Article ID: 5490, created on Jul 22, 2008, last review on Apr 25, 2014

Applies to: Virtuozzo for Linux 3.x

Resolution

--------------------------------------------------------------------------------
Synopsis: New Virtuozzo 3.0 kernel provides security updates, driver
updates, and some other important fixes.
Issue date: 2008-07-17
Product: Virtuozzo 3.0
Keywords: security updates, driver update, stability fixes
--------------------------------------------------------------------------------

This document provides information on the new Virtuozzo 3.0 kernel, version
2.6.9-023stab048.4.

(c) Parallels, 2008. All rights reserved.

--------------------------------------------------------------------------------

TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo 3.0 kernel provides a new kernel based on
the Red Hat 4 kernel (2.6.9-67.0.20.EL). The updated kernel includes a
number of security updates, driver updates, and important stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo 3.0 kernel includes fixes for the following security
vulnerabilities, which were fixed in the 2.6.9-67.0.1.EL to 2.6.9-67.0.20.EL
Red Hat kernels:

- A flaw was found in the handling of IEEE 802.11 frames, which affected
several wireless LAN modules. In certain situations, a remote attacker
could trigger this flaw by sending a malicious packet over a wireless
network, causing a denial of service (kernel crash).
(CVE-2007-4997, Important)

- A memory leak was found in the Red Hat Content Accelerator kernel patch.
A local user could use this flaw to cause a denial of service (memory
exhaustion). (CVE-2007-5494, Important)

- A flaw was found in the virtual filesystem (VFS). A local unprivileged
user could truncate directories to which they had write permission; this
could render the contents of the directory inaccessible.
(CVE-2008-0001, Important)

- A flaw was found in the implementation of ptrace. A local unprivileged user
could trigger this flaw and possibly cause a denial of service (system
hang). (CVE-2007-5500, Important)

- A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled
page faults when a CPU used the NUMA method for accessing memory on Itanium
architectures. A local unprivileged user could trigger this flaw and cause
a denial of service (system panic). (CVE-2007-4130, Important)

- A possible NULL pointer dereference was found in the chrp_show_cpuinfo
function when using the PowerPC architecture. This might allow a local
unprivileged user to cause a denial of service (crash).
(CVE-2007-6694, Moderate)

- A flaw was found in the way core dump files were created. If a local user
could get a root-owned process to dump a core file into a directory, which
the user had write access to, they could gain read access to that core
file. This could potentially grant unauthorized access to sensitive
information. (CVE-2007-6206, Moderate)

- Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A
local unprivileged user could use these flaws to cause a denial of
service. (CVE-2007-6063, CVE-2007-6151, Moderate)

- A buffer overflow flaw was found in the CIFS virtual file system. A
remote authenticated user could issue a request that could lead to
a denial of service. (CVE-2007-5904, Moderate)

- The absence of a protection mechanism when attempting to access a
critical section of code was found in the Linux kernel open file
descriptors control mechanism, fcntl. This could allow a local unprivileged
user to simultaneously execute the code that would otherwise be protected
against parallel execution. Additionally, a race condition during the
handling of locks in the Linux kernel fcntl functionality might allow a
process belonging to a local unprivileged user to gain re-ordered access to
the descriptor table. (CVE-2008-1669, Important)

- On AMD64 architectures, the possibility of a kernel crash was discovered
by testing the Linux kernel process-trace ability. This could allow a local
unprivileged user to cause a denial of service (kernel crash).
(CVE-2008-1615, Important)

- The absence of a protection mechanism when attempting to access a
critical section of code, as well as a race condition, were found in the
Linux kernel file system event notifier, dnotify. This could allow a local
unprivileged user to make data inconsistent or to send arbitrary signals to
arbitrary system processes. (CVE-2008-1375, Important)

- When accessing kernel memory locations, certain Linux kernel drivers
registering a fault handler did not perform the required range checks. A
local unprivileged user could use this flaw to gain read or write access to
arbitrary kernel memory, or possibly cause a kernel crash.
(CVE-2008-0007, Important)

- The possibility of a kernel crash was found in the Linux kernel IPsec
protocol implementation, due to improper handling of fragmented ESP
packets. When an attacker controlling an intermediate router fragmented
these packets into very small pieces, it would cause a kernel crash on the
receiving node during packet reassembly. (CVE-2007-6282, Important)

- A flaw in the MOXA serial driver could allow a local unprivileged user
to perform privileged operations, such as replacing firmware.
(CVE-2005-0504, Important)

- A security flaw was found in the Linux kernel memory copy routines, when
running on certain AMD64 systems. If an unsuccessful attempt to copy kernel
memory from source to destination memory locations occurred, the copy
routines did not zero the content at the destination memory location. This
could allow a local unprivileged user to view potentially sensitive data.
(CVE-2008-2729, Important)

- Alexey Dobriyan discovered a race condition in the Linux kernel
process-tracing system call, ptrace. A local unprivileged user could
use this flaw to cause a denial of service (kernel hang).
(CVE-2008-2365, Important)

- Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and
64-bit emulation. This could allow a local unprivileged user to prepare and
run a specially crafted binary that would use this deficiency to leak
uninitialized and potentially sensitive data. (CVE-2008-0598, Important)

- It was discovered that the Linux kernel handled string operations in the
opposite way to the GNU Compiler Collection (GCC). This could allow a local
unprivileged user to cause memory corruption. (CVE-2008-1367, Low)


The updated Virtuozzo 3.0 kernel includes fixes for the following issues:

- A kernel crash might happen due to a bug in CIFS code. The crash ended with
the following message: "CIFS VFS: close with pending writes".

- A kernel crash might occur due to a race during a UDP socket release.

- [CPT]: A kernel crash might happen during an online migration if the
Container being migrated contained a process that had a big file (>2 GB)
opened for writing only, and that file had already been deleted from the
filesystem.

- Processes could start consuming 100% of the CPU if the "tcpsndbuf" limit
was exceeded. Such a process left its busy loop only when a signal was sent to
it, for example, when there was an attempt to strace the process.

- Stopping a Container might fail due to positive refcounters on a network
device (with the following warnings: "unregister_netdevice: waiting for lo
to become free. Usage count = 7"). This might render the Hardware Node
unreachable via ssh until the reboot.

- [SLM]: Under certain circumstances the SLM subsystem might report
"no_reason" instead of the correct "reason_inst_cap" action reason.

- /proc/stat reported the non-virtualized btime (boot time), which sometimes
confused the tools that used that value to calculate process times.

- The "sys.ipv4.conf.default" sysctl did not have any effect inside a
Container.

- The traffic accounting statistics could not be reset without a Hardware Node
restart.

- The load average statistics became incorrect after the number of vCPUs
available to the Container was changed.


The updated Virtuozzo 3.0 kernel includes a number of updated drivers:

- MegaRAID driver for SAS-based RAID controllers
(megaraid_sas driver 00.00.03.18-rh1 version)

- 3ware 9000 Storage Controller driver
(3w-9xxx driver 2.26.07.003 version,
in particular, support for 3Ware 9690SA Controller has been added)


Besides, the new Virtuozzo 3.0 kernel includes the following improvements:

- The kernel has been re-based on the 2.6.9-67.0.20.EL Red Hat kernel.

- [CPT]: The support for SYSV message queues has been added to the
checkpointing code. Previous kernels denied the online migration of a
Container if any of its processes used SYSV message queues. The error
message was the following: "CPT ERR: ... :SYSV msgqueues are not supported".
In particular, this enhancement allows the online migration of those
Containers that run the IBM DB2 software.

- An empty /proc/devices file has been added to a VE to avoid /sbin/MAKEDEV's
warning: "can't read /proc/devices".

- [CPT]: The migration code has been enhanced to check both the source and
destination nodes for the presence of the "slm_dmprst" module if SLM is
enabled.

- An out of socket memory warning has been enhanced to report the ID of the
Container that produced this warning.

- A warning about the time wait bucket table overflow has been enhanced to
report the ID of the Container that produced this warning.


We highly recommend that all Virtuozzo 3.0 users update their kernel to the
latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Virtuozzo 3.0 kernel:

- #114500: The megaraid_sas driver should be updated to avoid
"Rejecting I/O to offline device" messages on controllers with
new firmware.

- #100727: Support for 3ware 9690SA Controller should be added.

- #114887: /proc/stat reports non-virtualized btime

- #114847: /sbin/MAKEDEV: warning: can't read /proc/devices.

- #113087: Network device leak if refcount remains positive for too long.

- #114621: SLM action reported as "no_reason", while it should be
"reason_inst_cap".

- #114312: [CPT]: need to check for presence of module slm_dmprst if SLM is
enabled.

- #99542: [CPT]: temporary files should be created with O_LARGEFILE flag during
checkpointing and restore process.

- #112170: Possible double free for UDP socket.

- #112103: An endless loop is possible while waiting for TCPSNDBUF memory if
timeout is not specified.

- #111468: A memory leak in venet_acct_set_base() leads to inability to reset
traffic network statistics.

- #96405: A kernel panic in cifs_write().

- #92414: Support for SYSV message queues online migration should be added.


The following OpenVZ bugs have been fixed:

- #828: /proc/stat reports non-virtualized btime

- #826: Sysctl "sys.ipv4.conf.default" does not work inside a Container.

- #760: A warning "Out of socket memory" should print the ID of the Container
that triggers it.

- #767: A warning "TCP: time wait bucket table overflow" should print the ID of
the Container that triggers it.

- #732: Loadavg statistics should be merged when removing a vCPU from a
Container.

--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can get this kernel update in one of the following ways:

- You can download and install the update by using the vzup2date
utility included in the Virtuozzo 3.0 distribution set.

- You can download the update from ftp://downloads.swsoft.com.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, you should perform the following operations:

I. Use the "rpm -ivh" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-smp-2.6.9-023stab048.4.i686.rpm \
vzmodules-smp-2.6.9-023stab048.4.i686.rpm
Preparing... ################################# [100%]
1:vzkernel-smp ################################# [50%]
2:vzmodules-smp ################################# [100%]

Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
all the kernels previously installed on your system may be removed from
the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
loaded by default. If you use the LILO bootloader, please do not forget to
execute the 'lilo' command to write the changes to the boot sector:

# lilo
Added Virtuozzo2 *
Added Virtuozzo1
Added linux
Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
kernel.
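After the reboot you will want to confirm that the Hardware Node actually came up on the fixed kernel rather than an older entry left in the boot loader. The following script is an added example, not part of the Parallels advisory: it compares the stab revision in a "uname -r" string against the advisory's target 2.6.9-023stab048.4. It assumes the release string has the usual Virtuozzo 3.0 form "2.6.9-023stabNNN.M[-flavour]", for example "2.6.9-023stab046.2-smp".

```shell
#!/bin/sh
# Added example (not from the advisory): check whether a Hardware Node runs a
# Virtuozzo 3.0 kernel at or above the fixed revision 2.6.9-023stab048.4.
# Assumption: `uname -r` looks like "2.6.9-023stabNNN.M[-flavour]".

TARGET_STAB="048.4"   # revision shipped by this advisory

# Strip leading zeros so "048" is not read as an (invalid) octal number.
dec() {
    printf '%s\n' "$1" | sed 's/^0*\([0-9]\)/\1/'
}

# stab_rev "<uname -r>" -> prints "NNN.M"; returns 1 if not a 2.6.9-023stab kernel
stab_rev() {
    case "$1" in
        2.6.9-023stab*) ;;
        *) return 1 ;;
    esac
    rev=${1#2.6.9-023stab}      # e.g. "048.4-smp"
    rev=${rev%%-*}              # e.g. "048.4"
    printf '%s\n' "$rev"
}

# kernel_is_fixed "<uname -r>" -> exit 0 if the stab revision >= TARGET_STAB
kernel_is_fixed() {
    rev=$(stab_rev "$1") || return 1
    major=$(dec "${rev%%.*}");        minor=$(dec "${rev#*.}")
    tmajor=$(dec "${TARGET_STAB%%.*}"); tminor=$(dec "${TARGET_STAB#*.}")
    # compare the two numeric parts in order: stab number, then point release
    if [ "$major" -gt "$tmajor" ]; then return 0; fi
    if [ "$major" -lt "$tmajor" ]; then return 1; fi
    [ "$minor" -ge "$tminor" ]
}

# Report on the running kernel when executed directly on a node.
if kernel_is_fixed "$(uname -r)"; then
    echo "OK: running kernel $(uname -r) includes the 023stab048.4 fixes"
else
    echo "WARNING: running kernel $(uname -r) is older than 2.6.9-023stab048.4 or not a Virtuozzo 3.0 kernel"
fi
```

Because "rpm -ivh" leaves the previous kernels installed, an old LILO or GRUB default entry is the most common reason this check still warns after the update.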

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the kind of processor on your Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- Uniprocessor:
vzkernel-2.6.9-023stab048.4.i686.rpm
vzmodules-2.6.9-023stab048.4.i686.rpm

- SMP:
vzkernel-smp-2.6.9-023stab048.4.i686.rpm
vzmodules-smp-2.6.9-023stab048.4.i686.rpm

- Enterprise:
vzkernel-enterprise-2.6.9-023stab048.4.i686.rpm
vzmodules-enterprise-2.6.9-023stab048.4.i686.rpm

- Enterprise with the 4GB split feature disabled:
vzkernel-entnosplit-2.6.9-023stab048.4.i686.rpm
vzmodules-entnosplit-2.6.9-023stab048.4.i686.rpm


x86_64 kernels:

- Uniprocessor:
vzkernel-2.6.9-023stab048.4.x86_64.rpm
vzmodules-2.6.9-023stab048.4.x86_64.rpm

- SMP:
vzkernel-smp-2.6.9-023stab048.4.x86_64.rpm
vzmodules-smp-2.6.9-023stab048.4.x86_64.rpm

ia64 kernel:
vzkernel-2.6.9-023stab048.4.ia64.rpm
vzmodules-2.6.9-023stab048.4.ia64.rpm

--------------------------------------------------------------------------------

7. REFERENCE LIST

The following references have been used in this document:

- https://rhn.redhat.com/errata/RHSA-2007-1104.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4997

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5494

- https://rhn.redhat.com/errata/RHSA-2008-0055.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4130

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5500

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6063

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6151

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6694

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0001

- https://rhn.redhat.com/errata/RHSA-2008-0167.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5904

- https://rhn.redhat.com/errata/RHSA-2008-0237.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6282

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0007

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1375

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1615

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1669

- https://rhn.redhat.com/errata/RHSA-2008-0508.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0598

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1367

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2365

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2729
