1.110.  kernel

a NULL pointer dereference flaw was found in the sctp_rcv_ootb() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2010-0008, Important)

a missing boundary check was found in the do_move_pages() function in the memory migration functionality in the Linux kernel. A local user could use this flaw to cause a local denial of service or an information leak. (CVE-2010-0415, Important)

a NULL pointer dereference flaw was found in the ip6_dst_lookup_tail() function in the Linux kernel. An attacker on the local network could trigger this flaw by sending IPv6 traffic to a target system, leading to a system crash (kernel OOPS) if dst->neighbour is NULL on the target system when receiving an IPv6 packet. (CVE-2010-0437, Important)

a NULL pointer dereference flaw was found in the ext4 file system code in the Linux kernel. A local attacker could use this flaw to trigger a local denial of service by mounting a specially-crafted, journal-less ext4 file system, if that file system forced an EROFS error. (CVE-2009-4308, Moderate)

an information leak was found in the print_fatal_signal() implementation in the Linux kernel. When /proc/sys/kernel/print-fatal-signals is set to 1 (the default value is 0), memory that is reachable by the kernel could be leaked to user-space. This issue could also result in a system crash. Note that this flaw only affected the i386 architecture. (CVE-2010-0003, Moderate)

missing capability checks were found in the ebtables implementation, used for creating an Ethernet bridge firewall. This could allow a local, unprivileged user to bypass intended capability restrictions and modify ebtables rules. (CVE-2010-0007, Low)

a bug prevented Wake on LAN (WoL) being enabled on certain Intel hardware. (BZ#543449)

a race issue in the Journaling Block Device. (BZ#553132)

Prior to this update, user data corruption could occur when a 64-bit system was in the 32-bit compatibility mode. Specifically, programs compiled on an x86 system that called sched_rr_get_interval() were silently corrupted. This was due to the kernel filling data beyond the end of a timespec structure because the size of the structure is different between 32-bit and 64-bit systems. With this update, this issue has been fixed by calling sys32_sched_rr_get_interval() instead of sys_sched_rr_get_interval() when sched_rr_get_interval() is called, and user data corruption no longer occurs. (BZ#557684)

the RHSA-2010:0019 update introduced a regression, preventing WoL from working for network devices using the e1000e driver. (BZ#559335)

adding a bonding interface in mode balance-alb to a bridge was not functional. (BZ#560588)

some KVM (Kernel-based Virtual Machine) guests experienced slow performance (and possibly a crash) after suspend/resume. (BZ#560640)

on some systems, VF cannot be enabled in dom0. (BZ#560665)

on systems with certain network cards, a system crash occurred after enabling GRO. (BZ#561417)

for x86 KVM guests with pvclock enabled, the boot clocks were registered twice, possibly causing KVM to write data to a random memory area during the guest's life. (BZ#561454)

serious performance degradation for 32-bit applications, that map (mmap) thousands of small files, when run on a 64-bit system. (BZ#562746)

improved kexec/kdump handling. Previously, on some systems under heavy load, kexec/kdump was not functional. (BZ#562772)

dom0 was unable to boot when using the Xen hypervisor on a system with a large number of logical CPUs. (BZ#562777)

a fix for a bug that could potentially cause file system corruption. (BZ#564281)

a bug caused infrequent cluster issues for users of GFS2. (BZ#564288)

gfs2_delete_inode failed on read-only file systems. (BZ#564290)

the possibility of a timeout value overflow was found in the Linux kernel high-resolution timers functionality, hrtimers. This could allow a local, unprivileged user to execute arbitrary code, or cause a denial of service (kernel panic). (CVE-2007-5966, Important)

a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than could be handled, which could lead to a remote denial of service or code execution. (CVE-2009-1389, Important)

the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2009-1895, Important)

Ramon de Carvalho Valle reported two flaws in the Linux kernel eCryptfs implementation. A local attacker with permissions to perform an eCryptfs mount could modify the metadata of the files in that eCrypfts mount to cause a buffer overflow, leading to a denial of service or privilege escalation. (CVE-2009-2406, CVE-2009-2407, Important)

