RHSA-2018:1104 - Security Advisory

Topic

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.

The following packages have been upgraded to a later upstream version: qemu-kvm-rhev (2.10.0). (BZ#1470749)

Security Fix(es):

• Qemu: stack buffer overflow in NBD server triggered via long export name (CVE-2017-15118)
• Qemu: DoS via large option request (CVE-2017-15119)
• Qemu: vga: OOB read access during display update (CVE-2017-13672)
• Qemu: vga: reachable assert failure during display update (CVE-2017-13673)
• Qemu: Slirp: use-after-free when sending response (CVE-2017-13711)
• Qemu: memory exhaustion through framebuffer update request message in VNC server (CVE-2017-15124)
• Qemu: I/O: potential memory exhaustion via websock connection to VNC (CVE-2017-15268)
• Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank David Buchanan for reporting CVE-2017-13672 and CVE-2017-13673; Wjjzhang (Tencent.com) for reporting CVE-2017-13711; and Jiang Xin and Lin ZheCheng for reporting CVE-2018-5683. The CVE-2017-15118 and CVE-2017-15119 issues were discovered by Eric Blake (Red Hat) and the CVE-2017-15124 issue was discovered by Daniel Berrange (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Affected Products

• Red Hat Virtualization 4 for RHEL 7 x86_64
• Red Hat Virtualization for IBM Power LE 4 for RHEL 7 ppc64le

