1.74.2. RHSA-2011:1479: Important: kernel security, bug fix, and enhancement update


This update has already been released as the security errata RHSA-2011:1479.
Updated kernel packages that fix multiple security issues, several bugs, and add an enhancement are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

Using PCI passthrough without interrupt remapping support allowed Xen hypervisor guests to generate MSI interrupts and thus potentially inject traps. A privileged guest user could use this flaw to crash the host or possibly escalate their privileges on the host. The fix for this issue can prevent PCI passthrough working and guests starting. Refer to Red Hat Bugzilla bug 715555 for details. (CVE-2011-1898, Important)
A flaw was found in the way CIFS (Common Internet File System) shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate)
A NULL pointer dereference flaw was found in the way the Linux kernel's key management facility handled user-defined key types. A local, unprivileged user could use the keyctl utility to cause a denial of service. (CVE-2011-4110, Moderate)
A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)
A NULL pointer dereference flaw was found in the Linux kernel's HFS file system implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains a specially-crafted HFS file system with a corrupted MDB extent record. (CVE-2011-2203, Low)
The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low)
Red Hat would like to thank Yogesh Sharma for reporting CVE-2011-3363; Peter Huewe for reporting CVE-2011-1162; Clement Lecigne for reporting CVE-2011-2203; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494.

Bug fixes:

Previously, when the iput() function was called while it held the nfs_access_lru lock could result in problems since iput() can sleep, and it can also attempt to allocate memory. This update removes an optimisation that is not present in the mainline kernel series. Now, iput() is never called while holding a spinlock in the nfs_access_cache_shrinker() function, thus preventing this bug.
Under certain circumstances, a deadlock could occur between the khubd process of the USB stack and the modprobe of the usb-storage module. This was because the khubd process, when attempting to delete a USB device, waited for the reference count of knode_bus to be of value 0. However, modprobe, when loading the usb-storage module, scans all USB devices and increments the reference count, preventing the khubd process from continuing. With this update, the underlying source code has been modified to address this issue, and a deadlock no longer occurs in the described scenario.
A previously applied patch (introduced as a fix in CVE-2011-1898) prevented PCI pass-through inside the assign_device domctl via a security check. Because the security check was not included in the test_assign_device domctl, qemu-dm could not handle any failures in the test_assign_device domctl, ultimately causing an HVM guest to have a partly accessible PCI device, which in come cases resulted in a crash of the host machine. With this update, the security check introduced in CVE-2011-1898 has been replicated in the test_assign_device domctl, thus fixing this issue.
In error recovery, most SCSI error recovery stages send a TUR (Test Unit Ready) command for every bad command when a driver error handler reports success. When several bad commands pointed to a same device, the device was probed multiple times. When the device was in a state where it did not respond to commands even after a recovery function returned success, the error handler had to wait for the commands to time out. This significantly impeded the recovery process. With this update, SCSI mid-layer error routines to send test commands have been fixed to respond once per device instead of once per bad command, thus reducing error recovery time considerably.
When an INIT_ACK packet is sent with no STATE COOKIE mandatory parameter, the expected abort error cause is Mandatory Parameter missing. Previously, the Invalid mandatory parameter error cause was given instead. With this update, a bug in the sctp_process_missing_param() function has been fixed and now, correct error cause value for missing parameters is set in the described scenario.
When a COOKIE_ACK message with a packet length smaller then the chunk length defined was received, SCTP (Stream Control Transmission Protocol) sent an ABORT message with incorrectly encoded PROTOCOL VIOLATION error cause. With this update, the underlying code has been fixed and the ABORT message is now encoded properly in the described scenario.
Due to a regression, the byte count on the wrong buffer was adjusted to account for endian differences. This resulted in the wrong buffer length being passed to the callers on big endian machines, which in turn resulted in data returned from the server being incorrectly rejected with "Invalid transact2 SMB: " error messages. This bug was first reported on the 64-bit PowerPC architecture. With this update, the correct buffer length is now passed in the described scenario.
Previously, if a connect change occurs on a USB device, it is reported the same way as a disconnect. As a consequence, the "hub 1-1.6:1.0: Cannot enable port X. Maybe the USB cable is bad?" were issued by the dmesg utility when a low speed USB device was connected to port X. With this update, the port reset code in the hub driver has been changed, code of the usb_reset_device() function has been fixed to prevent the routine from futilely retrying the reset after a disconnect has occurred, and no error messages are now returned in the described scenario.
The operational state of a network device, represented by the value in /sys/class/net/eth<X>/operstate, was not initialized by default and reported unknown when the network device was up and was using the tg3 driver. This update fixes the tg3 driver to properly set the operstate value.
The be2net driver does not use lock-less Tx paths and its xmit() function is protected by the netif_tx_lock spinlock; as are the set_multicast_list() and set_rx_mode() functions. This configuration setup involves sending a message to the card firmware and getting a reply back, which involves delay up to several miliseconds long. As a consequence, the requeue counter increased by high numbers. With this update, the NETIF_F_LLTX feature has been enabled and locking of own Tx paths has been implemented. Now, only small portions of multicast configuration needs to be locked in the described scenario.
Prior to this update, the ndisc_send_skb() function was using an incorrect macro to increment the ICMP6 statistics. As a result, an out-of-bound element in an array which resides in the size-128 slab pool was incremented, causing data corruption. If the array was near the end of the slab page, user data corruption could occur. This update fixes the above-mentioned function to use the correct macro for incrementing the ICMP6 statistics, and data corruption no longer occurs.
A previously introduced patch reduced the size of the DMA zone under the Xen hypervisor. Consequently, drivers trying to allocate contiguous memory with the dma_alloc_coherent() API often had their requests fail. This resulted in BIOS update failures on some systems with large flash memory. With this update, the zone restriction in dma_alloc_coherent() is relaxed, thus fixing this issue.
When the hangcheck timer expires and tries to reboot the machine, it stops all other CPUs in the configuration. However, the CPU that stops the other CPUs is still enabled for interrupts. Consequently, I/O or external interrupts might arrive at the local CPU and the corresponding interrupt handler might try to acquire a lock. Previously, if a remote CPU was holding the lock while the local CPU stopped it, the result was a deadlock. The system became unresponsive instead of performing a reboot. With this update, interrupts are disabled before stopping remote CPUs and the hangs no longer occur in the described scenario.
On IBM System z, if a Linux instance with large amounts of anonymous memory runs into a memory shortage the first time, all pages on the active or inactive lists are considered referenced. This causes the memory management on IBM System z to do a full check over all page cache pages and start writeback for all of them. As a consequence, the system became temporarily unresponsive when the described situation occurred. With this update, only pages with active mappers are checked and the page scan now does not cause the hangs.
Previously, kernel was allowed to reduce the number of unnecessary commit calls by skipping the commit when there was a large number of outstanding pages being written. However, that test did not properly handle the edge case when the number of commits (ncommit) was zero. Consequently, inodes sometimes remained on the sb->s_dirty list and could not be freed by the inode cache shrinker. As a result, the nfs_inode_cache structure grew very large over time. With this update, the call to the nfs_write_inode() function is immediately returned when commit == 0, thus fixing this bug.
A previous kernel patch removed a call in the nfs_file_release() function to the filemap_fdatawrite() function. Consequently, data written to a NFS file, which had been mapped into memory via the mmap() function and not yet flushed to the backing device, were lost as soon as the file was closed. This update adds the filemap_fdatawrite() call back to the nfs_file_flush() function, which fixes this regression.
The Xen network back-end driver was supposed to turn on all of its possible features until it negotiated with the front-end. However, after the negotiation, it did not disable the features declined by the front-end. This caused Windows guest using the xenpv-win network driver to not be able to transmit data to the host over TCP. This update properly disables the features which are not supported by the front-end.


This update improves the performance of delete/unlink operations in a GFS2 file system containing large files by adding a layer of metadata read-ahead for indirect blocks.
Users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. The system must be rebooted for this update to take effect.