B.38.2. RHSA-2011:0007 — Important: kernel security and bug fix update

Important

This update has already been released as the security errata RHSA-2011:0007
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* Buffer overflow in eCryptfs. When /dev/ecryptfs has world writable permissions (which it does not, by default, on Red Hat Enterprise Linux 6), a local, unprivileged user could use this flaw to cause a denial of service or possibly escalate their privileges. (CVE-2010-2492, Important)
* Integer overflow in the RDS protocol implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important)
* Missing boundary checks in the PPP over L2TP sockets implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4160, Important)
* NULL pointer dereference in the igb driver. If both Single Root I/O Virtualization (SR-IOV) and promiscuous mode were enabled on an interface using igb, it could result in a denial of service when a tagged VLAN packet is received on that interface. (CVE-2010-4263, Important)
* Missing initialization flaw in the XFS file system implementation, and in the network traffic policing implementation, could allow a local, unprivileged user to cause an information leak. (CVE-2010-3078, CVE-2010-3477, Moderate)
* NULL pointer dereference in the Open Sound System compatible sequencer driver could allow a local, unprivileged user with access to /dev/sequencer to cause a denial of service. /dev/sequencer is only accessible to root and users in the audio group by default. (CVE-2010-3080, Moderate)
* Flaw in the ethtool IOCTL handler could allow a local user to cause an information leak. (CVE-2010-3861, Moderate)
* Flaw in bcm_connect() in the Controller Area Network (CAN) Broadcast Manager. On 64-bit systems, writing the socket address may overflow the procname character array. (CVE-2010-3874, Moderate)
* Flaw in the module for monitoring the sockets of INET transport protocols could allow a local, unprivileged user to cause a denial of service. (CVE-2010-3880, Moderate)
* Missing boundary checks in the block layer implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4162, CVE-2010-4163, CVE-2010-4668, Moderate)
* NULL pointer dereference in the Bluetooth HCI UART driver could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4242, Moderate)
* Flaw in the Linux kernel CPU time clocks implementation for the POSIX clock interface could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4248, Moderate)
* Flaw in the garbage collector for AF_UNIX sockets could allow a local, unprivileged user to trigger a denial of service. (CVE-2010-4249, Moderate)
* Missing upper bound integer check in the AIO implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-3067, Low)
* Missing initialization flaw in KVM could allow a privileged host user with access to /dev/kvm to cause an information leak. (CVE-2010-4525, Low)
Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492; Thomas Pollet for reporting CVE-2010-3865; Dan Rosenberg for reporting CVE-2010-4160, CVE-2010-3078, CVE-2010-3874, CVE-2010-4162, CVE-2010-4163, CVE-2010-3298, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, and CVE-2010-4158; Kosuke Tatsukawa for reporting CVE-2010-4263; Tavis Ormandy for reporting CVE-2010-3080 and CVE-2010-3067; Kees Cook for reporting CVE-2010-3861 and CVE-2010-4072; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; Vegard Nossum for reporting CVE-2010-4249; Vasiliy Kulikov for reporting CVE-2010-3876; and Stephan Mueller of atsec information security for reporting CVE-2010-4525.
Bug fixes:
BZ#655122
When building kernel modules against the full Red Hat Enterprise Linux 6 source tree (instead of just kernel-devel), modules would be signed by a locally generated key. However, Red Hat Enterprise Linux 6 refused to load modules created in this way as it did not recognize the key. This update disables module signing while building out-of-tree modules, thus, in the aforementioned case, kernel module loading works as expected.
BZ#643815
With this update, the upper limit of the log_mtts_per_seg variable was increased from five to seven, increasing the amount of memory that can be registered. As a result, the Mellanox driver (mlx4) can now use up to 64 GB of physical memory for RDMA (remote direct memory access). This provides better scalability for example when using the Mellanox adapter in NFS/RDMA, or on machines with a lot of physical memory.
BZ#648408
Due to a mix-up between FMODE_ and O_ flags, an NFSv4 client could get a WRITE lock on a file that another NFSv4 client already had a READ lock on. As a result, data could be corrupted. With this update, FMODE_ and O_ flags are properly handled and getting a WRITE lock fails in the aforementioned case.
BZ#649436
Booting Red Hat Enterprise Linux 6 debug kernel on a system with the Dell PowerEdge RAID Controller H700 adapter caused the megaraid_sas driver to reset the controller multiple times leading to a faulty controller state. On rebooting the system, the faulty controller state could cause the firmware to detect an incorrect memory condition. This could be especially confusing since the message could be a faulty DIMM (Dual In-line Memory Module) condition prompting the administrator to replace the DIMMs. This occurred due to a leak in the mfi_sgl dma'ed frame when the firmware supported IEEE frames. The mfi_sgl would draw memory from the slab cache and any use of freed memory would result in incorrect pages being read in the ISR (Interrupt Service Routine). This caused the controller resets and the ensuing DIMM error condition. This update fixes the leak in mfi_sgl when the firmware supports IEEE frames. Faulty controller states and faulty DIMM conditions no longer occur.
BZ#653900
Running VDSM and performing an lvextend operation during an intensive Virtual Guest power up caused this operation to fail. Since lvextend was blocked, all components became non-responsive: vgs and lvs commands froze the session, Virtual Guests became Paused or Not Responding. This was caused due to a faulty use of a lock. With this update, performing an lvextend operation works as expected.
BZ#651996
Due to a faulty memory allocator, on Non-Uniform Memory Architecture (NUMA) platforms, an OOM (Out Of Memory) condition would occur when a user changed a cpuset's /etc/dev/mems file (list of memory nodes in that cpuset) even though the specified node had enough free memory. With this update, the memory allocator no longer causes an OOM condition when a node has enough free memory.
BZ#653340
When using a VIRT-IO (Virtual Input/Output) NIC (Network Interface Controller), its state was reported as unknown instead of its real state (up or down). This was due to the fact that the device could not report the state status. With this update, when a device is not capable of reporting the current state, it is assumed the state is up or the state is read from the config file.
BZ#658879
A previously released patch fixed the external module compiling when using the full source tree, however, it was discovered it resulted in breaking the build in the kernel-devel only case. With this update, the patch has been fixed to avoid any external module compiling errors.
BZ#647391
Running certain workload tests on a NUMA (Non-Uniform Memory Architecture) system could cause kernel panic at mm/migrate.c:113. This was due to a false positive BUG_ON. With this update, the false positive BUG_ON has been removed.
BZ#659611
Updated partner qualification injecting target faults uncovered a flaw where the Emulex lpfc driver would incorrectly panic due to a null pnode dereference. This update addresses the issue and was tested successfully under the same test conditions without the panic occurring.
BZ#660589
Updated partner qualification injecting controller faults uncovered a flaw where the Emulex lpfc driver panicked during error handling. With this update, kernel panic no longer occurs.
BZ#660244
Updated partner qualification injecting controller faults uncovered a flaw where Fibre Channel ports would go offline while testing with Emulex LPFC controllers due to a faulty LPFC heartbeat functionality. This update changes the default behavior of the LPFC heartbeat to off.
BZ#660591
When configuring an SIT (Simple Internet Transition) tunnel while a remote address is configured, kernel panic occurred, caused by an execution of a NULL header_ops pointer in the neigh_update_hhs() function. With this update, a check is introduced that makes sure the header_ops pointer is not of the value NULL, thus, kernel panic no longer occurs.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.