Konstantin Khlebnikov discovered a race condition in the ptrace implementation in the Linux kernel. This race condition can occur when the process tracing and the process being traced participate in a core dump. A local, unprivileged user could use this flaw to trigger a deadlock, resulting in a partial denial of service. (CVE-2009-1388, Moderate)

possible host (dom0) crash when installing a Xen para-virtualized guest while another para-virtualized guest was rebooting. (BZ#497812)

no audit record for a directory removal if the directory and its subtree were recursively watched by an audit rule. (BZ#507561)

page caches in memory can be freed up using the Linux kernel's drop_caches feature. If drop_pagecache_sb() and prune_icache() ran concurrently, however, a missing test in drop_pagecache_sb() could cause a kernel panic. For example, running echo 1 > /proc/sys/vm/drop_caches or sysctl -w vm.drop_caches=1 on systems under high memory load could cause a kernel panic or system hang. With this update, the missing test has been added and the drop_caches feature frees up page caches properly. Consequently these system failures no longer occur, even under high memory load. (BZ#503692)

on 32-bit systems, core dumps for some multithreaded applications did not include all thread information. (BZ#505322)

a stack buffer used by get_event_name() was not large enough for the nul terminator sprintf() writes. This could lead to an invalid pointer or kernel panic. (BZ#506906)

when using the aic94xx driver, a system with SATA drives may not boot due to a bug in libsas. (BZ#506029)

incorrect stylus button handling when moving it away then returning it to the tablet for Wacom Cintiq 21UX and Intuos tablets. (BZ#508275)

CPU "soft lockup" messages and possibly a system hang on systems with certain Broadcom network devices and running the Linux kernel from the kernel-xen package. (BZ#503689)

on 64-bit PowerPC, getitimer() failed for programs using the ITIMER_REAL timer and that were also compiled for 64-bit systems (this caused such programs to abort). (BZ#510018)

write operations could be blocked even when using O_NONBLOCK. (BZ#510239)

enabling MSI on systems with VIA VT3364 chipsets caused a kernel panic or system hang during installation of Red Hat Enterprise Linux or subsequent booting of the operating system. MSI was enabled by default during boot and the "pci=nomsi" boot option to disable MSI was required on Red Hat Enterprise Linux 5.2 and later to avoid this bug. With this update, the kernel automatically disables MSI on VIA VT3364 chipsets during boot. The "pci=nomsi" boot option is no longer required to install or boot Red Hat Enterprise Linux successfully. (BZ#507529)

shutting down, destroying, or migrating Xen guests with large amounts of memory could cause other guests to be temporarily unresponsive. (BZ#512311)

HugeTLBFS (Translation Look-Aside Buffer File System) allows much larger page sizes than standard 4-kilobyte pages. The kernel's virtual memory subsystem uses these pages to map between real and virtual memory address spaces, and HugeTLBFS allows for significant performance increases for memory-intensive applications under heavy load. When a file existing on the HugeTLB file system was accessed simultaneously by two separate processes, the system become unresponsive and eventually a soft lockup occurred. These updated packages correct this issue so that simultaneous access of a single file on a HugeTLB file system is no longer problematic. (BZ#510235)

RHSA-2009-1106 included a fix for a rare race condition (BZ#486921). This earlier race condition occurred if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2). Unfortunately, the fix included with RHSA-2009-1106 introduced a new, very small, race condition which presented if the system was swapping heavily or heavily reproducing the conditions that were the cause of BZ#48692. With this update, the parent pte is not set to writable if the src pte is unmapped by the VM, preventing the race condition from occurring. (BZ#507297)

the copy_hugetlb_page_range() function assumed it was safe to drop the source mm->page_table_lock before calling hugetlb_cow(). As a consequence a kernel panic occurred when a particular multi-threaded application did Direct IO on a HUGEPAGE-mapped file region and created new processes. With this update, copy_hugetlb_page_range() calls hugetlb_cow() with the locks held, ensuring the panic does not occur. (BZ#508030)

several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, CVE-2009-1633, Important)

the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)

Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)

a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)

a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)

a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. "Busy inodes" messages may have been logged. (BZ#498653)

nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium®-based systems. (BZ#500349)

LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120)

ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once. (BZ#486945)

epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322)

missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271)

on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926)

in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data. (BZ#486921)

when using GFS2, gfs2_quotad may have entered an uninterpretable sleep state. (BZ#501742)

with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783)

the "-fwrapv" flag was added to the gcc build options to prevent gcc from optimizing away wrapping. (BZ#501751)

a kernel panic when enabling and disabling iSCSI paths. (BZ#502916)

using the Broadcom NetXtreme BCM5704 network device with the tg3 driver caused high system load and very bad performance. (BZ#502837)

"/proc/[pid]/maps" and "/proc/[pid]/smaps" can only be read by processes able to use the ptrace() call on a given process; however, certain information from "/proc/[pid]/stat" and "/proc/[pid]/wchan" could be used to reconstruct memory maps. (BZ#499546)

a logic error was found in the do_setlk() function of the Linux kernel Network File System (NFS) implementation. If a signal interrupted a lock request, the local POSIX lock was incorrectly created. This could cause a denial of service on the NFS server if a file descriptor was closed before its corresponding lock request returned. (CVE-2008-4307, Important)

a deficiency was found in the Linux kernel system call auditing implementation on 64-bit systems. This could allow a local, unprivileged user to circumvent a system call audit configuration, if that configuration filtered based on the "syscall" number or arguments. (CVE-2009-0834, Important)

the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important)

a flaw was found in the ecryptfs_write_metadata_to_contents() function of the Linux kernel eCryptfs implementation. On systems with a 4096 byte page-size, this flaw may have caused 4096 bytes of uninitialized kernel memory to be written into the eCryptfs file headers, leading to an information leak. Note: Encrypted files created on systems running the vulnerable version of eCryptfs may contain leaked data in the eCryptfs file headers. This update does not remove any leaked data. Refer to the Knowledgebase article in the References section for further information. (CVE-2009-0787, Moderate)

the Linux kernel implementation of the Network File System (NFS) did not properly initialize the file name limit in the nfs_server data structure. This flaw could possibly lead to a denial of service on a client mounting an NFS share. (CVE-2009-1336, Moderate)

the enic driver (Cisco 10G Ethernet) did not operate under virtualization. (BZ#472474)

network interfaces using the IBM eHEA Ethernet device driver could not be successfully configured under low-memory conditions. (BZ#487035)

bonding with the "arp_validate=3" option may have prevented fail overs. (BZ#488064)

when running under virtualization, the acpi-cpufreq module wrote "Domain attempted WRMSR" errors to the dmesg log. (BZ#488928)

NFS clients may have experienced deadlocks during unmount. (BZ#488929)

the ixgbe driver double counted the number of received bytes and packets. (BZ#489459)

the Wacom Intuos3 Lens Cursor device did not work correctly with the Wacom Intuos3 12x12 tablet. (BZ#489460)

on the Itanium® architecture, nanosleep() caused commands which used it, such as sleep and usleep, to sleep for one second more than expected. (BZ#490434)

a panic and corruption of slab cache data structures occurred on 64-bit PowerPC systems when clvmd was running. (BZ#491677)

the NONSTOP_TSC feature did not perform correctly on the Intel® microarchitecture (Nehalem) when running in 32-bit mode. (BZ#493356)

keyboards may not have functioned on IBM eServer System p machines after a certain point during installation or afterward. (BZ#494293)

using Device Mapper Multipathing with the qla2xxx driver resulted in frequent path failures. (BZ#495635)

if the hypervisor was booted with the dom0_max_vcpus parameter set to less than the actual number of CPUs in the system, and the cpuspeed service was started, the hypervisor could crash. (BZ#495931)

using Openswan to provide an IPsec virtual private network eventually resulted in a CPU soft lockup and a system crash. (BZ#496044)

it was possible for posix_locks_deadlock() to enter an infinite loop (under the BKL), causing a system hang. (BZ#496842)

memory leaks were found on some error paths in the icmp_send() function in the Linux kernel. This could, potentially, cause the network connectivity to cease. (CVE-2009-0778, Important)

