1.74.3. RHSA-2011:1212: Important: kernel security and bug fix update
Important
This update has already been released as the security errata RHSA-2011:1212.
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
A NULL pointer dereference flaw was found in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2011-2482, Important)
A flaw in the Linux kernel's client-side NFS Lock Manager (NLM) implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2491, Important)
Buffer overflow flaws in the Linux kernel's netlink-based wireless configuration interface implementation could allow a local user, who has the CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface. (CVE-2011-2517, Important)
A flaw was found in the way the Linux kernel's Xen hypervisor implementation emulated the SAHF instruction. When using a fully-virtualized guest on a host that does not use hardware assisted paging (HAP), such as those running CPUs that do not have support for (or those that have it disabled) Intel Extended Page Tables (EPT) or AMD Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), a privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2519, Moderate)
An off-by-one flaw was found in the
__addr_ok()
macro in the Linux kernel's Xen hypervisor implementation when running on 64-bit systems. A privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2901, Moderate)
/proc/<PID>/io
is world-readable by default. Previously, these files could be read without any further restrictions. A local, unprivileged user could read these files, belonging to other, possibly privileged processes to gather confidential information, such as the length of a password used in a process. (CVE-2011-2495, Low)
Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, and Vasiliy Kulikov of Openwall for reporting CVE-2011-2495.
Bug fixes:
- BZ#719746
- Prior to this update, a race condition in TIPC's (Transparent Inter-process Communication)
recv_msg
function caused kernel panic. This update modifies TIPC's socket locking logic, and kernel panic no longer occurs. - BZ#722855
- The RHSA-2009:1243 update introduced a regression in the way file locking on NFS (Network File System) was handled. This caused applications to hang if they made a lock request on a file on an NFS version 2 or 3 file system that was mounted with the
sec=krb5
option. With this update, the original behavior of using mixed RPC authentication flavors for NFS and locking requests has been restored. - BZ#726625
- An incorrect call to the
nfs4_drop_state_owner
function caused the NFSv4 state reclaimer thread to be stuck in an infinite loop while holding the Big Kernel Lock (BKL). With this update, the aforementioned call has been removed, thus, fixing this issue. - BZ#728163
- Certain systems do not correctly set the ACPI FADT APIC mode bit. They set the bit to "cluster" mode instead of "physical" mode which caused these systems to boot without the TSC. With this update, the ACPI FADT check has been removed due to its unreliability, thus, fixing this issue.
- BZ#712885
- A bug was found in the way the
x86_emulate()
function handled theIMUL
instruction in the Xen hypervisor. On systems without support for hardware assisted paging (HAP), such as those running CPUs that do not have support for (or those that have it disabled) Intel Extended Page Tables (EPT) or AMD Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), this bug could cause fully-virtualized guests to crash or lead to silent memory corruption. In reported cases, this issue occurred when booting fully-virtualized Red Hat Enterprise Linux 6.1 guests with memory cgroups enabled on a Red Hat Enterprise Linux 5.7 host. - BZ#727592
- The fix provided in CVE-2010-3432 information in
sctp_packet_config()
, which is called before appending data chunks to a packet, was no longer reset, ultimately causing performance issues. With this update, packet information is reset after a packet transmit, thus, fixing the aforementioned performance issues. - BZ#721300
- Prior to this update, an attempt to use the
vfree()
function on avmalloc()
'ed area could result in a memory leak. With this update, the underlying source code has been modified to address this issue, and a memory leak no longer occurs. - BZ#727590
- A problem with the XFS dio error handling was discovered. If a misaligned write I/O operation was issued, XFS would return
-EINVAL
without unlocking the inode's mutex. This caused any further operations on the inode to become unresponsive. This update adds a missingmutex_unlock
operation to the dio error path, solving this issue. - BZ#726619
- Older versions of be2net cards firmware may not recognize certain commands and return illegal/unsupported errors, causing confusing error messages to appear in the logs. With this update, the driver handles these errors gracefully and does not log them.
- BZ#723552
- This patch fixes the inability of the be2net driver to work in a kdump environment. It clears an interrupt bit (in the card) that may be set while the driver is probed by the kdump kernel after a crash.
- BZ#726628
- When a block device object was allocated, the
bd_super
field was not being explicitly initialized toNULL
. Previous users of the block device object may have set thebd_super
field toNULL
when the object is released by calling thekill_block_super()
function. Some third party file systems do not always use this function and as a result thebd_super
field could have become uninitialized when the object was allocated again. This could cause a kernel panic in theblkdev_releasepage()
function when the uninitialisedbd_super
field was dereferenced. With this update, thebd_super
field is properly initialized in thebdget
function, and kernel panic no longer occurs. - BZ#727835
- Under some circumstances, error reports within the XFS file system could dereference a NULL pointer cause kernel panic. This update fixes the NULL pointer dereference, and kernel panic no longer occurs
- BZ#719930
- This update makes the size of the three DLM hash tables consistent: 1024 entries with a Red Hat Enterprise Linux 5-specific change to allocate the tables using
vmalloc
allowing a higher maximum size that can be allocated for these tables. This results in improved DLM/GFS performance when there are many locks being held (that is, many GFS files being used).
Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix these bugs. The system must be rebooted for this update to take effect.