FEDORA-2012-3712

SUSE-SU-2012:0554

HPSBGN02970

RHSA-2012:0743

48404

48898

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.3.1

[oss-security] 20120315 CVE-2012-1179 kernel: thp: __split_huge_page() mapcount != page_mapcount BUG_ON()

1027084

https://bugzilla.redhat.com/show_bug.cgi?id=803793

https://github.com/torvalds/linux/commit/4a1d704194a441bf83c636004a479e01360ec850

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix bug number for commit 'cciss: Update HPSA_BOUNDARY'     (Joe Jin) [Orabug: 14681166]

  - cciss: Update HPSA_BOUNDARY. (Joe Jin) [Orabug:
    14319765]

  - KVM: introduce kvm_for_each_memslot macro (Maxim Uvarov)     [Bugdb: 13966]

  - dl2k: Clean up rio_ioctl (Jeff Mahoney) [Orabug:
    14126896] (CVE-2012-2313)

  - NFSv4: include bitmap in nfsv4 get acl data (Andy     Adamson) (CVE-2011-4131)

  - KVM: Fix buffer overflow in kvm_set_irq (Avi Kivity)     [Bugdb: 13966] (CVE-2012-2137)

  - net: sock: validate data_len before allocating skb in     sock_alloc_send_pskb (Jason Wang) [Bugdb: 13966]     (CVE-2012-2136)

  - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs     pmd_populate SMP race condition (Andrea Arcangeli)     [Bugdb: 13966] (CVE-2012-2373)

  - KVM: lock slots_lock around device assignment (Alex     Williamson) [Bugdb: 13966] (CVE-2012-2121)

  - KVM: unmap pages from the iommu when slots are removed     (Maxim Uvarov) [Bugdb: 13966] (CVE-2012-2121)

  - fcaps: clear the same personality flags as suid when     fcaps are used (Eric Paris) [Bugdb: 13966]     (CVE-2012-2123)

  - tilegx: enable SYSCALL_WRAPPERS support (Chris Metcalf)     (CVE-2009-0029)

  - drm/i915: fix integer overflow in i915_gem_do_execbuffer     (Xi Wang) [Orabug: 14107456] (CVE-2012-2384)

  - drm/i915: fix integer overflow in i915_gem_execbuffer2     (Xi Wang) [Orabug: 14107445] (CVE-2012-2383)

  - [dm] do not forward ioctls from logical volumes to the     underlying device (Joe Jin) (CVE-2011-4127)

  - [block] fail SCSI passthrough ioctls on partition     devices (Joe Jin) (CVE-2011-4127)

  - [block] add and use scsi_blk_cmd_ioctl (Joe Jin)     [Orabug: 14056755] (CVE-2011-4127)

  - KVM: Ensure all vcpus are consistent with in-kernel     irqchip settings (Avi Kivity) [Bugdb: 13871]     (CVE-2012-1601)

  - regset: Return -EFAULT, not -EIO, on host-side memory     fault (H. Peter Anvin) (CVE-2012-1097)

  - regset: Prevent null pointer reference on readonly     regsets (H. Peter Anvin) (CVE-2012-1097)

  - cifs: fix dentry refcount leak when opening a FIFO on     lookup (Jeff Layton) (CVE-2012-1090)

  - mm: thp: fix pmd_bad triggering in code paths holding     mmap_sem read mode (Andrea Arcangeli) (CVE-2012-1179)

  - ext4: fix undefined behavior in ext4_fill_flex_info (Xi     Wang) (CVE-2009-4307)

  - ocfs2: clear unaligned io flag when dio fails (Junxiao     Bi) [Orabug: 14063941]

  - aio: make kiocb->private NUll in init_sync_kiocb     (Junxiao Bi) [Orabug: 14063941]

  - igb: Fix for Alt MAC Address feature on 82580 and later     devices (Carolyn Wyborny) [Orabug: 14258706]

  - igb: Alternate MAC Address Updates for Func2&3 (Akeem G.
    Abodunrin) [Orabug: 14258706]

  - igb: Alternate MAC Address EEPROM Updates (Akeem G.
    Abodunrin) [Orabug: 14258706]

  - cciss: only enable cciss_allow_hpsa when for ol5 (Joe     Jin) [Orabug: 14106006]

  - Revert 'cciss: remove controllers supported by hpsa'     (Joe Jin) [Orabug: 14106006]

  - [scsi] hpsa: add all support devices for ol5 (Joe Jin)     [Orabug: 14106006]

  - Disable VLAN 0 tagging for none VLAN traffic (Adnan     Misherfi) [Orabug: 14406424]

  - x86: Add Xen kexec control code size check to linker     script (Daniel Kiper)

  - drivers/xen: Export vmcoreinfo through sysfs (Daniel     Kiper)

  - x86/xen/enlighten: Add init and crash kexec/kdump hooks     (Maxim Uvarov)

  - x86/xen: Add kexec/kdump makefile rules (Daniel Kiper)

  - x86/xen: Add x86_64 kexec/kdump implementation (Daniel     Kiper)

  - x86/xen: Add placeholder for i386 kexec/kdump     implementation (Daniel Kiper)

  - x86/xen: Register resources required by kexec-tools     (Daniel Kiper)

  - x86/xen: Introduce architecture dependent data for     kexec/kdump (Daniel Kiper)

  - xen: Introduce architecture independent data for     kexec/kdump (Daniel Kiper)

  - x86/kexec: Add extra pointers to transition page table     PGD, PUD, PMD and PTE (Daniel Kiper)

  - kexec: introduce kexec_ops struct (Daniel Kiper)

  - SPEC: replace DEFAULTKERNEL from kernel-ovs to     kernel-uek

Description of changes:

* CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.

