B.38.6. RHSA-2011:0498 — Important: kernel security, bug fix and enhancement update
ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)
drm_modeset_ctl() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1013, Important)
dccp_rcv_state_process() could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important)
auth_enable variables were turned on (they are off by default). (CVE-2011-1573, Important)
inotify_init() system call. In some cases, it could leak a group, which could allow a local, unprivileged user to eventually cause a denial of service. (CVE-2010-4250, Moderate)
bnep_sock_ioctl() could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate)
bcm_connect() in the Controller Area Network (CAN) Broadcast Manager implementation could allow a local, unprivileged user to leak kernel mode addresses in /proc/net/can-bcm. (CVE-2010-4565, Low)
ima_match_rules() to always succeed, ignoring any remaining rules. (CVE-2011-0006, Low)
snd_usb_caiaq_midi_init() could allow a local, unprivileged user with access to a Native Instruments USB audio device to cause a denial of service or escalate their privileges. (CVE-2011-0712, Low)
/proc/<PID>/stat were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low)
dev_load() could allow a local user who has the CAP_NET_ADMIN capability to load arbitrary modules from /lib/modules/, instead of only netdev modules. (CVE-2011-1019, Low)
ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low)
do_replace() could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low)
- A flaw was found in the Linux kernel where, if used in conjunction with another flaw that can result in a kernel Oops, could possibly lead to privilege escalation. It does not affect Red Hat Enterprise Linux 6 as the panic_on_oops variable is turned on by default. However, as a preventive measure if the variable is turned off by an administrator, this update addresses the issue. Red Hat would like to thank Nelson Elhage for reporting this vulnerability.
- Under some circumstances, faulty logic in the system BIOS could report that ASPM (Active State Power Management) was not supported on the system, but leave ASPM enabled on a device. This could lead to AER (Advanced Error Reporting) errors that the kernel was unable to handle. With this update, the kernel proactively disables ASPM on devices when the BIOS reports that ASPM is not supported, safely eliminating the aforementioned issues.
- Prior to this update, adding a bond over a bridge inside a virtual guest caused the kernel to crash due to a NULL dereference. This update improves the tests for the presence of VLANs configured above bonding (additionally, this update fixes a regression introduced by the patch for BZ#633571). The new logic determines whether a registration has occurred, instead of testing that the internal vlan_list of a bond is empty. Previously, the system panicked and crashed when vlan_list was not empty, but the vlgrp pointer was still
- During light or no network traffic, an active-backup bond interface using ARP monitoring with validation could go down and come back up because of an overflow or underflow in its calculations on the system timer tick counter (jiffies). With this update, the jiffies calculation issues have been fixed and a bond interface works as expected.
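The bonding fix above is an instance of a general kernel bug class: comparing jiffies timestamps with plain <= or + while the counter can wrap. The kernel's own answer is the time_after()/time_before()/time_in_range() family in <linux/jiffies.h>, which reinterprets the unsigned difference as signed so that the comparison stays correct across the wrap. The block below is an added example, not code from the bonding driver or from this update: it re-implements those helpers in userland on a 32-bit counter (an assumption chosen so the wrap is easy to reach; the kernel uses unsigned long with the same trick) and contrasts a naive ARP-monitor liveness check with the wrap-safe form on two timestamps that straddle the wrap, one yielding a false "link down" and the other a false "link up".

```c
/* Wraparound-safe jiffies comparisons: userland re-implementation of the
 * kernel's time_after()/time_in_range() idiom. Added example, not the
 * bonding driver's own code. jiffies_t is 32-bit here by assumption. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t jiffies_t;

/* true if a is after b. The unsigned difference is reinterpreted as signed,
 * which is correct as long as the stamps are less than 2^31 ticks apart. */
static inline bool jiffies_after(jiffies_t a, jiffies_t b)
{
    return (int32_t)(b - a) < 0;
}
static inline bool jiffies_after_eq(jiffies_t a, jiffies_t b)
{
    return (int32_t)(a - b) >= 0;
}
static inline bool jiffies_before_eq(jiffies_t a, jiffies_t b)
{
    return jiffies_after_eq(b, a);
}
/* true if a lies in the closed interval [b, c] (kernel: time_in_range) */
static inline bool jiffies_in_range(jiffies_t a, jiffies_t b, jiffies_t c)
{
    return jiffies_after_eq(a, b) && jiffies_before_eq(a, c);
}

/* ARP-monitor style liveness test: the slave is up if the last ARP reply
 * (last_rx) is no older than delta ticks. */
bool naive_slave_up(jiffies_t now, jiffies_t last_rx, jiffies_t delta)
{
    return now <= last_rx + delta;   /* wrong whenever one side has wrapped */
}
bool safe_slave_up(jiffies_t now, jiffies_t last_rx, jiffies_t delta)
{
    return !jiffies_after(now, last_rx + delta);
}

/* Linux starts jiffies at INITIAL_JIFFIES (-300*HZ), so the counter wraps
 * about five minutes after boot precisely to flush out the naive form. */
int main(void)
{
    /* reply 14 ticks ago, deadline computed just past the wrap */
    jiffies_t now1 = 0xFFFFFFFEu, rx1 = 0xFFFFFFF0u;
    /* reply 261 ticks ago, 'now' already past the wrap */
    jiffies_t now2 = 5u, rx2 = 0xFFFFFF00u;

    printf("case 1 (14 ticks old, limit 100): naive=%d safe=%d\n",
           naive_slave_up(now1, rx1, 100), safe_slave_up(now1, rx1, 100));
    printf("case 2 (261 ticks old, limit 16): naive=%d safe=%d\n",
           naive_slave_up(now2, rx2, 16), safe_slave_up(now2, rx2, 16));
    printf("5 in [0xFFFFFFF0, 0x20] across the wrap: %d\n",
           jiffies_in_range(5u, 0xFFFFFFF0u, 0x20u));
    return 0;
}
```

Away from the wrap both forms agree; at the wrap the naive check flaps the interface exactly as the bug report describes, once in each direction, while the signed-difference form gives the right answer in both cases.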
- In certain network setups (specifically, using VLAN on certain NICs where packets are sent through the VLAN GRO rx path), sending packets from an active ethernet port to another inactive ethernet port could affect the network's bridge and cause the bridge to acquire a wrong bridge port. This resulted in all packets not being passed along in the network. With this update, the underlying source code has been modified to address this issue, and network traffic works as expected.
- BZ#698114, BZ#696889
- Deleting a SCSI (Small Computer System Interface) device attached to a device handler caused applications running in user space, which were performing I/O operations on that device, to become unresponsive. This was due to the fact that the SCSI device handler's activation did not propagate the SCSI device deletion via an error code and a callback to the Device-Mapper Multipath. With this update, deletion of a SCSI device attached to a device handler is properly handled and no longer causes certain applications to become unresponsive.
- Systems Management Applications using the libsmbios package could become unresponsive on Dell PowerEdge servers (specifically, Dell PowerEdge 2970 and Dell PowerEdge SC1435). The dcdbas driver can perform an I/O write operation which causes an SMI (System Management Interrupt) to occur. However, the SMI handler processed the SMI well after the outb function was processed, which caused random failures resulting in the aforementioned hang. With this update, the underlying source code has been modified to address this issue, and systems management applications using the libsmbios package no longer become unresponsive.
- Invoking an EFI (Extensible Firmware Interface) call caused a restart or a failure to boot to occur on a system with more than 512GB of memory because the EFI page tables did not map the whole kernel space. EFI page tables used only one PGD (Page Global Directory) entry to map the kernel space; thus, virtual addresses higher than PAGE_OFFSET + 512GB could not be accessed. With this update, EFI page tables map the whole kernel space.
- Enabling the Header Splitting mode on all Intel 82599 10 Gigabit Ethernet hardware could lead to unpredictable behavior. With this update, the Header Splitting mode is never enabled on the aforementioned hardware.
ixgbe driver has been upgraded to upstream version 3.0.12, which provides a number of bug fixes and enhancements over the previous version.
- If an Intel 82598 10 Gigabit Ethernet Controller was configured in a way that caused peer-to-peer traffic to be sent to the Intel X58 I/O hub (IOH), a PCIe credit starvation problem occurred. As a result, the system would hang. With this update, the system continues to work and does not hang.
- The ALSA HDA audio driver has been updated to improve support for new chipsets and HDA audio codecs.
- A buffer overflow flaw was found in the Linux kernel's Cluster IP hashmark target implementation. A local, unprivileged user could trigger this flaw and cause a local denial of service by editing files in the /proc/net/ipt_CLUSTERIP/ directory. Note: On Red Hat Enterprise Linux 6, only root can write to files in the /proc/net/ipt_CLUSTERIP/ directory by default. This update corrects this issue as a preventative measure in case an administrator has changed the permissions on these files. Red Hat would like to thank Vasiliy Kulikov for reporting this issue.
- Using the pam_tty_audit.so module (which enables or disables TTY auditing for specified users) in the /etc/pam.d/sudo file and in the /etc/pam.d/system-auth file when the audit package is not installed resulted in soft lock-ups on CPUs. As a result, the kernel became unresponsive. This was due to the kernel exiting immediately after TTY auditing was disabled, without emptying the buffer, which caused the kernel to spin in a loop, copying 0 bytes at each iteration and attempting to push each time without any effect. With this update, a locking mechanism is introduced to prevent the aforementioned behavior.
- Prior to this update, a collection of world-writable procfs files allowed an unprivileged user to change various settings, change device hardware registers, and load certain firmware. With this update, permissions for these files have been changed.
- A previously introduced patch could cause kswapd (the kernel's memory reclaim daemon) to enter an infinite loop, consuming 100% of the CPU it is running on. This happened because kswapd incorrectly stayed awake for an unreclaimable zone. This update addresses this issue, and kswapd no longer consumes 100% of the CPU it is running on.
- If an error occurred during an I/O operation, the SCSI driver reset the megaraid_sas controller to restore it to normal state. However, on Red Hat Enterprise Linux 6, the waiting time to allow a full reset completion for the megaraid_sas controller was too short. The driver incorrectly recognized the controller as stalled, and, as a result, the system stalled as well. With this update, more time is given to the controller to properly restart, thus, the controller operates as expected after being reset.
- This update provides VLAN null tagging support (VLAN ID 0 can be used in tags).