Security: Multiple problems in QEMU
Name: Multiple problems in QEMU
ID: RHSA-2017:2392-01
Distribution: Red Hat
Platforms: Red Hat Virtualization
Date: Wed, 2 August 2017, 07:29
References: https://access.redhat.com/security/cve/CVE-2017-9374



Red Hat Security Advisory

Synopsis: Important: qemu-kvm-rhev security, bug fix, and enhancement
Advisory ID: RHSA-2017:2392-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2392
Issue date: 2017-08-01
CVE Names: CVE-2016-10155 CVE-2016-4020 CVE-2016-6835
CVE-2016-6888 CVE-2016-7422 CVE-2016-7466
CVE-2016-8576 CVE-2016-8669 CVE-2016-8909
CVE-2016-8910 CVE-2016-9907 CVE-2016-9911
CVE-2016-9921 CVE-2016-9922 CVE-2017-2630
CVE-2017-5579 CVE-2017-5898 CVE-2017-5973
CVE-2017-9310 CVE-2017-9373 CVE-2017-9374

1. Summary:

An update for qemu-kvm-rhev is now available for RHEV 4.X RHEV-H and Agents
for RHEL-7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Management Agent for RHEL 7 Hosts - ppc64le, x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-rhev packages provide the
user-space component for running virtual machines that use KVM in
environments managed by Red Hat products.

The following packages have been upgraded to a later upstream version:
qemu-kvm-rhev (2.9.0). (BZ#1387372, BZ#1387600, BZ#1400962)

Security Fix(es):

* A stack buffer overflow flaw was found in the Quick Emulator (QEMU) built
with Network Block Device (NBD) client support. The flaw could occur
while processing the server's response to an 'NBD_OPT_LIST' request. A
malicious NBD server could use this issue to crash a remote NBD client,
resulting in a DoS, or potentially execute arbitrary code on the client host
with the privileges of the QEMU process. (CVE-2017-2630)

* An integer overflow flaw was found in Quick Emulator (QEMU) in the CCID
Card device support. The flaw could occur while passing messages via
command/response packets to and from the host. A privileged user inside a
guest could use this flaw to crash the QEMU process. (CVE-2017-5898)

* An information exposure flaw was found in Quick Emulator (QEMU) in Task
Priority Register (TPR) optimizations for 32-bit Windows guests. The flaw
could occur while accessing TPR. A privileged user inside a guest could use
this issue to read portions of the host memory. (CVE-2016-4020)

* A memory-leak flaw was found in the Quick Emulator (QEMU) built with USB
xHCI controller emulation support. The flaw could occur while doing a
USB-device unplug operation. Unplugging the device repeatedly resulted in
leaking host memory, affecting other services on the host. A privileged
user inside the guest could exploit this flaw to cause a denial of service
on the host or potentially crash the host's QEMU process instance.
(CVE-2016-7466)

* Multiple CVEs (CVE-2016-10155, CVE-2016-4020, CVE-2016-6835,
CVE-2016-6888, CVE-2016-7422, CVE-2016-7466, CVE-2016-8576, CVE-2016-8669,
CVE-2016-8909, CVE-2016-8910, CVE-2016-9907, CVE-2016-9911, CVE-2016-9921,
CVE-2016-9922, CVE-2017-2630, CVE-2017-5579, CVE-2017-5898, CVE-2017-5973,
CVE-2017-9310, CVE-2017-9373, CVE-2017-9374, CVE-2017-9375) were fixed as a
result of the rebase to QEMU version 2.9.0.

Red Hat would like to thank Li Qiang (Qihoo 360 Inc.) for reporting
CVE-2016-6835 and CVE-2016-6888; Li Qiang (360.cn Inc.) for reporting
CVE-2017-5898, CVE-2016-7466, CVE-2016-10155, CVE-2017-5579, and
CVE-2017-5973; Donghai Zdh (Alibaba Inc.) for reporting CVE-2016-4020;
Qinghao Tang (Marvel Team 360.cn Inc.) and Zhenhao Hong (Marvel Team 360.cn
Inc.) for reporting CVE-2016-7422; PSIRT (Huawei Inc.) for reporting
CVE-2016-8669; Andrew Henderson (Intelligent Automation Inc.) for reporting
CVE-2016-8910; Qinghao Tang (Qihoo 360), Li Qiang (Qihoo 360), and Jiangxin
(Huawei Inc.) for reporting CVE-2016-9921 and CVE-2016-9922; and Li Qiang
(Qihoo 360 Gear Team) for reporting CVE-2017-9310, CVE-2017-9373,
CVE-2017-9374, and CVE-2017-9375.

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.
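The restart requirement above is easy to overlook: rpm replaces the binary on disk, but every guest keeps executing the old code until it is shut down and started again. The following script is an added example, not part of the advisory or of Red Hat's tooling; it assumes the fixed upstream version is the 2.9.0 the advisory names (the exact downstream build is not listed on this page), that guest processes run from a binary named qemu-kvm, and that /proc is available.

```shell
#!/bin/sh
# Added post-update check for RHSA-2017:2392 (not part of the advisory).
# Assumptions: fixed version 2.9.0 as stated in the advisory (exact build not
# listed), guests run from a binary named qemu-kvm, /proc is available.
# Linux appends "(deleted)" to the /proc/<pid>/exe link of a process whose
# executable was replaced on disk, which identifies guests still on old code.

FIXED_VERSION=2.9.0   # assumed from "qemu-kvm-rhev (2.9.0)" in the advisory

# version_ge A B: succeed if dotted version A is >= B, comparing numerically
# component by component (missing components count as 0, so 2.9 == 2.9.0).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# is_stale_exe TARGET: succeed if a readlink of /proc/<pid>/exe shows a
# qemu-kvm binary that has been replaced on disk since the process started.
is_stale_exe() {
    case "$1" in
        *"/qemu-kvm (deleted)") return 0 ;;
    esac
    return 1
}

# stale_qemu_pids: print the PIDs of guests still running the old binary.
# Unreadable /proc entries (other users' processes, races) are skipped.
stale_qemu_pids() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        if is_stale_exe "$target"; then
            pid="${exe#/proc/}"
            echo "${pid%/exe}"
        fi
    done
}

# check_host: 0 if the update is installed and no guest needs a restart,
# 1 if the package is too old or stale guests remain, 2 if not installed.
check_host() {
    installed=$(rpm -q --qf '%{VERSION}' qemu-kvm-rhev 2>/dev/null) || {
        echo "qemu-kvm-rhev is not installed on this host"
        return 2
    }
    if ! version_ge "$installed" "$FIXED_VERSION"; then
        echo "qemu-kvm-rhev $installed is older than $FIXED_VERSION: update not applied"
        return 1
    fi
    stale=$(stale_qemu_pids)
    if [ -n "$stale" ]; then
        echo "qemu-kvm-rhev $installed is installed, but these guests still run the old binary:"
        echo "$stale"
        return 1
    fi
    echo "qemu-kvm-rhev $installed is installed and every guest runs the new binary"
}

# Run the host check only when asked, so the functions can also be sourced.
case "${1:-}" in
    --check) check_host ;;
esac
```

Run it as `sh check-qemu-update.sh --check` on each RHEL 7 host; a non-zero exit means the host is not yet fully protected.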

5. Bugs fixed (https://bugzilla.redhat.com/):

750801 - [RFE] specifying the entire image chain as a qemu drive (blockdev-add)
971799 - qemu should not crash when if=scsi although it's unsupportable
1032873 - block-job-cancel can not cancel current job when drive-mirror to a no
enough space libiscsi disk
1038963 - [RFE] qemu can't listen on both IPv6 and IPv4 localhost for VNC
1046612 - qemu should quit with friendly prompt when use usb3.0 stick + uhci
1055093 - RFE: usb-host redir: make usb superspeed devices work when redirected
to a non superspeed capable vm
1086193 - RFE: Add blockdev-delete QMP command in company with blockdev-add
1159726 - RFE: blockdev-add support for gluster
1159728 - add blockdev-add support with libiscsi backends
1175113 - pci-bridge should behave the same when adding devices from cli or at
hotplug time
1179045 - [rfe] qemu should report usb-host hotplug errors
1185172 - The blockcopy command will hang there in the mirror period with the
raw disk
1189998 - Active commit does not support on rbd based disk
1193826 - Dump progress only show up when memory-only dump finish
1219541 - virsh migrate --copy-storage-all fails to preserve sparse disk image
1231739 - qmp should give friendly hints when can not use
__com.redhat_drive_del to delete device
1248279 - [RFE] Memory hot unplug on powerpc platform - qemu-kvm-rhev
1254422 - [RFE]Add option to specify the initiator for qemu-img to login iscsi
1256618 - Chardev remains busy after hot remove vhost-user that connected to
the chardev.
1262277 - qemu quit when block mirror 2 disk enable data-plane
1262676 - When mirroring to remote NBD disk with granularity =8192 and
buf-size=8193, qemu core dump ( on src host)
1264255 - When hot-unplug a device which is doing block-commit, guest and qemu
will hang until the commit finished, and call trace appears in guest
1264258 - Guest's time stops with option clock=vm when guest is paused
1271060 - virtio_pci_set_host_notifier_internal: unable to init event notifier:
1274567 - HMP doesn't reflect the correct numa topology after hot plugging
1281407 - Memdev id is not specified when query memdev via QMP
1285928 - linux-aio aborts on io_submit() failure
1291284 - [RFE 7.4] support for virtio-vsock - qemu-kvm-rhev
1293975 - RFE: Operational Blockers for BDS Nodes in QEMU block layer
1295637 - [virtio-win][netkvm][rhel6]win2012 guest bsod with
DRIVER_POWER_STATE_FAILURE(9f) when shutdown after netdev_del&device_del while coping files in guest
1299876 - system_reset should clear pending request for error (IDE)
1300768 - RFE: add support for native TLS encryption on migration TCP transport
1300770 - RFE: add support for native TLS encryption on NBD client/server
1313686 - CVE-2016-4020 Qemu: i386: leakage of stack memory to guest in
1314131 - RHEV for Power: VFIO passthrough of SR-IOV virtual functions
1329145 - qemu-kvm-rhev sometimes gets SIGABRT when do continuous blockcommit
1333425 - CVE-2016-8576 Qemu: usb: xHCI: infinite loop vulnerability in
1334398 - CVE-2016-9922 Qemu: display: cirrus_vga: a divide by zero in
1335808 - [RFE] [vIOMMU] Add Support for VFIO devices with vIOMMU present
1340439 - qemu-kvm crashed when set vram64_size_mb to some vaule
1342434 - qemu core dump when starting a guest with more than 54 nested pcie
1347172 - 'info block' should not show backing file when reopen block
after drive-mirror with 'sync=full'
1352620 - qemu-kvm fail to start in vnc reverse mode
1352769 - QEMU core dumped when query memory devices in hmp after unplugging
memdev of nvdimm
1354177 - Booting from a passthrough usb stick fails when using the bootindex
1357808 - TCG defaults to POWER7 cpu which won't run modern distributions
1360301 - [RFE] allow qemu gfapi log redirection
1361487 - system_reset should clear pending request for error (virtio-blk)
1362084 - qemu core dump when do blockdev-add with option detect-zeroes on
1362729 - [RFE] log hot unplug requests
1363938 - qemu aborted after enter "q" to hmp:virtio-scsi.c:543:
virtio_scsi_handle_cmd_req_prepare: Assertion `blk_get_aio_context(d->conf.blk) == s->ctx' failed
1365708 - qemu-kvm gets SIGSEGV when attach a json backing image of ssh
1366919 - extend virtio-net to expose host MTU to guest
1367369 - Both guest and qemu hang after doing block stream when guest
1367731 - Other operations(snapshot/hot-unplug) to the block are not forbidden
after image streaming starts, which cause qemu and guest hang until streaming completes.
1368040 - Qemu-kvm coredump in repeating hotplug/hot remove virtio-gpu device
1368406 - Virtual display of virtio-gpu should behave like qxl device when
using rhel7.3 guest
1368422 - Post-copy migration fails with XBZRLE compression
1369012 - CVE-2016-6835 Qemu: net: vmxnet: buffer overflow in
vmxnet_tx_pkt_parse_headers() in vmxnet3 device emulation
1369031 - CVE-2016-6888 Qemu: net: vmxnet: integer overflow in packet
1369641 - Boot guest with 'kernel-irqchip=split',
'intremap=true' and e1000, guest fails to get ip and call trace occurs
1369795 - QMP should prompt more specific information when hotplug more than 32
vfs to guest
1373264 - DEVICE_TRAY_MOVED event is not delivered after migration
1373600 - virtio-balloon stats virtqueue does not migrate properly
1373604 - Enhance live migration post-copy to support file-backed memory (e.g.
2M hugepages)
1373710 - qemu-img: unable to create images via ftp/ftps
1373816 - [virtio-win][netkvm]qemu core dump when hotplug/hot-unplug netkvm
device(queues=4) in a loop in windows 2012R2 guest
1374237 - Multi monitors of virtio-vga works abnormally on rhel7.3 guest
1375444 - Add fw_cfg device in windows guest in order to make svvp test pass
1375520 - qemu core dump when there is an I/O error on AHCI
1376000 - xhci emulation fixes
1376755 - CVE-2016-7422 Qemu: virtio: null pointer dereference in
1376760 - Backport memory leak fixes from QEMU 2.7
1377063 - Guest numa topology not correct after hot plug-unplug-plug vcpus
1377160 - [RFE] Q35: Implement hotplug for pxb-pcie devices
1377837 - CVE-2016-7466 Qemu: usb: xhci memory leakage during device unplug
1378334 - windows guests migration from rhel6.8-z to rhel7.3 with
virtio-net-pci fail
1378536 - QEMU runtime modularization of the block layer
1378538 - QEMU: update package summary and description
1378694 - Prevent qemu-img resize from causing "Active L1 table too
1378816 - Core dump when use "data-plane" and execute change cd
1379034 - RFE: add 'iSCSI protocol' support of option
'password-secret' to support for securely passing passwords to QEMU block drivers
1379206 - Graphic can't be showed out quickly if guest graphic mode is vnc
1380258 - ppc64le: > 1024GiB of guest RAM will conflict with IO
1381630 - QEMU segfaults when using a lot of pci bridges and USB devices
1383012 - qemu-img command should return non-zero error value on fail
1384124 - cpu flag nonstop_tsc is not present in guest with host-passthrough
and feature policy require invtsc
1384909 - CVE-2016-8669 Qemu: char: divide by zero error in
1387372 - Rebase qemu-kvm-rhev for RHEL-7.4
1387600 - Rebase qemu-kvm-rhev to 2.8.0
1388046 - CVE-2016-8910 Qemu: net: rtl8139: infinite loop while transmit in C+
1388052 - CVE-2016-8909 Qemu: audio: intel-hda: infinite loop in processing dma
buffer stream
1389238 - Re-enable kvm_stat script
1390316 - PCIe: Add Generic PCIe Root Ports
1390734 - ppc64: pseries-rhel7.4.0 machine type
1390737 - RHEL-7.4 new qemu-kvm-rhev machine type (x86)
1390991 - Wrong error message when executing qemu-img commit with wrong
arguments while confusing base and top volumes
1391942 - kvmclock: advance clock by time window between vm_stop and pre_save
(backport patch)
1392328 - Disable new devices in QEMU 2.8 (x86_64)
1392359 - [abrt] qemu-img: strrchr(): qemu-img killed by SIGSEGV: TAINTED
1393322 - Guest fails boot up with ivshmem-plain and virtio-pci device
1393698 - Correctly set host bits for guests to go beyond 1TB
1394140 - qemu gets SIGSEGV when hot-plug a vhostuser network
1396536 - qemu-kvm-rhev: POWER8 CPU model is listed twice in
'query-cpu-definitions' output
1397697 - Backport remaining kvm_stat patches from the kernel to QEMU
1397870 - qemu fails to recognize gluster URIs in backing chain for
block-commit operation
1400059 - block-gluster: use one glfs instance per volume
1400785 - qemu: Remove pxi-expander-bridge (PXB) device for Power
1400962 - Verify configuration coverage for rebased qemu-kvm-rhev
1402222 - Device IOTLB support in qemu
1402265 - CVE-2016-9907 Qemu: usb: redirector: memory leakage when destroying
1402272 - CVE-2016-9911 Qemu: usb: ehci: memory leakage in ehci_init_transfer
1402645 - Required cache.direct=on when set aio=native
1404137 - 'block-job-cancel' can not cancel a "block-stream"
job normally
1404303 - RFE: virtio-blk/scsi polling mode (QEMU)
1404673 - [ppc64le]reset vm when do migration, HMP in src host promp
"tcmalloc: large alloc 1073872896 bytes..."
1405123 - Opteron_G4 CPU model broken in QEMU 2.6 with RHEL 6 machine type
1406827 - Blacklist TSX feature from specific Intel CPU models
1409973 - [TestOnly] supported Tier2 OS/distros in RHEL7.4
1410284 - [RFE] Allow PCIe devices on pseries guests (qemu part)
1410618 - Flickering Fedora 24 Login Screen on RHEL 7
1410674 - qemu: Remove unnecessary EHCI implementation for Power
1411105 - Windows Server 2008-32 crashes on startup with q35 if cdrom attached
1412327 - RFE: negotiable broadcast SMI for Q35
1412470 - Keyboard hang after migration with kernel-irqchip=split
1412472 - [RFE] VT-d migration
1414694 - Reenable edu device for kvm-unit-tests support
1415199 - CVE-2016-10155 Qemu: watchdog: memory leakage in virtual hardware
watchdog wdt_i6300esb
1415947 - data-plane cause qemu-kvm process hang when do basic Block stream for
1416157 - CVE-2017-5579 Qemu: serial: host memory leakage 16550A UART emulation
1416681 - PCIe compliance issues
1417840 - Include kvm_stat man page in qemu-kvm-tools package
1418166 - Remove dependencies required by spice on ppc64le
1418575 - Forward port of downstream-only QMP commands is incorrect
1418927 - The lifecycle event for Guest OS Shutdown is not distinguishable from
a qemu process that was quit with SIG_TERM
1419466 - Hotplug memory will induce error: kvm run failed Bad address on ppc
when boot up with "-mem-path /mnt/hugetlbfs"
1419699 - CVE-2017-5898 Qemu: usb: integer overflow in emulated_apdu_from_guest
1419899 - Documentation inaccurate for __com.redhat_qxl_screendump and
1420195 - Migration from RHEL7.4 -> RHEL7.3.z failed with rtl8139 nic card
1420216 - Migration from RHEL7.3.z -> RHEL4 failed with e1000e nic card
1420679 - Guest reboot after migration from RHEL7.2.z -> RHEL7.4
1421626 - CVE-2017-5973 Qemu: usb: infinite loop while doing control transfer
in xhci_kick_epctx
1421788 - migration/spice: assert with slot_id 112 too big,
1422415 - CVE-2017-2630 Qemu: nbd: oob stack write in client routine drop_sync
1422846 - Disable replication feature
1425151 - qemu zeroes the first byte of NVDIMM on initialization
1425178 - Remove texi2html build dependancy from RPM
1425273 - [Q35] migration failed after hotplug e1000e device
1425700 - virtio-scsi data plane takes 100% host CPU with polling
1425765 - The guest failed to start with ich6 sound when machine type is
1427466 - [RHEV7.4] dump-guest-memory failed due to Python Exception <class
'gdb.error'> Attempt to extract a component of a value that is not a (null).
1428534 - Enhance qemu to present virtual L3 cache info for vcpus
1428810 - 'Segmentation fault (core dumped)' after hot unplug one disk
in a throttle group AND do guest system reset
1430620 - TLS encryption migration via exec failed with "TLS handshake
failed: The TLS connection was non-properly terminated"
1431224 - Attach lun type disk report error and crash guest
1431939 - The host nodes of memdev is set to 128 default
1432295 - Add gpa2hpa command to qemu hmp
1432382 - Hot-unplug "device_del dimm1" induce qemu-kvm coredump
(hotplug at guest boot up stage)
1432588 - Some compat_props properties override -cpu command-line options
1433193 - Guest could not boot up when attached numa nodes with ram on ppc64le
1433921 - Switch from librdmacm-devel to rdma-core-devel
1434666 - "-numa" should not silently accept an invalid parameter
1434706 - [pci-bridge] Hotplug devices to pci-bridge failed
1434743 - Boot guest failed with error "virtio_scsi_data_plane_handle_ctrl:
Assertion `s->ctx && s->dataplane_started' failed"
1434784 - migration: 7.4->7.2 error while loading state for instance 0x0 of
device 'apic'
1435086 - Migration is failed from host RHEL7.3.z to host RHEL7.4 with
"-machine pseries-rhel7.3.0 -device pci-bridge,id=pci_bridge,bus=pci.0,addr=03,chassis_nr=1"
1435521 - Migration failed with postcopy enabled from rhel7.3.z host to rhel7.4
host "error while loading state for instance 0x0 of device 'pci@800000020000000:05.0/virtio-rng'"
1436562 - [QEMU] scsi-generic: make up opt xfer len if not reported by backend
1436616 - usb-storage device under nec-usb-xhci is unusable after migration
1437310 - The guest os can not boot when set qxl.vram64 >=2G
1437337 - Hotplug cpu cores with invalid nr_threads causes qemu-kvm coredump
1437393 - snapshot created base on the image in https server will hang during
1438566 - migration/qxl: Seg fault migrating rhel5&6 at grub
1440619 - Reboot guest will induce error message - KVM: Failed to create TCE
table for liobn 0x80000001
1440667 - The guest exit abnormally with data-plane when do
"block-job-complete" after do "drive-mirror" in QMP.
1440677 - The guest exit abnormally with data-plane when do
"blockdev-snapshot-sync"in QMP.
1441069 - Failed to create image with iscsi protocol
1443029 - Disable new devices in qemu 2.9
1443040 - seabios can't recognize usb 3.0 loader at boot menu
1444003 - USB 3.0 flash drive not accessible on Windows guest
1444326 - Keyboard inputs are buffered when qemu in stop status
1445174 - [RHEV7.4] [guest memory dump]dump-guest-memory QMP command with
"detach" param makes qemu-kvm process aborted
1446003 - vnc cannot find a free port to use
1446498 - Guest freeze after live snapshot with data-plane
1447184 - qemu abort when live snapshot for multiple block device
simultaneously with transaction and one is to a non-exist path
1447257 - QEMU coredump while doing hexdump test onto virtio serial ports
1447551 - qemu hang when do block_resize guest disk during crystal running
1447581 - [RHEV7.4] [usb-hub] input devices under usb hub don't work on
win2016 with xhci
1447590 - qemu curl driver hangs in a particular libguestfs file download
1447592 - vhost-user/reply-ack: Wait for ack even if no request sent (one-time
1447874 - Migration failed from rhel7.2.z->rhel7.4 with "-M
rhel7.0.0" and "-device nec-usb-xhci"
1448813 - qemu crash when shutdown guest with '-device intel-iommu' and
'-device vfio-pci'
1449031 - qemu core dump when hot-unplug/hot-plug scsi controller in turns
1449037 - Dst qemu quit when migrate guest with hugepage and total memory is
not a multiple of pagesize
1449490 - [q35] guest hang after do migration with virtio-scsi-pci.
1449939 - Remove dependency on seavgabios-bin and ipxe-roms-qemu for
qemu-kvm-rhev on s390x
1450759 - Creating fallocated image using qemu-img using gfapi fails
1451191 - qemu-img: block/gluster.c:1307: find_allocation: Assertion `offs
>= start' failed.
1451483 - QEMU crashes with "-machine none -device intel-iommu"
1451629 - TCP tunnel network: the guest with interface type=client can not
1451631 - Keyboard does not work after migration
1451849 - qemu-img convert crashes on error
1451862 - IOMMU support in QEMU for Vhost-user backend
1452048 - qemu abort when hot unplug block device during live commit
1452066 - Fix backing image referencing in drive-backup sync=none
1452148 - Op blockers don't work after postcopy migration
1452512 - qemu coredump when add more than 12 usb-storage devices to ehci
1452605 - disable pulseaudio and alsa support
1452620 - CVE-2017-9310 Qemu: net: infinite loop in e1000e NIC emulation
1452702 - qemu-img aborts on empty filenames
1452752 - Some block drivers incorrectly close their associated file
1453169 - qemu aborts if quit during live commit process
1454582 - Qemu crashes when start guest with qcow2 nbd image
1454641 - Windows 10 BSOD when using rhel6.4.0/rhel6.5.0/rhel6.6.0
1455150 - Unable to detach virtio disk from pcie-root-port after migration
1456424 - qemu crash when starting image streaming job fails
1456456 - qemu crashes on job completion during drain
1457088 - rbd/iscsi: json: pseudo-protocol format is incompatible with 7.3
1457740 - [Tracing] compling qemu-kvm failed through systemtap
1458270 - CVE-2017-9373 Qemu: ide: ahci host memory leakage during hotunplug
1458705 - pvdump: QMP reports "GUEST_PANICKED" event but HMP still
shows VM running after guest crashed
1458744 - CVE-2017-9375 Qemu: usb: xhci infinite recursive call via
1458782 - QEMU crashes after hot-unplugging virtio-serial device
1459132 - CVE-2017-9374 Qemu: usb: ehci host memory leakage during hotunplug
1461561 - virtio-blk: drain block before cleanup missing
1461827 - QEMU hangs in aio wait when trying to access NBD volume over TLS

6. Package List:

Management Agent for RHEL 7 Hosts:




These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.


RHSA-announce mailing list