Moderate: Red Hat Enterprise Linux 6 kernel security, bug fix and enhancement update

Synopsis

Moderate: Red Hat Enterprise Linux 6 kernel security, bug fix and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

Updated kernel packages that fix multiple security issues, address several
hundred bugs and add numerous enhancements are now available as part of the
ongoing support and maintenance of Red Hat Enterprise Linux version 6. This
is the second regular update.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues:

• The proc file system could allow a local, unprivileged user to obtain
  sensitive information or possibly cause integrity issues. (CVE-2011-1020,
  Moderate)
  
• Non-member VLAN (virtual LAN) packet handling for interfaces in
  promiscuous mode and also using the be2net driver could allow an attacker
  on the local network to cause a denial of service. (CVE-2011-3347,
  Moderate)
  
• A flaw was found in the Linux kernel in the way splitting two extents in
  ext4_ext_convert_to_initialized() worked. A local, unprivileged user with
  access to mount and unmount ext4 file systems could use this flaw to cause
  a denial of service. (CVE-2011-3638, Moderate)
  
• A NULL pointer dereference flaw was found in the way the Linux kernel's
  key management facility handled user-defined key types. A local,
  unprivileged user could use the keyctl utility to cause a denial of
  service. (CVE-2011-4110, Moderate)
  

Red Hat would like to thank Kees Cook for reporting CVE-2011-1020; Somnath
Kotur for reporting CVE-2011-3347; and Zheng Liu for reporting
CVE-2011-3638.

This update also fixes several hundred bugs and adds enhancements. Refer to
the Red Hat Enterprise Linux 6.2 Release Notes for information on the most
significant of these changes, and the Technical Notes for further
information, both linked to in the References.

All Red Hat Enterprise Linux 6 users are advised to install these updated
packages, which correct these issues, and fix the bugs and add the
enhancements noted in the Red Hat Enterprise Linux 6.2 Release Notes and
Technical Notes. The system must be rebooted for this update to take
effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386

