[linux-kernel] 20100205 PROBLEM: hda-intel divide by zero kernel crash in azx_position_ok()

http://nctritech.net/bugreport.txt

39649

43315

http://support.avaya.com/css/P8/documents/100088287

http://support.avaya.com/css/P8/documents/100090459

[oss-security] 20100222 CVE request: kernel: ALSA: hda-intel: Avoid divide by zero crash

RHSA-2010:0394

RHSA-2010:0398

20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

38348

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

https://bugzilla.redhat.com/show_bug.cgi?id=567168

oval:org.mitre.oval:def:10027

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :

  - Apache Tomcat 
  - Apache Tomcat Manager
  - cURL 
  - Java Runtime Environment (JRE)
  - Kernel 
  - Microsoft SQL Express
  - OpenSSL
  - pam_krb5

From Red Hat Security Advisory 2010:0398 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* a flaw was found in the Unidirectional Lightweight Encapsulation (ULE) implementation. A remote attacker could send a specially crafted ISO MPEG-2 Transport Stream (TS) frame to a target system, resulting in an infinite loop (denial of service). (CVE-2010-1086, Important)

* on AMD64 systems, it was discovered that the kernel did not ensure the ELF interpreter was available before making a call to the SET_PERSONALITY macro. A local attacker could use this flaw to cause a denial of service by running a 32-bit application that attempts to execute a 64-bit application. (CVE-2010-0307, Moderate)

* a flaw was found in the kernel connector implementation. A local, unprivileged user could trigger this flaw by sending an arbitrary number of notification requests using specially crafted netlink messages, resulting in a denial of service. (CVE-2010-0410, Moderate)

* a flaw was found in the Memory-mapped I/O (MMIO) instruction decoder in the Xen hypervisor implementation. An unprivileged guest user could use this flaw to trick the hypervisor into emulating a certain instruction, which could crash the guest (denial of service).
(CVE-2010-0730, Moderate)

* a divide-by-zero flaw was found in the azx_position_ok() function in the driver for Intel High Definition Audio, snd-hda-intel. A local, unprivileged user could trigger this flaw to cause a kernel crash (denial of service). (CVE-2010-1085, Moderate)

This update also fixes the following bugs :

* in some cases, booting a system with the 'iommu=on' kernel parameter resulted in a Xen hypervisor panic. (BZ#580199)

* the fnic driver flushed the Rx queue instead of the Tx queue after fabric login. This caused crashes in some cases. (BZ#580829)

* 'kernel unaligned access' warnings were logged to the dmesg log on some systems. (BZ#580832)

* the 'Northbridge Error, node 1, core: -1 K8 ECC error' error occurred on some systems using the amd64_edac driver. (BZ#580836)

* in rare circumstances, when using kdump and booting a kernel with 'crashkernel=128M@16M', the kdump kernel did not boot after a crash.
(BZ#580838)

* TLB page table entry flushing was done incorrectly on IBM System z, possibly causing crashes, subtle data inconsistency, or other issues.
(BZ#580839)

* iSCSI failover times were slower than in Red Hat Enterprise Linux 5.3. (BZ#580840)

* fixed floating point state corruption after signal. (BZ#580841)

* in certain circumstances, under heavy load, certain network interface cards using the bnx2 driver and configured to use MSI-X, could stop processing interrupts and then network connectivity would cease. (BZ#587799)

* cnic parts resets could cause a deadlock when the bnx2 device was enslaved in a bonding device and that device had an associated VLAN.
(BZ#581148)

* some BIOS implementations initialized interrupt remapping hardware in a way the Xen hypervisor implementation did not expect. This could have caused a system hang during boot. (BZ#581150)

* AMD Magny-Cours systems panicked when booting a 32-bit kernel.
(BZ#580846)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2010:0394 :

Updated kernel packages that fix multiple security issues, several bugs, and add three enhancements are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* RHSA-2009:1024 introduced a flaw in the ptrace implementation on Itanium systems. ptrace_check_attach() was not called during certain ptrace() requests. Under certain circumstances, a local, unprivileged user could use this flaw to call ptrace() on a process they do not own, giving them control over that process. (CVE-2010-0729, Important)

* a flaw was found in the kernel's Unidirectional Lightweight Encapsulation (ULE) implementation. A remote attacker could send a specially crafted ISO MPEG-2 Transport Stream (TS) frame to a target system, resulting in a denial of service. (CVE-2010-1086, Important)

* a use-after-free flaw was found in tcp_rcv_state_process() in the kernel's TCP/IP protocol suite implementation. If a system using IPv6 had the IPV6_RECVPKTINFO option set on a listening socket, a remote attacker could send an IPv6 packet to that system, causing a kernel panic. (CVE-2010-1188, Important)

* a divide-by-zero flaw was found in azx_position_ok() in the Intel High Definition Audio driver, snd-hda-intel. A local, unprivileged user could trigger this flaw to cause a denial of service.
(CVE-2010-1085, Moderate)

* an information leak flaw was found in the kernel's USB implementation. Certain USB errors could result in an uninitialized kernel buffer being sent to user-space. An attacker with physical access to a target system could use this flaw to cause an information leak. (CVE-2010-1083, Low)

Red Hat would like to thank Ang Way Chuang for reporting CVE-2010-1086.

Bug fixes :

* a regression prevented the Broadcom BCM5761 network device from working when in the first (top) PCI-E slot of Hewlett-Packard (HP) Z600 systems. Note: The card worked in the 2nd or 3rd PCI-E slot.
(BZ#567205)

* the Xen hypervisor supports 168 GB of RAM for 32-bit guests. The physical address range was set incorrectly, however, causing 32-bit, para-virtualized Red Hat Enterprise Linux 4.8 guests to crash when launched on AMD64 or Intel 64 hosts that have more than 64 GB of RAM.
(BZ#574392)

* RHSA-2009:1024 introduced a regression, causing diskdump to fail on systems with certain adapters using the qla2xxx driver. (BZ#577234)

* a race condition caused TX to stop in a guest using the virtio_net driver. (BZ#580089)

* on some systems, using the 'arp_validate=3' bonding option caused both links to show as 'down' even though the arp_target was responding to ARP requests sent by the bonding driver. (BZ#580842)

* in some circumstances, when a Red Hat Enterprise Linux client connected to a re-booted Windows-based NFS server, server-side filehandle-to-inode mapping changes caused a kernel panic.
'bad_inode_ops' handling was changed to prevent this. Note:
filehandle-to-inode mapping changes may still cause errors, but not panics. (BZ#582908)

* when installing a Red Hat Enterprise Linux 4 guest via PXE, hard-coded fixed-size scatterlists could conflict with host requests, causing the guest's kernel to panic. With this update, dynamically allocated scatterlists are used, resolving this issue. (BZ#582911)

Enhancements :

* kernel support for connlimit. Note: iptables errata update RHBA-2010:0395 is also required for connlimit to work correctly.
(BZ#563223)

* support for the Intel architectural performance monitoring subsystem (arch_perfmon). On supported CPUs, arch_perfmon offers means to mark performance events and options for configuring and counting these events. (BZ#582913)

* kernel support for OProfile sampling of Intel microarchitecture (Nehalem) CPUs. This update alone does not address OProfile support for such CPUs. A future oprofile package update will allow OProfile to work on Intel Nehalem CPUs. (BZ#582241)

Users should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
The system must be rebooted for this update to take effect.

This kernel is already in SL 5.5

This updated contains all the security and bug fixes from the 2.6.18-194.el5 kernel. In additions this update fixes the following security issues :

  - a flaw was found in the Unidirectional Lightweight     Encapsulation (ULE) implementation. A remote attacker     could send a specially crafted ISO MPEG-2 Transport     Stream (TS) frame to a target system, resulting in an     infinite loop (denial of service). (CVE-2010-1086,     Important)

  - on AMD64 systems, it was discovered that the kernel did     not ensure the ELF interpreter was available before     making a call to the SET_PERSONALITY macro. A local     attacker could use this flaw to cause a denial of     service by running a 32-bit application that attempts to     execute a 64-bit application. (CVE-2010-0307, Moderate)

  - a flaw was found in the kernel connector implementation.
    A local, unprivileged user could trigger this flaw by     sending an arbitrary number of notification requests     using specially crafted netlink messages, resulting in a     denial of service. (CVE-2010-0410, Moderate)

  - a flaw was found in the Memory-mapped I/O (MMIO)     instruction decoder in the Xen hypervisor     implementation. An unprivileged guest user could use     this flaw to trick the hypervisor into emulating a     certain instruction, which could crash the guest (denial     of service). (CVE-2010-0730, Moderate)

