4.253. qemu-kvm

Updated qemu-kvm packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems that is built into the standard Red Hat Enterprise Linux kernel. The qemu-kvm packages form the user-space component for running virtual machines using KVM.

Security Fix

CVE-2011-2527
It was found that qemu-kvm did not properly drop supplemental group privileges when the root user started guests from the command line ("/usr/libexec/qemu-kvm") with the "-runas" option. A qemu-kvm process started this way could use this flaw to gain access to files on the host that are accessible to the supplementary groups and not accessible to the primary group.

Note

This issue only affected qemu-kvm when it was started directly from the command line. It did not affect the Red Hat Enterprise Virtualization platform or applications that start qemu-kvm via libvirt, such as the Virtual Machine Manager (virt-manager).
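The CVE-2011-2527 fix is about the order in which a root-started process sheds its identity: the supplementary group list has to be cleared or reset while the process is still root, before the primary gid and uid change, and the result should be verified rather than assumed. The following is an added example written for this page, not qemu-kvm source code; the function names (`drop_privileges`, `groups_restricted_to`, `supplementary_groups_dropped`) are this example's own.

```c
/* Added example, not qemu-kvm code: dropping root privileges to a target
 * user the way a "-runas"-style option should, including the supplementary
 * group list that CVE-2011-2527 left in place. Function names are this
 * example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if every gid in groups[0..n) equals gid, i.e. nothing but the
 * primary group remains in the supplementary list; otherwise 0. */
int groups_restricted_to(const gid_t *groups, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != gid)
            return 0;
    return 1;
}

/* Read the calling process's supplementary groups and check them against
 * the intended primary gid. Returns 1 if clean, 0 otherwise. */
int supplementary_groups_dropped(gid_t gid)
{
    int n = getgroups(0, NULL);            /* query the count first */
    if (n < 0)
        return 0;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (!groups)
        return 0;
    n = getgroups(n + 1, groups);
    int ok = n >= 0 && groups_restricted_to(groups, n, gid);
    free(groups);
    return ok;
}

/* Order matters: setgroups() needs root, so it comes first; then the gid,
 * then the uid. Skipping the setgroups() step is the class of bug the page
 * describes. Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) < 0)            /* or initgroups(name, gid) */
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    /* Verify rather than trust: ids must match and root must be gone. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0) {      /* regaining root means the drop failed */
        errno = EPERM;
        return -1;
    }
    if (!supplementary_groups_dropped(gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone use: ./a.out <user>; must be started as root to have an effect. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <user>\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (!pw) {
        fprintf(stderr, "unknown user %s\n", argv[1]);
        return 2;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u, supplementary groups restricted to gid\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as root with a target user name; a quick way to confirm the outcome from the outside is to compare `id` output from a child process against the supplementary groups root had. The `setuid(0)` probe after the drop is the usual belt-and-braces check that the saved-set-user-ID did not keep root reachable.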

Bug Fixes

BZ#699635
When the "virsh dump" command was executed with the "--live" option, the subsequent "virsh dump" command for the same domain could misbehave. This was caused by a function trying to deallocate memory that had already been freed. To avoid this issue, the log field of the vhost device structure is now set to NULL after it has been passed to a deallocating routine. Running the "virsh dump" command repeatedly no longer leads to non-standard behavior, and the core dump of a guest is now collected.
BZ#697441
Previously, SPICE (the Simple Protocol for Independent Computing Environments) sent the QMP events from the SPICE worker thread context unlocked. As a consequence, memory corruption occurred in certain cases. Global QEMU lock is now taken before the QMP events are sent, which fixes the problem.
BZ#690427
When the user installed a previous version of Windows QXL driver without the off-screen support over a new driver, the virtual machine terminated unexpectedly when the user attempted to switch to graphics mode. With this update, the update_area_surface variable is nullified on the reset of the QXL device, and virtual machines successfully load with a previous version of the driver.
BZ#711213
Previously, the NFS (Network File System) request for the direct vectored I/O operation resulted in splitting a single I/O request into multiple requests. This had a significant impact on performance. QEMU has been modified to detect files that exist in NFS when a request for vectored I/O operation comes to the server. The QEMU_AIO_MISALIGNED flag is now used to force such requests to be handled with a linear buffer.
BZ#720972
The Broadcom Corporation NetXtreme BCM5761 Gigabit Ethernet PCIe network controller provides a PCI-Express Cap structure that is 8 bytes shorter than it should be according to the PCI-Express 2.0 specification. This resulted in memory corruption when it was allocated for device assignment. The code has been modified to accept the reduced size of the structure. BCM5761 can now be successfully re-assigned.
BZ#721114
Prior to this update, the savevm file was not flushed to disk properly. Restoring a virtual machine failed in certain cases due to the savevm file being incomplete. The fsync() call has been added to flush the data to disk, which fixes the problem.
BZ#730587
The qemu-img tool tried to keep sparseness even on very small areas, issuing small write requests. As a consequence, executing the "qemu-img convert" command took a long time for certain images. The qemu-img tool now requires larger zero areas to keep sparseness. Write requests that are too small are now avoided, and the "qemu-img convert" command converts images in a reasonable time.
BZ#728905
If the "none" cache option was selected, all the writes to the destination were very small. To improve the performance of qemu-img, the tool has been modified to use larger buffers so that the writes to the destination are larger.
BZ#718664
Previously, migration of floppy images failed if the user migrated an image from a newer version of qemu-kvm to an older version, because qemu-kvm encountered a subsection it did not recognize. In order to keep the migration compatibility, qemu-kvm now accepts the subsections it does not recognize. As a result, migration of floppy images between any versions of qemu-kvm is successful.
BZ#733010
When canceling a USB packet, the usb-storage emulation tried to cancel the corresponding SCSI (Small Computer Systems Interface) request without checking whether one existed. A NULL pointer dereference caused QEMU to terminate with a segmentation fault. Checks are now performed to determine the presence of the SCSI request. Non-existing requests are not referenced any more.
BZ#728464
If the user started QEMU with the "-no-shutdown" option, asking QEMU not to quit after the guest shutdown, the flag was overlooked after the first shutdown of the guest. QEMU has been modified to honor the option after repeated shutdowns. QEMU no longer quits if this option is supplied.
BZ#707130
When KVM guests were launched with the "-device isa-serial" option instead of the "-serial" option, serial devices created were not visible by Windows guests. This was due to QEMU not exposing these devices in the guests' Advanced Configuration and Power Interface (ACPI) tables. With this update, the guest's ACPI Differentiated System Description Table (DSDT) now properly determines the presence of serial devices, and Windows guests can now see them properly.
BZ#694378
Previously, invalid balloon values, for example 0, caused QEMU to terminate. With this update, input is validated, and QEMU does not terminate if invalid input occurs.
BZ#676528
Previously, the tray got locked if the user ejected a medium forcibly, by executing the "eject -f" command. As a consequence, the user was unable to insert new media afterward. QEMU has been modified to leave the tray open so that users can insert new media as expected.
BZ#624983
Previously, QEMU did not support the new set of Model Specific Registers (MSR), and guests that used only the new set were therefore not able to use kvmclock. The new MSR set is now supported, and all guests are now able to use kvmclock.
BZ#737921
Previously, a SPICE client connected to the migration target only if the migration was completed. However, the ticket on the target was set before the migration started. If the time of the migration was longer than the time for which the ticket expired, the SPICE client failed to connect to the target and terminated. The SPICE server now informs the SPICE client to connect to the target before the migration starts. The SPICE server waits until the client performs the initial connection, and then calls the completion callback of the "client_migrate_info" command. Now, the SPICE client connects to the migration target after the migration.
BZ#710349
Previously, specifying serial numbers for virtio block devices did not work as expected. Patches have been applied to address this issue; virtio block disks are now correctly identified by guests and can be found in the /dev/disk/by-id/ directory.
BZ#738565
A bug in KVM's Non-Maskable Interrupt (NMI) delivery mechanism caused kernel dumps not to be taken on SMP guests. The bug has been fixed, and kernel dumps are now successfully captured on SMP guests.
BZ#706711
Suspending a Windows virtual machine with the running QXL driver caused the machine to terminate on resume. This update implements related I/O calls, and handling specific for S3 adapters in the driver (note that the future QXL driver is required). A Windows virtual machine with the running QXL driver can now be correctly suspended and resumed.
BZ#700134
Prior to this update, the QXL driver submitted requests to the SPICE server thread and waited synchronously for the result. This, in certain cases, caused qemu-kvm to be unresponsive for a long time. With this update, completion notification is used instead of waiting. The SPICE server thread processes the requests asynchronously, and qemu-kvm no longer hangs.
BZ#742484
Previously, drives with removable media were ignored when creating snapshots. As a consequence, reverting to a certain snapshot did not revert writes to floppy disks. A patch has been applied to ensure that only read-only drives with read-only or empty media are ignored. Snapshotting now treats writable floppy disks like any other writable drive.
BZ#742480
Previously, if the guest applied the "eject" command with the "-i" parameter to lock an open tray, the guest was afterward not able to close the tray by running the "eject -t" command. A patch has been applied to address this issue so that guests can successfully close open trays, even if they are locked.
BZ#694373
When specifying a negative balloon value, the value was recognized by the code as a very high positive value. As a consequence, the RAM the guest was started with increased to its maximum. With this update, QEMU now checks for negative values, and reports them as an error.
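BZ#694378 (a zero target crashing QEMU) and BZ#694373 (a negative target read as a huge positive one) are two faces of the same input-validation gap: a signed value parsed into an unsigned quantity wraps, and a value that is never range-checked reaches the balloon logic. The following is an added example written for this page, not qemu-kvm code; `naive_parse`, `parse_balloon_target` and `balloon_target_or_minus1` are this example's own names, and the 2048 MiB guest size in `main` is a constructed sample value.

```c
/* Added example, not qemu-kvm code: validating a balloon target the way
 * BZ#694378 / BZ#694373 describe. Function names are this example's own. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* The pattern behind BZ#694373: reading the value into an unsigned type.
 * strtoull() accepts a leading '-' and wraps, so "-1" becomes ULLONG_MAX,
 * which a balloon then treats as "grow to the maximum". */
unsigned long long naive_parse(const char *s)
{
    return strtoull(s, NULL, 10);
}

/* Validated version. Parses a megabyte count; rejects empty input, trailing
 * garbage, overflow, zero and negatives (BZ#694378 / BZ#694373), and caps at
 * max_mib, the RAM the guest was started with. Returns 0 and stores the
 * value on success, -1 on any rejection. */
int parse_balloon_target(const char *s, long long max_mib, long long *out_mib)
{
    if (s == NULL || *s == '\0')
        return -1;
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* overflow or non-numeric tail */
        return -1;
    if (v <= 0)                            /* 0 and negatives are invalid */
        return -1;
    if (v > max_mib)                       /* cannot balloon above configured RAM */
        return -1;
    *out_mib = v;
    return 0;
}

/* Convenience wrapper: the accepted value, or -1 when the input is rejected. */
long long balloon_target_or_minus1(const char *s, long long max_mib)
{
    long long v;
    return parse_balloon_target(s, max_mib, &v) == 0 ? v : -1;
}

int main(void)
{
    /* Constructed sample inputs, including the two cases the bug reports name. */
    const char *inputs[] = { "512", "0", "-1", "12abc", "4096", "99999999999999999999" };
    const long long guest_ram_mib = 2048;  /* constructed sample guest size */
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        long long v = balloon_target_or_minus1(inputs[i], guest_ram_mib);
        if (v >= 0)
            printf("%-22s -> accepted, target %lld MiB\n", inputs[i], v);
        else
            printf("%-22s -> rejected (an unsigned parse would have given %llu)\n",
                   inputs[i], naive_parse(inputs[i]));
    }
    return 0;
}
```

The upper bound is the part the bug reports only imply: once negatives no longer wrap, a plain "too large" value still has to be refused, otherwise the balloon is asked for more than the guest was configured with.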
BZ#742476
Previously, the "eject -f" monitor command worked even for non-removable drives. If the user used the command for such drives, the drive could not be used by the guest. Users could incorrectly interpret the problem as a hardware failure. A patch has been applied to address this issue, and qemu-kvm refuses to eject non-removable drives.
BZ#742469
Previously, the CD-ROM drive prevented the guest from locking an empty tray. With this update, qemu-kvm has been modified so that guests are allowed to lock empty drives regardless of whether a medium is present in the drive or not.
BZ#681736
Previously, after a virtio-serial port was unplugged, all the communication from the guest to the host, for all other ports on the virtio-serial device, was stopped. This was because the back ends of the ports on the device were incorrectly marked as NULL. With this update, the back ends of the device are checked per-port.
BZ#678729
When performing a device assignment of a PCI(e) PF (Physical Function) or VF (Virtual Function) device with an invalid host PCI configuration address, such as 0Z:88.00, to a KVM guest, the guest terminated with a core dump. With this update, the values of the B:D.F fields of an assigned device are now checked to ensure that they are in the proper ranges. When performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI configuration address, QEMU displays an error message and the device terminates correctly.
BZ#725625
Previously, it was possible to expose multiple balloon devices to the guest. As a consequence, QEMU could misbehave if various balloon devices were given different commands. With this update, only one balloon device is allowed to be exposed to the guest. Now, QEMU works correctly.
BZ#739480
Due to wrong initialization order for some data structures, migration could fail in rare cases, and the instance of QEMU on the receiving host would terminate with a segmentation fault. The initialization code is fixed with this update, and QEMU no longer crashes.
BZ#632299
Constant polling of a device (such as a USB tablet) in the USB emulation consumed an excessive amount of CPU time. The remote wake up support has been added, which allows the guest's power management to suspend the USB devices and wait for the wake up notification. USB polling can now be stopped, and the CPU utilization on the host is therefore reduced.
BZ#720535
If the character device on the host side was connected to a virtio-serial port, and was closed just before the guest sent data, QEMU terminated unexpectedly. With this update, 0 is used as the return value of the write operation, and indicates that nothing was written to the character device.
BZ#734860
Previously, a missing NULL check caused qemu-kvm to terminate unexpectedly shortly after the start if a socket character device was missing the host parameter. This update adds the missing NULL check. Now, if the device is missing the host parameter, qemu-kvm terminates with an appropriate error message.
BZ#736975
Prior to this update, qemu-kvm failed to unregister balloon devices when hot unplugging the device. As a consequence, the user was not able to hot plug a balloon device after they had hot unplugged the previous one. With this update, qemu-kvm is modified to correctly unregister the balloon device from the balloon core in QEMU. Now, balloon devices can be added and removed successfully.
BZ#655719
Previously, the "change" monitor command did not return any error information if opening a file failed. When the user attempted to execute the "change" command to change or insert a non-existent file into the CD-ROM drive of a virtual machine, an "undefined error" or no error message would be reported. With this update, the "change" command correctly returns error information so that the user is properly informed.
BZ#658467
Every time the user executed the "savevm" command, qemu-kvm queried the value of kvmclock even if the virtual machine had been stopped. As a consequence, the stability of migration results could be broken. This update introduces a new kvmclock device, and qemu-kvm queries kvmclock only if the valid flag is set. Now, kvmclock is stable for the migration unit-test.
BZ#645351
Previously, QEMU did not support the USB 2.0 EHCI (Extended Host Controller Interface) devices. It was therefore impossible to use such devices in guests. This update adds support for the USB 2.0 EHCI emulation, so that users can use USB 2.0 devices.
BZ#583922
The RTL8139 network interface controller (NIC) emulated by qemu-kvm did not support IEEE 802.1Q-tagged frames. Guests which used 802.1Q tagged virtual LAN (VLAN) were not able to communicate with each other as a consequence. This update adds support for 802.1Q. Now, guests can use the 802.1Q VLAN protocol with RTL8139.
BZ#728984
When a QXL device is initialized, it ensures that its corresponding command rings are empty. After migration, before a virtual machine is started, and when the QXL device is initialized, the command rings should not be empty. Prior to this update, the command ring was not empty and QEMU terminated with an assertion. With this update, QEMU is modified to ensure that the rings are empty only if the virtual machine is not stopped. Now, QEMU no longer terminates in the scenario described.
BZ#729294
Previously, the state of the keyboard LED lights was not kept during migration. When migrating a guest with, for example, Caps Lock or Num Lock turned on, the lights were turned off after the guest had been migrated, even when the function was still active. This update adds the state of the keyboard LED lights to the qemu state which is kept during migrations. As a result, the state of the keyboard LED lights is kept.
BZ#729621
Pausing all virtual CPUs was previously done by means of a specially registered handler in the vkm_vm_state_change_handler list. During migration, the source virtual machine that was stopped received an I/O exit after its state change handler had been called, but before the virtual CPUs were paused. This resulted in an assertion and a termination of the virtual machine. With this update, the virtual CPU is paused after (or resumed before) all handlers are called. Migrations now proceed and finish as expected.
BZ#725965
During migration, the SPICE server on the target virtual machine started with the guest agent disconnected, and was not notified when the agent was connected. After the migration had been completed, the mouse on the client side was no longer available and the function of copying and pasting did not work. With this update, the guest_open() callback function is called at the migration target. Now, the mouse and the function of copying and pasting work as expected in the scenario described.
BZ#733993
Previously, the SPICE server could be started even if the ssd.running property was set to false. As a consequence, the migration target terminated unexpectedly with an assertion after the migration had been completed. To fix this problem, the ssd.running property is now set to true before the SPICE server is started.
BZ#735716
Previously, the qemu utility could be terminated by another process. The virtual machine terminated and the user was alerted. However, the event was never logged, and the user was therefore not able to determine what process caused qemu to terminate. Now, such information is logged for troubleshooting purposes.
BZ#723270
Previously, management applications were not able to determine whether the tray was open or closed. It could therefore be difficult for such applications to change media for the guest at the right time. With this update, the "info block" monitor command is extended to display the status of the tray. Management applications can now poll the command to see when the tray opens and closes.
BZ#744780
In rare cases, QEMU used a SCSI request after its memory had been freed. As a consequence, QEMU terminated unexpectedly with a segmentation fault. To fix this problem, SCSI requests are used by QEMU as a part of emulation of USB mass storage devices.
BZ#740547
Previously, the QXL memory slots were not created after migration if the migration started in VGA mode, and the guest was actually a native guest temporarily in VGA mode. After the migration had been completed, qemu-kvm terminated when the user switched from VGA mode back to native mode. With this update, all active memory slots are recreated during migration in VGA mode. Switching back to native mode is now successful after migration.
BZ#714773
Due to a missing probe marker for the qemu.kvm.qemu_vmalloc probe point, it was not possible to use "probe qemu.kvm.qemu_vmalloc" in a SystemTap script. The marker has been added to the qemu_vmalloc() function, so it is now possible to use "probe qemu.kvm.qemu_vmalloc" in a SystemTap script.
BZ#710046
Previously, qemu-kvm printed an unnecessary warning about the CPU model used. This message has been removed with this update.
BZ#705070
Previously, users were not able to take screenshots of secondary QXL displays. This update introduces a new monitor command to fix the problem.
BZ#743269
Hot unplugging a snapshot block device could cause future snapshot operations to misbehave or terminate unexpectedly. A patch has been applied to address this issue, and hot unplugging block devices no longer endangers future snapshot operations.
BZ#743342
Previously, the state of the CD-ROM tray was not migrated and got lost. The tray was instead closed and locked during the migration. This problem has been fixed and the state of the tray is migrated correctly.
BZ#701442
Previously, the vm_running variable was not explicitly initialized, and its values were only set by the state change notifier. This could confuse the virtio devices which were being hot plugged, such as virtio-net with the vhost back end. These could assume that the virtual machine was not running. As a consequence, vhost-net was not started after the virtio-net devices were hot plugged. The vm_running variable is now initialized explicitly during the virtio_common_init() call. The vhost-net devices are started, if required, after the virtio-net devices have been hot plugged.
BZ#738487
Previously, when shutting down qemu-kvm due to the SIGTERM request, qemu-kvm did not terminate if the "-no-shutdown" option was used. The SIGTERM request could not be properly used to terminate qemu-kvm, and libvirt was therefore forced to send the SIGKILL signal, which could in certain cases cause disk corruption. The source code has been modified, so that the SIGTERM signal can now be used to terminate qemu-kvm even if "-no-shutdown" is used. This prevents disks from being corrupted due to the SIGKILL signal being sent.
BZ#669581
Prior to this update, functions in the migration code did not handle and report errors correctly. As a consequence, migration never ended if connection to the destination migration port was rejected (for example by a firewall). This update includes multiple fixes of error detection, reporting, and handling of errors in the migration code. Now, handling of errors during migration is more reliable; for example if the connection to the destination migration port is rejected, this is properly detected and migration is aborted.
BZ#715017
Previously, QEMU did not provide any mechanism to report read and write latency of a block device. The management system was therefore not able to report what the average latency for block devices of virtual machines was. This update implements a mechanism so that qemu-kvm reports disk latency statistics by executing the "info blockstats" command.
BZ#710943
With this update, the event index feature is now supported by the Red Hat Enterprise Linux 6.2 guests. This reduces CPU utilization per megabyte for most workloads. The feature is turned on by default, and can be disabled in libvirt's XML configuration.
BZ#700859
Prior to this update, the memory API was used incorrectly. As a consequence, a hot plugged virtio-net device with vhost enabled became unresponsive after the guest had been paused. This problem has been fixed, and if the guest is paused, the hot plugged device works as expected.
BZ#738555
Nested virtualization is not supported by qemu-kvm. This update therefore removes the "-enable-nested" option.
BZ#723864
With this update, emulation of the following USB devices is disabled: usb-wacom-tablet (usb-tablet can be used instead), usb-braille, usb-serial, usb-net, and usb-bt-dongle.

Enhancements

BZ#716906
A new QEMU machine type, Red Hat Enterprise Linux 6.2, has been added with this update. This type is now used by default. If live migration compatibility with previous Red Hat Enterprise Linux hosts is required, users can choose the Red Hat Enterprise Linux 6.1 or Red Hat Enterprise Linux 6.0 machine types instead.
BZ#684949
Prior to this update, qemu-kvm was not able to display BIOS messages on boot of the virtual machine. With this update, sgabios support has been added to qemu-kvm, and a dependency on the new sgabios RPM package has been added as well. Now, qemu-kvm is able to use sgabios to print BIOS messages to a virtual serial device, if configured to do so.
BZ#713743
The qemu-img tool was writing disk images using writeback and filling up the cache buffers which were then flushed by the kernel. This prevented other processes from accessing the storage. In a cluster environment, accessing the storage within certain timeouts could be critical. This update adds an option to choose a cache method when writing disk images. Users that require other cache methods can now choose the cache method on the command line when using qemu-img.
BZ#725054
The warning message about the ability to run qemu-kvm directly has been modified to be more clear.
BZ#621482
Previously, the qemu-img tool did not provide information about the completion percentage. This update introduces the new "-p" option for qemu-img which displays progress information while running.
BZ#696102
When resetting error physical memory pages (marked as HWPoison) of a guest, the guest tried to reuse the memory pages after reboot. As a consequence, in certain cases, the guest terminated unexpectedly, and could terminate repeatedly after multiple reboots. With this update, memory marked as HWPoison is unmapped so that it cannot be reused. After reboot, the guest can access new memory pages which are not marked as HWPoison.
BZ#693645
Newer versions of the SPICE client and agent allow users to copy and paste from the client to the guest. However, this is not desirable in all environments. This update introduces a new option, "disable-copy-paste", which allows users to turn off the copy and paste support for the virtual machine which is being started.
Users of qemu-kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM.

Security Fix

CVE-2011-4111
A flaw was found in the way qemu-kvm handled VSC_ATR messages when a guest was configured for a CCID (Chip/Smart Card Interface Devices) USB smart card reader in passthrough mode. An attacker able to connect to the port on the host being used for such a device could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.
All users of qemu-kvm should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Updated qemu-kvm packages that fix one security issue, one bug, and add one enhancement are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM.

Security Fix

CVE-2012-0029
A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host.
Red Hat would like to thank Nicolae Mogoreanu for reporting this issue.

Bug Fix

BZ#767721
qemu-kvm has a "scsi" option, to be used, for example, with the "-device" option: "-device virtio-blk-pci,drive=[drive name],scsi=off". Previously, however, it only masked the feature bit, and did not reject SCSI commands if a malicious guest ignored the feature bit and issued a request. This update corrects this issue. The "scsi=off" option can be used to mitigate the virtualization aspect of CVE-2011-4127 before the RHSA-2011:1849 kernel update is installed on the host.
This mitigation is only required if you do not have the RHSA-2011:1849 kernel update installed on the host and you are using raw format virtio disks backed by a partition or LVM volume.
If you run guests by invoking /usr/libexec/qemu-kvm directly, use the "-global virtio-blk-pci.scsi=off" option to apply the mitigation. If you are using libvirt, as recommended by Red Hat, and have the RHBA-2012:0013 libvirt update installed, no manual action is required: guests will automatically use "scsi=off".

Note

After installing the RHSA-2011:1849 kernel update, SCSI requests issued by guests via the SG_IO IOCTL will not be passed to the underlying block device when using raw format virtio disks backed by a partition or LVM volume, even if "scsi=on" is used.

Enhancement

BZ#767906
Prior to this update, qemu-kvm was not built with RELRO or PIE support. qemu-kvm is now built with full RELRO and PIE support as a security enhancement.
All users of qemu-kvm should upgrade to these updated packages, which correct these issues and add this enhancement. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Updated qemu-kvm packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages form the user-space component for running virtual machines using KVM.

Bug Fixes

BZ#799002
Previously, QEMU did not support 2000x2000 screen resolution. This resolution is now supported.
BZ#805550
Previously, the free() function was missing in management of the "xsave" processor state. This led to memory leaks in qemu-kvm when a guest used the xsave functionality, causing excessive memory consumption on the host. Buffers used to manage xsave support are now freed after use so that qemu-kvm no longer leaks memory.
All users of qemu-kvm are advised to upgrade to these updated packages, which fix these bugs. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.