RHSA-2015:0624 - Security Advisory

Topic

Updated qemu-kvm-rhev packages that fix multiple security issues, several
bugs, and add various enhancements are now available for Red Hat Enterprise
Virtualization Hypervisor 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the
user-space component for running virtual machines using KVM, in
environments managed by Red Hat Enterprise Virtualization Manager.

It was found that the Cirrus blit region checks were insufficient.
A privileged guest user could use this flaw to write outside of
VRAM-allocated buffer boundaries in the host's QEMU process address space
with attacker-provided data. (CVE-2014-8106)

An uninitialized data structure use flaw was found in the way the
set_pixel_format() function sanitized the value of bits_per_pixel.
An attacker able to access a guest's VNC console could use this flaw to
crash the guest. (CVE-2014-7815)

It was found that certain values that were read when loading RAM during
migration were not validated. A user able to alter the savevm data (either
on the disk or over the wire during migration) could use either of these
flaws to corrupt QEMU process memory on the (destination) host, which could
potentially result in arbitrary code execution on the host with the
privileges of the QEMU process. (CVE-2014-7840)

A NULL pointer dereference flaw was found in the way QEMU handled UDP
packets with a source port and address of 0 when QEMU's user networking was
in use. A local guest user could use this flaw to crash the guest.
(CVE-2014-3640)

Red Hat would like to thank James Spadaro of Cisco for reporting
CVE-2014-7815, and Xavier Mehrenberger and Stephane Duverger of Airbus for
reporting CVE-2014-3640. The CVE-2014-8106 issue was found by Paolo Bonzini
of Red Hat, and the CVE-2014-7840 issue was discovered by Michael S.
Tsirkin of Red Hat.

This update provides the enhanced version of the qemu-kvm-rhev packages for
Red Hat Enterprise Virtualization (RHEV) Hypervisor, which also fixes
several bugs and adds various enhancements.

All Red Hat Enterprise Virtualization users with deployed virtualization
hosts are advised to install these updated packages, which add this
enhancement. After installing this update, shut down all running virtual
machines. Once all virtual machines have shut down, start them again for
this update to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Virtualization 3 for RHEL 7 x86_64