  - a divide-by-zero flaw was found in the azx_position_ok()     function in the driver for Intel High Definition Audio,     snd-hda-intel. A local, unprivileged user could trigger     this flaw to cause a kernel crash (denial of service).
    (CVE-2010-1085, Moderate)

This update also fixes the following bugs :

  - in some cases, booting a system with the 'iommu=on'     kernel parameter resulted in a Xen hypervisor panic.
    (BZ#580199)

  - the fnic driver flushed the Rx queue instead of the Tx     queue after fabric login. This caused crashes in some     cases. (BZ#580829)

  - 'kernel unaligned access' warnings were logged to the     dmesg log on some systems. (BZ#580832)

  - the 'Northbridge Error, node 1, core: -1 K8 ECC error'     error occurred on some systems using the amd64_edac     driver. (BZ#580836)

  - in rare circumstances, when using kdump and booting a     kernel with 'crashkernel=128M@16M', the kdump kernel did     not boot after a crash. (BZ#580838)

  - TLB page table entry flushing was done incorrectly on     IBM System z, possibly causing crashes, subtle data     inconsistency, or other issues. (BZ#580839)

  - iSCSI failover times were slower than in Red Hat     Enterprise Linux 5.3. (BZ#580840)

  - fixed floating point state corruption after signal.
    (BZ#580841)

  - in certain circumstances, under heavy load, certain     network interface cards using the bnx2 driver and     configured to use MSI-X, could stop processing     interrupts and then network connectivity would cease.
    (BZ#587799)

  - cnic parts resets could cause a deadlock when the bnx2     device was enslaved in a bonding device and that device     had an associated VLAN. (BZ#581148)

  - some BIOS implementations initialized interrupt     remapping hardware in a way the Xen hypervisor     implementation did not expect. This could have caused a     system hang during boot. (BZ#581150)

  - AMD Magny-Cours systems panicked when booting a 32-bit     kernel. (BZ#580846)

The system must be rebooted for this update to take effect.

Security fixes :

  - Kernel update 2.6.9-89.EL introduced a flaw in the     ptrace implementation on Itanium systems.
    ptrace_check_attach() was not called during certain     ptrace() requests. Under certain circumstances, a local,     unprivileged user could use this flaw to call ptrace()     on a process they do not own, giving them control over     that process. (CVE-2010-0729, Important)

  - a flaw was found in the kernel's Unidirectional     Lightweight Encapsulation (ULE) implementation. A remote     attacker could send a specially crafted ISO MPEG-2     Transport Stream (TS) frame to a target system,     resulting in a denial of service. (CVE-2010-1086,     Important)

  - a use-after-free flaw was found in     tcp_rcv_state_process() in the kernel's TCP/IP protocol     suite implementation. If a system using IPv6 had the     IPV6_RECVPKTINFO option set on a listening socket, a     remote attacker could send an IPv6 packet to that     system, causing a kernel panic. (CVE-2010-1188,     Important)

  - a divide-by-zero flaw was found in azx_position_ok() in     the Intel High Definition Audio driver, snd-hda-intel. A     local, unprivileged user could trigger this flaw to     cause a denial of service. (CVE-2010-1085, Moderate)

  - an information leak flaw was found in the kernel's USB     implementation. Certain USB errors could result in an     uninitialized kernel buffer being sent to user-space. An     attacker with physical access to a target system could     use this flaw to cause an information leak.
    (CVE-2010-1083, Low)

Bug fixes :

  - a regression prevented the Broadcom BCM5761 network     device from working when in the first (top) PCI-E slot     of Hewlett-Packard (HP) Z600 systems. Note: The card     worked in the 2nd or 3rd PCI-E slot. (BZ#567205)

  - the Xen hypervisor supports 168 GB of RAM for 32-bit     guests. The physical address range was set incorrectly,     however, causing 32-bit, para-virtualized Scientific     Linux 4.8 guests to crash when launched on AMD64 or     Intel 64 hosts that have more than 64 GB of RAM.
    (BZ#574392)

  - Kernel update 2.6.9-89.EL introduced a regression,     causing diskdump to fail on systems with certain     adapters using the qla2xxx driver. (BZ#577234)

  - a race condition caused TX to stop in a guest using the     virtio_net driver. (BZ#580089)

  - on some systems, using the 'arp_validate=3' bonding     option caused both links to show as 'down' even though     the arp_target was responding to ARP requests sent by     the bonding driver. (BZ#580842)

  - in some circumstances, when a Scientific Linux client     connected to a re-booted Windows-based NFS server,     server-side filehandle-to-inode mapping changes caused a     kernel panic. 'bad_inode_ops' handling was changed to     prevent this. Note: filehandle-to-inode mapping changes     may still cause errors, but not panics. (BZ#582908)

  - when installing a Scientific Linux 4 guest via PXE,     hard-coded fixed-size scatterlists could conflict with     host requests, causing the guest's kernel to panic. With     this update, dynamically allocated scatterlists are     used, resolving this issue. (BZ#582911)

Enhancements :

  - kernel support for connlimit. Note: iptables errata     update RHBA-2010:0395 is also required for connlimit to     work correctly. (BZ#563223)

  - support for the Intel architectural performance     monitoring subsystem (arch_perfmon). On supported CPUs,     arch_perfmon offers means to mark performance events and     options for configuring and counting these events.
    (BZ#582913)

  - kernel support for OProfile sampling of Intel     microarchitecture (Nehalem) CPUs. This update alone does     not address OProfile support for such CPUs. A future     oprofile package update will allow OProfile to work on     Intel Nehalem CPUs. (BZ#582241)

The system must be rebooted for this update to take effect.

a. vCenter Server and vCenter Update Manager update Microsoft    SQL Server 2005 Express Edition to Service Pack 3

   Microsoft SQL Server 2005 Express Edition (SQL Express)    distributed with vCenter Server 4.1 Update 1 and vCenter Update    Manager 4.1 Update 1 is upgraded from  SQL Express Service Pack 2    to SQL Express Service Pack 3, to address multiple security    issues that exist in the earlier releases of Microsoft SQL Express.

   Customers using other database solutions need not update for    these issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,    CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL    Express Service Pack 3.

b. vCenter Apache Tomcat Management Application Credential Disclosure

   The Apache Tomcat Manager application configuration file contains    logon credentials that can be read by unprivileged local users.

   The issue is resolved by removing the Manager application in    vCenter 4.1 Update 1.

   If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon    credentials are not present in the configuration file after the    update.

   VMware would like to thank Claudio Criscione of Secure Networking    for reporting this issue to us.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-2928 to this issue.

c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version    1.6.0_21

   Oracle (Sun) JRE update to version 1.6.0_21, which addresses    multiple security issues that existed in earlier releases of    Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,    CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,    CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,    CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,    CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,    CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,    CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,    CVE-2010-0850.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following name to the security issue fixed in    Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.

d. vCenter Update Manager Oracle (Sun) JRE is updated to version   1.5.0_26

   Oracle (Sun) JRE update to version 1.5.0_26, which addresses    multiple security issues that existed in earlier releases of    Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,    CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,    CVE-2010-3565,CVE-2010-3568, CVE-2010-3569,  CVE-2009-3555,    CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,    CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,    CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,    CVE-2010-3574.

e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28

   Apache Tomcat updated to version 6.0.28, which addresses multiple    security issues that existed in earlier releases of Apache Tomcat

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i    and CVE-2009-3548.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.

f. vCenter Server third-party component OpenSSL updated to version    0.9.8n

   The version of the OpenSSL library in vCenter Server is updated to    0.9.8n.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-0740 and CVE-2010-0433 to the    issues addressed in this version of OpenSSL.

g. ESX third-party component OpenSSL updated to version 0.9.8p

   The version of the ESX OpenSSL library is updated to 0.9.8p.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-3864 and CVE-2010-2939 to the    issues addressed in this update.

h. ESXi third-party component cURL updated

   The version of cURL library in ESXi is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-0734 to the issues addressed in    this update.

i. ESX third-party component pam_krb5 updated

   The version of pam_krb5 library is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2008-3825 and CVE-2009-1384 to the    issues addressed in the update.

j. ESX third-party update for Service Console kernel

   The Service Console kernel is updated to include kernel version    2.6.18-194.11.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,    CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,    CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,    CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,    CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,    CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,    CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and    CVE-2010-3081 to the issues addressed in the update.

   Notes :
   - The update also addresses the 64-bit compatibility mode    stack pointer underflow issue identified by CVE-2010-3081. This    issue was patched in an ESX 4.1 patch prior to the release of    ESX 4.1 Update 1 and in a previous ESX 4.0 patch release.
   - The update also addresses CVE-2010-2240 for ESX 4.0.

USN-947-1 fixed vulnerabilities in the Linux kernel. Fixes for CVE-2010-0419 caused failures when using KVM in certain situations.
This update reverts that fix until a better solution can be found.

We apologize for the inconvenience.

It was discovered that the Linux kernel did not correctly handle memory protection of the Virtual Dynamic Shared Object page when running a 32-bit application on a 64-bit kernel. A local attacker could exploit this to cause a denial of service. (Only affected Ubuntu 6.06 LTS.) (CVE-2009-4271)

It was discovered that the r8169 network driver did not correctly check the size of Ethernet frames. A remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2009-4537)

Wei Yongjun discovered that SCTP did not correctly validate certain chunks. A remote attacker could send specially crafted traffic to monopolize CPU resources, leading to a denial of service. (Only affected Ubuntu 6.06 LTS.) (CVE-2010-0008)

It was discovered that KVM did not correctly limit certain privileged IO accesses on x86. Processes in the guest OS with access to IO regions could gain further privileges within the guest OS. (Did not affect Ubuntu 6.06 LTS.) (CVE-2010-0298, CVE-2010-0306, CVE-2010-0419)

Evgeniy Polyakov discovered that IPv6 did not correctly handle certain TUN packets. A remote attacker could exploit this to crash the system, leading to a denial of service.
(Only affected Ubuntu 8.04 LTS.) (CVE-2010-0437)

Sachin Prabhu discovered that GFS2 did not correctly handle certain locks. A local attacker with write access to a GFS2 filesystem could exploit this to crash the system, leading to a denial of service. (CVE-2010-0727)

Jamie Strandboge discovered that network virtio in KVM did not correctly handle certain high-traffic conditions. A remote attacker could exploit this by sending specially crafted traffic to a guest OS, causing the guest to crash, leading to a denial of service. (Only affected Ubuntu 8.04 LTS.) (CVE-2010-0741)

Marcus Meissner discovered that the USB subsystem did not correctly handle certain error conditions. A local attacker with access to a USB device could exploit this to read recently used kernel memory, leading to a loss of privacy and potentially root privilege escalation. (CVE-2010-1083)

Neil Brown discovered that the Bluetooth subsystem did not correctly handle large amounts of traffic. A physically proximate remote attacker could exploit this by sending specially crafted traffic that would consume all available system memory, leading to a denial of service. (Ubuntu 6.06 LTS and 10.04 LTS were not affected.) (CVE-2010-1084)

Jody Bruchon discovered that the sound driver for the AMD780V did not correctly handle certain conditions. A local attacker with access to this hardward could exploit the flaw to cause a system crash, leading to a denial of service.
(CVE-2010-1085)

Ang Way Chuang discovered that the DVB driver did not correctly handle certain MPEG2-TS frames. An attacker could exploit this by delivering specially crafted frames to monopolize CPU resources, leading to a denial of service.
(Ubuntu 10.04 LTS was not affected.) (CVE-2010-1086)

Trond Myklebust discovered that NFS did not correctly handle truncation under certain conditions. A local attacker with write access to an NFS share could exploit this to crash the system, leading to a denial of service. (Ubuntu 10.04 LTS was not affected.) (CVE-2010-1087)

Al Viro discovered that automount of NFS did not correctly handle symlinks under certain conditions. A local attacker could exploit this to crash the system, leading to a denial of service. (Ubuntu 6.06 LTS and Ubuntu 10.04 LTS were not affected.) (CVE-2010-1088)

Matt McCutchen discovered that ReiserFS did not correctly protect xattr files in the .reiserfs_priv directory. A local attacker could exploit this to gain root privileges or crash the system, leading to a denial of service. (CVE-2010-1146)

Eugene Teo discovered that CIFS did not correctly validate arguments when creating new files. A local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges if mmap_min_addr was not set. (CVE-2010-1148)

Catalin Marinas and Tetsuo Handa discovered that the TTY layer did not correctly release process IDs. A local attacker could exploit this to consume kernel resources, leading to a denial of service. (CVE-2010-1162)

Neil Horman discovered that TIPC did not correctly check its internal state. A local attacker could send specially crafted packets via AF_TIPC that would cause the system to crash, leading to a denial of service. (Ubuntu 6.06 LTS was not affected.) (CVE-2010-1187)

