Subject:          UnixWare 7.0.1: Virtual Memory and STREAMS Performance Supplement
Advisory number:  n/a
Issue date:       n/a

ftp://stage.caldera.com/pub/security/sse/ptf7096m

Dear SCO Customer,

Support Level Supplement (SLS) ptf7096m, the UnixWare 7.0.1 Virtual
Memory and STREAMS Performance Supplement, updates various OS packages
on your system. Read this document completely before installing this
SLS.

SLS ptf7096m contains modifications to the Base System (base) and OS
Multiprocessor Support (osmp) packages of UnixWare 7. If you are
preparing to install any of these packages, discontinue the
installation of SLS ptf7096m, install those packages first, and then
install SLS ptf7096m.

SLS ptf7096m replaces all versions of these SLSs: ptf7037, ptf7038,
ptf7065 and ptf7057. Remove ptf7037, ptf7038, ptf7065 and ptf7057 from
your system prior to installing SLS ptf7096m.

SLS ptf7096m replaces all previous versions of SLS ptf7096. It is not
necessary to remove any older versions prior to installing SLS
ptf7096m.

SLS ptf7096m is dependent upon the presence of ptf7068c or later. SLS
ptf7068c should be installed prior to installing ptf7096m.

Note: If an earlier version of ptf7068 is installed on the system,
then installation of ptf7096m will fail with this error message:

    UX:pkginstall: ERROR: unknown dependency type specified: X

You must remove SLS ptf7096m before UnixWare 7.1.0 can be installed.

SLS ptf7096m contains these files:

    /etc/conf/pack.d/pse/stubs.c
    /etc/conf/pack.d/pse/Driver_atup.o
    /etc/conf/pack.d/pse/Driver_mp.o
    /etc/conf/pack.d/segdev/Driver_atup.o
    /etc/conf/pack.d/segdev/Driver_mp.o
    /etc/conf/pack.d/ipc/Driver_atup.o
    /etc/conf/pack.d/ipc/Driver_mp.o
    /etc/conf/pack.d/segshm/Driver_atup.o
    /etc/conf/pack.d/segshm/Driver_mp.o
    /etc/conf/pack.d/specfs/Driver_atup.o
    /etc/conf/pack.d/specfs/Driver_mp.o
    /etc/conf/pack.d/proc/Driver_atup.o
    /etc/conf/pack.d/proc/Driver_mp.o
    /etc/conf/pack.d/proc/space.c
    /etc/conf/dtune.d/proc
    /etc/conf/mtune.d/proc
    /etc/conf/pack.d/memfs/Driver_atup.o
    /etc/conf/pack.d/memfs/Driver_mp.o
    /etc/conf/pack.d/s5/Driver_atup.o
    /etc/conf/pack.d/s5/Driver_mp.o
    /etc/conf/pack.d/util/Driver_atup.o
    /etc/conf/pack.d/util/Driver_mp.o
    /etc/conf/pack.d/vxfs/Driver_atup.o
    /etc/conf/pack.d/vxfs/Driver_mp.o
    /etc/conf/pack.d/fs/Driver_atup.o
    /etc/conf/pack.d/fs/Driver_mp.o
    /etc/conf/pack.d/fs/space.c
    /etc/conf/mtune.d/fs
    /etc/conf/pack.d/kernel/Driver_atup.o
    /etc/conf/pack.d/kernel/Driver_mp.o
    /etc/conf/pack.d/sfs/Driver_atup.o
    /etc/conf/pack.d/sfs/Driver_mp.o
    /etc/conf/pack.d/io/Driver_atup.o
    /etc/conf/pack.d/io/Driver_mp.o
    /etc/conf/pack.d/log/Driver_atup.o
    /etc/conf/pack.d/log/Driver_mp.o
    /etc/conf/pack.d/osm/Driver_atup.o
    /etc/conf/pack.d/osm/Driver_mp.o
    /etc/conf/pack.d/namefs/Driver_atup.o
    /etc/conf/pack.d/namefs/Driver_mp.o
    /etc/conf/pack.d/sad/Driver_atup.o
    /etc/conf/pack.d/sad/Driver_mp.o
    /etc/conf/pack.d/mem/Driver_atup.o
    /etc/conf/pack.d/mem/Driver_mp.o
    /etc/conf/pack.d/mem/space.c
    /etc/conf/dtune.d/mem
    /etc/conf/mtune.d/mem
    /usr/include/sys/vmparam.h
    /usr/include/sys/cmn_err.h
    /usr/include/sys/strlog.h
    /usr/include/sys/file.h
    /usr/include/sys/vnode.h
    /usr/include/sys/sad.h
    /usr/include/sys/strsubr.h
    /usr/lib/drf/autopush.dy
    /sbin/autopush
    /usr/sbin/autopush
    /usr/sbin/crash

SLS ptf7096m addresses the following issues (including some from
previous versions).

These issues were addressed in SLS ptf7096e:

- If a system with more than 4GB of physical memory is configured to
  use the memory above 4GB, there may be random memory corruption.
  This was due to the way 36-bit physical addresses were handled in
  the I/O and mem drivers. This fix was originally supplied in SLSs
  ptf7037a and ptf7038a (now superseded).

- Multi-threaded applications using the socket interface with a
  receive thread blocked in select() while another thread successfully
  calls close() on the socket, leaves the receive thread blocked in
  select(). This behavior is undesirable as it does not allow the
  receive thread to exit. This fix was first included in the now
  superseded ptf7038b; a further fix has also been made to correct a
  complication generated by the original fix.

- The system can hang waiting for putbuf_lock when handling NMI.

- Syslogd can miss cmn_err messages at panic.

- Autopush does not work for ddi8 STREAMS drivers. These fixes, first
  introduced in the now superseded ptf7038b, were later found to cause
  kma corruption resulting in spurious panics. A subsequent fix to the
  sad driver was supplied in ptf7096b to resolve this issue.

- linkcycle() does not return unique major numbers from ddi8 drivers.

- recv sometimes concludes a socket is not a socket.

- select would return 'writeable' before a connection had been
  established on a socket.

- A problem was found in ptf7038b where an init 6 or 0 would hang the
  system.

- If doing a non-blocking write to a socket and the socket cannot
  accept data, write should return -1 and set errno to EAGAIN,
  regardless of whether O_NONBLOCK or O_NDELAY were specified. This
  fix was originally supplied in ptf7057a (now superseded).

- A problem was found in the now superseded ptf7038c that caused VxVM
  to fail.

- There is a panic in munlink() during shutdown to init 1.

- A VxFS filesystem sized at 131105MB or greater cannot be mounted if
  it was created using a 1KB blocksize.
  The initial symptom was first reported as diskadd failing if you
  tried to create a filesystem size of 131105MB or greater.

- Processes hang with at least one process in pvn_getdirty. A new
  tunable, SENDV_FORCE_RCOPY, was added and defaulted to 1, to avoid
  this problem.

- A small number of mprotect(2) system calls used a large amount of
  kernel virtual memory on large shared memory segments configured as
  PSE (Page Size Extension) mapped memory.

- A panic occurs in freectty() when using a DDI 8 serial driver.

- An MPIO failover causes system hangs and panics. Note that these
  MPIO solutions will also require ptf7036c or later to be fully
  effective. MPIO, "sdipath -o repair" can successfully mark a disk as
  repaired without a signature, but I/O does not happen as before.
  buf_breakup() (and similar) panics can occur after MPIO paths have
  been failed.

- Changing states from init 1 to init 3 can cause the system to panic.

- Credential structure cached referenced counts were being mismanaged
  resulting in kma corruption and thus, spurious machine panics.

- Various Virtual Memory performance enhancements and fixes have been
  backported from UnixWare 7.1.0.

- Panics occur in pae_hat_unload(), specific to having PAE enabled.

- Panics occur in page_sortodd() from pvn_getdirty().

- The HAT resource lock can be held for very long periods when the
  address range is large. This can lead to apparent system hangs, poor
  sharing of system resources, and clock drift.

- The latest crash binary is included to enable crash to work with the
  VM enhancements backported from UnixWare 7.1.0.

- Panics occur in pae_hat_loadpte, also specific to having PAE
  enabled.

SLS ptf7096f addressed these issues:

- Problem with the zoned bit map (ZBM) code could result in a system
  hang while allocating kernel virtual memory, due to excessive KVM
  fragmentation.

- Poll or select on a udp socket could incorrectly report 'writeable'.

SLS ptf7096g addressed this issue:

- Fixed a problem with VM page_anonpageout involving time loss and
  machine hangs.

SLS ptf7096h addressed these issues:

- Fixed a problem where the DPT DDI8 driver max was set to 64K, but
  128K was still being transferred.

- Panics may occur in sv_signal() called from hat_asunload(), on cpu 0
  of an 8*MP Saber system.

- Possible hangs while two CPUs loop alternately in hat_load().

- Changed algorithm to distribute jobs fairly across CPUs by making
  changes in hat_load().

SLS ptf7096i addressed this issue:

- cpio cannot create a volume greater than 2GB on the tape device when
  blocksize is set to 5120, resulting in this error:

      UX: CPIO: HALT: Cannot write to device

  This ptf allows you to create volumes up to 4GB in size on tapes.

SLS ptf7096j addressed this issue:

- Correction to the fix put into ptf7096i.

SLS ptf7096k addresses these issues:

- System deadlock in canput() due to locked stream.

- buf_breakup can panic with fixed-blocks > 512 bytes.

- Some actions can consume the whole of memory, forcing the system to
  start swapping.

SLS ptf7096l now also addresses these additional issues:

- erg501245 ul99-32801 and ul99-33011
  Disk corruption seen with PAE on and greater than 4GB physical
  memory (all of which is general purpose) whilst performing I/O on a
  VxVM block device. The fix is for a kernel memory corrupting issue
  and is not specific to PAE or volume manager; this is simply the
  method required to reproduce the critical symptom observed by the
  customer. Note, PAE mode is enabled by setting ENABLE_4GB_MEM=YES in
  /stand/boot, or by issuing this during an interactive boot.

- ul99-13704
  This change closes security holes in the usage of /tmp involving
  linking or symbolic linking of well known temporary file names to
  critical system files. It is implemented as additional restrictions
  on link, rename (mv) and symbolic linking on directories that have
  the sticky bit set.

- ul99-18313 erg711045
  System PANIC in streams routines.
  eeE DDI8 driver. Problem Statement: System panic under heavy TCP/IP
  load on system with 32 Mbytes of memory running with NIC set to
  10Mbps, half duplex. Panic appears on any one of three system calls
  used in the transmit side of the driver: msgscgth(),
  msgpullup_physreq(), or getq().

- ul99-15306
  A security problem has been eliminated by disallowing core dumps if
  there is already a corefile (or any other object) of the same name
  in the current directory.

  A security problem has been eliminated by disallowing core dumps of
  setgid processes (processes running with an effective group ID
  different from the user's real group ID).

  An administrator may now select old-style corefile naming, whereby
  the process-ID suffix normally attached to every corefile name is
  eliminated and every corefile is just named "core". This is intended
  to address situations in which it is unacceptable for a disk to fill
  up with corefiles. It is recommended that administrators stick with
  the current default behavior, however. The tunable that controls
  this behavior is named corefile_pids.

- SLS ptf7096l also fixes the following problem which was previously
  shipped in SLS ptf7065a (now superseded):

      s5 Filesystem device node maj/min number corruption

SLS ptf7096m now also addresses these additional issues:

- ul99-20814
  Address space of privileged processes was accessible by regular
  users. Privileged processes could then be traced, opening several
  security holes. This has been fixed by making address space
  inaccessible to regular users.

- ul99-20009
  Privileged processes could core dump. Sensitive data is often
  located inside the core files of privileged processes.
  This has been fixed by no longer allowing privileged processes to
  core dump.

Software Notes and Recommendations
----------------------------------

SLS ptf7096m should only be installed on:

    UnixWare 7 Release 7.0.1

To find out what release your system is running, use the command:

    # uname -sv

The command will return "UnixWare 7.0.1" if this release is installed.

To determine if the SLS ptf7068c (or greater) prerequisite patch is
installed, type the command:

    # pkginfo -l ptf7068 | grep VERSION

If SLS ptf7068c is installed, this command will return "VERSION: c".

Installation Instructions
-------------------------

1. Download the ptf7096m.Z and ptf7096m.txt files to the /tmp
   directory on your machine.

2. As root, uncompress the file and add the SLS package to your system
   using these commands:

       $ su
       Password:
       # uncompress /tmp/ptf7096m.Z
       # pkgadd -d /tmp/ptf7096m
       # rm /tmp/ptf7096m

3. Shut down and reboot the system after installing the SLS package.

Note: A system reboot is required following installation of this SLS
for the kernel sections to take effect. However, if you have not
already installed any other SLS that you need, you should do so before
rebooting.

The release notes displayed prior to installation can be found in:

    /var/sadm/pkg/ptf7096/install/ptf7096.txt

Removal Instructions
--------------------

1. As root, remove the SLS package using these commands:

       $ su
       Password:
       # pkgrm ptf7096

2. Shut down and reboot the system after removing the SLS package.

If you have questions regarding this SLS, or the product on which it
is installed, please contact your software supplier.
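
The release, prerequisite and superseded-SLS rules stated in this
advisory, written as a pre-install check to run before pkgadd. This is
an added example, not part of the SCO advisory or its tooling: the
function names are hypothetical, the sample input is constructed, and
the list of installed package names is assumed to be supplied by the
caller.

```shell
#!/bin/sh
# Added example: pre-install checks for SLS ptf7096m per the advisory's rules.
# Function names are hypothetical. Each takes command output as an argument,
# so the logic can be exercised offline.
LC_ALL=C; export LC_ALL

# release_ok: $1 is the output of `uname -sv`
release_ok() {
    [ "$1" = "UnixWare 7.0.1" ]
}

# prereq_ok: $1 is the output of `pkginfo -l ptf7068 | grep VERSION`
# True only for version letter c or later; empty output means not installed.
prereq_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*VERSION:[[:space:]]*\([a-z]\)[[:space:]]*$/\1/p')
    case "$ver" in
        [c-z]) return 0 ;;
        *)     return 1 ;;
    esac
}

# superseded_left: $1 is a space-separated list of installed package names
# Prints the SLSs the advisory says must be removed before installing.
superseded_left() {
    left=""
    for p in ptf7037 ptf7038 ptf7065 ptf7057; do
        for inst in $1; do
            if [ "$inst" = "$p" ]; then left="$left $p"; fi
        done
    done
    printf '%s\n' "${left# }"
}

# preflight UNAME VERSION_LINE INSTALLED: prints blockers, returns their count.
preflight() {
    n=0
    release_ok "$1" || { echo "wrong release: $1"; n=$((n + 1)); }
    prereq_ok "$2" || { echo "install ptf7068c or later first"; n=$((n + 1)); }
    old=$(superseded_left "$3")
    [ -z "$old" ] || { echo "remove first: $old"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample input, not captured from a real system.
preflight "UnixWare 7.0.1" "VERSION: b" "ptf7068 ptf7057" ||
    echo "blockers found: $?"
```

A prerequisite older than ptf7068c is reported here before pkgadd runs,
instead of surfacing as the "unknown dependency type specified: X"
failure described above.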