Executive Summary

Summary
Title: Red Hat Enterprise Linux 6 kernel update
Information
Name: RHSA-2013:0496
First vendor Publication: 2013-02-21
Vendor: RedHat
Last vendor Modification: 2013-02-21
Severity (Vendor): Important
Revision: 02

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:L/AC:M/Au:S/C:C/I:C/A:C)
Cvss Base Score: 6.6
Attack Range: Local
Cvss Impact Score: 10
Attack Complexity: Medium
Cvss Exploit Score: 2.7
Authentication: Requires single instance

Detail

Problem Description:

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the fourth regular update.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues:

* A race condition was found in the way asynchronous I/O and fallocate() interacted when using the ext4 file system. A local, unprivileged user could use this flaw to expose random data from an extent whose data blocks have not yet been written, and thus contain data from a deleted file. (CVE-2012-4508, Important)

* A flaw was found in the way the vhost kernel module handled descriptors that spanned multiple regions. A privileged guest user in a KVM guest could use this flaw to crash the host or, potentially, escalate their privileges on the host. (CVE-2013-0311, Important)

* It was found that the default SCSI command filter does not accommodate commands that overlap across device classes. A privileged guest user could potentially use this flaw to write arbitrary data to a LUN that is passed-through as read-only. (CVE-2012-4542, Moderate)

* A flaw was found in the way the xen_failsafe_callback() function in the Linux kernel handled the failed iret (interrupt return) instruction notification from the Xen hypervisor. An unprivileged user in a 32-bit para-virtualized guest could use this flaw to crash the guest. (CVE-2013-0190, Moderate)

* A flaw was found in the way pmd_present() interacted with PROT_NONE memory ranges when transparent hugepages were in use. A local, unprivileged user could use this flaw to crash the system. (CVE-2013-0309, Moderate)

* A flaw was found in the way CIPSO (Common IP Security Option) IP options were validated when set from user mode. A local user able to set CIPSO IP options on the socket could use this flaw to crash the system. (CVE-2013-0310, Moderate)

Red Hat would like to thank Theodore Ts'o for reporting CVE-2012-4508, and Andrew Cooper of Citrix for reporting CVE-2013-0190. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. The CVE-2012-4542 issue was discovered by Paolo Bonzini of Red Hat.

This update also fixes several hundred bugs and adds enhancements. Refer to the Red Hat Enterprise Linux 6.4 Release Notes for information on the most significant of these changes, and the Technical Notes for further information, both linked to in the References.

All Red Hat Enterprise Linux 6 users are advised to install these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Red Hat Enterprise Linux 6.4 Release Notes and Technical Notes. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

