First published: Thu Mar 05 2015
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM.

It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106)

An uninitialized data structure use flaw was found in the way the set_pixel_format() function sanitized the value of bits_per_pixel. An attacker able to access a guest's VNC console could use this flaw to crash the guest. (CVE-2014-7815)

It was found that certain values that were read when loading RAM during migration were not validated. A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-7840)

A NULL pointer dereference flaw was found in the way QEMU handled UDP packets with a source port and address of 0 when QEMU's user networking was in use. A local guest user could use this flaw to crash the guest. (CVE-2014-3640)

Red Hat would like to thank James Spadaro of Cisco for reporting CVE-2014-7815, and Xavier Mehrenberger and Stephane Duverger of Airbus for reporting CVE-2014-3640. The CVE-2014-8106 issue was found by Paolo Bonzini of Red Hat, and the CVE-2014-7840 issue was discovered by Michael S. Tsirkin of Red Hat.

Bug fixes:

* The KVM utility executed demanding routing update system calls every time it performed an MSI vector mask/unmask operation. Consequently, guests running legacy systems such as Red Hat Enterprise Linux 5 could, under certain circumstances, experience significant slowdown. The routing system calls during mask/unmask operations are now skipped, and the performance of legacy guests is more consistent. (BZ#1098976)

* Due to a bug in the Internet Small Computer System Interface (iSCSI) driver, a qemu-kvm process terminated unexpectedly with a segmentation fault when the "write same" command was executed in guest mode under the iSCSI protocol. This update fixes the bug, and the "write same" command now functions in guest mode under iSCSI as intended. (BZ#1083413)

* The QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault. This update fixes the related code, and QEMU no longer crashes in the described situation. (BZ#1066338)

Enhancements:

* The maximum number of supported virtual CPUs (vCPUs) in a KVM guest has been increased to 240. This increases the number of virtual processing units that the user can assign to the guest, and therefore improves its performance potential. (BZ#1134408)

* Support for the 5th Generation Intel Core processors has been added to the QEMU hypervisor, the KVM kernel code, and the libvirt API. This allows KVM guests to use the following instructions and features: ADCX, ADOX, RDSEED, PREFETCHW, and supervisor mode access prevention (SMAP). (BZ#1116117)

* The "dump-guest-memory" command now supports crash dump compression. This makes it possible for users who cannot use the "virsh dump" command to require less hard disk space for guest crash dumps. In addition, saving a compressed guest crash dump frequently takes less time than saving a non-compressed one. (BZ#1157798)

* This update introduces support for flight recorder tracing, which uses SystemTap to automatically capture qemu-kvm data while the guest machine is running. For detailed instructions on how to configure and use flight recorder tracing, see the Virtualization Deployment and Administration Guide (linked from the advisory's References section). (BZ#1088112)
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/qemu-kvm | <1.5.3-86.el7 | 1.5.3-86.el7 |
redhat/libcacard | <1.5.3-86.el7 | 1.5.3-86.el7 |
redhat/libcacard-devel | <1.5.3-86.el7 | 1.5.3-86.el7 |
redhat/libcacard-tools | <1.5.3-86.el7 | 1.5.3-86.el7 |
redhat/qemu-img | <1.5.3-86.el7 | 1.5.3-86.el7 |
redhat/qemu-kvm-common | <1.5.3-86.el7 | 1.5.3-86.el7 |
redhat/qemu-kvm-debuginfo | <1.5.3-86.el7 | 1.5.3-86.el7 |
redhat/qemu-kvm-tools | <1.5.3-86.el7 | 1.5.3-86.el7 |
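To check whether a RHEL 7 host still carries a build below the fixed release 1.5.3-86.el7, the following Python (added here; not part of the advisory or of Red Hat's tooling) compares installed package versions against the table above using a simplified reimplementation of RPM's version comparison. The `rpm -qa` output is a constructed sample; note that the advisory table omits the package epoch that `rpm -q` prints, so epochs are only compared when both sides carry one.

```python
import re

# Fixed version-release from the advisory table (the table lists no epoch).
FIXED_VR = "1.5.3-86.el7"
ADVISORY_PACKAGES = {
    "qemu-kvm", "qemu-kvm-common", "qemu-kvm-tools", "qemu-kvm-debuginfo",
    "qemu-img", "libcacard", "libcacard-devel", "libcacard-tools",
}
_SEG = re.compile(r"\d+|[A-Za-z]+")  # rpm splits on digit/letter runs


def rpmvercmp(a: str, b: str) -> int:
    """Simplified RPM segment comparison (written for this example, no '~'
    support): digits numeric, letters lexical, digits beat letters."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a: str, b: str) -> int:
    """Compare '[epoch:]version-release' strings; returns -1, 0 or 1."""
    (ea, _, a), (eb, _, b) = a.rpartition(":"), b.rpartition(":")
    # Compare epochs only when both sides carry one: rpm -q prints the
    # epoch (qemu-kvm has one on RHEL 7) but the advisory table omits it.
    if ea and eb and ea != eb:
        return rpmvercmp(ea, eb)
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def affected_packages(rpm_qa_output: str):
    """[(name, evr)] for advisory packages installed below FIXED_VR."""
    rows = (line.split() for line in rpm_qa_output.splitlines())
    return [(n, e) for n, e in rows
            if n in ADVISORY_PACKAGES and evr_cmp(e, FIXED_VR) < 0]


# Constructed sample, shaped like the output of:
# rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
SAMPLE_RPM_QA = """\
qemu-kvm 10:1.5.3-60.el7_0.11
qemu-img 10:1.5.3-60.el7_0.11
qemu-kvm-common 10:1.5.3-86.el7
libcacard 10:1.5.3-86.el7
bash 0:4.2.45-5.el7
"""
```

Feed it real `rpm -qa` output with the query format shown in the comment; only qemu-kvm and qemu-img in the sample are reported as needing the update.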