(RHSA-2011:1813) Important: kernel security and bug fix update

These packages contain the Linux kernel.

This update fixes the following security issues:

• A flaw in the Stream Control Transmission Protocol (SCTP) implementation
  could allow a remote attacker to cause a denial of service by sending a
  specially-crafted SCTP packet to a target system. (CVE-2011-2482,
  Important)

If you do not run applications that use SCTP, you can prevent the sctp
module from being loaded by adding the following to the end of the
“/etc/modprobe.d/blacklist.conf” file:

blacklist sctp

This way, the sctp module cannot be loaded accidentally, which may occur
if an application that requires SCTP is started. A reboot is not necessary
for this change to take effect.

• A flaw in the client-side NFS Lock Manager (NLM) implementation could
  allow a local, unprivileged user to cause a denial of service.
  (CVE-2011-2491, Important)

• Flaws in the netlink-based wireless configuration interface could allow
  a local user, who has the CAP_NET_ADMIN capability, to cause a denial of
  service or escalate their privileges on systems that have an active
  wireless interface. (CVE-2011-2517, Important)

• A flaw was found in the way the Linux kernel’s Xen hypervisor
  implementation emulated the SAHF instruction. When using a
  fully-virtualized guest on a host that does not use hardware assisted
  paging (HAP), such as those running CPUs that do not have support for (or
  those that have it disabled) Intel Extended Page Tables (EPT) or AMD
  Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), a privileged
  guest user could trigger this flaw to cause the hypervisor to crash.
  (CVE-2011-2519, Moderate)

• A flaw in the __addr_ok() macro in the Linux kernel’s Xen hypervisor
  implementation when running on 64-bit systems could allow a privileged
  guest user to crash the hypervisor. (CVE-2011-2901, Moderate)

• /proc/[PID]/io is world-readable by default. Previously, these files
  could be read without any further restrictions. A local, unprivileged user
  could read these files, belonging to other, possibly privileged processes
  to gather confidential information, such as the length of a password used
  in a process. (CVE-2011-2495, Low)

Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, and
Vasiliy Kulikov of Openwall for reporting CVE-2011-2495.

This update also fixes the following bugs:

• On Broadcom PCI cards that use the tg3 driver, the operational state of a
  network device, represented by the value in
  “/sys/class/net/ethX/operstate”, was not initialized by default.
  Consequently, the state was reported as “unknown” when the tg3 network
  device was actually in the “up” state. This update modifies the tg3 driver
  to properly set the operstate value. (BZ#744699)

• A KVM (Kernel-based Virtual Machine) guest can get preempted by the host,
  when a higher priority process needs to run. When a guest is not running
  for several timer interrupts in a row, ticks could be lost, resulting in
  the jiffies timer advancing slower than expected and timeouts taking longer
  than expected. To correct for the issue of lost ticks,
  do_timer_tsc_timekeeping() checks a reference clock source (kvm-clock when
  running as a KVM guest) to see if timer interrupts have been missed. If so,
  jiffies is incremented by the number of missed timer interrupts, ensuring
  that programs are woken up on time. (BZ#747874)

• When a block device object was allocated, the bd_super field was not
  being explicitly initialized to NULL. Previously, users of the block device
  object could set bd_super to NULL when the object was released by calling
  the kill_block_super() function. Certain third-party file systems do not
  always use this function, and bd_super could therefore become uninitialized
  when the object was allocated again. This could cause a kernel panic in the
  blkdev_releasepage() function, when the uninitialized bd_super field was
  dereferenced. Now, bd_super is properly initialized in the bdget()
  function, and the kernel panic no longer occurs. (BZ#751137)