Fixes

• BZ - 1139507 - wrong data-plane properties via info qtree to check if use iothread object syntax
• BZ - 1178472 - fail to boot win2012r2 guest with hv_relaxed&hv_vapic&hv_spinlocks=0x1fff&hv_time & -smp 80,cores=2,threads=1,sockets=40
• BZ - 1212715 - qemu-img gets wrong actual path of backing file when the file name contains colon
• BZ - 1213786 - qemu-img doesn't check if base image exists when size parameter indicated.
• BZ - 1285044 - migration/RDMA: Race condition
• BZ - 1305398 - [RFE] PAPR Hash Page Table (HPT) resizing (qemu-kvm-rhev)
• BZ - 1320114 - qemu prompt "main-loop: WARNING: I/O thread spun for 1000 iterations" when block mirror from format qcow2 to raw
• BZ - 1344299 - PCIe: Add an option to PCIe ports to disable IO port space support
• BZ - 1372583 - Keyboard can't be used when install rhel7 in guest which has SATA CDROM and spice+qxl mode sometimes
• BZ - 1378241 - QEMU image file locking
• BZ - 1390346 - PCI: Reserve MMIO space over 4G for PCI hotplug
• BZ - 1390348 - PCI: Provide to libvirt a new query command whether a device is PCI/PCIe/hybrid
• BZ - 1398633 - [RFE] Kernel address space layout randomization [KASLR] support (qemu-kvm-rhev)
• BZ - 1406803 - RFE: native integration of LUKS and qcow2
• BZ - 1414049 - [RFE] Add support to qemu-img for resizing with preallocation
• BZ - 1433670 - Provide an API that estimates the size of QCOW2 image converted from a raw image
• BZ - 1434321 - [Q35] code 10 error when install VF in windows 2016
• BZ - 1437113 - PCIe: Allow configuring Generic PCIe Root Ports MMIO Window
• BZ - 1441460 - 'query-block' dirty bitmap count is shown in sectors but documented in bytes
• BZ - 1441684 - Re-enable op blocker assertions
• BZ - 1441938 - When boot windows guest with two numa nodes and pc-dimm assigned to the second node, the dimm cannot be recognized by the guest
• BZ - 1443877 - All the memory was assigned to the last node when guest booted up with 128 nodes
• BZ - 1445834 - Add support for AMD EPYC processors
• BZ - 1446565 - Some keys are missing when using fr-ca keyboard layout with VNC display
• BZ - 1447258 - Fail to create internal snapshot with data plane enable
• BZ - 1447413 - RFE: provide a secure way to pass cookies to curl block driver
• BZ - 1448344 - Failed to hot unplug cpu core which hotplugged in early boot stages
• BZ - 1449067 - [RFE] Device passthrough support for VT-d emulation
• BZ - 1449609 - qemu coredump when dd on multiple usb-storage devices concurrently in guest
• BZ - 1449991 - [rhel7.4][usb-hub]usb kdb doesn't work under 2 tier usb hubs with xhci contronnler for win2016 guest
• BZ - 1451015 - Qemu core dump when do 'quit ' in HMP via ide drive.
• BZ - 1451189 - Add way to select qemu-xhci / nec-usb-xhci device only
• BZ - 1451269 - Clarify the relativity of backing file and created image in "qemu-img create"
• BZ - 1453167 - [PPC] [Hot unplug CPU] Failed to hot unplug after migration
• BZ - 1454362 - QEMU fails to report error when requesting migration bind to "::" when ipv6 disabled
• BZ - 1454367 - QEMU fails to reject IPv4 connections when IPv4 listening is disabled
• BZ - 1455074 - qemu core dump when continuouly hotplug/unplug virtserialport and virito-serial-pci in a loop
• BZ - 1457662 - Windows guest cannot boot with interrupt remapping (VT-d)
• BZ - 1459906 - The guest with intel-iommu device enabled can not restore after managedsave
• BZ - 1459945 - migration fails with hungup serial console reader on -M pc-i440fx-rhel7.0.0 and pc-i440fx-rhel7.1.0
• BZ - 1460119 - qemu gets SIGABRT when hot-plug nvdimm device twice
• BZ - 1460595 - [virtio-vga]Display 2 should be dropped when guest reboot
• BZ - 1460848 - RFE: Enhance qemu to support freeing memory before exit when using memory-backend-file
• BZ - 1462145 - Qemu crashes when all fw_cfg slots are used
• BZ - 1463172 - [Tracing] capturing trace data failed
• BZ - 1464908 - [RFE] Add SCSI-3 PR support to qemu (similar to mpathpersist)
• BZ - 1465799 - When do migration from RHEL7.4 host to RHEL7.3.Z host, dst host prompt "error while loading state for instance 0x0 of device 'spapr_pci'"
• BZ - 1468260 - vhost-user/iommu: crash when backend disconnects
• BZ - 1470634 - Wrong allocation value after virDomainBlockCopy() (alloc=capacity)
• BZ - 1472756 - Keys to control audio are not forwarded to the guest
• BZ - 1474464 - Unable to send PAUSE/BREAK to guests in VNC or SPICE
• BZ - 1475634 - Requires for the seabios version that support vIOMMU of virtio
• BZ - 1476121 - Unable to start vhost if iommu_platform=on but intel_iommu=on not specified in guest
• BZ - 1481593 - Boot guest failed with "src/central_freelist.cc:333] tcmalloc: allocation failed 196608" when 465 disks are attached to 465 pci-bridges
• BZ - 1482478 - Fail to quit source qemu when do live migration after mirroring guest to NBD server
• BZ - 1486400 - CVE-2017-13711 Qemu: Slirp: use-after-free when sending response
• BZ - 1486560 - CVE-2017-13672 Qemu: vga: OOB read access during display update
• BZ - 1486588 - CVE-2017-13673 Qemu: vga: reachable assert failure during display update
• BZ - 1489670 - Hot-unplugging a vhost network device leaks references to VFIOPCIDevice's
• BZ - 1489800 - q35/ovmf: Machine type compat vs OVMF vs windows
• BZ - 1491909 - IP network can not recover after several vhost-user reconnect
• BZ - 1492178 - Non-top-level change-backing-file causes assertion failure
• BZ - 1492295 - Guest hit call trace with iothrottling(iops) after the status from stop to cont during doing io testing
• BZ - 1495090 - Transfer a file about 10M failed from host to guest through spapr-vty device
• BZ - 1495456 - Update downstream qemu's max supported cpus for pseries to the RHEL supported number
• BZ - 1496879 - CVE-2017-15268 Qemu: I/O: potential memory exhaustion via websock connection to VNC
• BZ - 1497120 - migration+new block migration race: bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed
• BZ - 1497137 - Update kvm_stat
• BZ - 1497740 - -cdrom option is broken
• BZ - 1498042 - RFE: option to mark virtual block device as rotational/non-rotational
• BZ - 1498496 - Handle device tree changes in QEMU 2.10.0
• BZ - 1498754 - Definition of HW_COMPAT_RHEL7_3 is not correct
• BZ - 1498817 - Vhost IOMMU support regression since qemu-kvm-rhev-2.9.0-16.el7_4.5
• BZ - 1498865 - There is no switch to build qemu-kvm-rhev or qemu-kvm-ma packages
• BZ - 1499011 - 7.5: x86 machine types for 7.5
• BZ - 1499647 - qemu miscalculates guest RAM size during HPT resizing
• BZ - 1500181 - [Q35] guest boot up failed with ovmf
• BZ - 1500334 - LUKS driver has poor performance compared to in-kernel driver
• BZ - 1501240 - Enable migration device
• BZ - 1501337 - Support specialized spapr-dr-connector devices
• BZ - 1501468 - Remove RHEL-7.4 machine machine type in 7.5 release
• BZ - 1502949 - Update configure parameters to cover changes in 2.10.0
• BZ - 1505654 - Missing libvxhs share-able object file when try to query vxhs protocol
• BZ - 1505696 - Qemu crashed when open the second display of virtio video
• BZ - 1505701 - -blockdev fails if a qcow2 image has backing store format and backing store is referenced via node-name
• BZ - 1506151 - [data-plane] Quitting qemu in destination side encounters "core dumped" when doing live migration
• BZ - 1506531 - [data-plane] Qemu-kvm core dumped when hot-unplugging a block device with data-plane while the drive-mirror job is running
• BZ - 1506882 - Call trace showed up in dmesg after migrating guest when "stress-ng --numa 2" was running inside guest
• BZ - 1507693 - Unable to hot plug device to VM reporting libvirt errors.
• BZ - 1508271 - Migration is failed from host RHEL7.4.z to host RHEL7.5 with "-machine pseries-rhel7.4.0 -device pci-bridge,id=pci_bridge,bus=pci.0,addr=03,chassis_nr=1"
• BZ - 1508799 - qemu-kvm core dumped when doing 'savevm/loadvm/delvm' for the second time
• BZ - 1508886 - QEMU's AIO subsystem gets stuck inhibiting all I/O operations on virtio-blk-pci devices
• BZ - 1510809 - qemu-kvm core dumped when booting up guest using both virtio-vga and VGA
• BZ - 1511312 - Migrate an VM with pci-bridge or pcie-root-port failed
• BZ - 1513870 - For VNC connection, characters '|' and '<' are both recognized as '>' in linux guests, while '<' and '>' are both recognized as '|' in windows guest
• BZ - 1515173 - Cross migration from rhel6.9 to rhel7.5 failed
• BZ - 1515393 - bootindex is not taken into account for virtio-scsi devices on ppc64 if the LUN is >= 256
• BZ - 1515604 - qemu-img info: failed to get "consistent read" lock on a mirroring image
• BZ - 1516922 - CVE-2017-15118 Qemu: stack buffer overflow in NBD server triggered via long export name
• BZ - 1516925 - CVE-2017-15119 qemu: DoS via large option request
• BZ - 1517144 - Provide a ppc64le specific /etc/modprobe.d/kvm.conf
• BZ - 1518482 - "share-rw" property is unavailable on scsi passthrough devices
• BZ - 1518649 - Client compatibility flaws in VNC websockets server
• BZ - 1519721 - Both qemu and guest hang when performing live snapshot transaction with data-plane
• BZ - 1520294 - Hot-unplug the second pf cause qemu promote " Failed to remove group $iommu_group_num from KVM VFIO device:"
• BZ - 1520824 - Migration with dataplane, qemu processor hang, vm hang and migration can't finish
• BZ - 1523414 - [POWER guests] Verify compatible CPU & hypervisor capabilities across migration
• BZ - 1525195 - CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server
• BZ - 1525324 - 2 VMs both with 'share-rw=on' appending on '-device usb-storage' for the same source image can not be started at the same time
• BZ - 1525868 - Guest hit core dump with both IO throttling and data plane
• BZ - 1526212 - qemu-img should not need a write lock for creating the overlay image
• BZ - 1526423 - QEMU hang with data plane enabled after some sg_write_same operations in guest
• BZ - 1528173 - Hot-unplug memory during booting early stage induced qemu-kvm coredump
• BZ - 1529053 - Miss the handling of EINTR in the fcntl calls made by QEMU
• BZ - 1529243 - Migration from P9 to P8, migration failed and qemu quit on dst end with "error while loading state for instance 0x0 of device 'ics'"
• BZ - 1529676 - kvm_stat: option '--guest' doesn't work
• BZ - 1530356 - CVE-2018-5683 Qemu: Out-of-bounds read in vga_draw_text routine
• BZ - 1534491 - Mirror jobs for drives with iothreads make QEMU to abort with "block.c:1895: bdrv_attach_child: Assertion `bdrv_get_aio_context(parent_bs) == bdrv_get_aio_context(child_bs)' failed."
• BZ - 1535752 - Device tree incorrectly advertises compatibility modes for secondary CPUs
• BZ - 1535992 - Set force shared option "-U" as default option for "qemu-img info"
• BZ - 1538494 - Guest crashed on the source host when cancel migration by virDomainMigrateBegin3Params sometimes
• BZ - 1538953 - IOTLB entry size mismatch before/after migration during DPDK PVP testing
• BZ - 1540003 - Postcopy migration failed with "Unreasonably large packaged state"
• BZ - 1540182 - QEMU: disallow virtio-gpu to boot with vIOMMU
• BZ - 1542045 - qemu-kvm-rhev seg-faults at qemu_co_queue_run_restart (co=co@entry=0x5602801e8080) at util/qemu-coroutine-lock.c:83)

CVEs

• CVE-2017-13672
• CVE-2017-13673
• CVE-2017-13711
• CVE-2017-15118
• CVE-2017-15119
• CVE-2017-15124
• CVE-2017-15268
• CVE-2018-5683

References

• https://access.redhat.com/security/updates/classification/#important