664586 - ALSA - backport the recent USB audio driver from upstream (to fix low audio volume issue, new hw enablement)
700324 - RFE: add online discard support to XFS
734051 - rhel6.1 guest hang when unplug is using virtio disk from monitor
735768 - kernel BUG at fs/jbd2/commit.c:353 or fs/jbd/commit.c:319 hitting J_ASSERT(journal->j_running_transaction != NULL) in journal_commit_transaction
749273 - Failure to resume from suspend (nVidia Quadro NVS 400)
758202 - pNFS read crashes when mounting with rsize < 4096
767886 - ATS capability is disabled when NIC is assigned to a guest
784174 - SECINFO support in the NFS v4 client in RHEL 6
796352 - NFS mounts fail against Windows 8 servers
796992 - krb5p mounts fail against a Microsoft 8 server.
807503 - xfs contention problem
808112 - [nfsv4] open(O_CREAT) returns EEXISTS on symbolic link created on another system until stat()ed
813137 - [xfs/xfstests 273] heavy cp workload hang
813227 - Balloon value reported doesn't get updated after guest driver is removed and re-inserted.
816059 - can not Install guest(RHEL6.3 32) using scsi-hd and scsi-cd
816308 - kvm: 9480: cpu0 unimplemented perfctr wrmsr: 0x186 data 0x130079
816880 - ALSA: Update the snd-oxygen and snd-virtuoso (CMI87xx based) drivers for RHEL 6.4
816888 - kernel panic in qfq_dequeue
817243 - Guest failed to resume from S4 after migration with kvmclock
821060 - dlm: make dlm_recv single threaded
821463 - SEP CPU flag is disabled on Intel 64 bit when exec_shield is on
822075 - Console complain about "Unable to load target_core_stgt"
823018 - link of a delegated file fails (due to server returning NOENT instead of DELAY)
823625 - cifs: fix handling of scopeid in cifs_convert_address
823630 - cifs: simplify open code
823842 - cifs: Cleanup TCP_SERVER_Info
823843 - cifs: Fix oplock break handling
823878 - cifs: Simplify cache invalidation
823902 - cifs: Add rwpidforward mount option [kernel]
823934 - cifs: Cleanup cifs mount code.
824065 - cifs: Introduce code required for cifs idmap and ACL support
824964 - dlm: deadlock between dlm_send and dlm_controld
825009 - NFSv4.1: Add LAYOUTRETURN support
826067 - Use-after-free on CPU hotplug
826650 - pNFS: Page Infrastructure Upgrades.
827474 - [RHEL 6.4] Sync up perf tool with upstream 3.4 [perf-tool]
829031 - Fix KVM device assignment bridge test
830977 - [RHEL6 kernel] crypto: sha512 - Fix byte counter overflow in SHA-512
832252 - cifs_async_writev blocked by limited kmap on i386 with high-mem
832301 - windows 8 32bit can not be installed on qemu-kvm
832434 - nfs: rpciod is blocked in nfs_release_page waiting for nfs_commit_inode to complete
832486 - KVM: make GET_SUPPORTED_CPUID whitelist-based
834097 - Performance regression between kernels 2.6.32-131.0.15 and 2.6.32-220
836803 - RHEL6: Potential fix for leapsecond caused futex related load spikes
837871 - pNFS: General Client Infrastructure
839266 - Change network with netconsole loaded cause kernel panic
839984 - [PATCH sysfs] kernel cannot rename network interfaces
840458 - RFE - Virtio-scsi should support block_resize
841578 - Update wireless LAN subsystem
841604 - Add support for modern Ralink wireless devices (28xx/3xxx/53xx chips)
841622 - add virtio-scsi unlocked kick patches
841983 - VLAN configured on top of a bonded interface (active-backup) does not failover
842312 - nfs_attr_use_mounted_on_file() returns wrong value
842435 - NFSv4 Handle a bad or revoked delegation
844542 - virtio: Use ida to allocate virtio index
844579 - virtio-rng: 'cat' process hangs when ^C pressed when there's no input
844582 - virtio-rng: module removal doesn't succeed till input from host received
844583 - s3/s4 support for virtio-rng driver
845233 - XFS regularly truncating files after crash/reboot
846585 - [qemu-kvm] [hot-plug] qemu-process (RHEL6.3 guest) goes into D state during nic hot unplug (netdev_del hostnet1)
846702 - [RHEL 6.4] Sync up perf tool with upstream 3.5 [perf-tool]
847722 - backport: KVM: fix race with level interrupts
849223 - RHEL5 Xen SR-IOV VF PCI passthru does not work to RHEL6 HVM guest; no interrupts received on the guest VF
850642 - Fuse: backport FUSE_AUTO_INVAL_DATA flag support and related patches
851312 - pNFS client fails to select correct DS from multipath
854066 - [rhel6] lvs: issues with GRO / icmp fragmentation needed
854584 - mmu_notifier: updates for RHEL6.4
855436 - Spurious LVDS detected on HP T5740
855448 - DM RAID: Bad table argument could cause kernel panic
857555 - nfs: fix potential slabcache leaks when cache allocations fail
857792 - drm rebase bug for 6.4
857956 - hpsa: fix handling of protocol error
858292 - cciss: fix handling of protocol error
858850 - fuse: backport scatter-gather direct IO
859242 - [6.4] Backport upstream XFS fixes
859259 - parallel perf build fails
859355 - wireless: crash in crypto_destroy_tfm
860404 - [RHEL 6.4] Sync up perf tool with upstream latest 3.6 [perf-tool]
862025 - wl1251_sdio driver missed in RHEL6.4
863077 - Soft lockup on reboot with an active VG
863212 - SUNRPC: Patch inclusion request
865380 - Kernel oops/crash when running perf on a SandyBridge host
865666 - host boot fail and when system boots with kernel parameter intel_iommu=on
865929 - xfs: report projid32bit feature in geometry call
866271 - When browse option is used, failed mounts by AutoFS leave broken directories
866417 - iwlwifi rmmod crash after roaming
867169 - nouveau in optimus configuration oops on load
867688 - sysctl table check failed: /net/ipv6/nf_conntrack_frag6_low_thresh Unknown sysctl binary path
868233 - [xfs/md] NULL pointer dereference - xfs_alloc_ioend_bio
869856 - [Arrandale] Text disappearing in Firefox and Terminal
869904 - CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure
870246 - LVM RAID: Images that are reintroduced into an array are not synced
870297 - storvsc: Account for in-transit packets in the RESET path
871350 - Add minimal hyper-v support to kvm in order to support relaxed timing feature
871630 - DM RAID: kernel panic when attempting to activate partial RAID LV (i.e. an array that has missing devices)
871968 - RPC tasks can deadlock during rpc_shutdown
872229 - export the symbol nfs_fs_type
872232 - export the symbol nfs_fhget
872799 - net: WARN if struct ip_options was allocated directly by kmalloc [rhel-6.4]
873226 - attaching a dummy interface to bonding device causes a crash
873462 - PCIe SRIOV VFs may not configure on PCIe port with no ARI support
873816 - NFSv4 referrals fail if NFS server returns hostnames rather than IP addresses (Kernel part)
874322 - [6.4] XFS log recovery failure leads to loss of data
874539 - [xfs] Bug on invaliding page that is not locked
875309 - An Hyper-V RHEL6.3 Guest is unreachable from the network after live migration
875360 - CVE-2012-4542 kernel: block: default SCSI command filter does not accomodate commands overlap across device classes
896038 - CVE-2013-0190 kernel: stack corruption in xen_failsafe_callback()
912898 - CVE-2013-0309 kernel: mm: thp: pmd_present and PROT_NONE local DoS
912900 - CVE-2013-0310 kernel: net: CIPSO_V4_TAG_LOCAL tag NULL pointer dereference
912905 - CVE-2013-0311 kernel: vhost: fix length for cross region descriptor

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2013-0496.html

CWE : Common Weakness Enumeration

% Id Name
40 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
20 % CWE-362 Race Condition
20 % CWE-264 Permissions, Privileges, and Access Controls
20 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:17388
 
Oval ID: oval:org.mitre.oval:def:17388
Title: USN-1580-1 -- Linux kernel (OMAP4) vulnerabilities
Description: Several security issues were fixed in the kernel.
Family: unix Class: patch
Reference(s): usn-1580-1
CVE-2012-3412
CVE-2012-3430
CVE-2012-6547
CVE-2013-0310
Version: 7
Platform(s): Ubuntu 12.04
Product(s): linux-ti-omap4
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17503
 
Oval ID: oval:org.mitre.oval:def:17503
Title: USN-1728-1 -- linux-ec2 vulnerability
Description: The system could be made to crash under certain conditions.
Family: unix Class: patch
Reference(s): USN-1728-1
CVE-2013-0190
Version: 7
Platform(s): Ubuntu 10.04
Product(s): linux-ec2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17557
 
Oval ID: oval:org.mitre.oval:def:17557
Title: USN-1554-1 -- linux vulnerability
Description: The system could be made to crash under certain conditions.
Family: unix Class: patch
Reference(s): USN-1554-1
CVE-2012-2372
CVE-2012-6547
CVE-2013-0310
Version: 7
Platform(s): Ubuntu 11.10
Product(s): linux
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17699
 
Oval ID: oval:org.mitre.oval:def:17699
Title: USN-1558-1 -- linux-ti-omap4 vulnerability
Description: The system could be made to crash under certain conditions.
Family: unix Class: patch
Reference(s): USN-1558-1
CVE-2012-2372
CVE-2012-6547
CVE-2013-0310
Version: 7
Platform(s): Ubuntu 11.10
Product(s): linux-ti-omap4
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18026
 
Oval ID: oval:org.mitre.oval:def:18026
Title: USN-1579-1 -- linux vulnerabilities
Description: Several security issues were fixed in the kernel.
Family: unix Class: patch
Reference(s): USN-1579-1
CVE-2012-3412
CVE-2012-3430
CVE-2012-6547
CVE-2013-0310
Version: 7
Platform(s): Ubuntu 12.04
Product(s): linux
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18035
 
Oval ID: oval:org.mitre.oval:def:18035
Title: USN-1563-1 -- linux-lts-backport-oneiric vulnerability
Description: The system could be made to crash under certain conditions.
Family: unix Class: patch
Reference(s): USN-1563-1
CVE-2012-2372
CVE-2012-6547
CVE-2013-0310
Version: 7
Platform(s): Ubuntu 10.04
Product(s): linux-lts-backport-oneiric
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18106
 
Oval ID: oval:org.mitre.oval:def:18106
Title: USN-1719-1 -- linux-lts-backport-oneiric vulnerabilities
Description: Several security issues were fixed in the kernel.
Family: unix Class: patch
Reference(s): USN-1719-1
CVE-2012-2669
CVE-2012-4508
CVE-2013-0190
Version: 7
Platform(s): Ubuntu 10.04
Product(s): linux-lts-backport-oneiric
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18180
 
Oval ID: oval:org.mitre.oval:def:18180
Title: USN-1725-1 -- linux vulnerability
Description: The system could be made to crash under certain conditions.
Family: unix Class: patch
Reference(s): USN-1725-1
CVE-2013-0190
Version: 7
Platform(s): Ubuntu 10.04
Product(s): linux
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18232
 
Oval ID: oval:org.mitre.oval:def:18232
Title: USN-1720-1 -- linux vulnerabilities
Description: Several security issues were fixed in the kernel.
Family: unix Class: patch
Reference(s): USN-1720-1
CVE-2012-2669
CVE-2012-4508
CVE-2012-5532
CVE-2013-0190
Version: 7
Platform(s): Ubuntu 11.10
Product(s): linux
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20908
 
Oval ID: oval:org.mitre.oval:def:20908
Title: RHSA-2013:0496: Red Hat Enterprise Linux 6 kernel update (Important)
Description: The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges.
Family: unix Class: patch
Reference(s): RHSA-2013:0496-02
CESA-2013:0496
CVE-2012-4508
CVE-2012-4542
CVE-2013-0190
CVE-2013-0309
CVE-2013-0310
CVE-2013-0311
Version: 87
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): kernel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23868
 
Oval ID: oval:org.mitre.oval:def:23868
Title: ELSA-2013:0496: Red Hat Enterprise Linux 6 kernel update (Important)
Description: The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges.
Family: unix Class: patch
Reference(s): ELSA-2013:0496-02
CVE-2012-4508
CVE-2012-4542
CVE-2013-0190
CVE-2013-0309
CVE-2013-0310
CVE-2013-0311
Version: 29
Platform(s): Oracle Linux 6
Product(s): kernel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27362
 
Oval ID: oval:org.mitre.oval:def:27362
Title: DEPRECATED: ELSA-2013-0496 -- Oracle Linux 6 kernel security and bugfix update (important)
Description: This update fixes the following security issues: * A race condition was found in the way asynchronous I/O and fallocate() interacted when using the ext4 file system. A local, unprivileged user could use this flaw to expose random data from an extent whose data blocks have not yet been written, and thus contain data from a deleted file. (CVE-2012-4508, Important) * A flaw was found in the way the vhost kernel module handled descriptors that spanned multiple regions. A privileged guest user in a KVM guest could use this flaw to crash the host or, potentially, escalate their privileges on the host. (CVE-2013-0311, Important) * It was found that the default SCSI command filter does not accommodate commands that overlap across device classes. A privileged guest user could potentially use this flaw to write arbitrary data to a LUN that is passed-through as read-only. (CVE-2012-4542, Moderate) * A flaw was found in the way the xen_failsafe_callback() function in the Linux kernel handled the failed iret (interrupt return) instruction notification from the Xen hypervisor. An unprivileged user in a 32-bit para-virtualized guest could use this flaw to crash the guest. (CVE-2013-0190, Moderate) * A flaw was found in the way pmd_present() interacted with PROT_NONE memory ranges when transparent hugepages were in use. A local, unprivileged user could use this flaw to crash the system. (CVE-2013-0309, Moderate) * A flaw was found in the way CIPSO (Common IP Security Option) IP options were validated when set from user mode. A local user able to set CIPSO IP options on the socket could use this flaw to crash the system. (CVE-2013-0310, Moderate)
Family: unix Class: patch
Reference(s): ELSA-2013-0496
CVE-2013-0190
CVE-2013-0309
CVE-2013-0311
CVE-2013-0310
CVE-2012-4508
CVE-2012-4542
Version: 4
Platform(s): Oracle Linux 6
Product(s): kernel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27555
 
Oval ID: oval:org.mitre.oval:def:27555
Title: ELSA-2013-2523 -- Unbreakable Enterprise kernel security and bugfix update (important)
Description: [2.6.39-400.23.1] - Parallel mtrr init between cpus (Zhenzhong Duan) [Orabug: 16777774] - Merge tag 'v2.6.39-400.21.1.16748891' of git://ca-git.us.oracle.com/linux-uek-2.6.39-ofed into uek-2.6.39-400 (Maxim Uvarov) [Orabug: 16748891] - xen-blkfront: use a different scatterlist for each request (Roger Pau Monne) - Fix EN driver to work with newer FWs based on latest mlx4_core (Yuval Shaia) [Orabug: 16748891] [2.6.39-400.22.1] - block: default SCSI command filter does not accomodate commands overlap across device classes (Jamie Iles) [Orabug: 16387137] {CVE-2012-4542} - Merge tag 'v2.6.39-400.21.1#bug16684527' of git://ca-git.us.oracle.com/linux-joejin-public into uek-2.6.39-400_errata (Maxim Uvarov) [Orabug: 16684527] - KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) (Andy Honig) [Orabug: 16711660] {CVE-2013-1797} - Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711065] {CVE-2013-0349} - USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425358] {CVE-2013-1774} - keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493354] {CVE-2013-1792} - KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug: 16710951] {CVE-2013-1798} - KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Andy Honig) [Orabug: 16710806] {CVE-2013-1796} - tmpfs: fix use-after-free of mempolicy object (Greg Thelen) [Orabug: 16515833] {CVE-2013-1767} - procfs: do not confuse jiffies with cputime64_t (Andreas Schwab) [Orabug: 16673925] - procfs: do not overflow get_{idle,iowait}_time for nohz (Michal Hocko) [Orabug: 16673925] - xen/evtchn: Handle VIRQ_TIMER before any other hardirq in event loop. (Keir Fraser) [Orabug: 16093126] - Fix device removal NULL pointer dereference (Joe Jin) [Orabug: 16684527] - put stricter guards on queue dead checks (James Bottomley) [Orabug: 16684527]
Family: unix Class: patch
Reference(s): ELSA-2013-2523
CVE-2012-4542
Version: 3
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): kernel-uek
kernel-uek-debug
kernel-uek-debug-devel
kernel-uek-devel
kernel-uek-doc
kernel-uek-firmware
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27654
 
Oval ID: oval:org.mitre.oval:def:27654
Title: ELSA-2013-2507 -- Unbreakable Enterprise kernel security and bug fix update (important)
Description: [2.6.39-400.17.1] - This is a fix on dlm_clean_master_list() (Xiaowei.Hu) - RDS: fix rds-ping spinlock recursion (jeff.liu) [Orabug: 16223050] - vhost: fix length for cross region descriptor (Michael S. Tsirkin) [Orabug: 16387183] {CVE-2013-0311} - kabifix: block/scsi: Allow request and error handling timeouts to be specified (Maxim Uvarov) - block/scsi: Allow request and error handling timeouts to be specified (Martin K. Petersen) [Orabug: 16372401] - [SCSI] Shorten the path length of scsi_cmd_to_driver() (Li Zhong) [Orabug: 16372401] - Fix NULL dereferences in scsi_cmd_to_driver (Mark Rustad) [Orabug: 16372401] - SCSI: Fix error handling when no ULD is attached (Martin K. Petersen) [Orabug: 16372401] - Handle disk devices which can not process medium access commands (Martin K. Petersen) [Orabug: 16372401] - the ac->ac_allow_chain_relink=0 won't disable group relink (Xiaowei.Hu) [Orabug: 14842737] - pci: hotplug: fix null dereference in pci_set_payload() (Jerry Snitselaar) [Orabug: 16345420]
Family: unix Class: patch
Reference(s): ELSA-2013-2507
CVE-2013-0228
CVE-2013-0309
CVE-2013-0311
CVE-2013-0310
Version: 3
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): kernel-uek
kernel-uek-debug
kernel-uek-debug-devel
kernel-uek-devel
kernel-uek-doc
kernel-uek-firmware
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27657
 
Oval ID: oval:org.mitre.oval:def:27657
Title: ELSA-2013-2504 -- Unbreakable Enterprise kernel security update (moderate)
Description: [2.6.32-300.39.4] - exec: do not leave bprm->interp on stack (Kees Cook) [Orabug: 16286741] {CVE-2012-4530} - exec: use -ELOOP for max recursion depth (Kees Cook) [Orabug: 16286741] {CVE-2012-4530} [2.6.32-300.39.3] - Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests. (Frediano Ziglio) [Orabug: 16274192] {CVE-2013-0190}
Family: unix Class: patch
Reference(s): ELSA-2013-2504
CVE-2012-4530
CVE-2013-0190
Version: 5
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): kernel-uek
mlnx_en
ofa
kernel-uek-debug
kernel-uek-debug-devel
kernel-uek-devel
kernel-uek-doc
kernel-uek-firmware
kernel-uek-headers
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 1
Os 1813
Os 1

OpenVAS Exploits

Date Description
2012-12-18 Name : Fedora Update for kernel FEDORA-2012-20240
File : nvt/gb_fedora_2012_20240_kernel_fc16.nasl
2012-12-06 Name : CentOS Update for kernel CESA-2012:1540 centos5
File : nvt/gb_CESA-2012_1540_kernel_centos5.nasl
2012-12-06 Name : RedHat Update for kernel RHSA-2012:1540-01
File : nvt/gb_RHSA-2012_1540-01_kernel.nasl
2012-12-04 Name : Fedora Update for kernel FEDORA-2012-19337
File : nvt/gb_fedora_2012_19337_kernel_fc17.nasl
2012-11-29 Name : Fedora Update for kernel FEDORA-2012-18691
File : nvt/gb_fedora_2012_18691_kernel_fc16.nasl
2012-11-23 Name : Fedora Update for kernel FEDORA-2012-18684
File : nvt/gb_fedora_2012_18684_kernel_fc17.nasl
2012-11-06 Name : Fedora Update for kernel FEDORA-2012-17462
File : nvt/gb_fedora_2012_17462_kernel_fc17.nasl
2012-11-06 Name : Fedora Update for kernel FEDORA-2012-17479
File : nvt/gb_fedora_2012_17479_kernel_fc16.nasl

