RHSA-2009:1024 - Security Advisory

Topic

Updated kernel packages are now available as part of the ongoing support
and maintenance of Red Hat Enterprise Linux version 4. This is the eighth
regular update.

These updated packages fix two security issues, hundreds of bugs, and add
numerous enhancements. Space precludes a detailed description of each of
these in this advisory. Refer to the Red Hat Enterprise Linux 4.8 Release
Notes for information on 22 of the most significant of these changes. For
more detailed information on specific bug fixes or enhancements, refer to
the Bugzilla numbers associated with this advisory.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Description

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security Fixes:

• the exit_notify() function in the Linux kernel did not properly reset the

exit signal if a process executed a set user ID (setuid) application before
exiting. This could allow a local, unprivileged user to elevate their
privileges. (CVE-2009-1337, Important)

• the Linux kernel implementation of the Network File System (NFS) did not

properly initialize the file name limit in the nfs_server data structure.
This flaw could possibly lead to a denial of service on a client mounting
an NFS share. (CVE-2009-1336, Moderate)

Bug Fixes and Enhancements:

Kernel Feature Support:

• added a new allowable value to "/proc/sys/kernel/wake_balance" to allow

the scheduler to run the thread on any available CPU rather than scheduling
it on the optimal CPU.

• added "max_writeback_pages" tunable parameter to /proc/sys/vm/ to allow

the maximum number of modified pages kupdate writes to disk, per iteration
per run.

• added "swap_token_timeout" tunable parameter to /proc/sys/vm/ to provide

a valid hold time for the swap out protection token.

• added diskdump support to sata_svw driver.
• limited physical memory to 64GB for 32-bit kernels running on systems

with more than 64GB of physical memory to prevent boot failures.

• improved reliability of autofs.
• added support for 'rdattr_error' in NFSv4 readdir requests.
• fixed various short packet handling issues for NFSv4 readdir and sunrpc.
• fixed several CIFS bugs.

Networking and IPv6 Enablement:

• added router solicitation support.
• enforced sg requires tx csum in ethtool.

Platform Support:

x86, AMD64, Intel 64, IBM System z

• added support for a new Intel chipset.
• added initialization vendor info in boot_cpu_data.
• added support for N_Port ID Virtualization (NPIV) for IBM System z guests

using zFCP.

• added HDMI support for some AMD and ATI chipsets.
• updated HDA driver in ALSA to latest upstream as of 2008-07-22.
• added support for affected_cpus for cpufreq.
• removed polling timer from i8042.
• fixed PM-Timer when using the ASUS A8V Deluxe motherboard.
• backported usbfs_mutex in usbfs.

64-bit PowerPC:

• updated eHEA driver from version 0078-04 to 0078-08.
• updated logging of checksum errors in the eHEA driver.

Network Driver Updates:

• updated forcedeth driver to latest upstream version 0.61.
• fixed various e1000 issues when using Intel ESB2 hardware.
• updated e1000e driver to upstream version 0.3.3.3-k6.
• updated igb to upstream version 1.2.45-k2.
• updated tg3 to upstream version 3.96.
• updated ixgbe to upstream version 1.3.18-k4.
• updated bnx2 to upstream version 1.7.9.
• updated bnx2x to upstream version 1.45.23.
• fixed bugs and added enhancements for the NetXen NX2031 and NX3031

products.

• updated Realtek r8169 driver to support newer network chipsets. All

variants of RTL810x/RTL8168(9) are now supported.

Storage Driver Updates:

• fixed various SCSI issues. Also, the SCSI sd driver now calls the

revalidate_disk wrapper.

• fixed a dmraid reduced I/O delay bug in certain configurations.
• removed quirk aac_quirk_scsi_32 for some aacraid controllers.
• updated FCP driver on IBM System z systems with support for

point-to-point connections.

