Article ID: 6564, created on Aug 3, 2009, last review on May 8, 2014

  • Applies to:
  • Virtuozzo containers for Linux 4.0

Release notes

Synopsis:          New Parallels Virtuozzo Containers 4.0 kernel provides a number of important stability fixes and security updates.
Issue date:        2009-08-03
Product:           Parallels Virtuozzo Containers 4.0
Keywords:          'stability fixes' 'security updates'


This document provides information on the new Virtuozzo Containers 4.0 kernel,
version 2.6.18-028stab064.4.

© 1999-2009 Parallels Holdings, Ltd. and its affiliates. All rights reserved.


1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List



1. About This Release

The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the Red Hat 5 kernel (2.6.18-128.2.1.el5). The updated kernel includes
a number of important security updates and stability fixes.



2. Updates Description

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
security vulnerabilities (including those that were fixed in the Red Hat
kernels 2.6.18-128.1.6.el5 through 2.6.18-128.2.1.el5):

- Memory leaks were found on some error paths in the icmp_send()
  function in the Linux kernel. This could, potentially, cause the network
  connectivity to cease. (CVE-2009-0778, Important)

- Chris Evans reported a deficiency in the clone() system call when it was
  executed with the CLONE_PARENT flag. This flaw permits the caller (the parent
  process) to indicate an arbitrary signal it wants to receive when its child
  process exits. This could lead to a denial of service of the parent
  process. (CVE-2009-0028, Moderate)

- An off-by-one underflow flaw was found in the eCryptfs subsystem. This
  could potentially cause a local denial of service when the readlink()
  function returned an error. (CVE-2009-0269, Moderate)

- A deficiency was found in the Remote BIOS Update (RBU) driver for Dell
  systems. This could allow a local, unprivileged user to cause a denial of
  service by reading zero bytes from the image_type or packet_size files in
  "/sys/devices/platform/dell_rbu/". (CVE-2009-0322, Moderate)

- An inverted logic flaw was found in the SysKonnect FDDI PCI adapter
  driver, allowing driver statistics to be reset only when the CAP_NET_ADMIN
  capability was absent (local, unprivileged users could reset driver
  statistics). (CVE-2009-0675, Moderate)

- The sock_getsockopt() function in the Linux kernel did not properly
  initialize a data structure that can be directly returned to user-space
  when the getsockopt() function is called with SO_BSDCOMPAT optname set.
  This flaw could possibly lead to memory disclosure.
  (CVE-2009-0676, Moderate)

- The ext2 and ext3 file system code failed to properly handle corrupted
  data structures, leading to a possible local denial of service when read
  or write operations were performed on a specially-crafted file system.
  (CVE-2008-3528, Low)

- A deficiency was found in the libATA implementation. This could,
  potentially, lead to a local denial of service. Note: By default,
  the "/dev/sg*" devices are accessible only to the root user.
  (CVE-2008-5700, Low)

- A logic error was found in the do_setlk() function of the Linux kernel
  Network File System (NFS) implementation. If a signal interrupted a lock
  request, the local POSIX lock was incorrectly created. This could cause a
  denial of service on the NFS server if a file descriptor was closed before
  its corresponding lock request returned. (CVE-2008-4307, Important)

- A deficiency was found in the Linux kernel system call auditing
  implementation on 64-bit systems. This could allow a local, unprivileged
  user to circumvent a system call audit configuration, if that configuration
  filtered based on the "syscall" number or arguments.
  (CVE-2009-0834, Important)

- The exit_notify() function in the Linux kernel did not properly reset the
  exit signal if a process executed a set user ID (setuid) application before
  exiting. This could allow a local, unprivileged user to elevate their
  privileges. (CVE-2009-1337, Important)

- A flaw was found in the ecryptfs_write_metadata_to_contents() function of
  the Linux kernel eCryptfs implementation. On systems with a 4096 byte
  page-size, this flaw may have caused 4096 bytes of uninitialized kernel
  memory to be written into the eCryptfs file headers, leading to an
  information leak. Note: Encrypted files created on systems running the
  vulnerable version of eCryptfs may contain leaked data in the eCryptfs file
  headers. This update does not remove any leaked data. Refer to the
  Knowledgebase article in the References section for further information.
  (CVE-2009-0787, Moderate)

- The Linux kernel implementation of the Network File System (NFS) did not
  properly initialize the file name limit in the nfs_server data structure.
  This flaw could possibly lead to a denial of service on a client mounting
  an NFS share. (CVE-2009-1336, Moderate)

- Several flaws were found in the way the Linux kernel CIFS implementation
  handles Unicode strings. CIFS clients convert Unicode strings sent by a
  server to their local character sets and then write those strings into
  memory. If a malicious server sent a long enough string, it could write
  past the end of the target memory region and corrupt other memory areas,
  possibly leading to a denial of service or privilege escalation on a
  client mounting a CIFS share. (CVE-2009-1439, CVE-2009-1633, Important)

- The Linux kernel Network File System daemon (nfsd) implementation did not
  drop the CAP_MKNOD capability when handling requests from local,
  unprivileged users. This flaw could possibly lead to an information leak or
  privilege escalation. (CVE-2009-1072, Moderate)

- Frank Filz reported the NFSv4 client was missing a file permission check
  for the execute bit in some situations. This could allow local,
  unprivileged users to run non-executable files on NFSv4 mounted file
  systems. (CVE-2009-1630, Moderate)

- A missing check was found in the hypervisor_callback() function in the
  Linux kernel provided by the kernel-xen package. This could cause a denial
  of service of a 32-bit guest if an application running in that guest
  accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)

- A flaw was found in the AGPGART driver. The agp_generic_alloc_page() and
  agp_generic_alloc_pages() functions did not zero out the memory pages they
  allocate, which may later be available to user-space processes. This flaw
  could possibly lead to an information leak. (CVE-2009-1192, Low)

- A flaw was found in the ptrace_start function in kernel/ptrace.c which does
  not properly handle simultaneous execution of the do_coredump function.
  This could allow local users to cause a denial of service (generate CPU
  intensive unkillable processes). (CVE-2009-1388, Important)

- The personality subsystem in the Linux kernel before 2.6.31-rc3 has the
  PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and
  MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes
  it easier for local users to leverage the details of memory usage to
   (1) conduct NULL pointer dereference attacks
   (2) bypass the mmap_min_addr protection mechanism
   (3) defeat address space layout randomization (ASLR).
  (CVE-2009-1895, Moderate)

- Some kernel NULL pointer dereference bugs become exploitable because of the
  gcc -O2 optimization: -O2 implies "-fdelete-null-pointer-checks", which lets
  gcc remove a NULL check that follows a dereference of the same pointer, so
  the kernel keeps running on whatever an attacker mapped at page zero instead
  of failing the call. The updated kernel is built with the
  "-fno-delete-null-pointer-checks" flag so that such checks are preserved.
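The following added C example (it is not from the release note or the Virtuozzo kernel; the struct ctx type and the function names are invented for illustration) shows the code shape the compiler flag is about: the same NULL test placed after, and then before, the dereference.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical kernel-style object; the name is assumed for illustration. */
struct ctx {
    int flags;
};

/* The pattern gcc -O2 breaks: the pointer is dereferenced BEFORE it is
 * tested. Under C semantics a NULL ctx makes the load undefined behaviour,
 * so -fdelete-null-pointer-checks (implied by -O2) treats the later test as
 * always false and removes it. If an attacker can map page zero (see the
 * CVE-2009-1895 item above), the load succeeds, the check is gone, and the
 * function keeps running on attacker-controlled data instead of returning
 * the error. Kept only to show the shape; never call it with NULL. */
int ctx_flags_checked_late(const struct ctx *c)
{
    int flags = c->flags;   /* dereference first */
    if (c == NULL)          /* dead at -O2 unless -fno-delete-null-pointer-checks */
        return -1;
    return flags;
}

/* Hardened form: test before touching the object. Nothing has been
 * dereferenced yet, so no optimisation level can prove the check redundant. */
int ctx_flags_checked_first(const struct ctx *c)
{
    if (c == NULL)
        return -1;
    return c->flags;
}

int main(void)
{
    struct ctx c = { .flags = 0x2a };

    printf("valid ctx: %d\n", ctx_flags_checked_first(&c));
    printf("NULL ctx:  %d\n", ctx_flags_checked_first(NULL));
    return 0;
}
```

Compile the file once with `gcc -O2 -S` and once with `gcc -O2 -fno-delete-null-pointer-checks -S` and compare the assembly for ctx_flags_checked_late: in the first build the comparison against NULL and the `return -1` path are gone, in the second they survive. Neither build makes that function safe for a NULL argument; the flag only stops gcc from turning a crash into silent continuation when page zero is mappable, which is why the fix is to write the check first, as in ctx_flags_checked_first.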

The updated Parallels Virtuozzo Containers 4.0 kernel includes fixes for the
following issues:

- [NFS,SLM]: Under some circumstances, a Node hangup or kernel panic may occur
  when using an NFS mount inside a Container if the Container tries to exceed
  its memory limit.

- [NFS]: A kernel panic may occur when stopping a Container if an NFS mount
  is used inside the Container and the connection to the NFS server is broken.

- [NFS]: A kernel panic may occur when accessing /proc/locks on a Hardware
  Node that is used as an NFS server.

- Log messages might be dropped from the kernel buffer due to a missed
  "printk_cpu" restoration after the printk() execution. This issue is
  accompanied by the following messages in logs:
  "BUG: recent printk recursion!".

- Network packets may be dropped by bridge code if a packet goes through more
  than one bridge on the Hardware Node.

- When performing an online migration from a Node with the 2.6.9 kernel to a
  Node with the 2.6.18 kernel, some secondary task flags may be migrated
  incorrectly. Potentially, this could confuse some applications.

- After migrating a Container online, a TCP socket connection throughput may
  decrease if the physical Ethernet adapter on the destination Node does not
  support TSO.

- When backing up Containers using the 'vzabackup' utility, a Node may hang
  due to an incorrect handling of locks on error paths.

- When stopping a Container, a kernel panic may occur on accessing

- The readdir() and fstat() calls inside Containers may return different
  inode numbers for template files. This may confuse applications such as
  CVS clients.

The new Virtuozzo Containers 4.0 kernel also includes the following

- A new sysctl, "ve-xattr-policy", has been implemented. It controls how the
  kernel reacts when extended attributes (xattrs) are changed from inside a
  Container. Three values can be used:
    0 - accept any xattr modifications (always the case for Container 0, the
        Hardware Node, and the default for regular Containers)
    1 - ignore the modification
    2 - reject the modification
  Note: If you assign any other value to "ve-xattr-policy", the policy falls
        back to "accept".

- TSO support for 'venet' and 'veth' has been added, which increases bandwidth
  or considerably decreases the CPU usage if the physical Ethernet adapter
  supports TSO.

  TSO management details:
       1. TSO is off by default.
       2. For veth: TSO can be enabled/disabled in Containers or on the Node
          for a pair of adapters {veth in a Container, veth on the Node}.
       3. For venet: TSO can be enabled/disabled only on the Hardware Node
          (for all venet devices at once).

  To use this feature, you must enable:
          1. Tx checksumming: # ethtool -K DEVNAME tx on
          2. Scatter-gather:  # ethtool -K DEVNAME sg on
          3. TSO:             # ethtool -K DEVNAME tso on

- GRE over IP protocol has been virtualized and is now available inside

- PPP, PPPoE per-Container support has been added.
  Note: To use this functionality, you need the 4.0.0-233 or higher version
        of the 'vzctl' utility.

We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.
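As an added check (not part of the release note or the vzup2date tooling), the C program below parses the running kernel's release string as `uname -r` reports it and tells whether it is at or above 2.6.18-028stab064.4, the kernel this note describes. It assumes that stab kernels report in the form major.minor.patch-BBBstabSSS.R, optionally followed by a flavour suffix that is ignored, and that stock Red Hat kernels (2.6.18-128.x.el5) do not match and are reported as undecidable; the version strings used in the test are constructed samples.

```c
#include <stdio.h>
#include <sys/utsname.h>

/* Kernel version this release note describes. */
#define FIXED_VERSION "2.6.18-028stab064.4"

/* Components of a Virtuozzo/OpenVZ release string such as
 * "2.6.18-028stab064.4": major, minor, patch, stab branch (028),
 * stab number (064) and revision (4), in comparison order. */
struct vzver {
    int f[6];
};

/* Parse a release string. Returns 1 on success, 0 if it is not a stab
 * kernel (e.g. a stock RHEL "2.6.18-128.2.1.el5"). Anything after the
 * revision, such as a flavour suffix, is ignored. */
int vzver_parse(const char *s, struct vzver *v)
{
    int n = sscanf(s, "%d.%d.%d-%dstab%d.%d",
                   &v->f[0], &v->f[1], &v->f[2],
                   &v->f[3], &v->f[4], &v->f[5]);
    return n == 6;
}

/* Lexicographic comparison over the six components: <0, 0, >0 like strcmp. */
int vzver_cmp(const struct vzver *a, const struct vzver *b)
{
    for (int i = 0; i < 6; i++)
        if (a->f[i] != b->f[i])
            return a->f[i] < b->f[i] ? -1 : 1;
    return 0;
}

/* Is `running` at or above FIXED_VERSION?
 * Returns 1 = fixed, 0 = older (the issues listed above are unpatched),
 * -1 = not a stab kernel, so the version string cannot decide it. */
int kernel_is_fixed(const char *running)
{
    struct vzver r, f;

    if (!vzver_parse(FIXED_VERSION, &f) || !vzver_parse(running, &r))
        return -1;
    return vzver_cmp(&r, &f) >= 0 ? 1 : 0;
}

int main(void)
{
    struct utsname u;

    if (uname(&u) < 0) {
        perror("uname");
        return 2;
    }
    switch (kernel_is_fixed(u.release)) {
    case 1:  printf("%s: at or above %s\n", u.release, FIXED_VERSION); return 0;
    case 0:  printf("%s: older than %s, update and reboot\n", u.release, FIXED_VERSION); return 1;
    default: printf("%s: not a stab kernel, cannot judge\n", u.release); return 2;
    }
}
```

The check deliberately reads the running kernel rather than the RPM database: installing the new vzkernel package changes nothing on a Node until it has been rebooted into that kernel (step III of the installation procedure below).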


3. Bugs Fixed

The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

- #433452: A deadlock between do_coredump() and ptrace_start(), which leads to
           CPU intensive unkillable processes.

- #427726: [NFS,SLM]: Use-after-free by SLM code when handling "daemonized"
           kernel threads.

- #439585: [NFS]: xprt use-after-free on a Container stop operation.

- #427526: [NFS]: NFS server kernel panic while checking the /proc/locks

- #431108: [NFS]: Do not destroy sockets before all RPC tasks are completed.

- #435440: "BUG: recent printk() recursion" detected.

- #434174: Bridge code does not flush the BR_ALREADY_SEEN skb mark for input

- #433614: TSO support for 'venet' and 'veth' needs to be added.

- #436031: The 'ip_gre' module needs to be virtualized.

- #115977: The PF_USED_MATH task flag is restored incorrectly when performing
           an online migration from a Virtuozzo 3.0 Node to a Parallels
           Virtuozzo 4.0 Node.

- #431368: Throughput degrade of a TCP connection is possible after performing
           an online migration.

- #427917: A Node may hang during 'vzabackup'.

- #435139: A kernel panic may occur while accessing /proc/vz/veinfo_redir.

- #435028: readdir() and fstat() return different inode numbers inside a

The following OpenVZ bugs have been fixed:

- #1284: Dropped kernel log messages.

- #1050: 've-xattr-policy' sysctl entry to control how to react on xattr
         change from inside of a Container.

- #268:  'ppp' should be virtualized.



4. Obtaining New Kernel

You can download and install the kernel update by using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.



5. Installing New Kernel

To install the update, you should perform the following operations:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab064.4.i686.rpm \
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new



6. Required RPMs

Depending on the kind of processor on your Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:

- Enterprise:

- Enterprise with the 4GB split feature disabled:

x86_64 kernels:

- SMP:

ia64 kernel:



