Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5¶

1. Overview¶

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 and 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5).

2. Security Fixes¶

• [Important] A use-after-free vulnerability was found in the way KVM implements its device control API. When a device is created via kvm_ioctl_create_device(), it holds a reference to a VM object. This reference is transferred to file descriptor table of the caller. If such file descriptor was closed, reference count to the VM object could become zero, which could lead to a use-after-free issue. A user/process could use this flaw to crash the guest VM resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-6974)

• [Important] A use-after-free vulnerability was found in the way KVM emulates a preemption timer for L2 guests when nested virtualization is enabled. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-7221)

• [Moderate] It was discovered that a certain sequence of operations related to IPv4 routing could trigger a kernel memory leak. An attacker could potentially exploit that from a container to cause a denial of service. (PSBM-94535)

3. Bug Fixes¶

• virtio_scsi: a race condition in the Linux block layer could cause certain I/O requests to hang. (PSBM-92312)

• It was discovered that inode tables created during online resize of an ext4 filesystem were not zeroed after that. This could potentially result in lower performance of the file system. (PSBM-93988)

• ploop: kernel crash in ploop_congested(). (PSBM-94270)

• It was found that if no PMU counters were exposed to guest, KVM skipped the whole remaining PMU-related initialization, including filling of LBR-related data. As it turned out, Windows Server 2016 Essentials tried to access these data during the installation and failed to install as a result. (PSBM-94429)

• ploop: ‘pcompact’ could hang if run simultaneously with ‘ploop-balloon status’. (PSBM-94727)

4. Installing the Update¶

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

5. References¶

• readykernel-patch-64.7-80.0-1.vl7.x86_64.rpm

• readykernel-patch-73.24-80.0-1.vl7.x86_64.rpm

• readykernel-patch-73.29-80.0-1.vl7.x86_64.rpm

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-7221

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-6974

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-042.json.