Chris Evans reported a deficiency in the clone() system call when called with the CLONE_PARENT flag. This flaw permits the caller (the parent process) to indicate an arbitrary signal it wants to receive when its child process exits. This could lead to a denial of service of the parent process. (CVE-2009-0028, Moderate)

an off-by-one underflow flaw was found in the eCryptfs subsystem. This could potentially cause a local denial of service when the readlink() function returned an error. (CVE-2009-0269, Moderate)

a deficiency was found in the Remote BIOS Update (RBU) driver for Dell systems. This could allow a local, unprivileged user to cause a denial of service by reading zero bytes from the image_type or packet_size files in "/sys/devices/platform/dell_rbu/". (CVE-2009-0322, Moderate)

an inverted logic flaw was found in the SysKonnect FDDI PCI adapter driver, allowing driver statistics to be reset only when the CAP_NET_ADMIN capability was absent (local, unprivileged users could reset driver statistics). (CVE-2009-0675, Moderate)

the sock_getsockopt() function in the Linux kernel did not properly initialize a data structure that can be directly returned to user-space when the getsockopt() function is called with SO_BSDCOMPAT optname set. This flaw could possibly lead to memory disclosure. (CVE-2009-0676, Moderate)

the ext2 and ext3 file system code failed to properly handle corrupted data structures, leading to a possible local denial of service when read or write operations were performed on a specially-crafted file system. (CVE-2008-3528, Low)

a deficiency was found in the libATA implementation. This could, potentially, lead to a local denial of service. Note: by default, the "/dev/sg*" devices are accessible only to the root user. (CVE-2008-5700, Low)

a bug in aic94xx may have caused kernel panics during boot on some systems with certain SATA disks. (BZ#485909)

a word endianness problem in the qla2xx driver on PowerPC-based machines may have corrupted flash-based devices. (BZ#485908)

a memory leak in pipe() may have caused a system deadlock. The workaround in Section 1.5, Known Issues, of the Red Hat Enterprise Linux 5.3 Release Notes Updates, which involved manually allocating extra file descriptors to processes calling do_pipe, is no longer necessary. (BZ#481576)

CPU soft-lockups in the network rate estimator. (BZ#481746)

bugs in the ixgbe driver caused it to function unreliably on some systems with 16 or more CPU cores. (BZ#483210)

the iwl4965 driver may have caused a kernel panic. (BZ#483206)

a bug caused NFS attributes to not update for some long-lived NFS mounted file systems. (BZ#483201)

unmounting a GFS2 file system may have caused a panic. (BZ#485910)

a bug in ptrace() may have caused a panic when single stepping a target. (BZ#487394)

on some 64-bit systems, notsc was incorrectly set at boot, causing slow gettimeofday() calls. (BZ#488239)

do_machine_check() cleared all Machine Check Exception (MCE) status registers, preventing the BIOS from using them to determine the cause of certain panics and errors. (BZ#490433)

scaling problems caused performance problems for LAPI applications. (BZ#489457)

a panic may have occurred on systems using certain Intel WiFi Link 5000 products when booting with the RF Kill switch on. (BZ#489846)

the TSC is invariant with C/P/T states, and always runs at constant frequency from now on. (BZ#489310)

a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important)

a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important)

a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important)

the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low)

when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target.

the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value.

nfs_create_rpc_client was called with a "flavor" parameter which was usually ignored and ended up unconditionally creating the RPC client with an AUTH_UNIX flavor. This caused problems on AUTH_GSS mounts when the credentials needed to be refreshed. The credops did not match the authorization type, which resulted in the credops dereferencing an incorrect part of the AUTH_UNIX rpc_auth struct.

when copy_user_c terminated prematurely due to reading beyond the end of the user buffer and the kernel jumped to the exception table entry, the rsi register was not cleared. This resulted in exiting back to user code with garbage in the rsi register.

the hexdump data in s390dbf traces was incomplete. The length of the data traced was incorrect and the SAN payload was read from a different place then it was written to.

when using connected mode (CM) in IPoIB on ehca2 hardware, it was not possible to transmit any data.

when an application called fork() and pthread_create() many times and, at some point, a thread forked a child and then attempted to call the setpgid() function, then this function failed and returned and ESRCH error value.

a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important)

a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important)

in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running "cman_tool kill -n [nodename]". (BZ#515432)