Article ID: 6926, created on Nov 23, 2009, last review on May 11, 2014

Applies to: Virtuozzo containers for Linux 4.0

Release notes

--------------------------------------------------------------------------------
Synopsis:     New Parallels Virtuozzo Containers 4.0 kernel provides a
              number of important stability fixes and security and driver
              updates.
Issue date:   11-18-2009
Product:      Parallels Virtuozzo Containers 4.0
Keywords:     "stability fixes" "security updates" "driver updates"

--------------------------------------------------------------------------------

This document provides information on the new Parallels Virtuozzo Containers 4.0 kernel,
version 2.6.18-028stab066.7.

© 1999-2009 Parallels, Inc. All rights reserved.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining the New Kernel
5. Installing the New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Parallels Virtuozzo Containers (PVC) 4.0 kernel provides a new kernel
based on the Red Hat 5 kernel (2.6.18-164.2.1.el5). The updated kernel includes
a number of important security and driver updates and stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated PVC 4.0 kernel includes fixes for the following
security vulnerabilities (including those that were fixed in the
2.6.18-128.4.1.el5 - 2.6.18-164.2.1.el5 Red Hat kernels):

- The possibility of a timeout value overflow was found in the Linux kernel's
  high-resolution timers functionality, hrtimers. This could allow a local,
  unprivileged user to execute arbitrary code, or cause a denial of service
  (kernel panic). (CVE-2007-5966, Important)

- A flaw was found in the Intel PRO/1000 network driver in the Linux
  kernel. Frames with sizes near the MTU of an interface may be split across
  multiple hardware receive descriptors. Receipt of such a frame could leak
  through a validation check, leading to a corruption of the length check. A
  remote attacker could use this flaw to send a specially-crafted packet that
  would cause a denial of service or code execution.
  (CVE-2009-1385, Important)

- Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver of the
  Linux kernel. This driver allowed interfaces using the driver to receive
  frames larger than could be handled, which could lead to a remote denial of
  service or code execution. (CVE-2009-1389, Important)

- The ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a
  setuid or setgid program was executed. A local, unprivileged user could use
  this flaw to bypass the "mmap_min_addr" protection mechanism and perform a NULL
  pointer dereference attack, or bypass the Address Space Layout Randomization
  (ASLR) security feature. (CVE-2009-1895, Important)

- Ramon de Carvalho Valle reported two flaws in the Linux kernel eCryptfs
  implementation. A local attacker with permissions to perform an eCryptfs
  mount could modify the metadata of the files in that eCryptfs mount to cause
  a buffer overflow, leading to a denial of service or privilege escalation.
  (CVE-2009-2406, CVE-2009-2407, Important)

- It was discovered that when executing a new process, the "clear_child_tid"
  pointer in the Linux kernel is not cleared. If this pointer points to a
  writable portion of the memory of the new program, the kernel could corrupt
  four bytes of memory, which can cause a local denial of service or privilege
  escalation. (CVE-2009-2848, Important)

- A flaw was found in the way the "do_sigaltstack()" function in the Linux kernel
  copies the "stack_t" structure to user-space. On 64-bit machines, this flaw
  could lead to a four-byte information leak. (CVE-2009-2847, Moderate)

- A flaw was found in the ext4 file system code. A local attacker could use
  this flaw to cause a denial of service by performing a resize operation on a
  specially-crafted ext4 file system. (CVE-2009-0745, Low)

- Multiple flaws were found in the ext4 file system code. A local attacker
  could use these flaws to cause a denial of service by mounting a
  specially-crafted ext4 file system. (CVE-2009-0746, CVE-2009-0747,
  CVE-2009-0748, Low)

- A NULL pointer dereference flaw was found in the Multiple Devices (md) driver
  in the Linux kernel. If the "suspend_lo" or "suspend_hi" file on the sysfs
  file system ("/sys/") is modified when the disk array is inactive, it could
  lead to a local denial of service or privilege escalation. Note: By default,
  only the root user can write to the files mentioned above.
  (CVE-2009-2849, Moderate)

- A Container's memory used by "tmpfs" partitions was not accounted for by SLM.
  This might slow down the Hardware Node or lead to a denial of service.


The updated Parallels Virtuozzo Containers 4.0 kernel includes fixes for the
following issues:

- [c2v]: A kernel panic may occur during a Container migration to
  a Parallels Server Bare Metal Virtual Machine due to a bug in
  arguments handling in the Network Block Device driver.

- A Hardware Node may stall while printing the call traces for all processes
  (caused by the Alt+SysRQ+p magic key interrupt) due to incorrect NMI handling.

- The default size of the "tmpfs" filesystem was set to half the amount of the
  Hardware Node's memory.

- Two different UDP sockets may be bound to the same port inside a Container,
  resulting in an "aim7" test suite failure.

- A Container based on the Ubuntu 8.04 template may fail to migrate (checkpoint)
  with the following message: "Error: d_path is invisible /dev."

- The control script for the Oracle CSS daemon ("init.cssd", a part of
  Oracle 11g Release 1 RAC software) may fail to work and fill logs with
  the following message:
  "Oprocd detected system hang while in nonfatal mode. Respawning."

- An iptables NAT rule configured on a Hardware Node may conflict with
  a virtual network created by "vznetcfg" and fail to work, printing the
  following message to the syslog:
  "Performing cross-bridge DNAT requires IP forwarding to be enabled."

- A kernel crash may occur after the Packet Generator tool kernel module
  (pktgen.ko) is loaded.

- The "sched_getcpu()" function may return an incorrect number for the current
  CPU if a process was migrated to another CPU via a user request.


The updated PVC 4.0 kernel includes several driver updates:

- The Distributed Replicated Block Device (DRBD) driver has been updated
  to version 8.3.4.

- The Global File System (GFS) driver has been updated to version 0.1.34-2.


The new PVC 4.0 kernel also includes the following
improvements:

- The memory reclaiming algorithm has been modified, resulting in a
  significant NUMA node performance improvement.

- Handling of the "magic" Alt+SysRQ key has been enhanced:
  now, disabling SysRQ keys (via "echo 0 > /proc/sys/sysrq") also disables
  the ability to execute SysRQ key handlers via the "/proc/sysrq-trigger" file.

- A "kmemsize" debugging mechanism has been added, which simplifies
  the investigation of "kmemsize" leaks.

- The "Veth" driver statistics have been enhanced to report correct "tx_dropped"
  packet values.

- The UDP hash table size has been significantly increased to speed up UDP
  traffic handling, which is important, for example, for Containers running
  Asterisk servers, especially in the Full Proxy mode.

  Alternatively, the UDP hash table size can be configured via the "uhash_entries="
  kernel boot parameter.

- Softirq statistics can now be monitored via the "/proc/softirq" file.

- "root" on a Hardware Node may now run some new processes, even if the overall
  number of processes/threads on the Node exceeds the "kernel.threads-max"
  sysctl. In particular, this feature allows "root" to log in to an overloaded
  Hardware Node.


We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
PVC 4.0 kernel:

- #439997: OOM on the Hardware Node when SLM-based Container exceeds its
           memory limit.

- #445670: A kernel panic occurs during a Container-to-Virtual Machine migration.

- #436393: A Hardware Node stalls on Alt+SysRQ+p interrupt.

- #439785: Two different UDP sockets may be bound to the same port inside
           a Container.

- #120852: A Container based on Ubuntu 8.04 fails to migrate.

- #448149: Oracle 11g Release 1 RAC requires that the /proc/sysrq-trigger
           be accessible inside the Container.

- #441199: A NAT rule configured on a Hardware Node stops working after virtual
           network creation.

- #438358: Sometimes, NUMA nodes run too slow, especially on massive
           disk I/O operations.

- #443339: Disabling SysRQ via "/proc/sys/sysrq" does not disable the
           "/proc/sysrq-trigger" interface.

- #439935: Per-Container "kmem-cache" statistics need to be exported to simplify
           kmemsize memory leak investigations.

- #440467: Too high an overhead of UDP traffic handling if the system
           has many opened UDP sockets.

- #455262: Unable to log in to a server with a huge number of Containers
           running.


The following OpenVZ bugs have been fixed:

- #1198: A Container based on Ubuntu 8.04 cannot be checkpointed.

- #1325: Kernel panic due to incorrect CPU checking in "pktgen_thread_worker()".

- #1149: The vDSO cache coherency problem (returning previously cached value)
         might cause the "sched_getcpu()" function to return an obsolete value.

--------------------------------------------------------------------------------

4. OBTAINING THE NEW KERNEL

You can download and install this kernel update using the "vzup2date" utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

5. INSTALLING THE NEW KERNEL

To install the update, perform the following operations:

I. Use the "rpm -ivh" command to install the new kernel and PVC modules.

# rpm -ivh vzkernel-2.6.18-028stab066.7.i686.rpm \
vzmodules-2.6.18-028stab066.7.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the "lilo" command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.
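Because "rpm -ivh" keeps the previously installed kernels bootable, the security fixes above are only live once the Hardware Node actually boots 2.6.18-028stab066.7 or newer. The following POSIX sh helper is an added example, not part of the Parallels update tooling: it parses the PVC 4.0 release scheme "2.6.18-NNNstabMMM.P" (as printed by "uname -r") and compares the running kernel against the expected release; the function names are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Parallels code): verify after the
# reboot that the booted kernel carries this update.

EXPECTED="2.6.18-028stab066.7"   # release shipped by this update (from the notes)

# Print the numeric fields of a PVC release string, space-separated:
#   "2.6.18-028stab066.7" -> "2 6 18 28 66 7"
# A missing stab minor (e.g. "...stab066") counts as 0. Non-PVC releases
# (no "stab" component) fail with status 1.
vz_fields() {
    case $1 in *stab*) ;; *) return 1 ;; esac
    printf '%s\n' "$1" | awk -F'[.-]' '{
        # $1 $2 $3 = base kernel triple, $4 = "028stab066", $5 = stab minor
        split($4, s, "stab")
        printf "%d %d %d %d %d %d\n", $1, $2, $3, s[1], s[2], ($5 == "" ? 0 : $5)
    }'
}

# Return 0 if release $1 is the same as or newer than release $2,
# 1 if it is older, 2 if either string is not a PVC release.
# Fields are compared numerically, so stab066.10 is newer than stab066.7.
vz_kernel_at_least() {
    have=$(vz_fields "$1") || return 2
    want=$(vz_fields "$2") || return 2
    set -- $have                 # positional params now hold the fields of "have"
    for w in $want; do
        [ "$1" -gt "$w" ] && return 0
        [ "$1" -lt "$w" ] && return 1
        shift
    done
    return 0                     # every field equal
}

# On a live Hardware Node: compare what is actually booted with $EXPECTED.
check_running_kernel() {
    running=$(uname -r)
    if vz_kernel_at_least "$running" "$EXPECTED"; then
        echo "OK: running $running (>= $EXPECTED)"
    else
        echo "NOT UPDATED: running $running, expected $EXPECTED; install and reboot"
        return 1
    fi
}

# Run "sh thisscript.sh --check" on the Node after step III.
case ${1-} in --check) check_running_kernel ;; esac
```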

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the processor you have on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab066.7.i686.rpm
   vzmodules-2.6.18-028stab066.7.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab066.7.i686.rpm
   vzmodules-ent-2.6.18-028stab066.7.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab066.7.i686.rpm
   vzmodules-PAE-2.6.18-028stab066.7.i686.rpm


x86_64 kernels:

- SMP:
   vzkernel-2.6.18-028stab066.7.x86_64.rpm
   vzmodules-2.6.18-028stab066.7.x86_64.rpm


--------------------------------------------------------------------------------

7. REFERENCE LIST

https://rhn.redhat.com/errata/RHSA-2009-1193.html

https://rhn.redhat.com/errata/RHSA-2009-1222.html

https://rhn.redhat.com/errata/RHSA-2009-1243.html

https://rhn.redhat.com/errata/RHSA-2009-1455.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2849

