Patch Name: PHNE_28786

Patch Description: s700_800 11.04 (VVOS) VVOS/Net Cumulative Patch

Creation Date: 03/03/12

Post Date: 03/03/18

Hardware Platforms - OS Releases:
    s700: 11.04
    s800: 11.04

Products: N/A

Filesets:
    VirtualVaultOS.VVOS-KRN,fr=B.11.04,fa=HP-UX_B.11.04_32,v=HP
    VirtualVaultOS.VVOS-KRN,fr=B.11.04,fa=HP-UX_B.11.04_64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical: No (superseded patches were critical)
    PHNE_25900:
        PANIC
        data page fault on MP system during heavy traffic
    PHNE_20646:
        OTHER
        Needed to limit scope of connectivity with netmultilevelserver.
    PHNE_18548:
        PANIC
        Inability to send RAWIP packets to local system
        Potential panic during listen or bind call

Category Tags: defect_repair general_release critical panic

Path Name: /hp-ux_patches/s700_800/11.X/PHNE_28786

Symptoms:
    PHNE_28786:
    With IPSec enabled, ftp 'put' from a VVOS client machine hangs.

    PHNE_25900:
    Data page fault (panic) is possible on an MP system in vv_am_lookup().

    PHNE_23257:
    In a multi-threaded program, a thread attempting to perform a network
    operation at a different SL than the process may fail.

    PHNE_21581:
    Invalid IPSec connections are established.

    PHNE_21261:
    1. IPSec/9000 support on VVOS requires changes to the VVOS/Net modules.
    2. Interface queries to secondary instances (such as lan0:1) yield
       unexpected results.

    PHNE_20646:
    TCP endpoints with the netmultilevelserver privilege can establish a
    connection.

    PHNE_20707:
    Programs, such as TGP, can get failures when calling
    get_peer_attributes() under certain load conditions.
    1. get_peer_attributes() returns ENOTCONN intermittently when called by
       a connecting client to a local server. Subsequent calls successfully
       return the attributes.
    2. get_peer_attributes() returns ENOTCONN when the peer endpoint is a
       remote connection.

    PHNE_18548:
    1. When the network interfaces are configured at an SL other than syslo,
       and a user attempts to ping any of the local system addresses at an
       SL other than syslo, no ping packets are echoed back (100% packet
       loss). Local addresses include localhost (127.0.0.1) and all
       configured local IP addresses.
    2. Local UDP packet delivery fails if the application attempts to
       communicate over a "connected" UDP endpoint to any local host
       address. The problem was discovered while attempting to do local
       tftp.
    3. System panics while attempting to restart outside NES server via the
       uxwdog process.

Defect Description:
    PHNE_28786:
    Attribute lookup logic fails after connections are closed.

    Resolution:
    Modified the logic for attribute lookup to avoid the problem.

    PHNE_25900:
    Race condition in spinlock handling is possible.

    Resolution:
    Repositioned spinlock code to eliminate race condition.

    PHNE_23257:
    When a thread creates a network connection, the SL attributes are
    copied from the process context. If the thread changes its SL, the SL
    that is copied from the process context is incorrect.

    Resolution:
    Copy the SL from the thread context.

    PHNE_21581:
    Some IPSec connections are established when they should be rejected.
    This is not an issue for non-IPSec traffic.

    Resolution:
    Corrected inbound TCP processing in the SFM. Also modified parsing of
    the TCP flags field to correct a problem distinguishing session
    establishment packets.

    PHNE_21261:
    1. Inbound TCP checks are currently performed by NLM. Since IPSec/9000
       packets may be encrypted, NLM will not be able to parse the TCP
       headers. NLM is not able to parse encrypted outbound IPSec/9000
       packets in order to make outbound delivery decisions.
    2. Attribute information was not properly maintained in the SFM for
       secondary interface instances.

    Resolution:
    1. Moved inbound TCP checks to the SFM module, after the packet has
       been decrypted. Added support to associate process attributes with
       the outbound IPSec/9000 packet so that NLM can make outbound
       delivery decisions based on this association.
    2. Added logic to enforce consistent behavior during interface queries
       of secondary instances.

    PHNE_20646:
    Tighten the requirements for establishing a connection when using the
    netmultilevelserver privilege on TCP endpoints.

    Resolution:
    Reworked the networking packet delivery code to place tighter
    restrictions on packet delivery when netmultilevelserver is in effect.

    PHNE_20707:
    1. A race condition occurs when get_peer_attributes() is called
       immediately after a connect(). The listening endpoint has not been
       notified of the new connection yet, so there are no attributes
       available on the peer when the call is made.
    2. get_peer_attributes() does not check whether the connection is
       local or remote, so when a peer attribute set is not found, the
       condition was assumed to be ENOTCONN.

    Resolution:
    1. Use the attributes of the appropriate listening endpoint if the
       server endpoint attributes are not yet available.
    2. Check first to see if the endpoint is connected locally. If not,
       return EOPNOTSUPP ("the operation is not supported") for a remote
       connection.

    PHNE_18548:
    1. The Session Filter Module (SFM) was matching attributes for all
       local RAWIP packets to the first attribute map entry for the
       protocol (ICMP in the case noted above). Also, there were orphaned
       attribute map entries in the table.
    2. An application that sends data over a UDP endpoint that has first
       called connect() experiences data loss because the connect() is
       being denied.
    3. When an application sends a second listen request on an open
       listening endpoint, the acknowledgement is treated like a bind
       request and the NULL address field is referenced.

    Resolution:
    1. For all RAWIP packets originating from the local system, do not do
       an attribute check, just deliver them (the process must still have
       the 'netrawaccess' privilege to create a raw endpoint). Make sure
       that endpoints only get one attribute map entry created for them;
       otherwise, modify the existing attribute map entry.
    2. Only do attribute checks for TCP on connect(). On inbound UDP
       packets, make sure that the destination address of the packet is
       used for the attribute lookup (for local checks).
    3. Check the length of all bind and listen acknowledgements to make
       sure they have address fields before referencing them.

Enhancement: No

SR: 8606229566 8606114715 8606114387 8606131402 8606132492 8606136086
    8606178920 8606178718 8606296697

Patch Files:
    VirtualVaultOS.VVOS-KRN,fr=B.11.04,fa=HP-UX_B.11.04_32,v=HP:
        /usr/conf/lib/libsec.a(vv_sfm.o)
        /usr/conf/lib/libsec.a(vv_nlm.o)
        /usr/conf/lib/libsec.a(sec_vvosnet.o)
        /usr/conf/lib/libsec.a(vv_attrmap.o)
    VirtualVaultOS.VVOS-KRN,fr=B.11.04,fa=HP-UX_B.11.04_64,v=HP:
        /usr/conf/lib/libsec.a(vv_sfm.o)
        /usr/conf/lib/libsec.a(vv_nlm.o)
        /usr/conf/lib/libsec.a(sec_vvosnet.o)
        /usr/conf/lib/libsec.a(vv_attrmap.o)

what(1) Output:
    VirtualVaultOS.VVOS-KRN,fr=B.11.04,fa=HP-UX_B.11.04_32,v=HP:
    /usr/conf/lib/libsec.a(vv_sfm.o):
        $Source: kern/sec/vv_sfm.c, sysmisc, vvos_rose, rose 0294 $
        $Date: 01/12/10 10:09:51 $
        $Revision: 1.18.1.5 PATCH_11.04 (PHNE_25900) $
    /usr/conf/lib/libsec.a(vv_nlm.o):
        $Source: kern/sec/vv_nlm.c, sysmisc, vvos_rose, rose 0294 $
        $Date: 00/03/10 14:32:27 $
        $Revision: 1.11 PATCH_11.04 (PHNE_21261) $
    /usr/conf/lib/libsec.a(sec_vvosnet.o):
        $Source: kern/sec/sec_vvosnet.c, sysmisc, vvos_rose, rose0294 $
        $Date: 01/01/30 16:45:26 $
        $Revision: 1.19.4.3 PATCH_11.04 (PHNE_23257) $
    /usr/conf/lib/libsec.a(vv_attrmap.o):
        $Source: kern/sec/vv_attrmap.c, sysmisc, vvos_rose, rose0296 $
        $Date: 03/03/13 12:08:42 $
        $Revision: 1.4.1.8 PATCH_11.04 (PHNE_28786) $

    VirtualVaultOS.VVOS-KRN,fr=B.11.04,fa=HP-UX_B.11.04_64,v=HP:
    /usr/conf/lib/libsec.a(vv_sfm.o):
        $Source: kern/sec/vv_sfm.c, sysmisc, vvos_rose, rose 0294 $
        $Date: 01/12/10 10:09:51 $
        $Revision: 1.18.1.5 PATCH_11.04 (PHNE_25900) $
    /usr/conf/lib/libsec.a(vv_nlm.o):
        $Source: kern/sec/vv_nlm.c, sysmisc, vvos_rose, rose 0294 $
        $Date: 00/03/10 14:32:27 $
        $Revision: 1.11 PATCH_11.04 (PHNE_21261) $
    /usr/conf/lib/libsec.a(sec_vvosnet.o):
        $Source: kern/sec/sec_vvosnet.c, sysmisc, vvos_rose, rose0294 $
        $Date: 01/01/30 16:45:26 $
        $Revision: 1.19.4.3 PATCH_11.04 (PHNE_23257) $
    /usr/conf/lib/libsec.a(vv_attrmap.o):
        $Source: kern/sec/vv_attrmap.c, sysmisc, vvos_rose, rose0296 $
        $Date: 03/03/13 12:08:42 $
        $Revision: 1.4.1.8 PATCH_11.04 (PHNE_28786) $

cksum(1) Output:
    VirtualVaultOS.VVOS-KRN,fr=B.11.04,fa=HP-UX_B.11.04_32,v=HP:
        601676184 32440 /usr/conf/lib/libsec.a(vv_sfm.o)
        3474408589 7556 /usr/conf/lib/libsec.a(vv_nlm.o)
        753533631 5564 /usr/conf/lib/libsec.a(sec_vvosnet.o)
        1821186353 7820 /usr/conf/lib/libsec.a(vv_attrmap.o)
    VirtualVaultOS.VVOS-KRN,fr=B.11.04,fa=HP-UX_B.11.04_64,v=HP:
        338257190 69376 /usr/conf/lib/libsec.a(vv_sfm.o)
        1196673859 15344 /usr/conf/lib/libsec.a(vv_nlm.o)
        1760507405 14136 /usr/conf/lib/libsec.a(sec_vvosnet.o)
        2886025747 19200 /usr/conf/lib/libsec.a(vv_attrmap.o)

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHNE_18548 PHNE_20646 PHNE_20707 PHNE_21261 PHNE_21581
            PHNE_23257 PHNE_25900

Equivalent Patches: None

Patch Package Size: 210 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard SupportLine
    User Guide or your Hewlett-Packard support terms and conditions for
    precautions, scope of license, restrictions, and limitation of
    liability and warranties, before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHNE_28786

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHNE_28786.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHNE_28786. If you do not wish to retain a copy of
    the original software, include the patch_save_files option in the
    swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is installed, the
    patch cannot be deinstalled. Please be careful when using this
    feature.

    For future reference, the contents of the PHNE_28786.text file are
    available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHNE_28786.depot

    To put this patch on a magnetic tape and install from the tape drive,
    use the command:

        dd if=/tmp/PHNE_28786.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None
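The cksum(1) table above is what lets an administrator confirm, after the swinstall step, that the four object files now in libsec.a are the ones the bulletin describes. The following script is an added example, not part of the HP bulletin or the VVOS product: it reimplements the POSIX cksum(1) algorithm (CRC-32, polynomial 0x04C11DB7, no reflection, file length appended least-significant byte first, result complemented) so the listed values can be checked from a non-HP-UX host, parses the 32-bit table copied from the bulletin, and compares a member's bytes against it. It assumes the archive member has already been extracted (for instance with ar(1)) and that its bytes are passed in; the sample bytes in the `__main__` block are constructed and are not the real vv_sfm.o.

```python
"""Verify HP-UX patch object files against a bulletin's cksum(1) table.

Added example: reimplements the POSIX cksum(1) CRC so the values listed
in the PHNE_28786 bulletin can be checked without the HP-UX binary.
"""
import re
from typing import Dict, Tuple

POLY = 0x04C11DB7          # CRC-32 polynomial used by cksum(1)
MASK = 0xFFFFFFFF


def _crc_byte(crc: int, byte: int) -> int:
    """Shift one byte (most-significant bit first) through the CRC register."""
    crc ^= byte << 24
    for _ in range(8):
        if crc & 0x80000000:
            crc = ((crc << 1) ^ POLY) & MASK
        else:
            crc = (crc << 1) & MASK
    return crc


def posix_cksum(data: bytes) -> int:
    """Return the number that POSIX cksum(1) prints for `data`.

    The CRC covers the data, then the data length encoded LSB first until
    no non-zero bytes remain, and the register is complemented at the end.
    """
    crc = 0
    for b in data:
        crc = _crc_byte(crc, b)
    length = len(data)
    while length:
        crc = _crc_byte(crc, length & 0xFF)
        length >>= 8
    return (~crc) & MASK


# cksum(1) table for the 32-bit fileset, copied from the PHNE_28786 bulletin.
CKSUM_TABLE_32 = """
601676184 32440 /usr/conf/lib/libsec.a(vv_sfm.o)
3474408589 7556 /usr/conf/lib/libsec.a(vv_nlm.o)
753533631 5564 /usr/conf/lib/libsec.a(sec_vvosnet.o)
1821186353 7820 /usr/conf/lib/libsec.a(vv_attrmap.o)
"""

# <checksum> <size> <path>, the layout cksum(1) prints.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_cksum_table(text: str) -> Dict[str, Tuple[int, int]]:
    """Map each listed path to its (checksum, size) pair; skip blank lines."""
    table: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return table


def verify_member(path: str, data: bytes,
                  table: Dict[str, Tuple[int, int]]) -> str:
    """Compare one archive member's bytes with the bulletin entry for `path`.

    Returns "ok", "size-mismatch", "cksum-mismatch" or "not-listed".
    The size is checked first because it is cheap and already rules out
    a swapped or truncated object before the CRC is computed.
    """
    if path not in table:
        return "not-listed"
    want_sum, want_size = table[path]
    if len(data) != want_size:
        return "size-mismatch"
    if posix_cksum(data) != want_sum:
        return "cksum-mismatch"
    return "ok"


if __name__ == "__main__":
    table = parse_cksum_table(CKSUM_TABLE_32)
    # Constructed stand-in; a real check would read the member extracted
    # from libsec.a, e.g. open("vv_sfm.o", "rb").read().
    sample = b"constructed bytes standing in for vv_sfm.o"
    print(posix_cksum(b"123456789"))   # 930766865, the CRC-32/CKSUM check value
    print(verify_member("/usr/conf/lib/libsec.a(vv_sfm.o)", sample, table))
```

On the patched host itself the equivalent check is simply `cksum` on the extracted member, compared line by line against the table; the value of the script is that the comparison can be scripted from an offline or non-HP-UX system holding a copy of the archive, and that a size mismatch is reported separately from a checksum mismatch.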