Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2016:0212 - Security Advisory
Issued:
2016-02-16
Updated:
2016-02-16

RHSA-2016:0212 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: kernel-rt security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated kernel-rt packages that fix two security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

  • It was found that the Linux kernel's keys subsystem did not correctly

garbage collect uninstantiated keyrings. A local attacker could use this
flaw to crash the system or, potentially, escalate their privileges on the
system. (CVE-2015-7872, Important)

  • A flaw was found in the way the Linux kernel handled IRET faults during

the processing of NMIs. An unprivileged, local user could use this flaw to
crash the system or, potentially (although highly unlikely), escalate their
privileges on the system. (CVE-2015-5157, Moderate)

The kernel-rt packages have been upgraded to version 3.10.0-327.10.1, which
provides a number of bug fixes and enhancements, including:

  • [md] dm: fix AB-BA deadlock in __dm_destroy()
  • [md] revert "dm-mpath: fix stalls when handling invalid ioctl
  • [cpufreq] intel_pstate: Fix limits->max_perf and limits->max_policy_pct

rounding errors

  • [cpufreq] revert "intel_pstate: fix rounding error in max_freq_pct"
  • [crypto] nx: 842 - Add CRC and validation support
  • [of] return NUMA_NO_NODE from fallback of_node_to_nid()

(BZ#1282591)

This update also fixes the following bugs:

  • Because the realtime kernel replaces most of the spinlocks with

rtmutexes, the locking scheme used in both NAPI polling and busy polling
could become out of synchronization with the State Machine they protected.
This could cause system performance degradation or even a livelock
situation when a machine with faster NICs (10g or 40g) was subject to a
heavy pressure receiving network packets. The locking schemes on NAPI
polling and busy polling routines have been hardened to enforce the State
machine sanity to help ensure the system continues to function properly
under pressure. (BZ#1293230)

  • A possible livelock in the NAPI polling and busy polling routines could

lead the system to a livelock on threads running at high, realtime,
priorities. The threads running at priorities lower than the ones of the
threads involved in the livelock were prevented from running on the CPUs
affected by the livelock. Among those lower priority threads are the rcuc/
threads. With this update, right before (4 jiffies) a RCU stall is
detected, the rcuc/ threads on the CPUs facing the livelock have their
priorities boosted above the priority of the threads involved in the
livelock. The softirq code has also been updated to be more robust.
These modifications allow the rcuc/ threads to execute even under system
pressure, mitigating the RCU stalls. (BZ#1293229)

  • Multiple CPUs trying to take an rq lock previously caused large latencies

on machines with many CPUs. On systems with more than 32 cores, this update
uses the "push" rather than "pull" approach and provides multiple changes
to the scheduling of rq locks. As a result, machines no longer suffer from
multiplied latencies on large CPU systems. (BZ#1282597)

  • Previously, the SFC driver for 10 GB cards executed polling in NAPI mode,

using a locking mechanism similar to a "trylock". Consequently, when
running on a Realtime kernel, a livelock could occur. This update modifies
the locking mechanism so that once the lock is taken it is not released
until the operation is complete. (BZ#1282609)

All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. The system must be
rebooted for this update to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for Real Time 7 x86_64

Fixes

  • BZ - 1259577 - CVE-2015-5157 kernel: x86-64: IRET faults during NMIs processing
  • BZ - 1272371 - CVE-2015-7872 kernel: Keyrings crash triggerable by unprivileged user
  • BZ - 1282591 - kernel-rt: update to the RHEL7.2.z batch 2 source tree
  • BZ - 1293229 - RCU stalls message on realtime kernel
  • BZ - 1293230 - rt: netpoll: live lock with NAPI polling and busy polling on realtime kernel

CVEs

  • CVE-2015-5157
  • CVE-2015-7872

References

  • http://www.redhat.com/security/updates/classification/#normal
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for Real Time 7

SRPM
kernel-rt-3.10.0-327.10.1.rt56.211.el7_2.src.rpm SHA-256: 99879b28933083c11df698d6e9869cbc7743e8da13c0d1da4226a68e0da388de
x86_64
kernel-rt-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: 31228c2a4598f16a0545b3942e578803429e7ebee85683b1a69c7015e48b0199
kernel-rt-debug-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: d99e53938e2bb2d19a9d1d66a7f170b8b7f122d01f7b4972b6b9d051b3b08866
kernel-rt-debug-debuginfo-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: 51e916845605400b9fff2bfd04b0ca07b48a9157171d6c46b3e1ae108f7b5f7a
kernel-rt-debug-devel-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: 4d15f24f4661135a855779d5c577babc3a4e17cf5040a8790447e32fcf832e1b
kernel-rt-debuginfo-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: c080a13cf31382895cc4c7cc83d4c1c1750b729a5c5b8d2d12f1d71b00fb0b82
kernel-rt-debuginfo-common-x86_64-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: 620e46296c9239786446c56b675e72ae9966246f9ee76afa85d6aacf1d8b6e92
kernel-rt-devel-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: fa3a91f8eda06837e0ae4d9c49a8d0ad4c763e92364919adcac0a8d659ae5572
kernel-rt-doc-3.10.0-327.10.1.rt56.211.el7_2.noarch.rpm SHA-256: d384aa77396f9d45a42e4057a4d220e09bb25ad17b841704333439d0a4512396
kernel-rt-trace-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: c1f6d60ee8e1b9cc811d9fc97837b5fbbc5282e5f41d83017b31c515771f181a
kernel-rt-trace-debuginfo-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: fa3b0f1dcc1c48ef39994a5c5da9b94c35701d7d078ac9dcc18b0c8e91a1777b
kernel-rt-trace-devel-3.10.0-327.10.1.rt56.211.el7_2.x86_64.rpm SHA-256: d2726da4b37d732a9df230ade785544ff93dbd2653c1728ce3b435fc7ba20290

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter