Uploaded image for project: 'Lustre'
  1. Lustre
  2. LU-9236

new kernel [RHEL6.9 2.6.32-696.el6]

Details

    • Bug
    • Resolution: Fixed
    • Minor
    • Lustre 2.10.0
    • None
    • None
    • 3
    • 9223372036854775807

    Description

      With the GA announcement of RHEL 6.9 on 3/21 we need to add content to lustre to allow building and running on it.

      This ticket is intended to cover all the changes needed in the lustre tree for this brand new distro release. This includes new target and config files for the new kernel version, new or revised base kernel and ldiskfs patches, and small incremental changes to lbuild and autoconf.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. LU-9316 kernel update [RHEL6.9 2.6.32-696.1.1.el6]

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Activity

            [LU-9236] new kernel [RHEL6.9 2.6.32-696.el6]
            pjones Peter Jones added a comment -

            Landed for 2.10

            pjones Peter Jones added a comment - Landed for 2.10
            gerrit Gerrit Updater added a comment -

            Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/26111/
            Subject: LU-9236 kernel: new kernel RHEL 6.9 [2.6.32-696.el6]
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: 738374be02d52ba10b44f4c4d4b335807eb48b46

            gerrit Gerrit Updater added a comment - Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/26111/ Subject: LU-9236 kernel: new kernel RHEL 6.9 [2.6.32-696.el6] Project: fs/lustre-release Branch: master Current Patch Set: Commit: 738374be02d52ba10b44f4c4d4b335807eb48b46
            gerrit Gerrit Updater added a comment -

            Bob Glossman (bob.glossman@intel.com) uploaded a new patch: https://review.whamcloud.com/26111
            Subject: LU-9236 kernel: new kernel RHEL 6.9 [2.6.32-696.el6]
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: 8c7d436efbf7c6dcfd7fca963a6334cdd284a482

            gerrit Gerrit Updater added a comment - Bob Glossman (bob.glossman@intel.com) uploaded a new patch: https://review.whamcloud.com/26111 Subject: LU-9236 kernel: new kernel RHEL 6.9 [2.6.32-696.el6] Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: 8c7d436efbf7c6dcfd7fca963a6334cdd284a482
            bogl Bob Glossman (Inactive) added a comment - - edited

            Security Fix(es):

            • It was discovered that a remote attacker could leverage the generation of IPv6
              atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow
              (in scenarios in which actual fragmentation of packets is not needed) and could
              subsequently perform any type of a fragmentation-based attack against legacy
              IPv6 nodes that do not implement RFC6946. (CVE-2016-10142, Moderate)
            • A flaw was discovered in the way the Linux kernel dealt with paging
              structures. When the kernel invalidated a paging structure that was not in use
              locally, it could, in principle, race against another CPU that is switching to a
              process that uses the paging structure in question. A local user could use a
              thread running with a stale cached virtual->physical translation to potentially
              escalate their privileges if the translation in question were writable and the
              physical page got reused for something critical (for example, a page table).
              (CVE-2016-2069, Moderate)
            • A race condition flaw was found in the ioctl_send_fib() function in the Linux
              kernel's aacraid implementation. A local attacker could use this flaw to cause a
              denial of service (out-of-bounds access or system crash) by changing a certain
              size value. (CVE-2016-6480, Moderate)
            • It was found that when the gcc stack protector was enabled, reading the
              /proc/keys file could cause a panic in the Linux kernel due to stack corruption.
              This happened because an incorrect buffer size was used to hold a 64-bit timeout
              value rendered as weeks. (CVE-2016-7042, Moderate)
            • It was found that when file permissions were modified via chmod and the user
              modifying them was not in the owning group or capable of CAP_FSETID, the setgid
              bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions
              as well as the new ACL, but doesn't clear the setgid bit in a similar way. This
              could allow a local user to gain group privileges via certain setgid
              applications. (CVE-2016-7097, Moderate)
            • A flaw was found in the Linux networking subsystem where a local attacker with
              CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by
              creating a smaller-than-expected ICMP header and sending to its destination via
              sendto(). (CVE-2016-8399, Moderate)
            • It was found that the blk_rq_map_user_iov() function in the Linux kernel's
              block device implementation did not properly restrict the type of iterator,
              which could allow a local attacker to read or write to arbitrary kernel memory
              locations or cause a denial of service (use-after-free) by leveraging write
              access to a /dev/sg device. (CVE-2016-9576, CVE-2016-10088, Moderate)
            • A flaw was found in the USB-MIDI Linux kernel driver: a double-free error
              could be triggered for the 'umidi' object. An attacker with physical access to
              the system could use this flaw to escalate their privileges. (CVE-2016-2384,
              Low)