Fixes

• BZ - 523122 - [RHEL-6 Xen]: Cannot balloon a Xen domU guest above the initial starting memory
• BZ - 612608 - GFS2: kernel BUG at fs/gfs2/glock.c:173! running brawl w/flocks
• BZ - 635968 - Parallel port issue in RHEL 6.0 server
• BZ - 637520 - reboot(RB_AUTOBOOT) fails if kvm instance is running
• BZ - 645777 - [RHEL6][Kernel] BUG: MAX_STACK_TRACE_ENTRIES too low!
• BZ - 646224 - cifs: properly disable fscache support
• BZ - 652262 - Slow writes to ext4 partition - INFO: task flush-253:7:2137 blocked for more than 120 seconds.
• BZ - 654198 - CIFS needs to gracefully handle unresponsive server
• BZ - 656458 - inode used before security_d_instantiate
• BZ - 658291 - SELinux does context calculations even on mount labeled filesystems
• BZ - 662626 - cifs: update NTLMSSP authentication code
• BZ - 662666 - Cannot find the extended attribute of #11 inode after remount
• BZ - 667177 - cachefilesd fails to start with SELinux disabled on default config file
• BZ - 668775 - BKL (lock_kernel) in soft lockup during parallel IO discovery
• BZ - 668791 - disable CONFIG_CIFS_EXPERIMENTAL in RHEL6
• BZ - 669739 - bump domain memory limits
• BZ - 673629 - hugetlbfs fs interface should deal with minus value echoed to /proc/sys/vm/nr_hugepages gracefully
• BZ - 678102 - dlm: increase default hash table sizes
• BZ - 678794 - pktgen makes machine panic
• BZ - 679262 - [RFE] kernel: kptr_restrict for hiding kernel pointers from unprivileged users [rhel-6.2]
• BZ - 680358 - CVE-2011-1020 kernel: no access restrictions of /proc/pid/* after setuid program exec
• BZ - 681647 - Ext4 warnings are printed if a file size in indirect block map is extended to the maximum file size
• BZ - 682789 - Request to update existing thinkpad_acpi module to support newer thinkpads e.g. X100E
• BZ - 688410 - NUMA problems in transparent hugepages
• BZ - 688944 - Kernel Warnings when starting Mellanox 10Gb network
• BZ - 689223 - [RHEL-6] statvfs tries to stat unrelated mountpoints
• BZ - 690619 - pull in NETIF_F_RXHASH support
• BZ - 691267 - [RFE] kernel: add new syncfs syscall
• BZ - 691945 - Non-responsive scsi target leads to excessive scsi recovery and dm-mp failover time
• BZ - 692677 - RHEL6.1-20110316.1 dell-pe2800 NMI received for unknown reason
• BZ - 695377 - cio: prevent purging of CCW devices in the online state
• BZ - 696396 - UV: fscache taints kernel; NFS requires fscache; NFS taints kernel
• BZ - 696422 - [SGI 6.2 FEAT] UV: add smp_affinity_list
• BZ - 696998 - Check if PTE is already allocated during page fault
• BZ - 697403 - Patch file for RAID controller driver, arcmsr, at RHEL6 Update2
• BZ - 697659 - NFS4 problem using open() on exported urandom device
• BZ - 697868 - xenfv: 32-bit guest hangs on boot
• BZ - 698094 - NULL pointer dereference, IP: blkiocg_lookup_group+0x9/0x40
• BZ - 698506 - cont. Bonded interface doesn't issue IGMP report (join) on slave interface during failover
• BZ - 699151 - ext4_lookup: deleted inode referenced
• BZ - 700277 - [RHEL6] RFE : Enable SO_REUSEADDR support for rdma_cm
• BZ - 700343 - netjet - blacklist Digium TDM400P
• BZ - 700463 - qdio: reset error states immediately
• BZ - 700499 - [RHEL6] oom_kill.c : printk in __oom_kill_task no longer includes p->uid as it did in RHEL 5
• BZ - 700538 - MLS - cgconfigparser cannot search on /cgroup/ dirs
• BZ - 701373 - Bugfixes for the 2.6.37 NFS client
• BZ - 701825 - NFS4: Incorrect server behavior when using OPEN call with O_CREATE on a directory on which the process has no WRITE permissions.
• BZ - 701857 - hibernate cause kernel panic
• BZ - 701951 - System Hang when there is smart error on IBM platform
• BZ - 702183 - kernel panic when remove dccp_probe module
• BZ - 702508 - TCP traffic to IPv6 causes 32 bit Linux OS to reboot
• BZ - 702674 - powerpc: Only sleep in rtas_busy_delay if we have useful work to do
• BZ - 703055 - RHEL6.1 x86_64 HVM guest crashes on AMD host when guest memory size is larger than 8G