Nessus® Vulnerability Scanner

Date Description
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0287-1.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2013-0015.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2013-0010.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2013-0008.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1783.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1519.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0928.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2013-0579.nasl - Type : ACT_GATHER_INFO
2014-10-28 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15746.nasl - Type : ACT_GATHER_INFO
2014-10-24 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15732.nasl - Type : ACT_GATHER_INFO
2014-07-22 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0622.nasl - Type : ACT_GATHER_INFO
2014-07-22 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1491.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-176.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-154.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-142.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-2507.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1540-1.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1540.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-0496.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-2503.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-2504.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-2523.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-2525.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-2534.nasl - Type : ACT_GATHER_INFO
2013-07-05 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1900-1.nasl - Type : ACT_GATHER_INFO
2013-07-05 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1899-1.nasl - Type : ACT_GATHER_INFO
2013-06-25 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-176.nasl - Type : ACT_GATHER_INFO
2013-05-31 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0882.nasl - Type : ACT_GATHER_INFO
2013-05-15 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2668.nasl - Type : ACT_GATHER_INFO
2013-05-08 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_kernel-130426.nasl - Type : ACT_GATHER_INFO
2013-03-24 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1775-1.nasl - Type : ACT_GATHER_INFO
2013-03-24 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1776-1.nasl - Type : ACT_GATHER_INFO
2013-03-19 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1767-1.nasl - Type : ACT_GATHER_INFO
2013-03-19 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1768-1.nasl - Type : ACT_GATHER_INFO
2013-03-19 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1769-1.nasl - Type : ACT_GATHER_INFO
2013-03-13 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1760-1.nasl - Type : ACT_GATHER_INFO
2013-03-10 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0496.nasl - Type : ACT_GATHER_INFO
2013-03-10 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-0496.nasl - Type : ACT_GATHER_INFO
2013-03-07 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1756-1.nasl - Type : ACT_GATHER_INFO
2013-02-19 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1728-1.nasl - Type : ACT_GATHER_INFO
2013-02-15 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1725-1.nasl - Type : ACT_GATHER_INFO
2013-02-15 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1726-1.nasl - Type : ACT_GATHER_INFO
2013-02-13 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1719-1.nasl - Type : ACT_GATHER_INFO
2013-02-13 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1720-1.nasl - Type : ACT_GATHER_INFO
2013-02-04 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1704-2.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_kernel-121203.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote Fedora host is missing a security update.
File : fedora_2013-1025.nasl - Type : ACT_GATHER_INFO
2013-01-23 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1704-1.nasl - Type : ACT_GATHER_INFO
2013-01-20 Name : The remote Fedora host is missing a security update.
File : fedora_2013-0952.nasl - Type : ACT_GATHER_INFO
2012-12-07 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20121204_kernel_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-12-07 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1540.nasl - Type : ACT_GATHER_INFO
2012-12-05 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1540.nasl - Type : ACT_GATHER_INFO
2012-11-08 Name : The remote Fedora host is missing a security update.
File : fedora_2012-17413.nasl - Type : ACT_GATHER_INFO
2012-11-07 Name : The remote Fedora host is missing a security update.
File : fedora_2012-17479.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:56:48
  • Multiple Updates
2013-03-01 00:19:39
  • Multiple Updates
2013-02-22 17:21:17
  • Multiple Updates
2013-02-22 13:23:15
  • Multiple Updates
2013-02-21 09:18:57
  • First insertion