            Additional Changes:

            For detailed information on changes in this release, see the Red Hat Enterprise
            Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes on the RedHat website.

            https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.9_Release_Notes/index.html
            https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.9_Technical_Notes/index.html

            Bugs fixed (https://bugzilla.redhat.com/):

            1301893 - CVE-2016-2069 kernel: race condition in the TLB flush logic
            1308444 - CVE-2016-2384 kernel: double-free in usb-audio triggered by invalid USB descriptor
            1325766 - RHEL6.7: NFSv3 client performance regression where ls -l takes too long with "aggressive readdirplus" commit
            1362466 - CVE-2016-6480 kernel: scsi: aacraid: double fetch in ioctl_send_fib()
            1368938 - CVE-2016-7097 kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit
            1373966 - CVE-2016-7042 kernel: Stack corruption while reading /proc/keys when gcc stack protector is enabled
            1403145 - CVE-2016-9576 kernel: Use after free in SCSI generic device interface
            1403833 - CVE-2016-8399 kernel: net: Out of bounds stack read in memcpy_fromiovec
            1412210 - CVE-2016-10088 kernel: Use after free in SCSI generic device interface (CVE-2016-9576 regression)
            1415908 - CVE-2016-10142 kernel - IPV6 fragmentation flaw
            847106 - ext2 tests hang while running fsfuzzer

            bogl Bob Glossman (Inactive) added a comment - - edited Security Fix(es): It was discovered that a remote attacker could leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and could subsequently perform any type of a fragmentation-based attack against legacy IPv6 nodes that do not implement RFC6946. (CVE-2016-10142, Moderate) A flaw was discovered in the way the Linux kernel dealt with paging structures. When the kernel invalidated a paging structure that was not in use locally, it could, in principle, race against another CPU that is switching to a process that uses the paging structure in question. A local user could use a thread running with a stale cached virtual->physical translation to potentially escalate their privileges if the translation in question were writable and the physical page got reused for something critical (for example, a page table). (CVE-2016-2069, Moderate) A race condition flaw was found in the ioctl_send_fib() function in the Linux kernel's aacraid implementation. A local attacker could use this flaw to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value. (CVE-2016-6480, Moderate) It was found that when the gcc stack protector was enabled, reading the /proc/keys file could cause a panic in the Linux kernel due to stack corruption. This happened because an incorrect buffer size was used to hold a 64-bit timeout value rendered as weeks. (CVE-2016-7042, Moderate) It was found that when file permissions were modified via chmod and the user modifying them was not in the owning group or capable of CAP_FSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way. This could allow a local user to gain group privileges via certain setgid applications. (CVE-2016-7097, Moderate) A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) It was found that the blk_rq_map_user_iov() function in the Linux kernel's block device implementation did not properly restrict the type of iterator, which could allow a local attacker to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging write access to a /dev/sg device. (CVE-2016-9576, CVE-2016-10088, Moderate) A flaw was found in the USB-MIDI Linux kernel driver: a double-free error could be triggered for the 'umidi' object. An attacker with physical access to the system could use this flaw to escalate their privileges. (CVE-2016-2384, Low) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes on the RedHat website. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.9_Release_Notes/index.html https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.9_Technical_Notes/index.html Bugs fixed ( https://bugzilla.redhat.com/): 1301893 - CVE-2016-2069 kernel: race condition in the TLB flush logic 1308444 - CVE-2016-2384 kernel: double-free in usb-audio triggered by invalid USB descriptor 1325766 - RHEL6.7: NFSv3 client performance regression where ls -l takes too long with "aggressive readdirplus" commit 1362466 - CVE-2016-6480 kernel: scsi: aacraid: double fetch in ioctl_send_fib() 1368938 - CVE-2016-7097 kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit 1373966 - CVE-2016-7042 kernel: Stack corruption while reading /proc/keys when gcc stack protector is enabled 1403145 - CVE-2016-9576 kernel: Use after free in SCSI generic device interface 1403833 - CVE-2016-8399 kernel: net: Out of bounds stack read in memcpy_fromiovec 1412210 - CVE-2016-10088 kernel: Use after free in SCSI generic device interface (CVE-2016-9576 regression) 1415908 - CVE-2016-10142 kernel - IPV6 fragmentation flaw 847106 - ext2 tests hang while running fsfuzzer

            People

              bogl Bob Glossman (Inactive)
              bogl Bob Glossman (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: