Article ID: 8080, created on Feb 15, 2010, last review on Jul 25, 2014

Applies to: Virtuozzo containers for Linux 4.0

Release notes

Synopsis:    New Parallels Virtuozzo Containers 4.0 kernel provides a
             number of important stability fixes and security updates.
Issue date:  2010-02-12
Product:     Parallels Virtuozzo Containers 4.0
Keywords:    'stability fixes' 'security updates'


This document provides information on the new Virtuozzo Containers 4.0 kernel,
version 2.6.18-028stab068.3.

© 1999-2010 Parallels, Inc. All rights reserved.


1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List



1. About This Release

The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the Red Hat 5 kernel (2.6.18-164.11.1.el5). The updated kernel includes
a number of important security and stability fixes.



2. Updates Description

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
security vulnerabilities (including those that were fixed in the
2.6.18-164.11.1.el5 Red Hat kernel):

- An array index error was found in the gdth driver. A local user could send a
  specially crafted IOCTL request that would cause a denial of service or,
  possibly, privilege escalation. (CVE-2009-3080, Important)

- A flaw was found in the FUSE implementation. When a system is low on memory,
  fuse_put_request() could dereference an invalid pointer, possibly leading to
  a local denial of service or privilege escalation.
  (CVE-2009-4021, Important)

- Tavis Ormandy discovered a deficiency in the fasync_helper() implementation.
  This could allow a local, unprivileged user to leverage a use-after-free of
  locked, asynchronous file descriptors to cause a denial of service or
  privilege escalation. (CVE-2009-4141, Important)

- The Parallels Virtuozzo Containers team reported that the RHSA-2009:1243
  update introduced two flaws in the routing implementation. If an attacker was
  able to cause a large enough number of collisions in the routing hash table
  (via specially crafted packets) for the emergency route flush to trigger, a
  deadlock could occur. Secondly, if the kernel routing cache was disabled, an
  uninitialized pointer would be left behind after a route lookup, leading to a
  kernel panic. (CVE-2009-4272, Important)

- The RHSA-2009:0225 update introduced a rewrite attack flaw in the
  do_coredump() function. A local attacker able to guess the file name a
  process is going to dump its core to prior to the process crashing, could
  use this flaw to append data to the dumped core file. This issue only affects
  systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value
  is 0).  (CVE-2006-6304, Moderate)

  The fix for CVE-2006-6304 changes the expected behavior: With suid_dumpable
  set to 2, the core file will not be recorded if the file already exists.
  For example, core files will not be overwritten on subsequent crashes of
  processes whose core files map to the same name.

- An information leak was found in the Linux kernel. On AMD64 systems, 32-bit
  processes could access and read certain 64-bit registers by temporarily
  switching themselves to 64-bit mode. (CVE-2009-2910, Moderate)

- The RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support
  in the qla2xxx driver, resulting in two new sysfs pseudo files,
  "/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete".
  These two files were world-writable by default, allowing a local user to
  change SCSI host attributes. This flaw only affects systems using the qla2xxx
  driver and NPIV capable hardware. (CVE-2009-3556, Moderate)

- Permission issues were found in the megaraid_sas driver. The "dbg_lvl" and
  "poll_mode_io" files on the sysfs file system ("/sys/") had world-writable
  permissions. This could allow local, unprivileged users to change the
  behavior of the driver. (CVE-2009-3889, CVE-2009-3939, Moderate)

- A NULL pointer dereference flaw was found in the firewire-ohci driver used
  for OHCI compliant IEEE 1394 controllers. A local, unprivileged user with
  access to /dev/fw* files could issue certain IOCTL calls, causing a denial of
  service or privilege escalation. The FireWire modules are blacklisted by
  default, and if enabled, only root has access to the files noted above by
  default. (CVE-2009-4138, Moderate)

- A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS
  file system implementation. This could lead to a denial of service if a user
  browsed a specially crafted HFS file system, for example, by running "ls".
  (CVE-2009-4020, Low)
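
Several of the issues above depend on local configuration (suid_dumpable set to 2, world-writable qla2xxx and megaraid_sas sysfs files). The following audit script is an added example, not part of the Parallels release notes; the function names, the optional root-prefix argument and the megaraid_sas driver directory under /sys are assumptions.

```shell
#!/bin/sh
# Added example (not from the release notes): audit the configuration-dependent
# exposures listed above. The optional root prefix is an assumption that lets
# the checks run against a copied or constructed tree instead of the live host.

# Prints the suid_dumpable value. Returns 1 if it is 2 (the only setting
# affected by CVE-2006-6304), 2 if the file cannot be read, 0 otherwise.
check_suid_dumpable() {
    root=${1:-}
    f="$root/proc/sys/fs/suid_dumpable"
    [ -r "$f" ] || { echo "unknown"; return 2; }
    val=$(cat "$f")
    echo "$val"
    [ "$val" != "2" ]
}

# Prints each audited sysfs file whose "other" write bit is set.
# vport_create/vport_delete: CVE-2009-3556 (qla2xxx with NPIV).
# dbg_lvl/poll_mode_io: CVE-2009-3889, CVE-2009-3939 (megaraid_sas); the
# driver directory used for them below is an assumption.
find_world_writable() {
    root=${1:-}
    for f in \
        "$root"/sys/class/scsi_host/*/vport_create \
        "$root"/sys/class/scsi_host/*/vport_delete \
        "$root"/sys/bus/pci/drivers/megaraid_sas/dbg_lvl \
        "$root"/sys/bus/pci/drivers/megaraid_sas/poll_mode_io
    do
        [ -e "$f" ] || continue   # driver absent or glob did not match
        if [ -n "$(find "$f" -prune -perm -0002)" ]; then
            echo "${f#"$root"}"
        fi
    done
}

# Runs both checks; returns 0 only when neither reports a finding.
audit() {
    root=${1:-}
    rc=0
    val=$(check_suid_dumpable "$root") || rc=1
    echo "suid_dumpable=$val"
    hits=$(find_world_writable "$root")
    [ -z "$hits" ] || { echo "world-writable:"; echo "$hits"; rc=1; }
    return "$rc"
}

# Usage: sh audit.sh --audit [ROOT]
case "${1:-}" in --audit) audit "${2:-}" ;; esac
```

Running it before and after the kernel update shows whether the sysfs permissions changed on hosts that load these drivers.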

The updated Parallels Virtuozzo Containers 4.0 kernel also includes fixes for
the following issues:

- A kernel panic may occur while reading "/proc/bc/0/ioprio_queues" because
  some disk drivers do not create kernel objects correctly.

- A kernel panic may occur if a network interface registered on the Hardware
  Node and "moved" inside a Container is unregistered inside the Container.

- A network device may leak on stopping a Container due to positive refcounters.
  The leak is accompanied by the following message:
  "unregister_netdevice: waiting for eth0.125=ffff8101608ad000 to become free.
  Usage count = 1 ve=0".

- "vztop" on a Hardware Node shows in the "#C" column the last used virtual CPU
  instead of the last physical one.

- When launched inside a Container, OpenVPN may fail to change the tx queue
  length and display the following warning: "Note: Cannot set tx queue length
  on tun0: Operation not permitted (errno=1)".
  Note: Despite the warning, OpenVPN works properly inside the Container.

- "vmstat" may report an incorrect number of running processes inside a
  Container (for example, "4294967295").

The new Virtuozzo Containers 4.0 kernel also includes the following

- The signalfd() syscall has been backported to the kernel to provide better
  support for Containers based on templates of modern Linux distributions (in
  particular, Ubuntu 9.10).

We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.


3. Bugs Fixed

The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

- #443066: A kernel panic may occur while reading "/proc/bc/0/ioprio_queues".

- #463901: A kernel panic may occur while unregistering a VLAN device inside
           a Container if the device was registered on the Hardware Node.

- #464097: Network devices leakage may occur.

- #440208: Last physical CPU must be shown by "vztop" in the "#C" column.

- #457318: OpenVPN fails to change tx queue length on tun0 inside a Container.

- #112738: The number of running processes may be reported incorrectly inside
           a Container.

The following OpenVZ bug has been fixed:

- #1415: signalfd() syscall support is required by modern distributions.



4. Obtaining New Kernel

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.



5. Installing New Kernel

To install the update, perform the following operations:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab068.3.i686.rpm \
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new



6. Required RPMs

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:

- Enterprise:

- Enterprise with the 4GB split feature disabled:

x86_64 kernels:

- SMP:


