||Red Hat Enterprise Linux 6 Essentials eBook now available in PDF and ePub formats for only $9.99
RHEL 6 Essentials contains 40 chapters and over 250 pages.
E.1.1. RHSA-2010:0842: Important: kernel security and bug fix update
This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0842
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
* Missing sanity checks in the Intel
driver in the Linux kernel could allow a local, unprivileged user to escalate their privileges. (CVE-2010-2962
in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081
* A buffer overflow flaw in
Ethernet driver in the Linux kernel, could allow a local user to cause a denial of service or escalate their privileges. (CVE-2010-3084
* A flaw in the IA32 system call emulation provided in 64-bit Linux kernels could allow a local user to escalate their privileges. (CVE-2010-3301
* A flaw in
in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service. (CVE-2010-3432
* A missing integer overflow check in
in the Linux kernel's sound subsystem could allow a local, unprivileged user on a 32-bit system to cause a denial of service or escalate their privileges. (CVE-2010-3442
* A flaw was found in
in the Linux kernel's SCTP implementation. When iterating through the
array, it did not reset the last id element if it was out of range. This could allow a remote attacker to cause a denial of service. (CVE-2010-3705
* A function in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was missing sanity checks, which could allow a local, unprivileged user to escalate their privileges. (CVE-2010-3904
* A flaw in
in the Linux kernel's Direct Rendering Manager (DRM) implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-2803
* It was found that wireless drivers might not always clear allocated buffers when handling a driver-specific IOCTL information request. A local user could trigger this flaw to cause an information leak. (CVE-2010-2955
* A NULL pointer dereference flaw in
in the Linux kernel's ftrace implementation could allow a local, unprivileged user to cause a denial of service. Note: The debugfs file system must be mounted locally to exploit this issue. It is not mounted by default. (CVE-2010-3079
* A flaw in the Linux kernel's packet writing driver could be triggered via the
IOCTL request, possibly allowing a local, unprivileged user with access to
to cause an information leak. Note: By default, only users in the cdrom group have access to
* A flaw was found in the way KVM (Kernel-based Virtual Machine) handled the reloading of
segment registers when they had invalid selectors. A privileged host user with access to
could use this flaw to crash the host. (CVE-2010-3698
Red Hat would like to thank Kees Cook for reporting CVE-2010-2962 and CVE-2010-2803; Ben Hawkes for reporting CVE-2010-3081 and CVE-2010-3301; Dan Rosenberg for reporting CVE-2010-3442, CVE-2010-3705, CVE-2010-3904, and CVE-2010-3437; and Robert Swiecki for reporting CVE-2010-3079.
When booting a Red Hat Enterprise Linux 5.5 kernel on a guest on an AMD host system running Red Hat Enterprise Linux 6, the guest kernel crashes due to an unsupported MSR (Model Specific Registers) read of the MSR_K7_CLK_CTL model. With this update, KVM support was added for the MSR_K7_CLK_CTL model specific register used in the AMD K7 CPU models, thus, the kernel crashes no longer occur.
s390 tape block driver crashed whenever it tried to switch the I/O scheduler. With this update, an official in-kernel API (
elevator_change()) is used to switch the I/O scheduler safely, thus, the crashes no longer occurs.
Previously, a kernel module not shipped by Red Hat was successfully loaded when the
FIPS boot option was enabled. With this update, kernel self-integrity is improved by rejecting to load kernel modules which are not shipped by Red Hat when the
FIPS boot option is enabled.
A regression was discovered that caused kernel panic during the booting of any SGI UV100 and UV1000 system unless the
virtefi command line option was passed to the kernel by GRUB. With this update, the need for the
virtefi command line option is removed and the kernel will boots as expected without it.
Previously, a Windows XP host experienced the stop error screen (i.e. the "Blue Screen Of Death" error) when booted with the CPU mode name. With this update, a Windows XP host no longer experiences the aforementioned error due to added KVM (Kernel-based Virtual Machine) support for the MSR_EBC_FREQUENCY_ID model specific register.
Previously the cxgb3 (Chelsio Communications T3 10Gb Ethernet) adapter experienced parity errors. With this update, the parity errors are correctly detected and the cxgb3 adapter successfully recovers from them.
Systems with an updated Video BIOS for the AMD RS880 would not properly boot with KMS (Kernel mode-setting) enabled. With this update, the Video BIOS boots successfully when KMS is enabled.
The zfcpdump (kdump) kernel on IBM System z could not be debugged using the dump analysis tool crash, because the
vmlinux file in the kernel-kdump-debuginfo RPM did not contain DWARF debug information. With this update, the
CONFIG_DEBUG_KERNEL parameter is set to yes and the needed debug information is provided.
Previously, MADV_HUGEPAGE was missing in the
include/asm-generic/mman-common.h file which caused madvise to fail to utilize TPH. With this update, the madvise option was removed from
/sys/kernel/mm/redhat_transparent_hugepage/enabled since MADV_HUGEPAGE was removed from the
madvise system call.
The kernel panicked when booting the kdump kernel on a
s390 system with an initramfs that contained an odd number of bytes. With this update, an initramfs with sufficient padding such that it contains an even number of bytes is generated, thus, the kernel no longer panics.
Previously, in order to install Snapshot 13, boot parameter
nomodeset xforcevesa had to be added to the kernel command line, otherwise, the screen turned black and and prevented the installation. With this update, the aforementioned boot parameter no longer has to be specified and the installation works as expected.
Previously, a write request may have merged with a discard request. This could have posed a potential risk for 3rd party drivers which could possibly issue a discard without waiting properly. With this update, discarding of write block I/O requests by preventing merges of discard and write requests in one block I/O has been introduced, thus, resolving the possible risks.
- BZ#641258, BZ#644037
fork() system call led to an
rmap walk finding the parent
huge-pmd twice instead of once, thus causing a discrepancy between the
page_mapcount check, which could have led to erratic page counts for subpages. This fix ensures that that the
rmap walk is accurate when a process is forked, thus resolving the issue.
Running a fsstress test which issues various operations on a ext4 filesystem when
usrquota is enabled, the following JBD (Journaling Block Device) error was output in
JBD: Spotted dirty metadata buffer (dev = sda10, blocknr = 17635). There's a risk of filesystem corruption in case of system crash.
With this update, by always journaling the quota file modification in an ext4 file system the aforementioned message no longer appears in the logs.
Previously, the destination MAC address validation was not checking for NPIV (N_Port ID Virtualization) addresses, which results in FCoE (Fibre Channel over Ethernet) frames being dropped. With this update, the destination MAC address check for FCoE frames has been modified so that multiple
N_port IDs can be multiplexed on a single physical
During an installation through Cisco NPV (N port virtualization) to Brocade, adding a LUN (Logical Unit Number) through
did not work properly. This was caused by the faulty resending of FLOGI (Fabric Login) when a Fibre Channel switch in the NPV mode rejected requests with zero Destination ID. With this update, the LUN is seen and able to be selected for installation.
Previously, timing issues could cause the FIP (FCoE Initialization Protocol) FLOGIs to timeout even if there were no problems. This caused the kernel to go into a non-FIP mode even though it should have been in the FIP mode. With this update, the timing issues no longer occur and the kernel no longer switches to the non-FIP mode when logging to the Fibre Channel Switch/Forwarder.
Previously, the vmstat (virtual memory statistics) tool incorrectly reported the disk I/O as swap-in on ppc64 and other architectures that do not support the
TRANSPARENT_HUGEPAGE configuration option in the kernel. With this update, the vmstat tool no longer reports incorrect statistics and works as expected.
Previously, building under memory pressure with KSM (Kernel Shared Memory) caused KSM to collapse with an internal compiler error indicating an error in swapping. With this update, data corruption during swapping no longer occurs.
anon_vma variable could contain the value
null in the
page_address_in_vma function and cause kernel panic. With this update, kernel panic no longer occurs.
/proc/maps file which is read by LVM2 (Logical Volume Manager 2) contained inconsistencies caused by LVM2 incorrectly deciding which memory to
munlock. With this update, LVM2 correctly decides between the
munlock operations and no longer causes inconsistencies.
Systems that have an Emulex FC controller (with SLI-3 based firmware) installed could return a kernel panic during installation. With this update, kernel panic no longer occurs during installation.
This update fixes the slow memory leak in the i915 module in DRM (Direct Rendering Manager) and GEM (Graphics Execution Manager).
Previously, a race condition in the TTM (Translation Table Maps) module of the DRM (Direct Rendering Manager) between the object destruction thread and object eviction could result in a major loss of large objects reference counts. Consequently, this caused a major amount of memory leak. With this update, the race condition no longer occurs and any memory leaks are prevented.
Previously, an operation such as
madvise(MADV_MERGEABLE) may have split VMAs (Virtual Memory Area) without checking if any huge page had to be split into regular pages, leading to huge pages to be still mapped in VMA ranges that would not be large enough to fit huge pages. With this update, huge pages are checked whether they have been split when any VMA is being truncated.
Previously, accounting of reclaimable inodes did not work correctly. When an inode was reclaimed it was only deleted from the per-AG (per Allocation Group) tree. Neither the counter was decreased, nor was the parent tree's AG entry untagged properly. This caused the system to hang indefinitely. With this update, the accounting of reclaimable inodes works properly and the system remains responsive.
A race condition occurred when Xen was presented with an inconsistent page type resulting in the crash of the kernel. With this update, the race condition is prevented and kernel crashes no longer occur.
Previously, Red Hat Enterprise Linux 6 enabled the
CONFIG_IMA option in the kernel. This caused the kernel to track all inodes in the system in a radix tree, leading to a huge waste of memory. With this update, an optimized version of a tree (rbtree) is used and memory is no longer wasted.
Previously, calling the
elevator_change function immediately after the
blk_init_queue function resulted in a null pointer dereference. With this update, the null pointer dereference no longer occurs.
When booting the latest Red Hat Enterprise Linux 6 kernel (-78.el6), the system hanged shortly after the booting. Access to the file system died and the console started outputting soft lockup messages from the TTM code. With this update, the aforementioned behavior no longer occurs and the system boots as expected.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.