• BZ - 703474 - xen-kbdfront - advertise either absolute or relative coordinates
• BZ - 704128 - EDD module incorrectly checks validity of a BIOS provided data.
• BZ - 704511 - RHEL6.1 mm: hugepages can cause negative commitlimit
• BZ - 705082 - qemu-kvm takes lots of CPU resources due to _spin_lock_irqsave on a 64 cpu machine
• BZ - 705210 - [RFE] Provide support for Wacom cintiq (DTU-2231)
• BZ - 705441 - intel-iommu: missing flush prior to removing domains + avoid broken vm/si domain unlinking
• BZ - 706018 - miss xmit_hash_policy=layer2+3 in modinfo bonding output
• BZ - 706385 - pending THP improvements for RHEL6.2
• BZ - 707005 - dlm: fcntl F_SETLKW should be interruptible in GFS2
• BZ - 707142 - Can't change lacp_rate in bonding mode=802.3ad
• BZ - 707755 - blkio controller: Backport patches for per cgroup stats and lockless throttling for no rule group
• BZ - 707757 - cfq-iosched: Set group_isolation tunable 1 by default
• BZ - 707762 - blkio controller: Backport miscellaneous fixes and cleanups from upstream
• BZ - 708000 - cifs: asynchronous writepages support
• BZ - 708350 - nosegneg not used in 32-bit Xen guests
• BZ - 709856 - Kernel trace on m2.4xlarge or m2.2xlarge instances in EC2
• BZ - 710159 - ib_srp scan/rescan keep adding new scsi devices
• BZ - 710668 - using gdb to debug kernel causes crash
• BZ - 711317 - Mask dangerous features on xen hvm, even if the HV doesn't
• BZ - 711326 - xenpv: backport sched_clock change
• BZ - 711400 - panic in cifsd code after unexpected lookup error -88.
• BZ - 711600 - backport "sched: Next buddy hint on sleep and preempt path"
• BZ - 711636 - THP has a build error when !CONFIG_SMP
• BZ - 712000 - [bnx2x_extract_max_cfg:1079(ethxx)]Illegal configuration detected for Max BW - using 100 instead
• BZ - 712139 - GFS2: Update to rhel6.1 broke dovecot writing to a gfs2 filesystem
• BZ - 712252 - vmscan: correctly check if reclaimer should schedule during shrink_slab
• BZ - 712258 - mm: compaction: Ensure that the compaction free scanner does not move to the next zone
• BZ - 712260 - migrate: don't account swapcache as shmem
• BZ - 712653 - make guest mode entry to be rcu quiescent state
• BZ - 713337 - backport checksum optimization for virtio_net
• BZ - 713585 - RHEL 6.1 Xen paravirt guest is getting network outage during live migration
• BZ - 713620 - Bug for patches outside AGP/DRM required for AGP/DRM backport from 3.0-rc
• BZ - 713730 - enclosure fix
• BZ - 714183 - v4l app in Documentation fails to compile because it uses f15 kernel-headers
• BZ - 714325 - cxgb3i causing eeh on PPC64
• BZ - 714590 - Intel wireless broken on 11n for many users
• BZ - 714684 - RFE: command to clear scrollback buffer in linux terminal
• BZ - 714740 - pNFS Bakeathon Bug Fixes.
• BZ - 714883 - Solarflare network adapter not available during install
• BZ - 716263 - need to enable software bridge to do igmp snooping to receive/forward ipv6 router advertisements
• BZ - 716452 - Anaconda installer doesn't work with Xen virtual block devices.
• BZ - 716498 - bump domain memory limits
• BZ - 716520 - cfq-iosched: CFQ can get GPF at cfq_free_io_context()
• BZ - 717377 - Feature Request: Chelsio iw_cxgb4 driver updates for 6.2
• BZ - 718332 - ext4: WARNING: at fs/namei.c:1306 lookup_one_len during orphan inode recovery with quotas
• BZ - 719357 - dlm: increase hash table maximum allocatable size
• BZ - 719587 - Kernel: system hungs when remove bonding module with arp monitor
• BZ - 720712 - ls hangs for a specific directory (nfsv3) in kernels starting at -157
• BZ - 720918 - the block layer does't merge the requests sent from jbd/2.
• BZ - 721044 - jbd2: Improve scalability by not taking j_state_lock in jbd2_journal_stop() fix missing from RHEL6 kernel.
• BZ - 721205 - Expose RDWRGSFS new instructions to guest
• BZ - 722257 - NFS readdirs losing their cookies
• BZ - 722565 - using page_count(pfn_to_page(pfn)) on a random pfn is unsafe
• BZ - 723670 - Introduce "acpi_rsdp=" parameter for kdump
• BZ - 723849 - installation: kernel panic in EFI during restart of installer
• BZ - 724995 - xen mmu: fix a race window causing leave_mm BUG()
• BZ - 725007 - xen: off by one errors in multicalls.c
• BZ - 725041 - xen/hvc: only notify if we actually sent something
• BZ - 725234 - asix: fix setting mac address for AX88772
• BZ - 725370 - cifs: CIFSSMBQAllEAs parses xattr data wrongly
• BZ - 725435 - APEI: disable EINJ parameter support by default
• BZ - 725444 - (direct_io) __blockdev_direct_IO calls kzalloc for dio struct causes OLTP performance regression
• BZ - 725519 - revert of bug 716498 that causes x86_64 xen pv guest boot failure
• BZ - 725538 - RHEL 6 is missing upstream backport to remove prefetch instructions.
• BZ - 725580 - Improve sysfs performance when many block devices are created
• BZ - 725716 - need to fix previous ABI break in net_device struct
• BZ - 725812 - python-linux-perf: Create new package with the Linux perf subsystem python binding
• BZ - 725816 - AIM7 on redeye test bed loses up to 45% performance with barriers enabled
• BZ - 725855 - Avoid merging a VMA with another VMA which is cloned from the parent process.
• BZ - 726099 - __scsi_add_device+0xc8/0x170 has a problem when there is scsi enclosure
• BZ - 726437 - Disk write cache flushes are no longer logged in blktrace
• BZ - 728476 - machine panics with "DMAR hardware is malfunctioning"
• BZ - 729176 - ext4 regression: quota incorrect/orphan inodes on removal of (locked) files
• BZ - 729434 - nfs sillyrename can call d_move without holding the i_mutex
• BZ - 729437 - cifs: fix NTLMSSP based signing to samba
• BZ - 730077 - kdump: x86: Improve crashkernel=auto logic to take into account memory used by filtering utility
• BZ - 730144 - RHEL6.2: revert latest patchset from 587729
• BZ - 730503 - RHEL 6.1 xen guest crashes with kernel BUG at arch/x86/xen/mmu.c:1457!
• BZ - 730599 - qla4xxx: fix iscsi boot: export session iface name
• BZ - 730838 - radeon/kms regression in 6.2
• BZ - 731585 - ext3/ext4 mbcache causes high CPU load [RHEL6]
• BZ - 732986 - thp: fix tail page refcounting
• BZ - 733651 - netfront MTU drops to 1500 after domain migration
• BZ - 733672 - xen PV guest kernel 2.6.32 processes lock up in D state
• BZ - 734509 - APEI: set enable bit for OSC call
• BZ - 734732 - oom killer is killing more processes than is needed
• BZ - 735048 - USB3 device attached to a USB3 hub, fail to unregister when USB3 hub plug out.
• BZ - 735050 - USB3 device fail to register after a re-attach to USB3 hub
• BZ - 735124 - LVM --type raid1 create attempt panics system and leaves it unbootable
• BZ - 735263 - USB3 device can't be detected on USB2 hub
• BZ - 736425 - CVE-2011-3347 kernel: be2net: promiscuous mode and non-member VLAN packets DoS
• BZ - 738163 - [kdump] be2net 0000:04:00.0: mccq poll timed out
• BZ - 740312 - xfs: avoid synchronous transactions when deleting attr blocks
• BZ - 740465 - Host got crash when guest running netperf client with UDP_STREAM protocol with IPV6
• BZ - 742414 - serious SPECjbb regression in KVM guest due to cpu cgroups
• BZ - 743590 - x86_64 xen guest crash when booting with maxmem = 128Gb
• BZ - 744154 - khubd hungs
• BZ - 746254 - Kernel: dm-log-userspace not properly registering log devices
• BZ - 746861 - umount of RHEL 6.2 2.6.32-209.el6.x86_64 beta pNFS share can hang or cause Oops
• BZ - 747291 - booting latest kernel on radeon hd 6450 (CAICOS) results in corrupt screen/memory
• BZ - 747292 - booting latest kernel on llano system has wrong resolution and can cause memory corruption
• BZ - 747942 - CVE-2011-3638 kernel: ext4: ext4_ext_insert_extent() kernel oops
• BZ - 751297 - CVE-2011-4110 kernel: keys: NULL pointer deref in the user-defined key type

CVEs

• CVE-2011-1020
• CVE-2011-3347
• CVE-2011-4110
• CVE-2011-3638

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.2_Release_Notes/index.html
• https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Technical_Notes/kernel.html#RHBA-2011-1530