If a process increases permissions using fcaps, all of the dangerous personality flags which are cleared for suid apps are not cleared. This has allowed programs that gained elevated permissions using fcaps to disable the address space randomization of other processes.


* CVE-2012-2121: Memory leak in KVM device assignment.

KVM uses memory slots to track and map guest regions of memory.  When device assignment is used, the pages backing these slots are pinned in memory and mapped into the iommu.  The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu.


* Memory corruption in KVM device assignment slot handling.

A race condition in the KVM device assignment slot handling caused by missing locks around the unmapping of memory slots could cause a memory corruption.


* CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.

The length of packet fragments to be sent wasn't validated before use, leading to heap overflow. A user having access to TUN/TAP virtual device could use this flaw to crash the system or to potentially escalate their privileges.


* CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.

A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges.


* CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.

CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem.

In some cases, the hugepage subsystem would allocate new PMDs when not expected by the memory management subsystem. A privileged user in the KVM guest can use this flaw to crash the host, an unprivileged local user could use this flaw to crash the system.

CVE-2012-2373: Denial of service in PAE page tables.

On a PAE system, a non-atomic load could be corrupted by a page fault resulting in a kernel crash, triggerable by an unprivileged user.


* Regression in handling of bind() with AF_UNSPEC family sockets.

Legacy applications used to bind() with AF_UNSPEC instead of AF_INET. Allow them to continue doing so, but verify that the address is indeed INADDR_ANY.


[2.6.39-100.10.1.el6uek]
- thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE (Andrea Arcangeli)    [Orabug: 14217003]

[2.6.39-100.9.1.el6uek]
- mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race    condition (Andrea Arcangeli) [Bugdb: 13966] {CVE-2012-2373}
- mm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode    (Andrea Arcangeli)  {CVE-2012-1179}
- KVM: Fix buffer overflow in kvm_set_irq() (Avi Kivity) [Bugdb: 13966]    {CVE-2012-2137}
- net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()    (Jason Wang) [Bugdb: 13966] {CVE-2012-2136}
- KVM: lock slots_lock around device assignment (Alex Williamson) [Bugdb:
   13966] {CVE-2012-2121}
- KVM: unmap pages from the iommu when slots are removed (Alex Williamson)    [Bugdb: 13966] {CVE-2012-2121}
- KVM: introduce kvm_for_each_memslot macro (Xiao Guangrong) [Bugdb: 13966]
- fcaps: clear the same personality flags as suid when fcaps are used (Eric    Paris) [Bugdb: 13966] {CVE-2012-2123}

[2.6.39-100.8.1.el6uek]
- net: ipv4: relax AF_INET check in bind() (Eric Dumazet) [Orabug: 14054411]

Description of changes:

* CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.

If a process increases permissions using fcaps, all of the dangerous personality flags which are cleared for suid apps are not cleared. This has allowed programs that gained elevated permissions using fcaps to disable the address space randomization of other processes.


* CVE-2012-2121: Memory leak in KVM device assignment.

KVM uses memory slots to track and map guest regions of memory.  When device assignment is used, the pages backing these slots are pinned in memory and mapped into the iommu.  The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu.


* Memory corruption in KVM device assignment slot handling.

A race condition in the KVM device assignment slot handling caused by missing locks around the unmapping of memory slots could cause a memory corruption.


* CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.

The length of packet fragments to be sent wasn't validated before use, leading to heap overflow. A user having access to TUN/TAP virtual device could use this flaw to crash the system or to potentially escalate their privileges.


* CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.

A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges.


* CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.

CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem.

In some cases, the hugepage subsystem would allocate new PMDs when not expected by the memory management subsystem. A privileged user in the KVM guest can use this flaw to crash the host, an unprivileged local user could use this flaw to crash the system.

CVE-2012-2373: Denial of service in PAE page tables.

On a PAE system, a non-atomic load could be corrupted by a page fault resulting in a kernel crash, triggerable by an unprivileged user.


* Regression in handling of bind() with AF_UNSPEC family sockets.

Legacy applications used to bind() with AF_UNSPEC instead of AF_INET. Allow them to continue doing so, but verify that the address is indeed INADDR_ANY.

kernel-uek:

[2.6.32-300.27.1.el6uek]
- net: sock: validate data_len before allocating skb (Jason Wang) [Bugdb: 13966]{CVE-2012-2136}
- fcaps: clear the same personality flags as suid when fcaps are used (Eric Paris) [Bugdb: 13966] {CVE-2012-2123}
- Revert 'nfs: when attempting to open a directory, fall back on normal lookup (Todd Vierling) [Orabug 14141154]

[2.6.32-300.26.1.el6uek]
- mptsas: do not call __mptsas_probe in kthread (Maxim Uvarov) [Orabug:
   14175509]
- mm: check if any page in a pageblock is reserved before marking it    MIGRATE_RESERVE (Maxim Uvarov) [Orabug: 14073214]
- mm: reduce the amount of work done when updating min_free_kbytes (Mel Gorman)    [Orabug: 14073214]
- vmxnet3: Updated to el6-u2 (Guangyu Sun) [Orabug: 14027961]
- xen: expose host uuid via sysfs. (Zhigang Wang)
- sched: Fix cgroup movement of waking process (Daisuke Nishimura) [Orabug:
   13946210]
- sched: Fix cgroup movement of newly created process (Daisuke Nishimura)    [Orabug: 13946210]
- sched: Fix cgroup movement of forking process (Daisuke Nishimura) [Orabug:
   13946210]
- x86, boot: Wait for boot cpu to show up if nr_cpus limit is about to hit    (Zhenzhong Duan) [Orabug: 13629087]
- smp: Use nr_cpus= to set nr_cpu_ids early (Zhenzhong Duan) [Orabug: 13629087]
- net: ipv4: relax AF_INET check in bind() (Maxim Uvarov) [Orabug: 14054411]

ofa-2.6.32-300.27.1.el6uek:

[1.5.1-4.0.58]
- Add Patch 158-169

From Red Hat Security Advisory 2012:0743 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important)

* A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important)

* When a set user ID (setuid) application is executed, certain personality flags for controlling the application's behavior are cleared (that is, a privileged application will not be affected by those flags). It was found that those flags were not cleared if the application was made privileged via file system capabilities. A local, unprivileged user could use this flaw to change the behavior of such applications, allowing them to bypass intended restrictions. Note that for default installations, no application shipped by Red Hat for Red Hat Enterprise Linux is made privileged via file system capabilities.
(CVE-2012-2123, Important)

* It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A privileged guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-2136, Important)

* A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. (CVE-2012-2137, Important)

* A race condition was found in the Linux kernel's memory management subsystem in the way pmd_none_or_clear_bad(), when called with mmap_sem in read mode, and Transparent Huge Pages (THP) page faults interacted. A privileged user in a KVM guest with the ballooning functionality enabled could potentially use this flaw to crash the host. A local, unprivileged user could use this flaw to crash the system. (CVE-2012-1179, Moderate)

* A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121, Moderate)

* A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372, Moderate)

* A race condition was found in the Linux kernel's memory management subsystem in the way pmd_populate() and pte_offset_map_lock() interacted on 32-bit x86 systems with more than 4GB of RAM. A local, unprivileged user could use this flaw to cause a denial of service.
(CVE-2012-2373, Moderate)

Red Hat would like to thank Chen Haogang for reporting CVE-2012-0044.

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

Updated kernel packages that fix various security issues and three bugs are now available for Red Hat Enterprise Linux 6.1 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important)

* It was found that the kvm_vm_ioctl_assign_device() function in the KVM (Kernel-based Virtual Machine) subsystem of a Linux kernel did not check if the user requesting device assignment was privileged or not.
A local, unprivileged user on the host could assign unused PCI devices, or even devices that were in use and whose resources were not properly claimed by the respective drivers, which could result in the host crashing. (CVE-2011-4347, Moderate)

* A flaw was found in the way the Linux kernel's XFS file system implementation handled on-disk Access Control Lists (ACLs). A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially crafted disk.
(CVE-2012-0038, Moderate)

* It was found that the Linux kernel's register set (regset) common infrastructure implementation did not check if the required get and set handlers were initialized. A local, unprivileged user could use this flaw to cause a denial of service by performing a register set operation with a ptrace() PTRACE_SETREGSET or PTRACE_GETREGSET request. (CVE-2012-1097, Moderate)

* A race condition was found in the Linux kernel's memory management subsystem in the way pmd_none_or_clear_bad(), when called with mmap_sem in read mode, and Transparent Huge Pages (THP) page faults interacted. A privileged user in a KVM guest with the ballooning functionality enabled could potentially use this flaw to crash the host. A local, unprivileged user could use this flaw to crash the system. (CVE-2012-1179, Moderate)

Red Hat would like to thank Chen Haogang for reporting CVE-2012-0044;
Sasha Levin for reporting CVE-2011-4347; Wang Xi for reporting CVE-2012-0038; and H. Peter Anvin for reporting CVE-2012-1097.

This update also fixes the following bugs :

* When a RoCE (RDMA over Converged Ethernet) adapter with active RoCE communications was taken down suddenly (either by adapter failure or the intentional shutdown of the interface), the ongoing RoCE communications could cause the kernel to panic and render the machine unusable. A patch has been provided to protect the kernel in this situation and to pass an error up to the application still using the interface after it has been taken down instead. (BZ#799944)

* The fix for Red Hat Bugzilla bug 713494, released via RHSA-2011:0928, introduced a regression. Attempting to change the state of certain features, such as GRO (Generic Receive Offload) or TSO (TCP segment offloading), for a 10 Gigabit Ethernet card that is being used in a virtual LAN (VLAN) resulted in a kernel panic.
(BZ#816974)

* If a new file was created on a Network File System version 4 (NFSv4) share, the ownership was set to nfsnobody (-2) until it was possible to upcall to the idmapper. As a consequence, subsequent file system operations could incorrectly use '-2' for the user and group IDs for the given file, causing certain operations to fail. In reported cases, this issue also caused 'Viminfo file is not writable' errors for users running Vim with files on an NFSv4 share. (BZ#820960)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - A local, unprivileged user could use an integer overflow     flaw in drm_mode_dirtyfb_ioctl() to cause a denial of     service or escalate their privileges. (CVE-2012-0044,     Important)

  - A buffer overflow flaw was found in the macvtap device     driver, used for creating a bridged network between the     guest and the host in KVM (Kernel-based Virtual Machine)     environments. A privileged guest user in a KVM guest     could use this flaw to crash the host. Note: This issue     only affected hosts that have the vhost_net module     loaded with the experimental_zcopytx module option     enabled (it is not enabled by default), and that also     have macvtap configured for at least one guest.
    (CVE-2012-2119, Important)

  - When a set user ID (setuid) application is executed,     certain personality flags for controlling the     application's behavior are cleared (that is, a     privileged application will not be affected by those     flags). It was found that those flags were not cleared     if the application was made privileged via file system     capabilities. A local, unprivileged user could use this     flaw to change the behavior of such applications,     allowing them to bypass intended restrictions. Note that     for default installations, no application shipped by us     for Scientific Linux is made privileged via file system     capabilities. (CVE-2012-2123, Important)

  - It was found that the data_len parameter of the     sock_alloc_send_pskb() function in the Linux kernel's     networking implementation was not validated before use.
    A privileged guest user in a KVM guest could use this     flaw to crash the host or, possibly, escalate their     privileges on the host. (CVE-2012-2136, Important)

  - A buffer overflow flaw was found in the     setup_routing_entry() function in the KVM subsystem of     the Linux kernel in the way the Message Signaled     Interrupts (MSI) routing entry was handled. A local,     unprivileged user could use this flaw to cause a denial     of service or, possibly, escalate their privileges.
    (CVE-2012-2137, Important)

  - A race condition was found in the Linux kernel's memory     management subsystem in the way pmd_none_or_clear_bad(),     when called with mmap_sem in read mode, and Transparent     Huge Pages (THP) page faults interacted. A privileged     user in a KVM guest with the ballooning functionality     enabled could potentially use this flaw to crash the     host. A local, unprivileged user could use this flaw to     crash the system. (CVE-2012-1179, Moderate)

  - A flaw was found in the way device memory was handled     during guest device removal. Upon successful device     removal, memory used by the device was not properly     unmapped from the corresponding IOMMU or properly     released from the kernel, leading to a memory leak. A     malicious user on a KVM host who has the ability to     assign a device to a guest could use this flaw to crash     the host. (CVE-2012-2121, Moderate)

  - A flaw was found in the Linux kernel's Reliable Datagram     Sockets (RDS) protocol implementation. A local,     unprivileged user could use this flaw to cause a denial     of service. (CVE-2012-2372, Moderate)

  - A race condition was found in the Linux kernel's memory     management subsystem in the way pmd_populate() and     pte_offset_map_lock() interacted on 32-bit x86 systems     with more than 4GB of RAM. A local, unprivileged user     could use this flaw to cause a denial of service.
    (CVE-2012-2373, Moderate)

This update also fixes several bugs.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important)

* A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important)

* When a set user ID (setuid) application is executed, certain personality flags for controlling the application's behavior are cleared (that is, a privileged application will not be affected by those flags). It was found that those flags were not cleared if the application was made privileged via file system capabilities. A local, unprivileged user could use this flaw to change the behavior of such applications, allowing them to bypass intended restrictions. Note that for default installations, no application shipped by Red Hat for Red Hat Enterprise Linux is made privileged via file system capabilities.
(CVE-2012-2123, Important)

* It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A privileged guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-2136, Important)

* A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. (CVE-2012-2137, Important)

* A race condition was found in the Linux kernel's memory management subsystem in the way pmd_none_or_clear_bad(), when called with mmap_sem in read mode, and Transparent Huge Pages (THP) page faults interacted. A privileged user in a KVM guest with the ballooning functionality enabled could potentially use this flaw to crash the host. A local, unprivileged user could use this flaw to crash the system. (CVE-2012-1179, Moderate)

* A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121, Moderate)

* A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372, Moderate)

* A race condition was found in the Linux kernel's memory management subsystem in the way pmd_populate() and pte_offset_map_lock() interacted on 32-bit x86 systems with more than 4GB of RAM. A local, unprivileged user could use this flaw to cause a denial of service.
(CVE-2012-2373, Moderate)

Red Hat would like to thank Chen Haogang for reporting CVE-2012-0044.

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-4086)

Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl in the Linux kernel. A local user could use this flaw to crash the system causing a denial of service. (CVE-2011-4347)

Stephan Barwolf discovered a flaw in the KVM (kernel-based virtual machine) subsystem of the Linux kernel. A local unprivileged user can crash use this flaw to crash VMs causing a deny of service.
(CVE-2012-0045)

A flaw was discovered in the Linux kernel's cifs file system. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1090)

H. Peter Anvin reported a flaw in the Linux kernel that could crash the system. A local user could exploit this flaw to crash the system.
(CVE-2012-1097)

A flaw was discovered in the Linux kernel's cgroups subset. A local attacker could use this flaw to crash the system. (CVE-2012-1146)

A flaw was found in the Linux kernel's handling of paged memory. A local unprivileged user, or a privileged user within a KVM guest, could exploit this flaw to crash the system. (CVE-2012-1179)

Tetsuo Handa reported a flaw in the OOM (out of memory) killer of the Linux kernel. A local unprivileged user can exploit this flaw to cause system unstability and denial of services. (CVE-2012-4398).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP2 kernel has been updated to 3.0.26, which fixes a lot of bugs and security issues.

The following security issues have been fixed :

  - A locking problem in transparent hugepage support could     be used by local attackers to potentially crash the     host, or via kvm a privileged guest user could crash the     kvm host system. (CVE-2012-1179)

  - A potential hypervisor escape by issuing SG_IO commands     to partitiondevices was fixed by restricting access to     these commands. (CVE-2011-4127)

  - A local attacker could oops the kernel using memory     control groups and eventfds. (CVE-2012-1146)

  - Limit the path length users can build using epoll() to     avoid local attackers consuming lots of kernel CPU time.
    (CVE-2011-1083)

  - The regset common infrastructure assumed that regsets     would always have .get and .set methods, but necessarily     .active methods. Unfortunately people have since written     regsets without .set method, so NULL pointer dereference     attacks were possible. (CVE-2012-1097)

  - Access to the /proc/pid/taskstats file requires root     access to avoid side channel (timing keypresses etc.)     attacks on other users. (CVE-2011-2494)

  - Fixed a oops in jbd/jbd2 that could be caused by     specific filesystem access patterns. (CVE-2011-4086)

  - A malicious NFSv4 server could have caused a oops in the     nfsv4 acl handling. (CVE-2011-4131)

  - Fixed a oops in jbd/jbd2 that could be caused by     mounting a malicious prepared filesystem. (Also included     are all fixes from the 3.0.14 -> 3.0.25 stable kernel     updates.). (CVE-2011-4132)

The following non-security issues have been fixed :

EFI :

  - efivars: add missing parameter to efi_pstore_read().
    BTRFS :

  - add a few error cleanups.

  - btrfs: handle errors when excluding super extents     (FATE#306586 bnc#751015).

  - btrfs: Fix missing goto in btrfs_ioctl_clone.

  - btrfs: Fixed mishandled -EAGAIN error case from     btrfs_split_item. (bnc#750459)

  - btrfs: disallow unequal data/metadata blocksize for     mixed block groups (FATE#306586).

  - btrfs: enhance superblock sanity checks (FATE#306586     bnc#749651).

  - btrfs: update message levels (FATE#306586).

  - btrfs 3.3-rc6 updates :

  - avoid setting ->d_op twice (FATE#306586 bnc#731387).

  - btrfs: fix wrong information of the directory in the     snapshot (FATE#306586).

  - btrfs: fix race in reada (FATE#306586).

  - btrfs: do not add both copies of DUP to reada extent     tree (FATE#306586).

  - btrfs: stop silently switching single chunks to raid0 on     balance (FATE#306586).

  - btrfs: fix locking issues in find_parent_nodes()     (FATE#306586).

  - btrfs: fix casting error in scrub reada code     (FATE#306586).

  - btrfs sync with upstream up to 3.3-rc5 (FATE#306586)

  - btrfs: Sector Size check during Mount

  - btrfs: avoid positive number with ERR_PTR

  - btrfs: return the internal error unchanged if     btrfs_get_extent_fiemap() call failed for     SEEK_DATA/SEEK_HOLE inquiry.

  - btrfs: fix trim 0 bytes after a device delete

  - btrfs: do not check DUP chunks twice

  - btrfs: fix memory leak in load_free_space_cache()

  - btrfs: delalloc for page dirtied out-of-band in fixup     worker

  - btrfs: fix structs where bitfields and spinlock/atomic     share 8B word.

  - btrfs: silence warning in raid array setup.

  - btrfs: honor umask when creating subvol root.

  - btrfs: fix return value check of extent_io_ops.

  - btrfs: fix deadlock on page lock when doing     auto-defragment.

  - btrfs: check return value of lookup_extent_mapping()     correctly.

  - btrfs: skip states when they does not contain bits to     clear.

  - btrfs: kick out redundant stuff in convert_extent_bit.

  - btrfs: fix a bug on overcommit stuff.

  - btrfs: be less strict on finding next node in     clear_extent_bit.

  - btrfs: improve error handling for btrfs_insert_dir_item     callers.

  - btrfs: make sure we update latest_bdev.

  - btrfs: add extra sanity checks on the path names in     btrfs_mksubvol.

  - btrfs: clear the extent uptodate bits during parent     transid failures.

  - btrfs: increase the global block reserve estimates.

  - btrfs: fix compiler warnings on 32 bit systems.

  - Clean up unused code, fix use of error-indicated pointer     in transaction teardown. (bnc#748854)

  - btrfs: fix return value check of extent_io_ops.

  - btrfs: fix deadlock on page lock when doing     auto-defragment.

  - btrfs: check return value of lookup_extent_mapping()     correctly.

  - btrfs: skip states when they does not contain bits to     clear.

  - btrfs: kick out redundant stuff in convert_extent_bit.

  - btrfs: fix a bug on overcommit stuff.

  - btrfs: be less strict on finding next node in     clear_extent_bit.

  - btrfs: do not reserve data with extents locked in     btrfs_fallocate.