Fixes

• BZ - 733600 - qemu-kvm doesn't report error when supplied negative vnc port value
• BZ - 760898 - kvm should disable to change vnc password after removing vnc password option
• BZ - 801284 - usb-host accepting out-of-range values for various parameters ending an invalid usb device occupy an ehci port
• BZ - 852348 - fail to block_resize local data disk with IDE/AHCI disk_interface
• BZ - 893654 - allow non-contiguous CPU ranges on -numa command-line options
• BZ - 923599 - Virtio serial chardev will be still in use even failed to hot plug a serial port on it
• BZ - 946993 - Q35 does not honor -drive if=ide,... and its sugared forms -cdrom, -hda, ...
• BZ - 1003432 - qemu-kvm should not allow different virtio serial port use the same name
• BZ - 1013157 - backport block-layer dataplane implementation
• BZ - 1024599 - Windows7 x86 guest with ahci backend hit BSOD when do "hibernate"
• BZ - 1029987 - spice-server reports incorrect listening address on monitor with "ipv6" option
• BZ - 1032855 - qemu-kvm core dump when do S4 inside guest after drive-mirror got BLOCK_JOB_READY status(from libiscsi storage to libiscsi storage))
• BZ - 1039745 - qemu vcpu hotplug support for q35 machine type
• BZ - 1047748 - fail to specify the bootindex for the usb-storage with usb-xhci controller
• BZ - 1052041 - Rubbish serial port device is generated once failed to hotplug a serial port
• BZ - 1055532 - QEMU should abort when invalid CPU flag name is used
• BZ - 1057425 - multiple qxl devices(>9) cause qemu-kvm core dump
• BZ - 1061827 - Maintain relative path to backing file image during live merge (block-commit)
• BZ - 1064742 - QMP: "query-version" doesn't include the -rhev prefix from the qemu-kvm-rhev package
• BZ - 1066239 - Hotplug second virtioserialport failed after attached and detached virtconsole port
• BZ - 1071058 - qemu-img unable to create image filename containing a ':'
• BZ - 1071199 - qemu-kvm numa emulation won't check duplicate node id
• BZ - 1076990 - Enable complex memory requirements for virtual machines
• BZ - 1083844 - Original image checking get errors after commit back with lazy_refcounts=on+qcow2_v3
• BZ - 1086502 - QEMU core dumped when blockdev_add with 'aio': 'native' but without 'cache' specified
• BZ - 1093023 - provide RHEL-specific machine types in QEMU
• BZ - 1096196 - QEMU should abort if NUMA node configuration don't cover all RAM
• BZ - 1102411 - qemu guest-set-time: RTC timer interrupt reinjection vs guest-set-time
• BZ - 1110429 - need a non-event way to determine qemu's current offset from utc
• BZ - 1114889 - drive-mirror cause qemu-kvm process segfaults
• BZ - 1116729 - Backport qemu_bh_schedule() race condition fix
• BZ - 1117445 - QMP: extend block events with error information
• BZ - 1120718 - Migration: Something broken with video
• BZ - 1121025 - Migration: acpi/tables size mismatch
• BZ - 1122619 - unnecessary files being distributed
• BZ - 1123908 - block.c: multiwrite_merge() truncates overlapping requests
• BZ - 1126777 - guest which set numa in xml can't start success
• BZ - 1128095 - chardev 'chr0' isn't initialized when we try to open rng backend
• BZ - 1128608 - [AHCI] RHEL 5.10 x86_64 guest kernel panic - VFS: Unable to mount root fs on unknown-block(9,1)
• BZ - 1129259 - Add traces to virtio-rng device
• BZ - 1129593 - Guest can't poweroff after finishing installation
• BZ - 1132385 - qemu-img convert rate about 100k/second from qcow2/raw to vmdk format on nfs system file
• BZ - 1132569 - RFE: Enable curl driver in qemu-kvm-rhev: https only
• BZ - 1133736 - qemu should provide iothread and x-data-plane properties for /usr/libexec/qemu-kvm -device virtio-blk-pci,?
• BZ - 1134980 - Should export first vga display with Spice
• BZ - 1135844 - [virtio-win]communication ports were marked with a yellow exclamation after hotplug pci-serial,pci-serial-2x,pci-serial-4x
• BZ - 1135893 - qemu-kvm should report an error message when host's freehugepage memory < domain's memory
• BZ - 1136381 - RFE: Supporting creating vdi/vpc format disk with protocols (glusterfs) for qemu-kvm-rhev-2.1.x
• BZ - 1136752 - virtio-blk dataplane support for block_resize and hot unplug
• BZ - 1138359 - RFE: Enable ssh driver in qemu-kvm-rhev
• BZ - 1138579 - Migration failed with nec-usb-xhci from RHEL7. 0 to RHEL7.1
• BZ - 1140001 - data-plane hotplug should be refused to start if device is already in use (drive-mirror job)
• BZ - 1140145 - qemu-kvm crashed when doing iofuzz testing
• BZ - 1140620 - Should replace "qemu-system-i386" by "/usr/libexec/qemu-kvm" in manpage of qemu-kvm for our official qemu-kvm build
• BZ - 1140744 - Enable native support for Ceph
• BZ - 1140975 - fail to login spice session with password + expire time
• BZ - 1140997 - guest is stuck when setting balloon memory with large guest-stats-polling-interval
• BZ - 1141656 - Virtio-scsi: performance degradation from 1.5.3 to 2.1.0
• BZ - 1141666 - Qemu crashed if reboot guest after hot remove AC97 sound device
• BZ - 1142331 - qemu-img convert intermittently corrupts output images
• BZ - 1144325 - Can not probe "qemu.kvm.virtio_blk_data_plane_complete_request"
• BZ - 1144818 - CVE-2014-3640 qemu: slirp: NULL pointer deref in sosendto()
• BZ - 1145042 - The output of "/usr/libexec/qemu-kvm -M ?" should be ordered.
• BZ - 1146573 - qemu core dump when boot guest with smp(num)<cores(num)
• BZ - 1146801 - sendkey: releasing order of combined keys was wrongly converse
• BZ - 1146826 - QEMU will not reject invalid number of queues (num_queues = 0) specified for virtio-scsi
• BZ - 1147354 - Qemu core dump when boot up a guest on a non-existent hugepage path
• BZ - 1150820 - fail to specify wwn for virtual IDE CD-ROM
• BZ - 1151947 - virtconsole causes qemu-kvm core dump
• BZ - 1152830 - Fix sense buffer in virtio-scsi LUN passthrough
• BZ - 1152901 - block/curl: Fix type safety of s->timeout
• BZ - 1152922 - smbios uuid mismatched
• BZ - 1153590 - Improve error message on huge page preallocation
• BZ - 1157329 - qemu-kvm: undefined symbol: glfs_discard_async
• BZ - 1157641 - CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization
• BZ - 1160102 - opening read-only iscsi lun as read-write should fail
• BZ - 1160504 - guest can not show usb device after adding some usb controllers and redirdevs.
• BZ - 1161397 - qemu core dump when install a RHEL.7 guest(xhci) with migration
• BZ - 1163075 - CVE-2014-7840 qemu: insufficient parameter validation during ram load
• BZ - 1163735 - -device pc-dimm fails to initialize on non-NUMA configs
• BZ - 1164759 - Handle multipage ranges in invalidate_and_set_dirty()
• BZ - 1166481 - Allow qemu-img to bypass the host cache (check, compare, convert, rebase, amend)
• BZ - 1169280 - Segfault while query device properties (ics, icp)
• BZ - 1169454 - CVE-2014-8106 qemu: cirrus: insufficient blit region checks
• BZ - 1169589 - test case 051 071 and 087 of qemu-iotests fail for qcow2 with qemu-kvm-rhev-2.1.2-14.el7
• BZ - 1170093 - guest NUMA failed to migrate when machine is rhel6.5.0
• BZ - 1170533 - Should disalbe S3/S4 in default under Q35 machine type in rhel7
• BZ - 1170871 - qemu core dumped when unhotplug gpu card assigned to guest
• BZ - 1171552 - Storage vm migration failed when running BurnInTes
• BZ - 1172473 - BUG: seccomp filter failure with "-object memory-backend-ram"
• BZ - 1173167 - Corrupted ACPI tables in some configurations using pc-i440fx-rhel7.0.0
• BZ - 1175841 - Delete cow block driver
• BZ - 1177127 - [SVVP]smbios HCT job failed with 'Processor Max Speed cannot be Unknown' with -M pc-i440fx-rhel7.1.0
• BZ - 1179165 - [SVVP]smbios HCT job failed with Unspecified error with -M pc-i440fx-rhel7.1.0
• BZ - 1182494 - BUG: qemu-kvm hang when enabled both sandbox and mlock

CVEs

• CVE-2014-3640
• CVE-2014-7815
• CVE-2014-7840
• CVE-2014-8106

References

• https://access.redhat.com/security/updates/classification/#important