5.265. qemu-kvm

Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM.

Security Fix

CVE-2012-3515
A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.
This flaw did not affect the default use of KVM. Affected configurations were:
  • When guests were started from the command line ("/usr/libexec/qemu-kvm") without the "-nodefaults" option, and also without specifying a serial or parallel device, or a virtio-console device, that specifically does not use a virtual console (vc) back-end. (Note that Red Hat does not support invoking "qemu-kvm" from the command line without "-nodefaults" on Red Hat Enterprise Linux 6.)
  • Guests that were managed via libvirt, such as when using Virtual Machine Manager (virt-manager), but that have a serial or parallel device, or a virtio-console device, that uses a virtual console back-end. By default, guests managed via libvirt will not use a virtual console back-end for such devices.
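As an added example (not Red Hat's or QEMU's own code), the following Python script applies the two affected-configuration rules above to a qemu-kvm command line so an administrator can audit running guests; the argument parsing is a simplified reading of the -serial, -parallel, -chardev and -device syntax, and the sample invocations are constructed.

```python
import shlex

CONSOLE_DEVICES = ("virtconsole", "isa-serial", "isa-parallel")

def _backend(spec):
    """Back-end (or device type) name at the start of a qemu option value.
    'vc:80Cx24C' -> 'vc', 'pty,id=c0' -> 'pty', 'isa-serial,chardev=c0' -> 'isa-serial'."""
    return spec.split(",", 1)[0].split(":", 1)[0]

def _prop(spec, key):
    """Value of key=... inside a comma-separated qemu option value, or None."""
    for item in spec.split(",")[1:]:
        k, _, v = item.partition("=")
        if k == key:
            return v
    return None

def console_backends(argv):
    """Back-ends of every serial, parallel and virtio-console device the
    command line defines, as (source, backend) pairs."""
    chardevs = {}  # -chardev id -> backend, collected first (order-independent)
    for i, arg in enumerate(argv[:-1]):
        if arg == "-chardev":
            chardevs[_prop(argv[i + 1], "id")] = _backend(argv[i + 1])
    found = []
    for i, arg in enumerate(argv[:-1]):
        val = argv[i + 1]
        if arg in ("-serial", "-parallel"):
            found.append((arg, _backend(val)))
        elif arg == "-device" and _backend(val) in CONSOLE_DEVICES:
            cd = _prop(val, "chardev")
            if cd in chardevs:
                found.append((_backend(val), chardevs[cd]))
    return found

def audit(cmdline):
    """Return (affected, reason) for one qemu-kvm invocation (string or argv)."""
    argv = shlex.split(cmdline) if isinstance(cmdline, str) else list(cmdline)
    devices = console_backends(argv)
    vc = [src for src, be in devices if be == "vc"]
    if vc:  # second rule: any serial/parallel/virtio-console device on a vc back-end
        return True, "vc back-end on: " + ", ".join(vc)
    if "-nodefaults" not in argv and not any(be != "vc" for _, be in devices):
        # first rule: default devices (on vc) are created and nothing non-vc replaces them
        return True, "no -nodefaults and no non-vc serial/parallel/virtio-console device"
    return False, "not exposed"

# Constructed sample invocations, not captured from a real host.
SAMPLES = {
    "bare": "/usr/libexec/qemu-kvm -m 1024 -hda guest.img",
    "libvirt_vc": "/usr/libexec/qemu-kvm -nodefaults -chardev vc,id=charserial0 "
                  "-device isa-serial,chardev=charserial0,id=serial0",
    "libvirt_pty": "/usr/libexec/qemu-kvm -nodefaults -chardev pty,id=charserial0 "
                   "-device isa-serial,chardev=charserial0,id=serial0",
    "cli_pty": "/usr/libexec/qemu-kvm -serial pty -hda guest.img",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, audit(cmd))
```

On a real host the same check can be run over the argv of each qemu-kvm process (for example from /proc/PID/cmdline, split on NUL bytes) instead of the constructed samples.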
Red Hat would like to thank the Xen project for reporting this issue.
All users of qemu-kvm should upgrade to these updated packages, which resolve this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Updated qemu-kvm packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages form the user-space component for running virtual machines using KVM.

Bug Fixes

BZ#861049
If no listener is connected to a port on a host, output from the guest is suppressed until a listener is connected. For console ports, however, the guest output needs to be discarded instead. Previously, the guest kept waiting for a listener after it wrote data to a console port, and because there was no listener, the guest eventually became unresponsive. This bug has been fixed by changing the behavior of the "pty" socket type so that it no longer suppresses output from the ports and properly discards the data if no listener is connected.
BZ#861906
With some initial guest OS installations using the QXL driver and VNC as the display protocol, virtual machines were terminating unexpectedly with a segmentation fault during setup and returned the "lost connection with kvm process" error message. A patch has been provided to address this issue and virtual machines now run properly in the described scenario.
All users of qemu-kvm are advised to upgrade to these updated packages, which fix these bugs. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Updated qemu-kvm packages that fix a bug are now available for Red Hat Enterprise Linux 6.

Bug Fix

BZ#873270
In the SVVP (Server Virtualization Validation Program) environment, when the e1000 network driver was used, the PCI Hardware Compliance Test For Systems job failed. Consequently, the HCK (Hardware Certification Kit) SVVP certification could not be passed on the system. A patch has been provided to address this issue and the test now passes in the described scenario.
All users of qemu-kvm are advised to upgrade to these updated packages, which fix this bug. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Updated qemu-kvm packages that fix a bug are now available for Red Hat Enterprise Linux 6.

Bug Fix

BZ#886101
When the vdsm daemon was running on blocking NFS storage, it attempted to access the storage continuously. Consequently, vdsm could become unresponsive for almost an hour. This bug has been fixed, and vdsm is now able to recover within a few minutes in the described scenario.
All users of qemu-kvm are advised to upgrade to these updated packages, which fix this bug. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Updated qemu-kvm packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

Bug Fixes

BZ#839897
Previously, the KVM modules were not loaded by the RPM postinstall scriptlet. This bug caused various issues and required the system to be rebooted to resolve them. With this update, the modules are loaded properly by the scriptlet and no unnecessary reboots are required.
BZ#840054
Previously, when a guest was started up with two serial devices, qemu-kvm returned an error message and terminated the boot because IRQ 4 for the ISA bus was being used by both devices. This update fixes the qemu-kvm code, which allows IRQ 4 to be used by more than one device on the ISA bus, and the boot now succeeds in the described scenario.
All users of qemu-kvm are advised to upgrade to these updated packages, which fix these bugs. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Updated qemu-kvm packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Bug Fixes

BZ#787974
A virtio-serial device marked a guest driver with the "present" bit even if a guest was not present. Because the bit was set, the Simple Protocol for Independent Computing Environments (SPICE) assumed, after the migration process had completed, that a guest agent was running, and disabled the server-side mouse. This caused the mouse to be unusable even if no agent was running. The "present" bit is now only set if a working guest driver is present. When no guest agent is running, the mouse continues working after migration as expected.
BZ#789417
Previously, a free() call was missing from the management of the "xsave" processor state. This led to memory leaks in qemu-kvm when a guest used the xsave functionality, causing excessive memory consumption on the host. Buffers used to manage xsave support are now freed after use, so that qemu-kvm no longer leaks memory.
BZ#790421
It was possible to configure SPICE channels to use Transport Layer Security (TLS) when no TLS port had been specified (that is, with TLS disabled). In that situation it was previously not possible to connect to the virtual machine using SPICE after starting QEMU. With this update, QEMU exits with an error message when it detects such a configuration.
BZ#807313
Previously, in certain cases, the USB storage emulation feature failed to update the state correctly on I/O request cancellation. As a consequence, the USB storage machine triggered an assertion in the USB core code, leading to the qemu process dumping core. With this update, status updates are handled correctly, and qemu no longer dumps core.
BZ#807916
The QEMU Enhanced Host Controller Interface (EHCI) code previously contained a spurious assert() function. As a consequence, qemu could dump core. The assert() function has been removed, preventing core dumps in this scenario.
BZ#748810
Due to a bug in the QXL driver, if the user started a QEMU guest, stopped the guest, and executed the "screendump" command, the qemu-kvm process terminated unexpectedly with a segmentation fault. The bug in the QXL driver has been fixed, and qemu-kvm no longer crashes in this scenario.
BZ#785963
If the user pressed a modifier key (Shift, Ctrl or Alt) while closing a Virtual Network Computing (VNC) connection, the key event was treated as if pressed when the next VNC connection was opened. This happened for example when the VNC viewer was closed with the Alt+F4 key combination. To prevent this problem, a key-up event is now injected into the guest and the event is handled as expected if any modifier key is pressed when closing the VNC connection.
BZ#738519
When hot plugging or hot unplugging a USB controller more than 1000 times, the qemu-kvm process dumped core. This was because the Memory-mapped I/O (MMIO) BARs were present, but failed to be unregistered. Unregistering of MMIO BARs has been implemented with this update, so that qemu-kvm runs correctly and a USB controller can be hot plugged and hot unplugged multiple times as expected.
BZ#740707
Due to an assertion performed on packet completion, running a guest with a USB device passthrough to the USB 1.1 controller caused qemu-kvm to terminate with an assertion failure. The assertion is no longer performed on packet completion, which ensures that qemu-kvm runs correctly.
BZ#734426
When starting a guest and moving time backwards on the host, the guest became unresponsive. This was because of incorrect real-time clock (RTC) timer emulation. This problem has been fixed, and the guest settings are now adjusted properly so the guest does not hang in this scenario.
BZ#795652
If the "__com.redhat_spice_migrate_info" monitor command was applied with incorrect parameters, the error handler caused the QEMU monitor to become unresponsive. Error handling has been modified so that the QEMU monitor no longer hangs when executing commands with incorrect parameters.
BZ#796063
An incorrect bit was set in the SAVE/RESTORE handler. As a consequence, the guest could become unresponsive after a live or save and restore migration. A patch has been applied to address this issue, so that the guest no longer hangs in this scenario.
BZ#754349
USB device initialization failure was not handled properly. Adding multiple invalid USB host devices led to the guest dumping core. USB initialization failure handling has been fixed so that the guest no longer dumps core under these circumstances.
BZ#702370
Due to an incorrect calculation of transferred bytes, migration downtime was previously longer than expected and longer than allowed by the "migrate_max_downtime()" monitor command setting. A guest was therefore unavailable for a much longer time than allowed. The underlying source code has been modified to count only transferred bytes, so that qemu-kvm now honors migration downtime settings.
BZ#698936
Migration to hosts with earlier versions of Red Hat Enterprise Linux (notably Red Hat Enterprise Linux 6.1) could fail due to incompatible QXL revision. The revision number has been changed to be compatible with older versions of Red Hat Enterprise Linux, so that guests can now be successfully migrated to such hosts.
BZ#769760
The USB controller did not wait to finish the last transaction before trying to format a USB device. If any USB operation was in progress when resetting the USB device, the operation never finished. This update fixes detaching of a child process, so that the reset process starts after the transaction has finished. Formatting a usb-storage device and the respective USB operations therefore finish successfully.
BZ#769745
Previously, the USB release function was not called in the exit notifier. As a consequence, the host was unable to reuse the USB device after it had been removed from the guest. With this update, the release function is called in the exit notifier, ensuring that the host can reuse the USB device after it has been removed from the guest.
BZ#796118
Previously, the QEMU USB emulation code modified data structures after releasing them. Consequently, an assertion was triggered due to unexpected data structure changes, and the qemu process dumped core. The release call has been moved to the correct place in the code, so that core dumps no longer occur in this scenario.
BZ#769142
When using VNC reverse mode (QEMU connects to the VNC viewer, not vice versa), the VNC server attempted to access the display before initialization. This led to a core dump on the guest machine. With this update, the display is initialized before it is used.
BZ#638055
In safe mode, the "qemu-img rebase" command incorrectly handled backing files as if they were of the same size as the rebased image. As a consequence, attempting to rebase an image if the old or the new backing file was smaller than the image itself failed with the following error message:
qemu-img: error while reading from new backing file
With this update, backing files are handled correctly, and the "qemu-img rebase" command succeeds even if a backing file is smaller than the rebased image.
BZ#736942
The cleanup code of the qemu-img utility did not perform NULL pointer checks for old and new backing files. When executing "qemu-img rebase" in safe mode on an image with a backing file that could not be opened, the utility terminated unexpectedly with a segmentation fault and an error message. This update adds the necessary NULL pointer checks to the cleanup code of qemu-img, and qemu-img now exits gracefully if either the new or the old backing file cannot be opened.
BZ#737879
Due to incorrect handling of invalid arguments for the "-drive" option, running "qemu-kvm -drive" with such arguments could lead to a drive misconfiguration. Validation of the "-drive" arguments has been corrected. As a result, qemu-kvm fails to run if invalid arguments are used.
BZ#790083
When migrating a Microsoft Windows guest with the QXL display driver version 0.1.9 or earlier, the screen of the destination machine could contain rendering artifacts because the primary surface memory was not up to date. With this update, the primary surface memory is updated properly, and screen corruption no longer occurs under these circumstances.
BZ#781920
While reallocating transmission buffers, the guest driver could have allocated unlimited memory to the transmission buffers. This caused qemu to terminate with a glib error. The transmission buffer size is now limited, which prevents the guest from allocating unlimited memory to the buffers, and qemu no longer crashes under these circumstances.
BZ#796575
Previously, the qemu process required periodic polling for events, which could lead to qemu waking up multiple times per second. Because qemu can set specific timers to poll for events periodically, the generic polling timer has been removed. As a result, an idle guest with no VNC or SPICE connections active does not wake up the qemu process unnecessarily.
BZ#798936
Running the "qemu -cpu host" command did not expose the emulated Performance Monitoring Unit (PMU) to a guest, and the guest was therefore unable to use the PMU counters. With this update, if the host kernel supports PMU emulation, the CPUID 0AH leaf is exposed to the guest, so the guest can use the PMU counters to profile itself.
BZ#757713
The code for monitor file name completion previously incorrectly checked for a directory. Consequently, the slash character could be appended to a string even if the completed name did not refer to a directory. The check for directory has been fixed, and the slash character is now added only when the completed name refers to a directory.
BZ#757132
The implementation of the VGA underline attribute could read beyond array bounds, and corrupted pixels in underlined characters could be observed on a guest running a non-framebuffer text console. With this update, out-of-bounds reads no longer occur, and the corrupted pixels are no longer present.
BZ#752049
The Enhanced Host Controller Interface (EHCI) reset handler was incorrect. Microsoft Windows guests could become unresponsive on boot with USB disk passthrough when loading the USB controller. The reset handler implementation has been fixed, and Microsoft Windows guests with USB device passthrough now boot successfully.
BZ#749820
A use-after-free bug in the "acl_reset" monitor command could cause the qemu-kvm process to terminate unexpectedly with a segmentation fault. With this update, the use of freed memory is avoided, and qemu-kvm no longer crashes under these circumstances.
BZ#747010
An incorrect value was used to calculate the memory usage of the qemu-kvm process and to decide when to turn on Kernel Samepage Merging (KSM). As a consequence, KSM was turned on too early. The resident memory size is now used instead of the virtual memory size when calculating qemu-kvm memory usage, so that KSM is turned on at a better-chosen point.
BZ#743251
When running the "qemu-kvm" command without the "-spice" option, qemu-kvm terminated unexpectedly with a segmentation fault if the user attempted to run the "info spice" monitor command afterward. A check has been added to verify whether the command is being run with the "-spice" option, so that qemu-kvm no longer crashes in this scenario.
BZ#812328
Enhanced Host Controller Interface (EHCI) emulation previously had a limitation of the number of queue heads processed. If many devices were present, EHCI did not process all queues, rendering some devices non-functional. The limitation has been removed, so that EHCI now works as expected with a high number of devices.
BZ#728385
When running qemu-kvm with the "-nographic" option, and then executing the "screendump" command, qemu-kvm terminated unexpectedly with a segmentation fault. A check for a valid screendump function pointer has been implemented, and is performed prior to calling the function. As a result, qemu-kvm no longer crashes in this scenario.

Enhancements

BZ#562886
KVM now supports dynamic CPU allocation, also called vCPU hot plug, as a Technology Preview. This feature allows users to dynamically adjust CPU resources in a guest. Guest availability is increased, because it is no longer necessary to take the guest offline to adjust CPU resources.
BZ#632771
Now, qemu-kvm contains a new sub-package called qemu-guest-agent. When running Red Hat Enterprise Linux 6.3 guests with this package installed, properly configured Red Hat Enterprise Linux 6.3 hosts can send new commands to the guest, for example, "guest-sync", "guest-ping", "guest-info", "guest-shutdown", and "guest-suspend-*".
BZ#783950
KVM in Red Hat Enterprise Linux 6.3 now has improved, more asynchronous access to qcow2 disk images (qcow2 is the default format). The frequency of vCPU stalls has thus decreased, resulting in an overall performance improvement during disk I/O.
BZ#782029
KVM Virtualization's storage stack has been improved with the addition of virtio-SCSI (a storage architecture for KVM based on SCSI) capabilities. Virtio-SCSI now provides the ability to connect directly to SCSI LUNs and significantly improves scalability compared to virtio-blk. The advantage of virtio-SCSI is that it is capable of handling hundreds of devices compared to virtio-blk which can only handle 28 devices and exhausts PCI slots.
BZ#767302
This update adds new CPU model definitions for the latest AMD processors.
BZ#760953
This update adds new CPU model definitions for Intel Core i3, i5 and i7 processors.
BZ#758104
Spice builds on KVM USB 2.0 host adapter emulation support, and enables remote USB redirection support that allows virtual machines running on servers to use remotely plugged USB devices on the client side.
All users of qemu-kvm are advised to upgrade to these packages, which fix these bugs and add these enhancements.