus preventing the race condition.
- BZ#690239
- GFS2 (Global File System 2) keeps track of the list of resource groups to allow better performance when allocating blocks. Previously, when the user created a large file in GFS2, GFS2 could have run out of allocation space because it was confined to the recently-used resource groups. With this update, GFS2 uses the MRU (Most Recently Used) list instead of the list of the recently-used resource groups. The MRU list allows GFS2 to use all available resource groups and, if a large span of blocks is in use, GFS2 uses allocation blocks of another resource group.
- BZ#696908
- A CPU mask that was being waited on after an IPI call was not the same CPU mask that was being passed into the IPI call function. This could result in stale values being stored in the cache. The loop in the flush_tlb_others() function waited for the CPU mask to be cleared; however, that CPU mask could have been incorrect. As a result, the system could become unresponsive. With this update, the CPU mask being waited on is the same CPU mask used in the IPI call function, and the system no longer hangs.
- BZ#689339
- A buffer overflow flaw was found in the Linux kernel's Cluster IP hashmark target implementation. A local, unprivileged user could trigger this flaw and cause a local denial of service by editing files in the /proc/net/ipt_CLUSTERIP/ directory. Note: On Red Hat Enterprise MRG, only root can write to files in the /proc/net/ipt_CLUSTERIP/ directory by default. This update corrects this issue as a preventative measure in case an administrator has changed the permissions on these files. Red Hat would like to thank Vasiliy Kulikov for reporting this issue.
- BZ#696181
- Prior to this update, a FW/SW semaphore collision could lead to a link establishment failure on an SFP+ (Small Form-factor Pluggable) transceiver module. With this update, the underlying source code has been modified to address this issue, and SFP+ modules work as expected.
- BZ#699610
- The kdump kernel could fail when handling an IPI (Inter-processor interrupt) that was in-flight as the initial kernel crashed. This was due to an IPI-related data structure within kdump's kernel not being properly initialized, resulting in a dereference of an invalid pointer. This update addresses this issue, and the kdump kernel no longer fails upon encountering an in-flight IPI.
- BZ#679304
- Prior to this update, a collection of world-writable sysfs and procfs files allowed an unprivileged user to change various settings, change device hardware registers, and load certain firmware. With this update, permissions for these files have been changed.
- BZ#697448
- An NFS server uses reference-counted structures, called auth_domains, to identify which group of clients (for example, 192.168.0.0/24 or *.foo.edu) the client who sent an RPC request belongs to. The server NLM code incorrectly took an extra reference to the auth_domain associated with each NLM RPC request, and never dropped that reference. The reference count is an unsigned 32-bit value, so after 2^32 (about 4 billion) lock operations from the same client or group of clients, the reference count would overflow to 0, and the kernel would incorrectly think that the auth_domain should be freed. As a result, the kernel would panic. This update removes the extra reference-count increment from the server NLM code, and the kernel no longer panics.
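The BZ#679304 entry above describes the exposure class of world-writable sysfs and procfs files, through which an unprivileged user could change settings, device registers and firmware-loading triggers. The following shell script is an added example, not part of the advisory or of the kernel packages: it audits a sysfs/procfs-style tree for regular files that grant write access to "other", using a constructed sample tree so the check can be exercised offline and the live /sys and /proc when run directly. The function names and the sample tree layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of RHSA-2011:0833: audit a sysfs/procfs-style tree
# for world-writable regular files, the exposure class that BZ#679304 closed.
# The root is a parameter so the same audit runs over the live /sys and
# /proc or over a constructed directory. Function names are ours.

# world_writable_files ROOT -> prints every regular file under ROOT whose
# mode grants write to "other" (mode bit 002), one path per line, sorted.
# -xdev keeps the walk on one file system, and ROOT/self and
# ROOT/thread-self are pruned so a walk over /proc does not descend into
# the auditing process's own view of the tree.
world_writable_files() {
    find "$1" -xdev \( -path "$1/self" -o -path "$1/thread-self" \) -prune \
        -o -type f -perm -002 -print 2>/dev/null | sort
}

# world_writable_count ROOT -> number of such files, 0 for a clean tree.
world_writable_count() {
    world_writable_files "$1" | wc -l | tr -d ' '
}

# make_sample_tree -> constructed tree in the shape of a sysfs subtree:
# one attribute file with the expected 0644 mode, one mistakenly created
# 0666, and a 0777 directory that must not be reported (only regular files
# are in scope). Prints the tree's root.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/class/net/eth0" "$d/module/demo/parameters"
    printf 'up\n' > "$d/class/net/eth0/operstate"
    printf '0\n' > "$d/module/demo/parameters/debug"
    chmod 644 "$d/class/net/eth0/operstate"
    chmod 666 "$d/module/demo/parameters/debug"
    chmod 777 "$d/module/demo"
    printf '%s' "$d"
}

# Run directly: audit the constructed tree, then the live /sys and /proc.
sample=$(make_sample_tree)
printf 'constructed tree: %s world-writable file(s)\n' "$(world_writable_count "$sample")"
world_writable_files "$sample"
for tree in /sys /proc; do
    [ -d "$tree" ] || continue
    printf '%s: %s world-writable file(s)\n' "$tree" "$(world_writable_count "$tree")"
done
```

A non-empty result on a live system is worth reviewing file by file, since some attributes are intentionally writable by unprivileged users. Because sysfs and procfs are in-memory file systems whose modes are assigned by the kernel when the attributes are created, a chmod on the running system only lasts until the next boot; the lasting fix for the files covered by BZ#679304 is the updated kernel package.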
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
1.60.3. RHSA-2011:0429 - Moderate: kernel security and bug fix update
Important
This update has already been released as the security errata RHSA-2011:0429
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* A missing boundary check was found in the dvb_ca_ioctl() function in the Linux kernel's av7110 module. On systems that use old DVB cards that require the av7110 module, a local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-0521, Important)
* An inconsistency was found in the interaction between the Linux kernel's method for allocating NFSv4 (Network File System version 4) ACL data and the method by which it was freed. This inconsistency led to a kernel panic which could be triggered by a local, unprivileged user with files owned by said user on an NFSv4 share. (CVE-2011-1090, Moderate)
* A NULL pointer dereference flaw was found in the Generic Receive Offload (GRO) functionality in the Linux kernel's networking implementation. If both GRO and promiscuous mode were enabled on an interface in a virtual LAN (VLAN), it could result in a denial of service when a malformed VLAN frame is received on that interface. (CVE-2011-1478, Moderate)
* A missing security check in the Linux kernel's implementation of the install_special_mapping() function could allow a local, unprivileged user to bypass the mmap_min_addr protection mechanism. (CVE-2010-4346, Low)
* An information leak was found in the Linux kernel's task_show_regs() implementation. On IBM S/390 systems, a local, unprivileged user could use this flaw to read /proc/<PID>/status files, allowing them to discover the CPU register values of processes. (CVE-2011-0710, Low)
* A missing validation check was found in the Linux kernel's mac_partition() implementation, used for supporting file systems created on Mac OS operating systems. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially-crafted partitions. (CVE-2011-1010, Low)
Red Hat would like to thank Ryan Sweat for reporting CVE-2011-1478; Tavis Ormandy for reporting CVE-2010-4346; and Timo Warns for reporting CVE-2011-1010.
Bug fixes:
- BZ#675909
- Deleting a file on a GFS2 file system caused the inode, which the deleted file previously occupied, to not be freed. Specifically, this only occurred when a file was deleted on a different inode than the inode that created it. The mechanism for ensuring that inodes are correctly deallocated when the final close occurs was dependent on a previously corrected bug (BZ#504188). In order to ensure that iopen glocks are not cached beyond the lifetime of the inode, and thus prevent deallocation by another inode in the cluster, this update marks the iopen glock as not to be cached during the inode disposal process.
- BZ#684128
- A call to the HP_GETHOSTINFO ioctl (I/O Control) in the mptctl module could result in the MPT (Message Passing Technology) fusion driver being reset due to erroneous detection of completed ioctl commands. With this update, the message context sent to the mptctl module is stored (previously, it was zeroed). When an ioctl command completes, the saved message context is used to recognize the completion of the message, thus resolving the faulty detection.
- BZ#675664
- A bug was discovered in the bonding driver that occurred when using netpoll and changing, adding or removing slaves from a bond. The misuse of a per-cpu flag in the bonding driver during these operations at the wrong time could lead to the detection of an invalid state in the bonding driver, triggering kernel panic. With this update, the use of the aforementioned per-cpu flag has been corrected and a kernel panic no longer occurs.
- BZ#679747
- The fix introduced with BZ#560013 added a check for detection of the northbridge device into the amd_fixup_dcm() function to make Red Hat Enterprise Linux 5 guests boot on a 5.4.z Xen hypervisor. However, the added check caused a kernel panic due to missing multi-node CPU topology detection on AMD CPU family 0x15 systems. To preserve backwards compatibility, the check has not been removed but is triggered only on AMD Magny-Cours systems. AMD family 0x15 systems do not require the aforementioned check because they are not supported as 5.4 Xen hypervisor hosts. For Xen hypervisor 5.5, this issue has been fixed, which makes the check obsolete.
- BZ#674774
- The bnx2i driver could cause a system crash on IBM POWER7 systems. The driver's page tables were not set up properly on big-endian machines, causing extended error handling (EEH) errors on PowerPC machines. With this update, the page tables are properly set up and a system crash no longer occurs in the aforementioned case.
- BZ#675665
- Booting Red Hat Enterprise Linux 5 with the crashkernel=X parameter enabled for the kdump kernel does not always succeed. This is because the kernel may not be able to find a suitable memory range for the crashkernel due to the fragmentation of the physical memory. Similarly, if a user specifies the starting address of the reserved memory, the specified memory range may be occupied by other parts of the kernel (in this case, the initrd, i.e. initial ramdisk). This update adds two debugging kernel parameters (bootmem_debug and ignore_loglevel) which make it possible to diagnose what causes the crashkernel to not be assigned enough memory.
- BZ#680350
- Prior to this update, the following message was displayed when booting a Red Hat Enterprise Linux 5 system on a virtual guest:
WARNING calibrate_APIC_clock: the APIC timer calibration may be wrong.
This was due to the MAX_DIFFERENCE parameter value (in the APIC calibration loop) of 1000 cycles being too aggressive for virtual guests. APIC (Advanced Programmable Interrupt Controller) and TSC (Time Stamp Counter) reads normally take longer than 1000 cycles when performed from inside a virtual guest, due to processors being scheduled away from and then back onto the guest. With this update, the MAX_DIFFERENCE parameter value has been increased to 10,000 for virtual guests.
- BZ#681795
- For a device that used a Target Portal Group (TPG) ID which occupied the full 2 bytes in the RTPG (Report Target Port Groups) response (with either byte exceeding the maximum value that may be stored in a signed char), the kernel's calculated TPG ID would never match the group_id that it should. As a result, this signed char overflow also caused the ALUA handler to incorrectly identify the AAS (Asymmetric Access State) of the specified device as well as incorrectly interpret the supported AAS of the target. With this update, the aforementioned issue has been addressed and no longer occurs.
- BZ#680043
- Setting the capture levels on the Line-In capture channel when using an ARX USB I/O sound card for recording and playback did not work properly. The set values were not persistent. With this update, the capture values are now cached in the usb-audio driver, leaving the set capture levels unchanged.
- BZ#683443
- A race could occur when an internal multipath structure (pgpath) was freed before it was used to signal that the path group initialization was complete (via pg_init_done). This update includes a number of fixes that address this issue. multipath is now more robust when multipathd restarts are combined with I/O operations to multipath devices and storage failures.
- BZ#677173
- Calling the mptctl_fasync() function to enable async notification caused the fasync_struct data structure, which was allocated, to never be freed. fasync_struct remained on the event list of the mptctl module even after a file was closed and released. After the file was closed, fasync_struct had an invalid file pointer which was dereferenced when the mptctl module called the kill_fasync() function to report any events. The use of the invalid file pointer could result in a deadlock on the system because the send_sigio() function tried to acquire the rwlock in the f_owner field of the previously closed file. With this update, a release callback function has been added for the file operations in the mptctl module. fasync_struct is now properly freed when a file is closed, no longer causing a deadlock.
- BZ#677172
- If an application opened a file with the O_DIRECT flag on an NFS client and performed write operations on it of size equal to wsize (the size of the blocks of data passed between the client and the server), the NFS client sent two RPCs (Remote Procedure Calls) when only one RPC needed to be sent. Write operations of size smaller than wsize worked as expected. With this update, write operations of size equal to wsize now work as expected and no longer cause the NFS client to send out unnecessary RPCs.
- BZ#682673
- Booting a Red Hat Enterprise Linux 5.4 or later kernel failed (the system became unresponsive) due to the zeroing out of extra bytes of memory of the reset vector. The reset vector is comprised of two 16-bit registers (high and low). Instead of zeroing out 32 bits, the kernel was zeroing out 64 bits. On some machines this overwritten memory was used during the boot process, resulting in a hang. With this update, the long data type has been changed to the unsigned 32-bit data type, thus resolving the issue. The Red Hat Enterprise Linux 5.4 and later kernels now boot as expected on the machines affected by this bug.
- BZ#688312
- Prior to this update, a segmentation fault occurred when an application called VDSO's gettimeofday function due to erroneous exporting of the wall_to_monotonic construct. With this update, the wall_to_monotonic construct is correctly exported, and a crash no longer occurs.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
1.60.4. RHSA-2011:0303 - Moderate: kernel security and bug fix update
Important
This update has already been released as the security errata RHSA-2011:0303
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* A flaw was found in the Linux kernel's garbage collector for AF_UNIX sockets. A local, unprivileged user could use this flaw to trigger a denial of service (out-of-memory condition). (CVE-2010-4249, Moderate)
* A flaw was found in the Linux kernel's networking subsystem. If the number of packets received exceeded the receiver's buffer limit, they were queued in a backlog, consuming memory, instead of being discarded. A remote attacker could abuse this flaw to cause a denial of service (out-of-memory condition). (CVE-2010-4251, Moderate)
* A missing initialization flaw was found in the ethtool_get_regs() function in the Linux kernel's ethtool IOCTL handler. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause an information leak. (CVE-2010-4655, Low)
Red Hat would like to thank Vegard Nossum for reporting CVE-2010-4249, and Kees Cook for reporting CVE-2010-4655.
Bug fixes:
- BZ#672253
- Prior to this update, the /proc/diskstats file showed erroneous values. This occurred when the kernel merged two I/O operations for adjacent sectors located on different disk partitions. Two requests were submitted for the adjacent sectors, the first for the second partition and the second for the first partition, and the second request was then merged into the first. Submitting the first request incremented the in_flight counter of the second partition, but when the merged request completed, the in_flight counter of a different partition (the first one) was decremented. This resulted in the erroneous values displayed in /proc/diskstats. With this update, merging of two I/O operations located on different disk partitions has been fixed and works as expected.
- BZ#669300
- When selecting a new window, the tcp_select_window() function tried not to shrink the offered window by using the maximum of the remaining offered window size and the newly calculated window size. The newly calculated window size was always a multiple of the window scaling factor, but the remaining window size was not, because it depended on rcv_wup/rcv_nxt. As a result, the window was shrunk when it was scaled down. With this update, the remaining window is aligned to the window scaling factor, which ensures that the window is no longer shrunk.
- BZ#674273
- Prior to this update, the be2net driver failed to work with bonding, causing "flapping" errors (the interface switched between the up and down states) on the active interface. This was because the netdev->trans_start field was not updated in the be_xmit function. With this update, the field is updated properly and "flapping" errors no longer occur.
- BZ#670824
- Outgoing packets were not fragmented after an ICMPv6 "packet too big" message was received when using IPsec IPv6 tunnel mode, because IPv6 fragmentation was not supported over an IPsec tunnel. With this update, IPv6 fragmentation is fully supported and works as expected when using IPsec IPv6 tunnel mode.
- BZ#668976
- With the cciss driver, when a TUR (Test Unit Ready) command was executed, the rq->bio pointer in the blk_rq_bytes function was NULL, which resulted in a NULL pointer dereference and, consequently, a kernel panic. With this update, the rq->bio pointer is used only when the blk_fs_request(rq) condition is true, so the kernel panic no longer occurs.
- BZ#670807
- While bringing down an interface, the e1000 driver failed to handle IRQs (interrupt requests) properly, resulting in messages of the following form:
irq NN: nobody cared...
With this update, the driver's down flag is set later in the process of bringing down an interface, specifically after all timers have exited. This prevents the IRQ handler from being called and exiting early without handling the IRQ.
- BZ#671340
- A previously introduced patch that provided extended PCI configuration space access on AMD systems caused the lpfc driver to fail when it tried to initialize hardware. On kernel-xen, the hypervisor trapped these accesses and truncated them, causing the lpfc driver to fail to initialize the hardware. Note that this issue was only observed when using the lpfc driver with devices identified by Vendor_ID=0x10df and Device_ID=0xf0e5. With this update, the part of the patch related to kernel-xen that was causing the failures has been removed and the lpfc driver now works as expected.
- BZ#670797
- Prior to this update, a kernel panic occurred in kfree() due to a race condition in the acpi_bus_receive_event() function. acpi_bus_receive_event() left the acpi_bus_event_list list unlocked between checking whether it was empty and calling kfree() on an entry taken from it, so the list could become empty in between. With this update, the emptiness check is repeated after the lock has been taken, which prevents the race and the call to kfree() on an empty list.
- BZ#673984
- Prior to this update, rhev-agent could not be started because the /dev/virtio-ports/ directory was missing. This was because the udev utility does not parse the KOBJ_CHANGE event. With this update, the KOBJ_ADD event is emitted instead, so that the symlinks in /dev/virtio-ports are created when a port name is obtained.
- BZ#678613
- VDSO (Virtual Dynamically-linked Shared Object) kernel variables must be exported in vextern.h, otherwise they end up as undefined pointers. When calling the VDSO gettimeofday() function in Red Hat Enterprise Linux 5, a missing declaration led to a segmentation fault. With this update, the sysctl_vsyscall variable is properly exported and segmentation faults no longer occur.
- BZ#673983
- When an application used a virtio serial port in non-blocking mode, filled it until write() returned -EAGAIN, and then called select() to wait for the port to become writable, select() never returned. In blocking mode, write() waited until the host indicated that it had used up the buffers. This was because the poll operation waited on port->waitqueue, but nothing woke the wait queue when there was room in the queue again. With this update, the wait queue is woken via host notifications, so that buffers consumed by the host are reclaimed, the queue is freed, and the application's write() operations can proceed again.
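The tcp_select_window() entry above (BZ#669300) describes the bug in terms of scaling arithmetic. The following is an added example, not code from the kernel or from the errata, that models just that arithmetic with hypothetical helper names: the chosen window is sent as (window >> rcv_wscale) in the 16-bit header field and the peer reconstructs it by shifting left, so an unaligned remaining window (cur_win) is silently truncated and the peer sees less than it was already offered. Rounding cur_win up to a multiple of 1 << rcv_wscale, which is what the fix does, keeps the advertised window from falling below the earlier offer.

```c
/* Added example: models the window-scaling arithmetic behind the
 * tcp_select_window() fix. Helper names are hypothetical, not kernel API. */
#include <stdint.h>
#include <stdio.h>

/* Round x up to a multiple of a (a must be a power of two). */
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* The TCP header carries win >> rcv_wscale in a 16-bit field and the peer
 * reconstructs field << rcv_wscale. Return the window the peer will see. */
static uint32_t advertised_window(uint32_t win, unsigned rcv_wscale)
{
    uint32_t field = win >> rcv_wscale;
    if (field > 0xFFFF)
        field = 0xFFFF;
    return field << rcv_wscale;
}

/* Pre-fix selection: fall back to the remaining window (cur_win) when the
 * newly calculated window (new_win) is smaller, without aligning cur_win. */
static uint32_t select_window_old(uint32_t cur_win, uint32_t new_win,
                                  unsigned rcv_wscale)
{
    (void)rcv_wscale;
    return new_win < cur_win ? cur_win : new_win;
}

/* Post-fix selection: when falling back to cur_win, round it up to a
 * multiple of 1 << rcv_wscale so the scaled value cannot drop below it. */
static uint32_t select_window_new(uint32_t cur_win, uint32_t new_win,
                                  unsigned rcv_wscale)
{
    return new_win < cur_win ? ALIGN_UP(cur_win, 1u << rcv_wscale) : new_win;
}

/* 1 if the window the peer reconstructs is smaller than what it had
 * already been offered (cur_win), i.e. the window shrank. */
static int window_shrank(uint32_t cur_win, uint32_t chosen, unsigned rcv_wscale)
{
    return advertised_window(chosen, rcv_wscale) < cur_win;
}

int main(void)
{
    unsigned wscale = 7;          /* 128-byte granularity */
    uint32_t cur_win = 1000;      /* remaining offered window, not a multiple of 128 */
    uint32_t new_win = 900;       /* newly calculated window, smaller */

    uint32_t old_choice = select_window_old(cur_win, new_win, wscale);
    uint32_t new_choice = select_window_new(cur_win, new_win, wscale);

    printf("old: chosen=%u peer sees %u shrank=%d\n", old_choice,
           advertised_window(old_choice, wscale),
           window_shrank(cur_win, old_choice, wscale));
    printf("new: chosen=%u peer sees %u shrank=%d\n", new_choice,
           advertised_window(new_choice, wscale),
           window_shrank(cur_win, new_choice, wscale));
    return 0;
}
```

With rcv_wscale = 7, a remaining window of 1000 bytes is sent as 7 and reconstructed as 896, so the peer sees a shrink of 104 bytes; aligning 1000 up to 1024 sends 8 and reconstructs 1024, which is not below the earlier offer.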
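The virtio serial port entry above describes the user-space sequence that broke: write() in non-blocking mode until -EAGAIN, then select() or poll() for writability, which must return once the consumer reclaims buffers. The following is an added example, not code from the errata or from any virtio driver; it runs the same sequence on an ordinary pipe (assumed to behave like a Linux pipe, filled in 4 KiB chunks) with poll() standing in for select(), and reports at which step the expected behaviour stops holding. On a kernel with the bug described above, the equivalent run against a /dev/virtio-ports/ node would fail at the last step.

```c
/* Added example: non-blocking write until EAGAIN, then poll() for POLLOUT,
 * exercised on a pipe. Not from the errata or from any virtio code. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write 4 KiB chunks until the kernel reports EAGAIN. Returns the number
 * of bytes queued, or -1 on any other error. */
static long fill_until_eagain(int wfd)
{
    char chunk[4096];
    long total = 0;

    memset(chunk, 'x', sizeof chunk);
    for (;;) {
        ssize_t n = write(wfd, chunk, sizeof chunk);
        if (n > 0) {
            total += n;
            continue;
        }
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
            return total;
        return -1;
    }
}

/* 1 if poll() reports the descriptor writable within timeout_ms, else 0. */
static int writable(int wfd, int timeout_ms)
{
    struct pollfd p = { .fd = wfd, .events = POLLOUT };
    int r = poll(&p, 1, timeout_ms);
    return r > 0 && (p.revents & POLLOUT) != 0;
}

/* Run the whole sequence on a pipe. Returns 0 on success, or a negative
 * code naming the step that failed:
 *   -1 pipe/fcntl/read failed
 *   -2 write never returned EAGAIN
 *   -3 poll() claimed a full queue was writable
 *   -4 poll() did not wake after the reader freed space (the broken
 *      behaviour described in the entry above) */
static int nonblocking_write_sequence(void)
{
    int fds[2];
    char sink[16384];
    int rc = -1;

    if (pipe(fds) < 0)
        return -1;
    if (fcntl(fds[1], F_SETFL, fcntl(fds[1], F_GETFL) | O_NONBLOCK) < 0)
        goto out;

    if (fill_until_eagain(fds[1]) <= 0) { rc = -2; goto out; }
    if (writable(fds[1], 0))           { rc = -3; goto out; }

    /* The consumer (the host, in the virtio case) reclaims some buffers. */
    if (read(fds[0], sink, sizeof sink) <= 0)
        goto out;

    /* The kernel must now wake the poll wait queue; 1 s bounds the wait. */
    rc = writable(fds[1], 1000) ? 0 : -4;
out:
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    int rc = nonblocking_write_sequence();
    printf("nonblocking write/poll sequence: %s (%d)\n",
           rc == 0 ? "ok" : "failed at step", rc);
    return rc == 0 ? 0 : 1;
}
```

The zero-timeout poll() after the queue is full is the check worth keeping in any such test: a poll() that reports POLLOUT on a full queue would make a busy loop out of the application, while one that never reports it after space is freed is exactly the hang this entry fixes.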
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
1.60.5. RHSA-2011:0017 - Important: Red Hat Enterprise Linux 5.6 kernel security and bug fix update
Important
This update has already been released as the security errata RHSA-2011:0017
Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 5. This is the sixth regular update.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* A NULL pointer dereference flaw was found in the igb driver in the Linux kernel. If both the Single Root I/O Virtualization (SR-IOV) feature and promiscuous mode were enabled on an interface using igb, it could result in a denial of service when a tagged VLAN packet is received on that interface. (CVE-2010-4263, Important)
* A missing sanity check was found in vbd_create() in the Xen hypervisor implementation. As CD-ROM drives are not supported by the blkback back-end driver, attempting to use a virtual CD-ROM drive with blkback could trigger a denial of service (crash) on the host system running the Xen hypervisor. (CVE-2010-4238, Moderate)
* A flaw was found in the Linux kernel execve() system call implementation. A local, unprivileged user could cause large amounts of memory to be allocated but not visible to the OOM (Out of Memory) killer, triggering a denial of service. (CVE-2010-4243, Moderate)
* A flaw was found in fixup_page_fault() in the Xen hypervisor implementation. If a 64-bit para-virtualized guest accessed a certain area of memory, it could cause a denial of service on the host system running the Xen hypervisor. (CVE-2010-4255, Moderate)
* A missing initialization flaw was found in the bfa driver used by Brocade Fibre Channel Host Bus Adapters. A local, unprivileged user could use this flaw to cause a denial of service by reading a file in the /sys/class/fc_host/host#/statistics/ directory. (CVE-2010-4343, Moderate)
* Missing initialization flaws in the Linux kernel could lead to information leaks. (CVE-2010-3296, CVE-2010-3877, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4158, Low)
Red Hat would like to thank Kosuke Tatsukawa for reporting CVE-2010-4263; Vladymyr Denysov for reporting CVE-2010-4238; Brad Spengler for reporting CVE-2010-4243; Dan Rosenberg for reporting CVE-2010-3296, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, and CVE-2010-4158; Vasiliy Kulikov for reporting CVE-2010-3877; and Kees Cook for reporting CVE-2010-4072.
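The ethtool_get_regs() flaw in RHSA-2011:0303 (CVE-2010-4655) and the missing-initialization information leaks listed above (CVE-2010-3296 and the others in that entry) share one mechanism: a kernel object is allocated, only some of its fields are filled in, and the whole object is copied to user space, so compiler padding and any unwritten tail carry stale kernel heap contents. The following is an added example, not code from the errata or from the affected drivers; it simulates the pattern in user space with a hypothetical regs_dump struct, a malloc() stand-in for kmalloc() that pre-fills memory with 0xAA so stale bytes are recognisable, and memcpy() standing in for copy_to_user(), then counts how many stale bytes reach the caller with and without zeroing the allocation first.

```c
/* Added example: missing-initialization information leak, simulated in
 * user space. kmalloc_sim() and the regs_dump layout are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical register-dump header (not a real driver structure).
 * The compiler inserts three padding bytes after 'flags' to align 'len'. */
struct regs_dump {
    uint32_t version;
    uint8_t  flags;
    uint32_t len;
    uint8_t  data[16];
};

/* Bytes the driver writes explicitly: version(4) + flags(1) + len(4) + 4 data. */
#define REGS_WRITTEN_BYTES 13

/* Stand-in for kmalloc(): fill the block with 0xAA so whatever the driver
 * does not overwrite is recognisable once it reaches "user space". */
static void *kmalloc_sim(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xAA, n);
    return p;
}

/* The driver fills every named field but only 'used' bytes of data[]. */
static void driver_fill(struct regs_dump *d, size_t used)
{
    d->version = 1;
    d->flags = 0x3;
    d->len = (uint32_t)used;
    for (size_t i = 0; i < used; i++)
        d->data[i] = (uint8_t)i;   /* 0..used-1, never 0xAA */
}

/* Count bytes of the stale heap pattern visible in the user buffer. */
static size_t leaked_bytes(const uint8_t *ubuf, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        leaked += (ubuf[i] == 0xAA);
    return leaked;
}

/* Vulnerable path: no zeroing, so padding and the unused tail of data[]
 * leak. Returns the number of stale bytes copied out. */
static size_t get_regs_vulnerable(uint8_t *ubuf)
{
    struct regs_dump *d = kmalloc_sim(sizeof *d);
    if (!d)
        return (size_t)-1;
    driver_fill(d, 4);
    memcpy(ubuf, d, sizeof *d);        /* copy_to_user() stand-in */
    free(d);
    return leaked_bytes(ubuf, sizeof *d);
}

/* Fixed path: zero the whole object before the driver fills it (the kernel
 * equivalent is kzalloc() or a memset() of the allocation). */
static size_t get_regs_fixed(uint8_t *ubuf)
{
    struct regs_dump *d = kmalloc_sim(sizeof *d);
    if (!d)
        return (size_t)-1;
    memset(d, 0, sizeof *d);
    driver_fill(d, 4);
    memcpy(ubuf, d, sizeof *d);
    free(d);
    return leaked_bytes(ubuf, sizeof *d);
}

/* Run one variant into a scratch user buffer and return its leak count. */
static size_t leak_count(size_t (*get_regs)(uint8_t *))
{
    uint8_t ubuf[sizeof(struct regs_dump)];
    return get_regs(ubuf);
}

int main(void)
{
    uint8_t ubuf[sizeof(struct regs_dump)];

    printf("struct size %zu, explicitly written %d bytes\n",
           sizeof(struct regs_dump), REGS_WRITTEN_BYTES);
    printf("vulnerable: %zu stale bytes reach user space:\n",
           get_regs_vulnerable(ubuf));
    for (size_t i = 0; i < sizeof ubuf; i++)
        printf("%02x%s", ubuf[i], (i + 1) % 16 ? " " : "\n");
    printf("\nfixed:      %zu stale bytes reach user space\n",
           get_regs_fixed(ubuf));
    return 0;
}
```

Setting every named field does not close the hole: the three padding bytes after flags still carry old heap contents, which is why the usual fix is to zero the whole object rather than to assign fields one by one. When reviewing an ioctl handler, look for the kmalloc()/copy_to_user() pair and ask whether anything between them writes every byte, padding included.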
Bug Fixes:
- BZ#659571
- A flaw was found in the Linux kernel which, if used in conjunction with another flaw that can result in a kernel Oops, could possibly lead to privilege escalation. It does not affect Red Hat Enterprise Linux 5 in the default configuration, because the kernel.panic_on_oops sysctl variable is turned on by default and the kernel therefore panics instead of continuing after an Oops. However, as a preventive measure in case an administrator has turned that variable off, this update addresses the issue. Red Hat would like to thank Nelson Elhage for reporting this vulnerability.
- BZ#647297
- Performing a Direct IO write operation to a file on an NFS mount did not work. With this update, the minor error in the source code was fixed and the Direct IO operation works as expected.
- BZ#638753
- Previously, writing multiple files in parallel could result in uncontrollable fragmentation of the files. With this update, the methods of controlling fragmentation work as expected.
- BZ#637764
- In an active/backup bonding network interface with vlans on top of it, when a link failed over, it took a minute for the multicast domain to be rejoined. This was caused by the driver not sending any IGMP join packets. With this update, the driver sends IGMP join packets and the multicast domain is rejoined immediately.
- BZ#636198
- With this update, the upper limit of the log_mtts_per_seg variable was increased from five to seven, increasing the amount of memory that can be registered. Machines with more memory are now able to register more of it.
- BZ#630129
- A recently applied patch introduced a bug which caused Xen guest networking not to work properly on 64-bit Itanium processors. This bug also revealed an issue which could have led to data corruption. With this update, both errors have been fixed, and Xen guest networking now works as expected.
- BZ#629773
- Previously, migrating a hardware virtual machine (HVM) guest with both UP and PV drivers could have caused the guest to stop responding. With this update, HVM guest migration works as expected.
- BZ#624068
- Running the Virtual Desktop Server Manager (VDSM) and performing an lvextend operation during an intensive virtual guest power-up caused the operation to fail. Since lvextend was blocked, all components became unresponsive: the vgs and lvs commands froze the session, and virtual guests became Paused or Not Responding. This was caused by faulty use of a lock. With this update, performing an lvextend operation works as expected.
- BZ#620508
- Previously, running the dd command on an iSCSI device with the qla3xxx driver could have caused the system to crash. This error has been fixed, and running the dd command on such a device no longer crashes the system.
- BZ#620502
- Previously, a large number of Red Hat Enterprise Linux NFS clients mounting an NFSv4 share from a server would show the following log message repeatedly and could no longer access the share from the server:
NFS: v4 server returned a bad sequence-id error!
With this update, the error is no longer returned.
- BZ#619466
- Prior to this update, ccw_device_set_options() in dasd_generic_probe() unset the CCWDEV_ALLOW_FORCE flag that had been set in dasd_eckd_probe(). As a result, an unconditional reserve was not allowed on ECKD direct access storage devices (DASDs). With this update, the flags are set only in the discipline-specific probe functions.
- BZ#619465
- To build the CCW requests, the direct access storage device (DASD) reserve and release ioctl system calls use a preallocated memory pool of the respective device. Previously, this pool could have been emptied due to lack of memory, causing such system calls to fail. With this update, memory is preallocated for each of these requests, and the ioctl calls now work as expected.
- BZ#619070
- Previously, using 802.3ad link aggregation did not work properly when using the ixgbe driver. This was caused due to an inability to form 802.3ad-based bonds. With this update, the issue causing 802.3ad link aggregation to not work properly has been fixed.
- BZ#608109
- Previously, disks in an active/passive array were spun up for devices on the standby path. This caused long boot times, with the result that all SD devices were created before multipath was ready. With this update, a disk is not spun up if it returns NOT_READY on the standby path.
- BZ#602402
- Upon startup, the bnx2x network driver produced a panic dump when more than one network interface was configured to start at boot time. With this update, statistics counter initialization for function IDs greater than 1 has been disabled, with the result that bnx2x no longer panics when more than one interface has the ONBOOT=yes directive set.
- BZ#601391
- Previously, receiving eight or more different types of ICMP packets corrupted kernel memory. This was caused by a flaw in the net/ipv4/proc.c file. With this update, kernel memory is no longer corrupted when eight or more different types of ICMP packets are received.
- BZ#590763
- Input/output errors can occur due to temporary failures, such as multipath errors or losing network contact with an iSCSI server. In these cases, the virtual memory subsystem attempts to retry the readpage() function on the memory page. However, the do_generic_file_read() function did not clear PG_error, which left the system unable to use the data in the page cache page even if subsequent readpage() calls succeeded. With this update, do_generic_file_read() properly clears PG_error so that the page cache can be used after input/output errors.
- BZ#586416
- The e1000 and e1000e drivers for Intel PRO/1000 network devices were updated with an enhanced algorithm for adaptive interrupt modulation in the Red Hat Enterprise Linux 5.1 release. When InterruptThrottleRate was set to 1 (thus enabling the new adaptive mode), certain traffic patterns could have caused high CPU usage. This update provides a way to set InterruptThrottleRate to 4, which switches the mode back to the simpler, non-adaptive algorithm. Doing so may decrease CPU usage by the e1000 and e1000e drivers depending on traffic patterns. Note: you can change the InterruptThrottleRate setting using the ethtool utility by running the following command:
ethtool -C ethX rx-usecs 4
- BZ#582321
- When an NFS server exported a file system with an explicit fsid=[file_system_ID], an NFS client mounted that file system on one mount point and a subdirectory of that file system on a separate mount point, and the server then re-exported that file system after un-exporting and unmounting it, the NFS client could unmount those mount points and receive the following error message:
"VFS: Busy inodes after unmount..."
Additionally, it was possible to crash the NFS client's kernel in this situation.
- BZ#579711
- The timer_interrupt() routine did not scale lost real ticks to logical ticks correctly. This could have caused time drift for 64-bit Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) guests that were booted with the divider=x kernel parameter set to a value greater than 1. The following message may have been logged on the affected guest systems:
warning: many lost ticks
- BZ#578531
- An attempt to create a VLAN interface on a bond of two bnx2 adapters in a two-switch configuration resulted in a soft lockup after a few seconds. This was caused by incorrect use of a bonding pointer. With this update, soft lockups no longer occur and creating a VLAN interface works as expected.
- BZ#578261
- When the Stream Control Transmission Protocol (SCTP) kernel code attempted to check a non-blocking flag, it could have dereferenced a NULL file pointer, because in-kernel sockets created with the sock_create_kern() function may not have a file structure and descriptor allocated to them. The kernel would crash as a result of the dereference. With this update, SCTP ensures that the file is valid before attempting to set a timeout, thus preventing a possible NULL dereference and the consequent kernel crash.
- BZ#576709
- A host could crash during a SAN (storage area network) installation when using the Cisco fnic driver. During driver initialization, an error in the fnic driver caused it to flush the wrong queue. The flush code could then incorrectly access memory and crash the host. With this update, the error in the fnic driver has been fixed and crashes no longer occur.
- BZ#576246
- When the power_meter module was unloaded or its initialization failed, a backtrace message warning about a missing release() function was written to /var/log/dmesg. This error was harmless, and no longer occurs with this update.
- BZ#575799
- Attempting to boot the x86 kernel on AMD Magny-Cours systems could result in a kernel panic caused by an unhandled kernel NULL pointer dereference at a virtual address. This update fixes the issue and the kernel panic no longer occurs on AMD Magny-Cours systems.
- BZ#571544
- Hot-adding memory to a system with 4 GB of RAM caused problems with 32-bit DMA devices, which led to the system becoming unresponsive. With this update, the user is warned that more than 4 GB of RAM is being added to the system; however, memory exceeding 4 GB is not registered by the system.
- BZ#570824
- Red Hat Enterprise Linux 5.4 SMP guests running on the Red Hat Enterprise Virtualization Hypervisor may have experienced inconsistent time, such as the clock drifting backwards. This could have caused some applications to become unresponsive.
- BZ#570645
- When a system was configured using channel bonding in mode=0 (round-robin balancing) with multicast, IGMP traffic was transmitted via a single interface. If that interface failed (due to a port, NIC or cable failure, for example), IGMP was not transmitted via another port in the group, resulting in packets for the previously registered multicast group not being routed correctly.
- BZ#570000
- On certain platforms, the mptsas driver could return the following kernel warning messages:
kernel unaligned access to 0xe0000034f327f0ff, ip=0xa0000002040c4870
kernel unaligned access to 0xe0000034f327cbff, ip=0xa0000002040c4870
kernel unaligned access to 0xe00000300c9581ff, ip=0xa0000002040c4870
These messages did not indicate a serious error. With this update, the data alignment issue has been fixed and the kernel warning messages are no longer returned.
- BZ#567479
- The Red Hat Enterprise Linux 5.5 kernel contained a fix for Bugzilla issue number 548657 which introduced a regression in file locking behavior that presented with the General Parallel File System (GPFS). This update removes the redundant locking code.
- BZ#567428
- Kernel panic occurred on a Red Hat Enterprise Linux 5.5 FC host with a QLogic 8G FC adapter (QLE2562) while running IO with target controller faults. With this update, kernel panic no longer occurs in the aforementioned case.
- BZ#564249
- A bug was found in the way the megaraid_sas driver (for SAS-based RAID controllers) handled physical disks and management IOCTLs (Input/Output Control). All physical disks were exported to the disk layer, allowing an oops in megasas_complete_cmd_dpc() when completing the IOCTL command if a timeout occurred. One possible trigger for this bug was running mkfs. This update resolves the issue by updating the megaraid_sas driver to version 4.31.
- BZ#563546
- Some BIOS implementations initialized interrupt remapping hardware in a way that Xen did not expect. Consequently, a system could hang during boot, returning the following error message:
(XEN) [VT-D]intremap.c:73: remap_entry_to_ioapic_rte: index (74) is larger than remap table entry size (55)!
This update introduces an array to record the index for each IOAPIC pin, so the format bit (which was causing the unexpected interrupt remapping) no longer needs to be checked. As a result, the system no longer hangs during boot.
- BZ#560540
- Previously, system board iomem resources, which were enumerated using the PNP Motherboard resource descriptions, were not recognized and taken into consideration when gathering resource information. This could have caused MMIO-based requests to receive allocations that were not valid. With this update, system board iomem resources are correctly recognized when gathering resource information.
- BZ#554706
- Resets of the cnic part could cause a deadlock when the bnx2 device was enslaved in a bonding device and that device had an associated VLAN.
- BZ#504188
- In a two-node cluster, moving 100 files between two folders using the lock master was nearly instantaneous. However, not using the lock master resulted in considerably worse performance on both GFS1 (Global File System 1) and GFS2 (Global File System 2) file systems. With this update, not using the lock master no longer leads to worse performance on either file system.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.