• updated lpfc to version 8.0.16.46.
• updated megaraid_sas to version 4.01-RH1.
• updated MPT Fusion driver to version 3.12.29.00rh.
• updated qla2xxx firmware to 4.06.01 for 4GB/s and 8GB/s adapters.
• updated qla2xxx driver to version 8.02.09.00.04.08-d.
• fixed sata_nv in libsata to disable ADMA mode by default.

Miscellaneous Updates:

• upgraded OpenFabrics Alliance Enterprise Distribution (OFED) to version

1.4.

• added driver support and fixes for various Wacom tablets.

Users should install this update, which resolves these issues and adds
these enhancements.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 161590 - sr_get_mcn: check for kmalloc failure
• BZ - 161594 - drivers/scsi/sg.c: fix check after use
• BZ - 169129 - remove tape during error handling -> "illegal state transition"
• BZ - 175189 - Debug: sleeping function called from invalid context at include/linux/rwsem.h:43
• BZ - 175830 - dm-snap.c: Data read from snapshot may be corrupt if origin is being written to simultaneously
• BZ - 182687 - lm_sensors fails with piix4_smbus errors on ServerWorks Grand Champion SL/w83781d
• BZ - 183651 - sd data corrupter
• BZ - 185585 - Hangs when registering modules to handle ioctls in kernel compatibility mode
• BZ - 191764 - [PATCH] Don't match tcp/udp source/destination port for IP fragments
• BZ - 191767 - [PATCH] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.
• BZ - 191770 - [PATCH] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption
• BZ - 191777 - [PATCH] Fix deadlock in br_stp_disable_bridge
• BZ - 191797 - [PATCH] Fix extra dst release when ip_options_echo fails
• BZ - 203235 - PMTimer doesn't get detected in an Asus A8V Deluxe motherboard
• BZ - 243067 - Kernel panic using USB serial I/O
• BZ - 248666 - Serious problems during the diskdump, can cause the machine to hang and not reboot.
• BZ - 249775 - Request to backport zFCP NPIV support to RHEL 4
• BZ - 249867 - Kernel can BUG() in low memory conditions
• BZ - 253754 - use after free in nlm subsystem
• BZ - 294821 - RHEL4.5: PM Timer appears in top-level make menuconfig
• BZ - 298811 - pci_alloc_consistent() for 64k on 16gig machine -> return value is not multiple of 64k
• BZ - 329201 - scsi hot swapp mechanism not working with SATA HDD under RHEL4U5
• BZ - 334411 - Watchdog timeout e1000 (7.3.20-k2-NAPI)
• BZ - 367661 - Getting Cpu stuck messages on boot up
• BZ - 430997 - tx checksum offload settings reported incorrectly
• BZ - 432364 - e1000e: Wakeup-on-Lan does not work
• BZ - 432393 - memory leak on size-8192 buckets with NFSV4
• BZ - 432881 - kernel: NFS: v4 server returned a bad sequence-id error!
• BZ - 437410 - ip tunnel can't be bound to another device
• BZ - 437555 - via-rhine may lose link
• BZ - 437674 - Kernel Panic in tcp_retransmit_skb
• BZ - 437881 - ptrace: orig_rax 0x00000000ffffffff not recognized as -1
• BZ - 437921 - [PATCH] NFSv3: mode of the symlink can be update
• BZ - 439043 - Swap Token issue with RHEL4
• BZ - 439431 - include patch to add FATTR4_RDATTR_ERROR to readdir calls
• BZ - 439548 - A deadlock can occur between mmap/munmap and journaling(ext3).
• BZ - 439920 - entropy generation in bnx2 driver not consistent with other network drivers on RHEL4
• BZ - 439921 - align per-cpu section to configured cache bytes
• BZ - 440467 - ethttool -S on r8169 version 2.2LK hangs when interface is down
• BZ - 441707 - ADMA problems with sata_nv
• BZ - 441794 - intermittant mount failures
• BZ - 442579 - Backport fix for possible data corruption in mark_buffer_dirty on SMP
• BZ - 443044 - fix setuid/setgid clearing by knfsd
• BZ - 443655 - Clean up handling of short readdir packets in NFS client
• BZ - 445054 - 8250 serial port lock recursion
• BZ - 445412 - clean up CIFS build warnings
• BZ - 445795 - /proc filesystem in RHEL4 doesn't follow usual unix filesystem conventions
• BZ - 446083 - Ensure that 'noac' and/or 'actimeo=0' turn off attribute caching
• BZ - 446396 - crm #1790828 Kernel 2.6.9-67.ELsmp panics in nfs4_free_client
• BZ - 447397 - CIFS: slab error in kmem_cache_destroy(): cache `cifs_request': Can't free all objects
• BZ - 447401 - CIFS VFS: Send error in FindClose = -9
• BZ - 447413 - CIFS: clear DFS bit in header_assemble
• BZ - 447569 - mounting CIFS subshare doesn't autoconvert prepath delimiters
• BZ - 447741 - JBD: Fix typo that could result in filesystem corruption.
• BZ - 448076 - memory corruption due to portmap call succeeding after parent rpc_clnt has been freed
• BZ - 448603 - holding files under /proc/net open no longer adds to module refcount
• BZ - 448777 - Backport FCP point-to-point to RHEL 4
• BZ - 450953 - el4u6 xenU guest kernel lockup due to mm_unpinned_lock and runqueue spinlock deadlock
• BZ - 451819 - process hangs in async direct IO / possible race between dio_bio_end_aio() and dio_await_one() ?
• BZ - 452287 - [Intel 4.8 FEAT] e1000e driver update to latest upstream
• BZ - 452289 - [Intel 4.8 FEAT] igb driver update to latest upstream
• BZ - 452292 - [Intel 4.8 FEAT] ixgbe driver update to latest upstream
• BZ - 452390 - PATH and EXECVE audit records contain bogus newlines
• BZ - 452706 - kernel BUG at kernel/signal.c:369! (attempt to free tsk->signal twice)
• BZ - 452846 - FEAT: RHEL 4.8 HDA ALSA driver update from mainstream
• BZ - 453053 - RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
• BZ - 453171 - kernel: usbhid: probe of 3-1:1.0 failed with error -5
• BZ - 453359 - page keeps non uptodate
• BZ - 453507 - kernel panic with kernel version 2.6.9-67.0.20.EL
• BZ - 454050 - Fail to build kernel when enable CONFIG_ACPI_DEBUG in .config
• BZ - 454417 - Inconsistent documentation regarding pci_alloc_consistent
• BZ - 454793 - document divider= option in kernel docs
• BZ - 454838 - LTC:4.8:201714:Update the ehea driver to sync with mainline kernel
• BZ - 454872 - [NetApp 4.8 bug] online resize of filesystem does not work
• BZ - 455253 - [4.7] /proc/acpi/dsdt: No such device
• BZ - 455756 - [RHEL4/Xen]: Allow attach of > 16 xvd devices
• BZ - 455843 - Kernel panic at hcd_pci_release+16
• BZ - 455917 - fattr structs being used uninitialized in nfs3_proc_getacl and nfs3_proc_setacls
• BZ - 456051 - kernel: fix array out of bounds when mounting with selinux options [rhel-4.8]
• BZ - 456078 - Timeouts in wait_drive_not_busy with TEAC DV-W28ECW and similar
• BZ - 456425 - Crash dump fails on IA64 with block_order set to 10
• BZ - 456438 - [RHEL4.7 Beta] Wake on LAN function does not operate with LAN card which uses igb driver
• BZ - 456653 - Crash due to incorrect inet{,6} device initialization order
• BZ - 456664 - Kernel panic when unloading ip conntrack modules
• BZ - 456686 - race in aio_complete() leads to process hang
• BZ - 456911 - RHEL4 scheduler optimizations for financial applications
