readykernel-patch-40.4-48.0-1.vl7

Distribution:
Virtuozzo 7
Kernel Update Version:
3.10.0-693.11.6.vz7.40.4
Release Date:
2018-04-11 12:33:59
  • PSBM-81798

    IPv6 routing tables incorrectly handled routing rules for throw routes.

    It was discovered that IPv6 routing tables incorrectly handled routing rules for throw routes. This happened because errors were not propagated properly up to the fib_rules_lookup().
  • PSBM-82766

    Container remained mounted in some cases after 'shutdown -h now' in it.

    It was discovered that incorrect state of a container could be reported in /sys/fs/cgroup/ve/CTID/ve.state in some cases, which confused the user-space tools. As a result, a container could remain mounted after 'shutdown -h now' in it.
  • CVE-2018-1068

    ebtables: out-of-bounds write via userland offsets in ebt_entry struct.

    It was discovered that the implementation of ebtables in the kernel did not properly validate the offsets received from the user space. A local user with enough privileges in the user and network namespaces could use that to trigger an out-of-bounds write to the kernel address space.
    https://bugzilla.redhat.com/show_bug.cgi?id=1552048
  • PSBM-82021

    Potential kernel hang (lockup) during destruction of cgroups.

    'memory' and 'memsw' counters could be overcharged when the limit of 'kmem' counter was reached. This would result in a kernel lockup during destruction of cgroups.
  • PSBM-81939

    Potential kernel hang (endless loop) in try_charge().

  • PSBM-81600

    Ploop: some IO requests were not marked as completed in case of errors.

  • PSBM-81488

    High cpu usage in isolate_freepages_block().

    vstorage-mount spent a lot of time in isolate_freepages_block() in some cases, causing performance issues.
  • PSBM-81509

    Memcg swpin/swpout stats were calculated incorrectly.

  • PSBM-81264

    Memory cgroups were not released when starting/stopping a container with Docker.

    Memory cgroups were not correctly released during start/stop of a container with Docker. If the node had a significant amount of containers with Docker, this could lead to stopped containers not starting again.
  • PSBM-80340

    Hard lockups happened when the kernel was processing SAK (Secure Attention Key).

  • PSBM-81033

    Docker v17.11 and newer failed to start in a container.

    Starting from v17.11, Docker checks is all cgroups are mounted and refuses to start if some cgroups are not. Some of Virtuozzo-specific cgroups were visible in the containers and were not mounted there, which prevented Docker from starting properly.
  • PSBM-81090

    Kernel crash in mem_cgroup_iter().

  • PSBM-80839

    Potential denial of service due to extensive memory consumption.

    It was discovered that some operations with files in a container could lead to denial of service on the host due to extensive memory consumption.
  • CVE-2018-5344

    loop: potential data race between open() and release() leading to use-after-free.

    It was found that release() operation for the loop devices has insufficient protection for the device structures against the accesses from the concurrent open() operations. A local attacker can use specially arranged concurrent operations with a loop device to cause a denial of service (kernel crash due to a use-after-free error).
    https://bugzilla.redhat.com/show_bug.cgi?id=1533909
  • CVE-2017-18017

    netfilter: Use-after-free in tcpmss_mangle_packet().

    If the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker may cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-18017