Synopsis: Important: kernel security and bug fix update
Advisory ID: SLSA-2016:2006-1
Issue Date: 2016-10-04
CVE Numbers: CVE-2016-4470
* A flaw was found in the Linux kernel’s keyring handling code, where in
key_reject_and_link() an uninitialized variable would eventually lead to
arbitrary free address which could allow attacker to use a use-after-free
style attack. (CVE-2016-4470, Important)
* A heap-based buffer overflow vulnerability was found in the Linux
kernel’s hiddev driver. This flaw could allow a local attacker to corrupt
kernel memory, possible privilege escalation or crashing the system.
The CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.).
* Previously, when two NFS shares with different security settings were
mounted, the I/O operations to the kerberos-authenticated mount caused the
RPC_CRED_KEY_EXPIRE_SOON parameter to be set, but the parameter was not
unset when performing the I/O operations on the sec=sys mount.
Consequently, writes to both NFS shares had the same parameters,
regardless of their security settings. This update fixes this problem by
moving the NO_CRKEY_TIMEOUT parameter to the auth->au_flags field. As a
result, NFS shares with different security settings are now handled as
* In some circumstances, resetting a Fibre Channel over Ethernet (FCoE)
interface could lead to a kernel panic, due to invalid information
extracted from the FCoE header. This update adds santiy checking to the
cpu number extracted from the FCoE header. This ensures that subsequent
operations address a valid cpu, and eliminates the kernel panic.
* Prior to this update, the following problems occurred with the way GSF2
transitioned files and directories from the “unlinked” state to the “free”
The numbers reported for the df and the du commands in some cases got out
of sync, which caused blocks in the file system to appear missing. The
blocks were not actually missing, but they were left in the “unlinked”
In some circumstances, GFS2 referenced a cluster lock that was already
deleted, which led to a kernel panic.
If an object was deleted and its space reused as a different object, GFS2
sometimes deleted the existing one, which caused file system corruption.
With this update, the transition from “unlinked” to “free” state has been
fixed. As a result, none of these three problems occur anymore.
* Previously, the GFS2 file system in some cases became unresponsive due
to lock dependency problems between inodes and the cluster lock. This
occurred most frequently on nearly full file systems where files and
directories were being deleted and recreated at the same block location at
the same time. With this update, a set of patches has been applied to fix
these lock dependencies. As a result, GFS2 no longer hangs in the
* When used with controllers that do not support DCMD-
MR_DCMD_PD_LIST_QUERY, the megaraid_sas driver can go into infinite error
reporting loop of error reporting messages. This could cause difficulties
with finding other important log messages, or even it could cause the disk
to overflow. This bug has been fixed by ignoring the DCMD
MR_DCMD_PD_LIST_QUERY query for controllers which do not support it and
sending the DCMD SUCCESS status to the AEN functions. As a result, the
error messages no longer appear when there is a change in the status of
one of the arrays.
– Scientific Linux Development Team