  - btrfs: avoid positive number with ERR_PTR.

  - btrfs: return the internal error unchanged if     btrfs_get_extent_fiemap() call failed for     SEEK_DATA/SEEK_HOLE inquiry.

  - btrfs: fix trim 0 bytes after a device delete.

  - btrfs: do not check DUP chunks twice.

  - btrfs: fix memory leak in load_free_space_cache().

  - btrfs: fix permissions of new subvolume. (bnc#746373)

  - btrfs: set ioprio of scrub readahead to idle.

  - fix logic in condition in     BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS

  - fix incorrect exclusion of superblock from blockgroups.
    (bnc#751743)

  -     patches.suse/btrfs-8059-handle-errors-when-excluding-sup     er-extents.patch: fix incorrect default value.

  - fix aio/dio bio refcounting bnc#718918.

  - btrfs: fix locking issues in find_parent_nodes()

  - Btrfs: fix casting error in scrub reada code

  -     patches.suse/btrfs-8059-handle-errors-when-excluding-sup     er-extents.patch: Fix uninitialized variable.

  - btrfs: handle errors from read_tree_block. (bnc#748632)

  - btrfs: push-up errors from btrfs_num_copies.
    (bnc#748632)

  -     patches.suse/btrfs-8059-handle-errors-when-excluding-sup     er-extents.patch: disable due to potential corruptions     (bnc#751743) XFS :

  - XFS read/write calls do not generate DMAPI events.
    (bnc#751885)

  - xfs/dmapi: Remove cached vfsmount. (bnc#749417)

  - xfs: Fix oops on IO error during     xlog_recover_process_iunlinks() (bnc#716850). NFS :

  - nfs: Do not allow multiple mounts on same mountpoint     when using -o noac. (bnc#745422)

  - lockd: fix arg parsing for grace_period and timeout     (bnc#733761). MD :

  - raid10: Disable recovery when recovery cannot proceed.
    (bnc#751171)

  - md/bitmap: ensure to load bitmap when creating via     sysfs.

  - md: do not set md arrays to readonly on shutdown.
    (bnc#740180, bnc#713148, bnc#734900)

  - md: allow last device to be forcibly removed from     RAID1/RAID10. (bnc#746717)

  - md: allow re-add to failed arrays. (bnc#746717)

  - md: Correctly handle read failure from last working     device in RAID10. (bnc#746717)

  -     patches.suse/0003-md-raid1-add-failfast-handling-for-wri     tes.patch: Refresh to not crash when handling write     error on FailFast devices. bnc#747159

  - md/raid10: Fix kernel oops during drive failure.
    (bnc#750995)

  - patches.suse/md-re-add-to-failed: Update references.
    (bnc#746717)

  - md/raid10: handle merge_bvec_fn in member devices.

  - md/raid10 - support resizing some RAID10 arrays. Hyper-V :

  - update hyperv drivers to 3.3-rc7 and move them out of     staging: hv_timesource -> merged into core kernel     hv_vmbus -> drivers/hv/hv_vmbus hv_utils ->     drivers/hv/hv_utils hv_storvsc ->     drivers/scsi/hv_storvsc hv_netvsc ->     drivers/net/hyperv/hv_netvsc hv_mousevsc ->     drivers/hid/hid-hyperv add compat modalias for     hv_mousevsc update supported.conf rename all 333     patches, use msft-hv- and suse-hv- as prefix

  - net/hyperv: Use netif_tx_disable() instead of     netif_stop_queue() when necessary.

  - net/hyperv: rx_bytes should account the ether header     size.

  - net/hyperv: fix the issue that large packets be dropped     under bridge.

  - net/hyperv: Fix the page buffer when an RNDIS message     goes beyond page boundary.

  - net/hyperv: fix erroneous NETDEV_TX_BUSY use. SCSI :

  - sd: mark busy sd majors as allocated (bug#744658).

  - st: expand tape driver ability to write immediate     filemarks. (bnc#688996)

  - scsi scan: do not fail scans when host is in recovery     (bnc#747867). S/390 :

  - dasd: Implement block timeout handling. (bnc#746717)

  - callhome: fix broken proc interface and activate compid     (bnc#748862,LTC#79115).

  - ctcmpc: use correct idal word list for ctcmpc     (bnc#750173,LTC#79264).

  - Fix recovery in case of concurrent asynchronous     deliveries (bnc#748629,LTC#78309).

  - kernel: 3215 console deadlock (bnc#748629,LTC#78612).

  - qeth: synchronize discipline module loading     (bnc#748629,LTC#78788).

  - memory hotplug: prevent memory zone interleave     (bnc#748629,LTC#79113).

  - dasd: fix fixpoint divide exception in define_extent     (bnc#748629,LTC#79125).

  - kernel: incorrect kernel message tags     (bnc#744795,LTC#78356).

  - lcs: lcs offline failure (bnc#752484,LTC#79788).

  - qeth: add missing wake_up call (bnc#752484,LTC#79899).

  - dasd: Terminate inactive cqrs correctly. (bnc#750995)

  - dasd: detailed I/O errors. (bnc#746717)

  - patches.suse/dasd-blk-timeout.patch: Only activate     blk_timeout for failfast requests (bnc#753617). ALSA :

  - ALSA: hda - Set codec to D3 forcibly even if not used.
    (bnc#750426)

  - ALSA: hda - Add Realtek ALC269VC codec support.
    (bnc#748827)

  - ALSA: hda/realtek - Apply the coef-setup only to     ALC269VB. (bnc#748827)

  - ALSA: pcm - Export snd_pcm_lib_default_mmap() helper.
    (bnc#748384,bnc#738597)

  - ALSA: hda - Add snoop option. (bnc#748384,bnc#738597)

  - ALSA: HDA: Add support for new AMD products.
    (bnc#748384,bnc#738597)

  - ALSA: hda - Fix audio playback support on HP Zephyr     system. (bnc#749787)

  - ALSA: hda - Fix mute-LED VREF value for new HP laptops     (bnc#745741). EXT3 :

  - enable     patches.suse/ext3-increase-reservation-window.patch. DRM :

  - drm/i915: Force explicit bpp selection for     intel_dp_link_required. (bnc#749980)

  - drm/i915/dp: Dither down to 6bpc if it makes the mode     fit. (bnc#749980)

  - drm/i915/dp: Read more DPCD registers on connection     probe. (bnc#749980)

  - drm/i915: fixup interlaced bits clearing in PIPECONF on     PCH_SPLIT. (bnc#749980)

  - drm/i915: read full receiver capability field during DP     hot plug. (bnc#749980)

  - drm/intel: Fix initialization if startup happens in     interlaced mode [v2]. (bnc#749980)

  - drm/i915 IVY/SNB fix patches from upstream 3.3-rc5 &amp;
    rc6:
    patches.drivers/drm-i915-Prevent-a-machine-hang-by-check     ing-crtc-act,     patches.drivers/drm-i915-do-not-enable-RC6p-on-Sandy-Bri     dge,     patches.drivers/drm-i915-fix-operator-precedence-when-en     abling-RC6p,     patches.drivers/drm-i915-gen7-Disable-the-RHWO-optimizat     ion-as-it-ca,     patches.drivers/drm-i915-gen7-Implement-an-L3-caching-wo     rkaround,     patches.drivers/drm-i915-gen7-implement-rczunit-workarou     nd,     patches.drivers/drm-i915-gen7-work-around-a-system-hang-     on-IVB

  - drm/i915: Clear the TV sense state bits on cantiga to     make TV detection reliable. (bnc#750041)

  - drm/i915: Do not write DSPSURF for old chips.
    (bnc#747071)

  - drm: Do not delete DPLL Multiplier during DAC init.
    (bnc#728840)

  - drm: Set depth on low mem Radeon cards to 16 instead of     8. (bnc#746883)

  - patches.drivers/drm-i915-set-AUD_CONFIG_N_index-for-DP:
    Refresh. Updated the patch from the upstream.
    (bnc#722560)

  - Add a few missing drm/i915 fixes from upstream 3.2     kernel (bnc#744392) :

  - drm/i915: Sanitize BIOS debugging bits from PIPECONF.
    (bnc#751916)

  - drm/i915: Add lvds_channel module option. (bnc#739837)

  - drm/i915: Check VBIOS value for determining LVDS dual     channel mode, too. (bnc#739837)

  - agp: fix scratch page cleanup. (bnc#738679)

  - drm/i915: suspend fbdev device around suspend/hibernate     (bnc#732908). ACPI :

  - supported.conf: Add acpi_ipmi as supported (bnc#716971).
    MM :

  - cpusets: avoid looping when storing to mems_allowed if     one.

  - cpusets: avoid stall when updating mems_allowed for     mempolicy.

  - cpuset: mm: Reduce large amounts of memory barrier     related slowdown.

  - mm: make swapin readahead skip over holes.

  - mm: allow PF_MEMALLOC from softirq context.

  - mm: Ensure processes do not remain throttled under     memory pressure. (Swap over NFS (fate#304949,     bnc#747944).

  - mm: Allow sparsemem usemap allocations for very large     NUMA nodes. (bnc#749049)

  - backing-dev: fix wakeup timer races with     bdi_unregister(). (bnc#741824)

  - readahead: fix pipeline break caused by block plug.
    (bnc#746454)

  - Fix uninitialised variable warning and obey the     [get|put]_mems_allowed API. CIFS :

  - cifs: fix dentry refcount leak when opening a FIFO on     lookup (CVE-2012-1090 / bnc#749569). USB :

  - xhci: Fix encoding for HS bulk/control NAK rate.
    (bnc#750402)

  - USB: Fix handoff when BIOS disables host PCI device.
    (bnc#747878)

  - USB: Do not fail USB3 probe on missing legacy PCI IRQ.
    (bnc#749543)

  - USB: Adding #define in hub_configure() and hcd.c file.
    (bnc#714604)

  - USB: remove BKL comments. (bnc#714604)

  - xHCI: Adding #define values used for hub descriptor.
    (bnc#714604)

  - xHCI: Kick khubd when USB3 resume really completes.
    (bnc#714604)

  - xhci: Fix oops caused by more USB2 ports than USB3     ports. (bnc#714604)

  - USB/xhci: Enable remote wakeup for USB3 devices.
    (bnc#714604)

  - USB: Suspend functions before putting dev into U3.
    (bnc#714604)

