[Users] [Announce] [security] Kernel RHEL6 042stab090.3

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Tue Jun 10 01:14:28 PDT 2014


Sorry sorry. It seems it was too late last night.

Stefan

On 10.06.2014 10:03, Kir Kolyshkin wrote:
> On 06/10/2014 12:49 AM, Stefan Priebe - Profihost AG wrote:
>> On 10.06.2014 02:37, Kir Kolyshkin wrote:
>>> On 06/08/2014 08:32 AM, Stefan Priebe - Profihost AG wrote:
>>>> On 07.06.2014 at 11:12, Kir Kolyshkin <kir at openvz.org
>>>> <mailto:kir at openvz.org>> wrote:
>>>>
>>>>> On 06/06/2014 09:48 PM, Stefan Priebe - Profihost AG wrote:
>>>>>> Oh sorry. My fault. Yes it's the same with 090.2
>>>>> I tried to reproduce it locally on a CentOS x86_64 box with the
>>>>> following set of commands,
>>>>> (checking that every one of those succeeds):
>>>>>
>>>>>      yum -y update
>>>>>      yum -y install yum-utils
>>>>>      rpm --import http://download.openvz.org/RPM-GPG-Key-OpenVZ
>>>>>      wget http://download.openvz.org/kernel/branches/rhel6-2.6.32-testing/042stab090.2/vzkernel-2.6.32-042stab090.2.src.rpm
>>>>>      yum-builddep -y vzkernel-2.6.32-042stab090.2.src.rpm
>>>>>      rpmbuild --rebuild vzkernel-2.6.32-042stab090.2.src.rpm
>>>>>
>>>>> The end result is built kernel packages.
>>>>>
>>>>> So, then I tried building from source+patch:
>>>>>
>>>>>      wget http://download.openvz.org/kernel/branches/rhel6-2.6.32-testing/042stab090.2/patches/patch-042stab090.2-combined.gz
>>>>>      wget https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.32.tar.xz
>>>>>      tar xf linux-2.6.32.tar.xz
>>>>>      cd linux-2.6.32
>>>>>      gzip -dc ../patch-042stab090.2-combined.gz | patch -p1
>>>>>      wget http://download.openvz.org/kernel/branches/rhel6-2.6.32-testing/042stab090.2/configs/config-2.6.32-042stab090.2.x86_64
>>>>>      mv config-2.6.32-042stab090.2.x86_64 .config
>>>>>      make oldconfig
>>>>>      make -j16
>>>>>
>>>>> Same result -- it was built w/o errors.
>>>>>
>>>>> So, I was not able to reproduce your issue in either way.
>>>>>
>>>>> *Two questions:*
>>>>>
>>>>> 1. Can you please describe how you build the kernel (including the
>>>>> build
>>>>> environment description), in a way so I will be able to reproduce it
>>>>> locally
>>>>> (for example, something similar to the above)?
>>>> Mhm debian 7.5 using a custom config. But while looking through the
>>>> source code i was not able to der a
>>>> reason why it shouldn't work.
>>> I am also building kernels for Debian as well (although I am using
>>> gcc-4.4.6 from CentOS 6
>>> and I recommend everyone to do the same -- Red Hat kernels are somewhat
>>> sensitive to the
>>> version of gcc being used -- but I think it's not the cause of the
>>> problem here)
>>>
>>> It's probably because of your .config. Is it possible that you share it?
>>> Alternatively, do a diff
>>> between your config and ours, maybe something will look suspicious. For
>>> example, you have
>>> CONFIG_NETFILTER_XTABLES=m instead of y, it might cause this (not
>>> tested).
>> No it's not something obvious like this. I already checked that. The
>> problem is indeed the config. If i copy yours it's working fine. Mine
>> was until 0.88 too. But i don't get which option can cause this.
>>
>> My config is here:
>> http://pastebin.com/raw.php?i=8KwWzwJR
> 
> My guess was suddenly right.
> 
> Compared your config to ours, here's one of the changes:
> 
> -CONFIG_NETFILTER_XTABLES=m
> +CONFIG_NETFILTER_XTABLES=y
> 
> You either have to revert it to m, or apply the following one-liner:
> 
> --- linux-2.6.32/kernel/kmod.c.old    2014-06-10 04:00:11.516427311 -0400
> +++ linux-2.6.32/kernel/kmod.c    2014-06-10 04:00:01.146853184 -0400
> @@ -286,6 +286,8 @@
> 
>      return false;
>  }
> +EXPORT_SYMBOL(module_payload_allowed);
> +
>  #endif /* CONFIG_VE_IPTABLES */
> 
>  int ve0_request_module(const char *name,...)
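Review bot: The added EXPORT_SYMBOL(module_payload_allowed) line makes this helper callable from every loadable module, including non-GPL ones, while the only consumer named in the thread is net/netfilter/x_tables.ko. If nothing else needs it, EXPORT_SYMBOL_GPL(module_payload_allowed) keeps the exported surface narrower. The export also sits inside the block closed by #endif /* CONFIG_VE_IPTABLES */, so it is worth confirming that a modular x_tables build still links when that option is disabled, for example through a static inline stub in the header. A short comment stating that the export exists for the modular x_tables build would help the next reader.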
> 
> 
>>
>>> As for the patches you have, I doubt it is the cause, but it might be.
>>>
>>> Just a general note -- when filing a bug report, it is a good thing to
>>> provide
>>> everything that can help to reproduce it. So, instead of just saying "I
>>> got such error
>>> compiling such kernel" you can say "I got such error compiling such
>>> kernel on
>>> an Ubuntu xx.xx using gcc x.x.x, attached are my .config and the patches
>>> I apply
>>> on top of yours". This is in your own interest, if you want the issue to
>>> be solved.
>>>
>>>>  
>>>>> 2. (Just curious) What is the reason you are building your own kernels
>>>>> instead of relying on packaged binaries that we release? Sorry if I
>>>>> already
>>>>> asked.
>>>> Needed some tweaks newer intel 10gbe drivers, ISO vfs support inside
>>>> guest
>>> I'd suggest using fuseiso for that.
>>>
>>>> , netconsole build inside kernel instead of module...
>>>>
>>>> Stefan
>>>>
>>>>> Kir.
>>>>>
>>>>>> Stefan
>>>>>>
>>>>>> Excuse my typo sent from my mobile phone.
>>>>>>
>>>>>> On 07.06.2014 at 06:23, Kir Kolyshkin <kir at openvz.org
>>>>>> <mailto:kir at openvz.org>> wrote:
>>>>>>
>>>>>>> Kostya, can you please take a quick look?
>>>>>>>
>>>>>>> Stefan,
>>>>>>>
>>>>>>> Did you have the same problem with 090.2? This release (090.3) only
>>>>>>> patches futex code
>>>>>>> and has nothing to do with iptables.
>>>>>>>
>>>>>>> Also, please refrain from using private emails (or announce@) --
>>>>>>> instead use either users@
>>>>>>> mailing list or bugzilla. Thanks!
>>>>>>>
>>>>>>> Kir.
>>>>>>>
>>>>>>> -------- Original Message --------
>>>>>>> Subject:     Re: [Announce] [security] Kernel RHEL6 042stab090.3
>>>>>>> Date:     Sat, 7 Jun 2014 00:27:37 +0200
>>>>>>> From:     Stefan Priebe <s.priebe at profihost.ag>
>>>>>>> To:     Kir Kolyshkin <kir at openvz.org>, "announce at openvz.org"
>>>>>>> <announce at openvz.org>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> while compiling i always get:
>>>>>>> ERROR: "module_payload_allowed" [net/netfilter/x_tables.ko]
>>>>>>> undefined!
>>>>>>>
>>>>>>> Stefan
>>>>>>> On 06.06.2014 21:05, Kir Kolyshkin wrote:
>>>>>>>> OpenVZ project released an updated RHEL6 based kernel. Read
>>>>>>>> below for
>>>>>>>> more information. Everyone is advised to update.
>>>>>>>>
>>>>>>>>
>>>>>>>> Changes and Download
>>>>>>>> ====================
>>>>>>>> * Security fix for CVE-2014-3153
>>>>>>>>
>>>>>>>> https://openvz.org/Download/kernel/rhel6/042stab090.3
>>>>>>>>
>>>>>>>>
>>>>>>>> Bug reporting
>>>>>>>> =============
>>>>>>>> Use http://bugzilla.openvz.org/  to report any bugs found.
>>>>>>>>
>>>>>>>>
>>>>>>>> Other sources of info on updates
>>>>>>>> ================================
>>>>>>>> See http://wiki.openvz.org/News  to view all the news (including
>>>>>>>> updates)
>>>>>>>> online. There you can also find RSS/Atom feed links.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>     OpenVZ team
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Announce mailing list
>>>>>>>> Announce at openvz.org
>>>>>>>> https://lists.openvz.org/mailman/listinfo/announce
>>>>>>>
> 
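The config comparison suggested in the thread ("do a diff between your config and ours"), narrowed to the y/m/n state changes that caused the build error, as an added example that is not part of the original messages or of OpenVZ's tooling. The two sample configs are constructed and the function names are hypothetical.

```python
import re
# A .config line is either "CONFIG_FOO=value" or "# CONFIG_FOO is not set".
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

# Constructed sample data, not the configs from the thread.
SAMPLE_REFERENCE = """
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETCONSOLE=m
# CONFIG_ISO9660_FS is not set
CONFIG_LOCALVERSION=""
"""
SAMPLE_CUSTOM = """
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETCONSOLE=y
CONFIG_ISO9660_FS=m
CONFIG_LOCALVERSION="-custom"
"""

def parse_config(text):
    """Return {option: value}; 'is not set' options map to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
        elif (m := _UNSET.match(line)):
            opts[m.group(1)] = "n"
    return opts

def linkage_changes(reference, custom):
    """(name, ref, custom) per y/m/n difference; a missing option counts as 'n' (assumption)."""
    ref, cus = parse_config(reference), parse_config(custom)
    out = []
    for name in sorted(set(ref) | set(cus)):
        a, b = ref.get(name, "n"), cus.get(name, "n")
        # String and numeric options are skipped: only tristate states matter here.
        if a != b and {a, b} <= {"y", "m", "n"}:
            out.append((name, a, b))
    return out

def builtin_module_flips(reference, custom):
    """Only y<->m flips: code moves between vmlinux and a .ko, which needs exported symbols."""
    return [c for c in linkage_changes(reference, custom) if {c[1], c[2]} == {"y", "m"}]

if __name__ == "__main__":
    for name, a, b in builtin_module_flips(SAMPLE_REFERENCE, SAMPLE_CUSTOM):
        print(f"{name}: reference={a} custom={b}")
```

Each reported flip is a candidate for the kind of undefined-symbol error seen at the modpost stage, so it is the short list to review before a full rebuild.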