Masayuki Nakagawa discovered that IPv6 did not correctly handle certain settings when listening. If a socket were listening with the IPV6_RECVPKTINFO flag, a remote attacker could send specially crafted traffic that would cause the system to crash, leading to a denial of service. (Only Ubuntu 6.06 LTS was affected.) (CVE-2010-1188)

Oleg Nesterov discovered that the Out-Of-Memory handler did not correctly handle certain arrangements of processes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-1488).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not correctly handle memory protection of the Virtual Dynamic Shared Object page when running a 32-bit application on a 64-bit kernel. A local attacker could exploit this to cause a denial of service. (Only affected Ubuntu 6.06 LTS.) (CVE-2009-4271)

It was discovered that the r8169 network driver did not correctly check the size of Ethernet frames. A remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2009-4537)

Wei Yongjun discovered that SCTP did not correctly validate certain chunks. A remote attacker could send specially crafted traffic to monopolize CPU resources, leading to a denial of service. (Only affected Ubuntu 6.06 LTS.) (CVE-2010-0008)

It was discovered that KVM did not correctly limit certain privileged IO accesses on x86. Processes in the guest OS with access to IO regions could gain further privileges within the guest OS. (Did not affect Ubuntu 6.06 LTS.) (CVE-2010-0298, CVE-2010-0306, CVE-2010-0419)

Evgeniy Polyakov discovered that IPv6 did not correctly handle certain TUN packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (Only affected Ubuntu 8.04 LTS.) (CVE-2010-0437)

Sachin Prabhu discovered that GFS2 did not correctly handle certain locks. A local attacker with write access to a GFS2 filesystem could exploit this to crash the system, leading to a denial of service.
(CVE-2010-0727)

Jamie Strandboge discovered that network virtio in KVM did not correctly handle certain high-traffic conditions. A remote attacker could exploit this by sending specially crafted traffic to a guest OS, causing the guest to crash, leading to a denial of service. (Only affected Ubuntu 8.04 LTS.) (CVE-2010-0741)

Marcus Meissner discovered that the USB subsystem did not correctly handle certain error conditions. A local attacker with access to a USB device could exploit this to read recently used kernel memory, leading to a loss of privacy and potentially root privilege escalation.
(CVE-2010-1083)

Neil Brown discovered that the Bluetooth subsystem did not correctly handle large amounts of traffic. A physically proximate remote attacker could exploit this by sending specially crafted traffic that would consume all available system memory, leading to a denial of service. (Ubuntu 6.06 LTS and 10.04 LTS were not affected.) (CVE-2010-1084)

Jody Bruchon discovered that the sound driver for the AMD780V did not correctly handle certain conditions. A local attacker with access to this hardward could exploit the flaw to cause a system crash, leading to a denial of service. (CVE-2010-1085)

Ang Way Chuang discovered that the DVB driver did not correctly handle certain MPEG2-TS frames. An attacker could exploit this by delivering specially crafted frames to monopolize CPU resources, leading to a denial of service. (Ubuntu 10.04 LTS was not affected.) (CVE-2010-1086)

Trond Myklebust discovered that NFS did not correctly handle truncation under certain conditions. A local attacker with write access to an NFS share could exploit this to crash the system, leading to a denial of service. (Ubuntu 10.04 LTS was not affected.) (CVE-2010-1087)

Al Viro discovered that automount of NFS did not correctly handle symlinks under certain conditions. A local attacker could exploit this to crash the system, leading to a denial of service. (Ubuntu 6.06 LTS and Ubuntu 10.04 LTS were not affected.) (CVE-2010-1088)

Matt McCutchen discovered that ReiserFS did not correctly protect xattr files in the .reiserfs_priv directory. A local attacker could exploit this to gain root privileges or crash the system, leading to a denial of service. (CVE-2010-1146)

Eugene Teo discovered that CIFS did not correctly validate arguments when creating new files. A local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges if mmap_min_addr was not set. (CVE-2010-1148)

Catalin Marinas and Tetsuo Handa discovered that the TTY layer did not correctly release process IDs. A local attacker could exploit this to consume kernel resources, leading to a denial of service.
(CVE-2010-1162)

Neil Horman discovered that TIPC did not correctly check its internal state. A local attacker could send specially crafted packets via AF_TIPC that would cause the system to crash, leading to a denial of service. (Ubuntu 6.06 LTS was not affected.) (CVE-2010-1187)

Masayuki Nakagawa discovered that IPv6 did not correctly handle certain settings when listening. If a socket were listening with the IPV6_RECVPKTINFO flag, a remote attacker could send specially crafted traffic that would cause the system to crash, leading to a denial of service. (Only Ubuntu 6.06 LTS was affected.) (CVE-2010-1188)

Oleg Nesterov discovered that the Out-Of-Memory handler did not correctly handle certain arrangements of processes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-1488).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* a flaw was found in the Unidirectional Lightweight Encapsulation (ULE) implementation. A remote attacker could send a specially crafted ISO MPEG-2 Transport Stream (TS) frame to a target system, resulting in an infinite loop (denial of service). (CVE-2010-1086, Important)

* on AMD64 systems, it was discovered that the kernel did not ensure the ELF interpreter was available before making a call to the SET_PERSONALITY macro. A local attacker could use this flaw to cause a denial of service by running a 32-bit application that attempts to execute a 64-bit application. (CVE-2010-0307, Moderate)

* a flaw was found in the kernel connector implementation. A local, unprivileged user could trigger this flaw by sending an arbitrary number of notification requests using specially crafted netlink messages, resulting in a denial of service. (CVE-2010-0410, Moderate)

* a flaw was found in the Memory-mapped I/O (MMIO) instruction decoder in the Xen hypervisor implementation. An unprivileged guest user could use this flaw to trick the hypervisor into emulating a certain instruction, which could crash the guest (denial of service).
(CVE-2010-0730, Moderate)

* a divide-by-zero flaw was found in the azx_position_ok() function in the driver for Intel High Definition Audio, snd-hda-intel. A local, unprivileged user could trigger this flaw to cause a kernel crash (denial of service). (CVE-2010-1085, Moderate)

This update also fixes the following bugs :

* in some cases, booting a system with the 'iommu=on' kernel parameter resulted in a Xen hypervisor panic. (BZ#580199)

* the fnic driver flushed the Rx queue instead of the Tx queue after fabric login. This caused crashes in some cases. (BZ#580829)

* 'kernel unaligned access' warnings were logged to the dmesg log on some systems. (BZ#580832)

* the 'Northbridge Error, node 1, core: -1 K8 ECC error' error occurred on some systems using the amd64_edac driver. (BZ#580836)

* in rare circumstances, when using kdump and booting a kernel with 'crashkernel=128M@16M', the kdump kernel did not boot after a crash.
(BZ#580838)

* TLB page table entry flushing was done incorrectly on IBM System z, possibly causing crashes, subtle data inconsistency, or other issues.
(BZ#580839)

* iSCSI failover times were slower than in Red Hat Enterprise Linux 5.3. (BZ#580840)

* fixed floating point state corruption after signal. (BZ#580841)

* in certain circumstances, under heavy load, certain network interface cards using the bnx2 driver and configured to use MSI-X, could stop processing interrupts and then network connectivity would cease. (BZ#587799)

* cnic parts resets could cause a deadlock when the bnx2 device was enslaved in a bonding device and that device had an associated VLAN.
(BZ#581148)

* some BIOS implementations initialized interrupt remapping hardware in a way the Xen hypervisor implementation did not expect. This could have caused a system hang during boot. (BZ#581150)

* AMD Magny-Cours systems panicked when booting a 32-bit kernel.
(BZ#580846)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues, several bugs, and add three enhancements are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* RHSA-2009:1024 introduced a flaw in the ptrace implementation on Itanium systems. ptrace_check_attach() was not called during certain ptrace() requests. Under certain circumstances, a local, unprivileged user could use this flaw to call ptrace() on a process they do not own, giving them control over that process. (CVE-2010-0729, Important)

* a flaw was found in the kernel's Unidirectional Lightweight Encapsulation (ULE) implementation. A remote attacker could send a specially crafted ISO MPEG-2 Transport Stream (TS) frame to a target system, resulting in a denial of service. (CVE-2010-1086, Important)

* a use-after-free flaw was found in tcp_rcv_state_process() in the kernel's TCP/IP protocol suite implementation. If a system using IPv6 had the IPV6_RECVPKTINFO option set on a listening socket, a remote attacker could send an IPv6 packet to that system, causing a kernel panic. (CVE-2010-1188, Important)

* a divide-by-zero flaw was found in azx_position_ok() in the Intel High Definition Audio driver, snd-hda-intel. A local, unprivileged user could trigger this flaw to cause a denial of service.
(CVE-2010-1085, Moderate)

* an information leak flaw was found in the kernel's USB implementation. Certain USB errors could result in an uninitialized kernel buffer being sent to user-space. An attacker with physical access to a target system could use this flaw to cause an information leak. (CVE-2010-1083, Low)

Red Hat would like to thank Ang Way Chuang for reporting CVE-2010-1086.

Bug fixes :

* a regression prevented the Broadcom BCM5761 network device from working when in the first (top) PCI-E slot of Hewlett-Packard (HP) Z600 systems. Note: The card worked in the 2nd or 3rd PCI-E slot.
(BZ#567205)

* the Xen hypervisor supports 168 GB of RAM for 32-bit guests. The physical address range was set incorrectly, however, causing 32-bit, para-virtualized Red Hat Enterprise Linux 4.8 guests to crash when launched on AMD64 or Intel 64 hosts that have more than 64 GB of RAM.
(BZ#574392)

* RHSA-2009:1024 introduced a regression, causing diskdump to fail on systems with certain adapters using the qla2xxx driver. (BZ#577234)

* a race condition caused TX to stop in a guest using the virtio_net driver. (BZ#580089)

* on some systems, using the 'arp_validate=3' bonding option caused both links to show as 'down' even though the arp_target was responding to ARP requests sent by the bonding driver. (BZ#580842)

* in some circumstances, when a Red Hat Enterprise Linux client connected to a re-booted Windows-based NFS server, server-side filehandle-to-inode mapping changes caused a kernel panic.
'bad_inode_ops' handling was changed to prevent this. Note:
filehandle-to-inode mapping changes may still cause errors, but not panics. (BZ#582908)

* when installing a Red Hat Enterprise Linux 4 guest via PXE, hard-coded fixed-size scatterlists could conflict with host requests, causing the guest's kernel to panic. With this update, dynamically allocated scatterlists are used, resolving this issue. (BZ#582911)

Enhancements :

* kernel support for connlimit. Note: iptables errata update RHBA-2010:0395 is also required for connlimit to work correctly.
(BZ#563223)

* support for the Intel architectural performance monitoring subsystem (arch_perfmon). On supported CPUs, arch_perfmon offers means to mark performance events and options for configuring and counting these events. (BZ#582913)

* kernel support for OProfile sampling of Intel microarchitecture (Nehalem) CPUs. This update alone does not address OProfile support for such CPUs. A future oprofile package update will allow OProfile to work on Intel Nehalem CPUs. (BZ#582241)

Users should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
The system must be rebooted for this update to take effect.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2010-0398.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2010-0394.

ID	Name	Product	Family	Severity
89674	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check)	Nessus	Misc.	critical
68037	Oracle Linux 5 : kernel (ELSA-2010-0398)	Nessus	Oracle Linux Local Security Checks	high
68036	Oracle Linux 4 : kernel (ELSA-2010-0394)	Nessus	Oracle Linux Local Security Checks	high
60788	Scientific Linux Security Update : kernel on SL 5.0-5.4 i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60787	Scientific Linux Security Update : kernel on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
51971	VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX	Nessus	VMware ESX Local Security Checks	critical
46811	Ubuntu 10.04 LTS : linux regression (USN-947-2)	Nessus	Ubuntu Local Security Checks	high
46810	Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : linux, linux-source-2.6.15 vulnerabilities (USN-947-1)	Nessus	Ubuntu Local Security Checks	high
46759	CentOS 5 : kernel (CESA-2010:0398)	Nessus	CentOS Local Security Checks	high
46307	RHEL 5 : kernel (RHSA-2010:0398)	Nessus	Red Hat Local Security Checks	high
46306	RHEL 4 : kernel (RHSA-2010:0394)	Nessus	Red Hat Local Security Checks	high
46256	CentOS 4 : kernel (CESA-2010:0394)	Nessus	CentOS Local Security Checks	high
801490	CentOS RHSA-2010-0398 Security Check	Log Correlation Engine	Generic	high
801489	CentOS RHSA-2010-0394 Security Check	Log Correlation Engine	Generic	high

CVE-2010-1085

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins