B.38.1. RHSA-2010:0842 — Important: kernel security and bug fix update
i915 driver in the Linux kernel could allow a local, unprivileged user to escalate their privileges. (CVE-2010-2962, Important)
compat_alloc_user_space() in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important)
niu Ethernet driver in the Linux kernel could allow a local user to cause a denial of service or escalate their privileges. (CVE-2010-3084, Important)
sctp_packet_config() in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service. (CVE-2010-3432, Important)
snd_ctl_new() in the Linux kernel's sound subsystem could allow a local, unprivileged user on a 32-bit system to cause a denial of service or escalate their privileges. (CVE-2010-3442, Important)
sctp_auth_asoc_get_hmac() in the Linux kernel's SCTP implementation. When iterating through the hmac_ids array, it did not reset the last id element if it was out of range. This could allow a remote attacker to cause a denial of service. (CVE-2010-3705, Important)
drm_ioctl() in the Linux kernel's Direct Rendering Manager (DRM) implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-2803, Moderate)
ftrace_regex_lseek() in the Linux kernel's ftrace implementation could allow a local, unprivileged user to cause a denial of service. Note: The debugfs file system must be mounted locally to exploit this issue. It is not mounted by default. (CVE-2010-3079, Moderate)
PKT_CTRL_CMD_STATUS IOCTL request, possibly allowing a local, unprivileged user with access to /dev/pktcdvd/control to cause an information leak. Note: By default, only users in the cdrom group have access to /dev/pktcdvd/control. (CVE-2010-3437, Moderate)
gs segment registers when they had invalid selectors. A privileged host user with access to /dev/kvm could use this flaw to crash the host. (CVE-2010-3698, Moderate)
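The hmac_ids iteration flaw listed above (CVE-2010-3705) comes down to a loop variable that keeps a rejected value after the loop ends. The following user-space C model is an added example, not code from the kernel or from this advisory; the table, the function names, and the convention that id 0 means "no usable HMAC" are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code. Assumption: id 0 means "none". */
#define HMAC_ID_MAX 3
static const char *const hmac_names[HMAC_ID_MAX + 1] = {
    NULL, "hmac(sha1)", NULL, "hmac(sha256)",
};

/* Walk a peer-supplied id list and return the first supported id,
 * or -1 if none is usable. With reset_on_skip == 0 a rejected id stays
 * in `id` after the loop, which is the behaviour the advisory describes. */
static long pick_hmac(const uint16_t *ids, size_t n, int reset_on_skip)
{
    uint16_t id = 0;
    for (size_t i = 0; i < n; i++) {
        id = ids[i];
        if (id > HMAC_ID_MAX || hmac_names[id] == NULL) {
            if (reset_on_skip)
                id = 0;          /* corrected form: forget the rejected id */
            continue;
        }
        break;                   /* first supported id wins */
    }
    return id == 0 ? -1 : (long)id;
}

/* A caller may only index hmac_names[] with an in-range result. */
static int index_is_safe(long idx)
{
    return idx >= 0 && idx <= HMAC_ID_MAX;
}

int main(void)
{
    const uint16_t all_bad[] = { 7, 200 };   /* constructed: every id out of range */
    const uint16_t mixed[]   = { 7, 3 };     /* constructed: second id supported */

    long stale = pick_hmac(all_bad, 2, 0);
    long fixed = pick_hmac(all_bad, 2, 1);
    printf("no reset: %ld (safe=%d)\n", stale, index_is_safe(stale));
    printf("reset:    %ld\n", fixed);
    printf("mixed:    %ld\n", pick_hmac(mixed, 2, 1));
    return 0;
}
```

The model only returns the chosen index and never dereferences it, so the unreset case can be observed without an out-of-bounds read.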
- When booting a Red Hat Enterprise Linux 5.5 kernel on a guest on an AMD host system running Red Hat Enterprise Linux 6, the guest kernel crashes due to an unsupported MSR (Model Specific Registers) read of the MSR_K7_CLK_CTL model. With this update, KVM support was added for the MSR_K7_CLK_CTL model specific register used in the AMD K7 CPU models, thus, the kernel crashes no longer occur.
- Previously, the s390 tape block driver crashed whenever it tried to switch the I/O scheduler. With this update, an official in-kernel API (elevator_change()) is used to switch the I/O scheduler safely, thus, the crashes no longer occur.
- Previously, a kernel module not shipped by Red Hat was successfully loaded when the FIPS boot option was enabled. With this update, kernel self-integrity is improved by refusing to load kernel modules which are not shipped by Red Hat when the FIPS boot option is enabled.
- A regression was discovered that caused a kernel panic during the booting of any SGI UV100 and UV1000 system unless the virtefi command line option was passed to the kernel by GRUB. With this update, the need for the virtefi command line option is removed and the kernel boots as expected without it.
- Previously, a Windows XP host experienced the stop error screen (i.e. the "Blue Screen Of Death" error) when booted with the CPU mode name. With this update, a Windows XP host no longer experiences the aforementioned error due to added KVM (Kernel-based Virtual Machine) support for the MSR_EBC_FREQUENCY_ID model specific register.
- Previously the cxgb3 (Chelsio Communications T3 10Gb Ethernet) adapter experienced parity errors. With this update, the parity errors are correctly detected and the cxgb3 adapter successfully recovers from them.
- Systems with an updated Video BIOS for the AMD RS880 would not properly boot with KMS (Kernel mode-setting) enabled. With this update, the Video BIOS boots successfully when KMS is enabled.
- The zfcpdump (kdump) kernel on IBM System z could not be debugged using the dump analysis tool crash, because the vmlinux file in the kernel-kdump-debuginfo RPM did not contain DWARF debug information. With this update, the CONFIG_DEBUG_KERNEL parameter is set to yes and the needed debug information is provided.
- Previously, MADV_HUGEPAGE was missing in the include/asm-generic/mman-common.h file which caused madvise to fail to utilize THP. With this update, the madvise option was removed from /sys/kernel/mm/redhat_transparent_hugepage/enabled since MADV_HUGEPAGE was removed from the
- The kernel panicked when booting the kdump kernel on an s390 system with an initramfs that contained an odd number of bytes. With this update, an initramfs with sufficient padding such that it contains an even number of bytes is generated, thus, the kernel no longer panics.
- Previously, in order to install Snapshot 13, boot parameter nomodeset xforcevesa had to be added to the kernel command line, otherwise, the screen turned black and prevented the installation. With this update, the aforementioned boot parameter no longer has to be specified and the installation works as expected.
- Previously, a write request may have merged with a discard request. This could have posed a potential risk for 3rd party drivers which could possibly issue a discard without waiting properly. With this update, merges of discard and write requests in one block I/O are prevented, thus resolving the possible risks.
- BZ#641258, BZ#644037
fork() system call led to an rmap walk finding the parent huge-pmd twice instead of once, thus causing a discrepancy between the page_mapcount check, which could have led to erratic page counts for subpages. This fix ensures that the rmap walk is accurate when a process is forked, thus resolving the issue.
- When running a fsstress test which issues various operations on an ext4 filesystem when usrquota is enabled, the following JBD (Journaling Block Device) error was output in
JBD: Spotted dirty metadata buffer (dev = sda10, blocknr = 17635). There's a risk of filesystem corruption in case of system crash.
With this update, by always journaling the quota file modification in an ext4 file system, the aforementioned message no longer appears in the logs.
- Previously, the destination MAC address validation was not checking for NPIV (N_Port ID Virtualization) addresses, which resulted in FCoE (Fibre Channel over Ethernet) frames being dropped. With this update, the destination MAC address check for FCoE frames has been modified so that multiple N_port IDs can be multiplexed on a single physical
- During an installation through Cisco NPV (N port virtualization) to Brocade, adding a LUN (Logical Unit Number) through did not work properly. This was caused by the faulty resending of FLOGI (Fabric Login) when a Fibre Channel switch in the NPV mode rejected requests with zero Destination ID. With this update, the LUN is seen and able to be selected for installation.
- Previously, timing issues could cause the FIP (FCoE Initialization Protocol) FLOGIs to time out even if there were no problems. This caused the kernel to go into a non-FIP mode even though it should have been in the FIP mode. With this update, the timing issues no longer occur and the kernel no longer switches to the non-FIP mode when logging to the Fibre Channel Switch/Forwarder.
- Previously, the vmstat (virtual memory statistics) tool incorrectly reported the disk I/O as swap-in on ppc64 and other architectures that do not support the TRANSPARENT_HUGEPAGE configuration option in the kernel. With this update, the vmstat tool no longer reports incorrect statistics and works as expected.
- Previously, building under memory pressure with KSM (Kernel Shared Memory) caused KSM to collapse with an internal compiler error indicating an error in swapping. With this update, data corruption during swapping no longer occurs.
- Occasionally, the anon_vma variable could contain the value
page_address_in_vma function and cause a kernel panic. With this update, the kernel panic no longer occurs.
- Previously, the /proc/maps file which is read by LVM2 (Logical Volume Manager 2) contained inconsistencies caused by LVM2 incorrectly deciding which memory to munlock. With this update, LVM2 correctly decides between the munlock operations and no longer causes inconsistencies.
- Systems that have an Emulex FC controller (with SLI-3 based firmware) installed could return a kernel panic during installation. With this update, kernel panic no longer occurs during installation.
- This update fixes the slow memory leak in the i915 module in DRM (Direct Rendering Manager) and GEM (Graphics Execution Manager).
- Previously, a race condition in the TTM (Translation Table Maps) module of the DRM (Direct Rendering Manager) between the object destruction thread and object eviction could result in a major loss of large objects' reference counts. Consequently, this caused a major memory leak. With this update, the race condition no longer occurs and any memory leaks are prevented.
- Previously, an operation such as madvise(MADV_MERGEABLE) may have split VMAs (Virtual Memory Area) without checking if any huge page had to be split into regular pages, leaving huge pages still mapped in VMA ranges that would not be large enough to fit huge pages. With this update, whenever a VMA is being truncated, huge pages are checked to determine whether they have been split.
- Previously, accounting of reclaimable inodes did not work correctly. When an inode was reclaimed it was only deleted from the per-AG (per Allocation Group) tree. Neither the counter was decreased, nor was the parent tree's AG entry untagged properly. This caused the system to hang indefinitely. With this update, the accounting of reclaimable inodes works properly and the system remains responsive.
- A race condition occurred when Xen was presented with an inconsistent page type resulting in the crash of the kernel. With this update, the race condition is prevented and kernel crashes no longer occur.
- Previously, Red Hat Enterprise Linux 6 enabled the CONFIG_IMA option in the kernel. This caused the kernel to track all inodes in the system in a radix tree, leading to a huge waste of memory. With this update, an optimized version of a tree (rbtree) is used and memory is no longer wasted.
- Previously, calling the elevator_change function immediately after the blk_init_queue function resulted in a null pointer dereference. With this update, the null pointer dereference no longer occurs.
- When booting the latest Red Hat Enterprise Linux 6 kernel (-78.el6), the system hung shortly after booting. Access to the file system died and the console started outputting soft lockup messages from the TTM code. With this update, the aforementioned behavior no longer occurs and the system boots as expected.