Article ID: 5639, created on Oct 22, 2008, last review on May 8, 2014

Applies to:
  • Virtuozzo containers for Linux 4.0

Resolution

---------------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.0 kernel provides a
                   number of security and driver updates and some other
                   important fixes.
Issue date:        2008-10-22
Product:           Parallels Virtuozzo Containers 4.0
Keywords:          security updates, driver updates, stability fixes
---------------------------------------------------------------------------

This document provides information on the new Virtuozzo Containers 4.0 
kernel, version 2.6.18-028stab059.3.

(c) Parallels, 2008. All rights reserved.

---------------------------------------------------------------------------

TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the Red Hat 5 kernel (2.6.18-92.1.13.el5). The updated kernel includes a
number of security and driver updates and some important stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
security vulnerabilities which were fixed in the 2.6.18-92.1.6.el5 -
2.6.18-92.1.13.el5 Red Hat kernels:

  - A security flaw was found in the Linux kernel memory copy routines, when
    running on certain AMD64 systems. If an unsuccessful attempt to copy kernel
    memory from source to destination memory locations occurred, the copy
    routines did not zero the content at the destination memory location. This
    could allow a local unprivileged user to view potentially sensitive data.
    (CVE-2008-2729, Important)

  - Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and
    64-bit emulation. This could allow a local unprivileged user to prepare and
    run a specially crafted binary, which would use this deficiency to leak
    uninitialized and potentially sensitive data. (CVE-2008-0598, Important)

  - A possible kernel memory leak was found in the Linux kernel Simple
    Internet Transition (SIT) INET6 implementation. This could allow a local
    unprivileged user to cause a denial of service. (CVE-2008-2136, Important)

  - A flaw was found in the Linux kernel setrlimit system call, when setting
    RLIMIT_CPU to a certain value. This could allow a local unprivileged user
    to bypass the CPU time limit. (CVE-2008-1294, Moderate)

  - Multiple NULL pointer dereferences were found in various Linux kernel
    network drivers. These drivers were missing checks for terminal validity,
    which could allow privilege escalation. (CVE-2008-2812, Moderate)

  - A missing capability check was found in the Linux kernel do_change_type
    routine. This could allow a local unprivileged user to gain privileged
    access or cause a denial of service. (CVE-2008-2931, Important)

  - A flaw was found in the Linux kernel Direct-IO implementation. This could
    allow a local unprivileged user to cause a denial of service.
    (CVE-2007-6716, Important)

  - A deficiency was found in the Linux kernel virtual filesystem (VFS)
    implementation. This could allow a local unprivileged user to attempt file
    creation within deleted directories, possibly causing a denial of service.
    (CVE-2008-3275, Moderate)

  - A flaw was found in the Linux kernel tmpfs implementation. This could
    allow a local unprivileged user to read sensitive information from the
    kernel. (CVE-2007-6417, Moderate)

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
issues:

  - SLM-enabled systems may report incorrect values for used memory in the
    "free" command output if the MEMINFO parameter is set to "privvmpages:1".

  - [CPT]: A kernel crash may occur during the online migration if the
    Container being migrated is under a high network load.

  - [SLM]: The locking mechanism for accessing process files has been corrected
    to prevent possible kernel panics during process killing/exiting.

  - [NFS]: A kernel crash may occur when attempting to access files located
    on an NFS submount if the NFS server does not hide them. This issue may
    happen only if the Container's private area is located on an NFS volume.

  - The "tcpsndbuf" parameter may be charged incorrectly in the
    tcp_send_synack() function.

  - Memory corruption may occur due to a race when switching from one user
    to another. In particular, this issue may affect systems running Samba
    as it switches UIDs intensively.

  - The following warning reported by the "find" utility has been fixed:
    "find: Filesystem loop detected; `/proc/bc/0/0.0' has the same device number
    and inode as the directory that is 1 level higher in the filesystem
    hierarchy."

  - The locking algorithm in drop_pagecache_sb() has been fixed to eliminate
    possible soft lockups of the Hardware Node.

  - The "ip" utility included in openSUSE 11.0 may not work due to an
    inappropriate return error code if the kernel does not support RTNETLINK.

The updated Virtuozzo Containers 4.0 kernel includes several driver fixes:

  - The Areca RAID controller driver has been fixed to prevent a possible kernel
    crash due to incorrect memory allocation flags.

  - The 3ware 9000 Storage controller driver has been fixed to enable the
    PCI memory-write-and-invalidate command, which greatly increases write
    performance.

  - The HP CISS driver has been enhanced to support the "scsi_id" command, which
    is required to correctly detect the root partition while booting SLES10 SP1.

The new Virtuozzo Containers 4.0 kernel also includes the following improvement:

  - The IP/IP tunnel driver has been virtualized.

We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

- #118146: "free" reports incorrect used memory values if SLM is enabled and
           MEMINFO="privvmpages:1".

- #118912: [CPT]: a kernel panic during online migration under high network load.

- #120812: [SLM]: a kernel panic on tsk->files access during process killing.

- #119698: [NFS]: a kernel panic while accessing files located on an NFS
           submount.

- #124912: The "tcpsndbuf" beancounter leaks due to incorrect accounting in
           tcp_send_synack().

- #116868: "find" reported a filesystem loop in /proc/bc/0/0.0.

- #116673: Locking in drop_pagecache_sb() can lead to a soft lockup of the Node.

- #121112: Kernel panics on a system with Areca RAID controller installed.

- #122277: High I/O wait when using the 3w-9xxx driver.

- #114972: Root partition could not be found on a SLES10 SP1 Node with disk
           controller supported by the HP CISS driver.

- #114130: Root partition could not be found on an openSUSE 10.3 Node due to lack
           of support for the sysfs/uevent modalias attribute for SCSI devices.

- #115250: The "ip" command from openSUSE 11.0 fails with the following
           message: "RTNETLINK answers: Invalid argument".

- #121167: The "ipip" kernel module should be virtualized.


The following OpenVZ bugs have been fixed:

- #987: Incorrect skb is charged in tcp_send_synack().

- #848: A kernel panic on a system running Samba due to a race in switch_uid().


--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can get this kernel update in one of the following ways:

- You can download and install the update by using the vzup2date utility
  included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, you should perform the following operations:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

    # rpm -ivh vzkernel-2.6.18-028stab059.3.i686.rpm \
    vzmodules-2.6.18-028stab059.3.i686.rpm
    Preparing...                ################################# [100%]
        1:vzkernel               ################################# [50%]
        2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.
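
After the reboot in step III, the running kernel can be checked against the
fixed release named in this document. The script below is an added example,
not part of the Parallels release notes; the function names are hypothetical,
and it assumes "uname -r" reports the release in the same form as the package
names above, optionally followed by a "-flavour" suffix.

```shell
#!/bin/sh
# Added example, not part of the Parallels release notes.
# Classifies a kernel release string against 2.6.18-028stab059.3.

FIXED_BASE="2.6.18"; FIXED_BRANCH="028"; FIXED_BUILD=59; FIXED_MINOR=3

# "<base>-<digits>stab<build>.<minor>" with an optional "-flavour" suffix
# (the suffix form is an assumption; adjust to what `uname -r` prints).
VZ_RE='s/^\([0-9][0-9.]*\)-\([0-9][0-9]*\)stab\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(-[A-Za-z0-9]*\)\{0,1\}$/\1 \2 \3 \4/p'

# Strip leading zeros so "059" compares as decimal 59 instead of being
# read as an invalid octal literal by shell arithmetic.
to_dec() {
    d=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${d:-0}"
}

# Prints one of: patched, outdated, unknown.
vz_kernel_status() {
    parsed=$(printf '%s\n' "$1" | sed -n "$VZ_RE")
    if [ -z "$parsed" ]; then echo unknown; return 0; fi
    set -- $parsed
    # A different base version or stab series is not comparable; no claim is made.
    if [ "$1" != "$FIXED_BASE" ] || [ "$2" != "$FIXED_BRANCH" ]; then
        echo unknown; return 0
    fi
    build=$(to_dec "$3"); minor=$(to_dec "$4")
    if [ "$build" -gt "$FIXED_BUILD" ]; then
        echo patched
    elif [ "$build" -eq "$FIXED_BUILD" ] && [ "$minor" -ge "$FIXED_MINOR" ]; then
        echo patched
    else
        echo outdated
    fi
}

# With no argument, check the running kernel.
vz_kernel_status "${1:-$(uname -r)}"
```

A result of "unknown" means the string is not a 2.6.18-028stab release, for
example a stock Red Hat kernel, so the comparison does not apply.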

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the kind of processor on your Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab059.3.i686.rpm
   vzmodules-2.6.18-028stab059.3.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab059.3.i686.rpm
   vzmodules-ent-2.6.18-028stab059.3.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab059.3.i686.rpm
   vzmodules-PAE-2.6.18-028stab059.3.i686.rpm


x86_64 kernels:

   vzkernel-2.6.18-028stab059.3.x86_64.rpm
   vzmodules-2.6.18-028stab059.3.x86_64.rpm

ia64 kernel:

   vzkernel-2.6.18-028stab059.3.ia64.rpm
   vzmodules-2.6.18-028stab059.3.ia64.rpm

--------------------------------------------------------------------------------

7. REFERENCE LIST

The following references have been used in this document:

- https://rhn.redhat.com/errata/RHSA-2008-0519.html

- https://rhn.redhat.com/errata/RHSA-2008-0612.html

- https://rhn.redhat.com/errata/RHSA-2008-0885.html

- https://bugzilla.redhat.com/show_bug.cgi?id=444759
