Red Hat Product Errata RHSA-2017:0387 - Security Advisory

Issued: 2017-03-02
Updated: 2017-03-02

Synopsis

Important: kernel-rt security and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

  • A Linux kernel built with Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw. It can occur on the x86 platform when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel, resulting in a denial of service (DoS). (CVE-2016-8630, Important)
  • A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)
  • A flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution. (CVE-2016-9083, Important)
  • The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine. (CVE-2016-9084, Moderate)

Red Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.

Bug Fix(es):

  • Previously, the asynchronous page fault wake code referenced spinlocks, which are actually sleeping locks in the RT kernel. Because of this, when the code was executed from the exception context, a bug warning appeared on the console. With this update, the regular wait queue and spinlock code in this area has been modified to use simple-wait-queue and raw-spinlocks. This code change enables the asynchronous page fault code to run in a non-preemptable state without bug warnings. (BZ#1418035)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.
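
Because the fix only takes effect after a reboot, the running kernel has to be checked, not just the installed package. The following is an added example (not part of the advisory and not Red Hat tooling) that classifies a `uname -r` string against the fixed build 3.10.0-514.10.2.rt56.435.el7 listed in this advisory, using a simplified re-implementation of rpm's segment-wise comparison, because plain string or naive version sorting misorders release fields such as 6 and 10 or a release with no z-stream fields. The function names are hypothetical, and tilde/caret handling is omitted.

```python
import re

# Fixed kernel-rt build, taken from the package list in this advisory.
FIXED = "3.10.0-514.10.2.rt56.435.el7"

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators only delimit.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_part_cmp(a, b):
    """Simplified rpmvercmp for one version or release string (no ~ or ^)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpm_part_cmp(va, vb) or rpm_part_cmp(ra, rb)

def check_running(uname_r, fixed=FIXED):
    """Classify a `uname -r` string against the fixed kernel-rt build."""
    vr = re.sub(r"\.(x86_64|noarch)$", "", uname_r.strip())
    if not re.search(r"\.rt\d+\.", vr):
        return "not-kernel-rt"  # this advisory covers kernel-rt only
    return "fixed" if evr_cmp(vr, fixed) >= 0 else "vulnerable"

if __name__ == "__main__":
    import platform
    rel = platform.release()  # same value as `uname -r`
    print(rel, "->", check_running(rel))
```

A result of "vulnerable" on a host where the updated package is already installed means the reboot has not happened yet.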

Affected Products

  • Red Hat Enterprise Linux for Real Time 7 x86_64
  • Red Hat Enterprise Linux for Real Time for NFV 7 x86_64

Fixes

  • BZ - 1389258 - CVE-2016-9083 kernel: State machine confusion bug in vfio driver leading to memory corruption
  • BZ - 1389259 - CVE-2016-9084 kernel: Integer overflow when using kzalloc in vfio driver
  • BZ - 1393350 - CVE-2016-8630 kernel: kvm: x86: NULL pointer dereference during instruction decode
  • BZ - 1400019 - CVE-2016-8655 kernel: Race condition in packet_set_ring leads to use after free
  • BZ - 1415172 - kernel-rt: update to the RHEL7.3.z batch#3 source tree [rt-7.3.z]

CVEs

  • CVE-2016-8630
  • CVE-2016-8655
  • CVE-2016-9083
  • CVE-2016-9084

References

  • https://access.redhat.com/security/updates/classification/#important

Updated Packages

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for Real Time 7

SRPM
kernel-rt-3.10.0-514.10.2.rt56.435.el7.src.rpm SHA-256: 9b7aa0189e1f2f0d576d7d6f70b5b5aa0325b675e2aa0bb4990e97ee249a6040
x86_64
kernel-rt-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 00ce7965e3d87093700816c3f65bedb7d1e285517c6b72ff096f1d59a288eb05
kernel-rt-debug-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 83f5e85270dcf97733d1e3d0d764a7ccc5af3d747e5e75eea96e37a61e6e19d6
kernel-rt-debug-debuginfo-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 4c94bdd9791d943c77c01ebb2301f9614100416bebe5fbfcba648494d2130813
kernel-rt-debug-devel-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 1b5bd85c5cdd6421521b289dd27043636c8029adb65d68e7bbd59435607a7c17
kernel-rt-debuginfo-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 2ab1d2b40fa191c00b2f9ab74ce27a28698a552ffdcbb1f2af2b2c11d4ff6974
kernel-rt-debuginfo-common-x86_64-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 71a6abfb13c36a67d05076867efa1bf88bf0d6e9248e20aaa78565b68142e1ab
kernel-rt-devel-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 27fb1ade192b304b2e9a0e95ea73063980e23bd4d2485aa47df5d535c51dfb02
kernel-rt-doc-3.10.0-514.10.2.rt56.435.el7.noarch.rpm SHA-256: ebe1c9131eead78e5007d0f607de16fb8f9ac865a972d8905c99e84b6a30547f
kernel-rt-trace-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: e69e30159ec790ffd9e56d2e0cc928433ddaeea4d6a8f7efa4d7b8b8d4d7df0d
kernel-rt-trace-debuginfo-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: cc53434a94593c987ac616f411df06640c35591abc2be828a8e3f9094d3127e5
kernel-rt-trace-devel-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: f3f9df598fc0f27cf0996ca65d9497e3a08a626949697a70d4edd45df269a9e6

Red Hat Enterprise Linux for Real Time for NFV 7

SRPM
kernel-rt-3.10.0-514.10.2.rt56.435.el7.src.rpm SHA-256: 9b7aa0189e1f2f0d576d7d6f70b5b5aa0325b675e2aa0bb4990e97ee249a6040
x86_64
kernel-rt-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 00ce7965e3d87093700816c3f65bedb7d1e285517c6b72ff096f1d59a288eb05
kernel-rt-debug-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 83f5e85270dcf97733d1e3d0d764a7ccc5af3d747e5e75eea96e37a61e6e19d6
kernel-rt-debug-debuginfo-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 4c94bdd9791d943c77c01ebb2301f9614100416bebe5fbfcba648494d2130813
kernel-rt-debug-devel-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 1b5bd85c5cdd6421521b289dd27043636c8029adb65d68e7bbd59435607a7c17
kernel-rt-debug-kvm-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 62ff6c4b6a4baaa41b110e388ee7174034395049035b24b41e91592c786152d0
kernel-rt-debug-kvm-debuginfo-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: f64249876300ba4be6f64f35008ee5cbe2f72bc87c5aa6e445d38e16358c7900
kernel-rt-debuginfo-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 2ab1d2b40fa191c00b2f9ab74ce27a28698a552ffdcbb1f2af2b2c11d4ff6974
kernel-rt-debuginfo-common-x86_64-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 71a6abfb13c36a67d05076867efa1bf88bf0d6e9248e20aaa78565b68142e1ab
kernel-rt-devel-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 27fb1ade192b304b2e9a0e95ea73063980e23bd4d2485aa47df5d535c51dfb02
kernel-rt-doc-3.10.0-514.10.2.rt56.435.el7.noarch.rpm SHA-256: ebe1c9131eead78e5007d0f607de16fb8f9ac865a972d8905c99e84b6a30547f
kernel-rt-kvm-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: abbb2945c933e2df10caa0e92d8e09f0b6184b62445a25311ec7908f71483c88
kernel-rt-kvm-debuginfo-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 893c4d699905e7bdd4a232c70ce1ad9076fc100191495f53d858b2cfffa8684e
kernel-rt-trace-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: e69e30159ec790ffd9e56d2e0cc928433ddaeea4d6a8f7efa4d7b8b8d4d7df0d
kernel-rt-trace-debuginfo-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: cc53434a94593c987ac616f411df06640c35591abc2be828a8e3f9094d3127e5
kernel-rt-trace-devel-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: f3f9df598fc0f27cf0996ca65d9497e3a08a626949697a70d4edd45df269a9e6
kernel-rt-trace-kvm-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: 3918c2515a8befebfc6c179330e29a253ea904deb1a3bf5da725977f319a0088
kernel-rt-trace-kvm-debuginfo-3.10.0-514.10.2.rt56.435.el7.x86_64.rpm SHA-256: f3ca3b7d5a12ad7bce7337ea1da1aa52b458c4063bd39735120988fe0f82e7be

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Copyright © 2023 Red Hat, Inc.