• BZ - 457009 - ipv6: use timer pending to fix bridge reference count problem [rhel-4.8]
• BZ - 457015 - pppoe: Check packet length on all receive paths [rhel-4.8]
• BZ - 457020 - pppoe: Unshare skb before anything else [rhel-4.8]
• BZ - 457028 - ide-cd: fix oops when using growisofs [rhel-4.8]
• BZ - 457310 - RTL8101E with driver r8169 does not work on 1000 network
• BZ - 457409 - [RHEL4.6] x86_64 race condition at shutdown/panic
• BZ - 457552 - aac_fib_send failed with status 8195
• BZ - 458022 - kernel: random32: seeding improvement [rhel-4.8]
• BZ - 458805 - missing infiniband kernel headers
• BZ - 458863 - Backport NetXen nic driver from upstream kernel to RHEL4
• BZ - 458955 - Badness in __writeback_single_inode at fs/fs-writeback.c:248
• BZ - 459063 - pppoe: Fix skb_unshare_check call position [rhel-4.8]
• BZ - 459222 - RHEL4.8: Patch to support new HDMI Audio
• BZ - 459644 - [RHEL4] nmi watchdog: include fix for Pentium 4 D processors
• BZ - 460083 - Kernel part of AutoFS still having issues with expiration of submount maps
• BZ - 460106 - regression, rhel4.7+, on the try to read /proc/self/mem getting improper return value
• BZ - 460859 - kernel: devmem: add range_is_allowed() check to mmap_mem() [rhel-4.8]
• BZ - 460874 - lost packets when live migrating (RHEL4 XEN)
• BZ - 461005 - CIFS option forcedirectio fails to allow the appending of text to files.
• BZ - 461014 - netdump fails when bnx2 has remote copper PHY - Badness in local_bh_enable at kernel/softirq.c:141
• BZ - 461085 - lockd: return NLM_LCK_DENIED_GRACE_PERIOD after long periods
• BZ - 461246 - RHEL4 64 bit skips all pids with bit 15 set (32768-65535, 98304-131071 etc)
• BZ - 462277 - find using an automounted directory results in 'No such file or directory'
• BZ - 462278 - do_mount_indirect: indirect trigger not valid
• BZ - 462459 - Update CIFS for RHEL4.8
• BZ - 463897 - [RHEL4 PV-on-HVM]: Crash in xen-vbd when trying to attach disks
• BZ - 464676 - virtual ethernet device stops working on reception of duplicate backend state change signals
• BZ - 465360 - openib creates multiple /proc/net/sdp files
• BZ - 465366 - add multi-core support to cpufreq driver
• BZ - 465487 - Fix compile warnings caused by adding roundup() to kernel.h
• BZ - 465914 - rhel4 PV guest installations busted on rhel 5.3 i386 intel dom0
• BZ - 466127 - dasd: fix loop in request expiration handling
• BZ - 467442 - Concurrent CIFS mount/umount processes to same windows machine, different shares hangs umount processes or crashes kernel
• BZ - 467669 - kernel panic related to autofs4_catatonic_mode when stopping autofs
• BZ - 467714 - Kernel BUG at include/linux/module.h:397
• BZ - 467829 - md: pass down BIO_RW_SYNC in raid{1,10}' applied to RHEL4 kernel
• BZ - 468890 - BUG() call in net/core/skbuff.c in function ___pksb_trim()
• BZ - 471560 - [4.7.z] Unable to Unload "ohci-hcd " And to Reboot
• BZ - 472005 - [Stratus 4.8 bug REVERT] panic reading /proc/bus/input/devices during input device removal
• BZ - 472557 - futex missreporting ETIMEDOUT instead of EINVAL
• BZ - 472568 - CRM #1862478 xen guest installation panics when installing 100th guest
• BZ - 472572 - RHEL4.7 guest will crash, if creating with only RTL8139 emulation NIC
• BZ - 473258 - [4.7] ethtool operation to the slave device of bonding makes the system hang up.
• BZ - 474055 - [RHEL-4] wacomexpresskeys: fix Graphire support
• BZ - 474479 - RHEL4.8 kernel crashed in net_rx_action() on IA64 machine in RHTS connectathon test
• BZ - 474667 - Need to build xen-platform-pci as a module and not into the kernel
• BZ - 475715 - [autofs4] Incorrect "active offset mount" messages in syslog
• BZ - 475849 - [RHEL 4.7 Xen]: Guest hang on FV save/restore
• BZ - 476461 - panic in kcopyd during snapshot I/O
• BZ - 476704 - [QLogic 4.8 bug] qla2xxx - Properly support programmable devices
• BZ - 476726 - [nfs] actimeo=0 not enforced during ftruncate operations, resulting in database crashes
• BZ - 477202 - oops in net_rx_action on double free of dev->poll_list
• BZ - 477280 - [QLogic 4.8 bug] qla4xxx - Driver Update Patches - bugs, cleanups
• BZ - 477635 - If diskdump fails, panic information should be displayed.
• BZ - 477945 - Kernel Panic with Bnx2 - Badness in local_bh_enable at kernel/softirq.c:141
• BZ - 478687 - LTC:4.8:200770:Include Open Fabric Enterprise Distribution
• BZ - 478798 - fix scsi device cleanup when sysfs addition fails
• BZ - 479094 - [QLogic 4.8 bug] qla2xxx - Updates from standard and upstream drivers
• BZ - 479728 - NFS: unable to unmount file system
• BZ - 479764 - Leap second message can hang the kernel
• BZ - 479845 - Kernel maintainer's bz for committing some maintenance patches
• BZ - 479862 - [QLogic 4.8 bug] qla4xxx - Correct version number
• BZ - 479910 - Kernel Panic on AMD-K6
• BZ - 480137 - Improve udp port randomization
• BZ - 480158 - RHEL 4.8 mpt driver fails to bring up device
• BZ - 480666 - [EMULEX 4.8 bug] scsi messages correlate with silent data corruption, but no i/o errors
• BZ - 481207 - netdump generates incomplete vmcore logs with Broadcom BCM5754
• BZ - 482822 - Intel E1000 doesn't work on NVIDIA MCP51 motherboards
• BZ - 483535 - RHEL4 kvm virtio: kernel driver updates
• BZ - 484261 - cifs mounted home directory breaks ssh security checks on authorized_keys file
• BZ - 484319 - Random crashing in dm snapshots because of a race condition
• BZ - 484376 - netdump is broken on igb and ixgbe devices in recent update
• BZ - 484667 - Dropping packets in bnx2 since 1.7.9 bnx2 version
• BZ - 485092 - [Qlogic 4.8 bug] qla4xxx: properly support the Async Msg PDU
• BZ - 485421 - Kernel panic when running xen-vnif enabled FV guest image on KVM
• BZ - 488018 - NMI appears to be stuck (460) - NMI received for unknown reason 21
• BZ - 489300 - fix dst cache leak
• BZ - 489768 - [RHEL4u4] Kernel panic was caused by page_symlink() when kernel has to shrink caches
• BZ - 490021 - Creation of mirrored logical volume with VG extent-size of 1K fails
• BZ - 490744 - UNDERRUN and TIMEOUT status with qla2xxx
• BZ - 491154 - divider option does not work with TSC clocksource
• BZ - 491784 - [QLogic 4.8 bug] qla2xxx - fixes for flash, loop resets and HBA traversal
• BZ - 492156 - [QLogic 4.8 bug] qla2xxx - firmware update for blade servers
• BZ - 493771 - CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check
• BZ - 494074 - CVE-2009-1336 kernel: nfsv4 client can be crashed by stating a long filename
• BZ - 495673 - kernel dm crypt: memory corruption when invalid mapping parameters provided

CVEs

• CVE-2009-1337
• CVE-2009-1336

References

• http://www.redhat.com/security/updates/classification/#important
• http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/4.8/html/Release_Notes/index.html