  - USB/xHCI: Enable USB 3.0 hub remote wakeup. (bnc#714604)

  - USB: Refactor hub remote wake handling. (bnc#714604)

  - USB/xHCI: Support device-initiated USB 3.0 resume.
    (bnc#714604)

  - USB: Set wakeup bits for all children hubs. (bnc#714604)

  - USB: Turn on auto-suspend for USB 3.0 hubs. (bnc#714604)

  - USB: Set hub depth after USB3 hub reset. (bnc#749115)

  - xhci: Fix USB 3.0 device restart on resume. (bnc#745867)

  - xhci: Remove scary warnings about transfer issues.
    (bnc#745867)

  - xhci: Remove warnings about MSI and MSI-X capabilities     (bnc#745867). Other :

  - PCI / PCIe: Introduce command line option to disable     ARI. (bnc#742845)

  - PCI: Set device power state to PCI_D0 for device without     native PM support (bnc#752972). X86 :

  - x86/UV: Lower UV rtc clocksource rating. (bnc#748456)

  - x86, mce, therm_throt: Do not report power limit and     package level thermal throttle events in mcelog.
    (bnc#745876)

  - x86: Unlock nmi lock after kdb_ipi call. (bnc#745424)

  - x86, tsc: Fix SMI induced variation in     quick_pit_calibrate(). (bnc#751322) XEN :

  - Update Xen patches to 3.0.22.

  - xenbus_dev: add missing error checks to watch handling.

  - drivers/xen/: use strlcpy() instead of strncpy().

  - xenoprof: backward compatibility for changed     XENOPROF_ESCAPE_CODE.

  - blkfront: properly fail packet requests. (bnc#745929)

  - Refresh other Xen patches. (bnc#732070, bnc#742871)

  - xenbus: do not free other end details too early.

  - blkback: also call blkif_disconnect() when frontend     switched to closed.

  - gnttab: add deferred freeing logic.

  - blkback: failure to write 'feature-barrier' node is     non-fatal. Infiniband :

  - RDMA/cxgb4: Make sure flush CQ entries are collected on     connection close. (bnc#721587)

  - RDMA/cxgb4: Serialize calls to CQs comp_handler.
    (bnc#721587)

  - mlx4_en: Assigning TX irq per ring (bnc#624072).
    Bluetooth :

  - Bluetooth: Add Atheros AR3012 Maryann PID/VID supported     in ath3k. (bnc#732296)

  - Bluetooth: btusb: fix bInterval for high/super speed     isochronous endpoints (bnc#754052). SCTP :

  - dlm: Do not allocate a fd for peeloff. (bnc#729247)

  - sctp: Export sctp_do_peeloff (bnc#729247). Other :

  - qlge: Removing needless prints which are not.
    (bnc#718863)

  - ibft: Fix finding IBFT ACPI table on UEFI. (bnc#746579)

  - proc: Consider NO_HZ when printing idle and iowait     times. (bnc#705551)

  - procfs: do not confuse jiffies with cputime64_t.
    (bnc#705551)

  - procfs: do not overflow get_{idle,iowait}_time for nohz.
    (bnc#705551)

  - bfa: Do not return DID_ABORT on failure. (bnc#745400)

  - epoll: Do not limit non-nested epoll paths. (bnc#676204)

  - Bridge: Always send NETDEV_CHANGEADDR up on br MAC     change. (bnc#752408)

  - hp_accel: Ignore the error from lis3lv02d_poweron() at     resume. (bnc#751903)

  - watchdog: make sure the watchdog thread gets CPU on     loaded system. (bnc#738583)

Update to the 3.2.10 stable release, which contains a number of fixes across the kernel.

Fixes CVE-2012-1146 Fixes CVE-2012-1179

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2012-0743.

ID	Name	Product	Family	Severity
79484	OracleVM 3.1 : kernel-uek (OVMSA-2012-0042)	Nessus	OracleVM Local Security Checks	high
68676	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2021)	Nessus	Oracle Linux Local Security Checks	high
68675	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2020)	Nessus	Oracle Linux Local Security Checks	high
68544	Oracle Linux 6 : kernel (ELSA-2012-0743)	Nessus	Oracle Linux Local Security Checks	high
64044	RHEL 6 : kernel (RHSA-2012:1042)	Nessus	Red Hat Local Security Checks	high
61331	Scientific Linux Security Update : kernel on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
59609	CentOS 6 : kernel (CESA-2012:0743)	Nessus	CentOS Local Security Checks	high
59562	RHEL 6 : kernel (RHSA-2012:0743)	Nessus	Red Hat Local Security Checks	high
58947	Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1433-1)	Nessus	Ubuntu Local Security Checks	critical
58946	Ubuntu 11.10 : linux vulnerabilities (USN-1431-1)	Nessus	Ubuntu Local Security Checks	critical
58845	SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 6163 / 6164 / 6172)	Nessus	SuSE Local Security Checks	critical
58488	Fedora 15 : kernel-2.6.42.12-1.fc15 (2012-3715)	Nessus	Fedora Local Security Checks	critical
58376	Fedora 16 : kernel-3.2.10-3.fc16 (2012-3712)	Nessus	Fedora Local Security Checks	critical
801519	CentOS RHSA-2012-0743 Security Check	Log Correlation Engine	Generic	high

CVE-2012-1179

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins