Sicherheit: Mehrere Probleme in QEMU
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in QEMU
ID: RHSA-2018:1104-01
Distribution: Red Hat
Plattformen: Red Hat Virtualization
Datum: Di, 10. April 2018, 22:57
Referenzen: https://access.redhat.com/security/cve/CVE-2017-15118
Applikationen: QEMU


Hash: SHA1

Red Hat Security Advisory

Synopsis: Important: qemu-kvm-rhev security, bug fix, and enhancement
Advisory ID: RHSA-2018:1104-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2018:1104
Issue date: 2018-04-10
CVE Names: CVE-2017-13672 CVE-2017-13673 CVE-2017-13711
CVE-2017-15118 CVE-2017-15119 CVE-2017-15124
CVE-2017-15268 CVE-2018-5683

1. Summary:

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - ppc64le, x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-rhev packages provide the
user-space component for running virtual machines that use KVM in
environments managed by Red Hat products.

The following packages have been upgraded to a later upstream version:
qemu-kvm-rhev (2.10.0). (BZ#1470749)

Security Fix(es):

* Qemu: stack buffer overflow in NBD server triggered via long export name

* Qemu: DoS via large option request (CVE-2017-15119)

* Qemu: vga: OOB read access during display update (CVE-2017-13672)

* Qemu: vga: reachable assert failure during display update

* Qemu: Slirp: use-after-free when sending response (CVE-2017-13711)

* Qemu: memory exhaustion through framebuffer update request message in VNC
server (CVE-2017-15124)

* Qemu: I/O: potential memory exhaustion via websock connection to VNC

* Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank David Buchanan for reporting CVE-2017-13672 and
CVE-2017-13673; Wjjzhang (Tencent.com) for reporting CVE-2017-13711; and
Jiang Xin and Lin ZheCheng for reporting CVE-2018-5683. The CVE-2017-15118
and CVE-2017-15119 issues were discovered by Eric Blake (Red Hat) and the
CVE-2017-15124 issue was discovered by Daniel Berrange (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1139507 - wrong data-plane properties via info qtree to check if use iothread
object syntax
1178472 - fail to boot win2012r2 guest with
hv_relaxed&hv_vapic&hv_spinlocks=0x1fff&hv_time & -smp 80,cores=2,threads=1,sockets=40
1212715 - qemu-img gets wrong actual path of backing file when the file name
contains colon
1213786 - qemu-img doesn't check if base image exists when size parameter
1285044 - migration/RDMA: Race condition
1305398 - [RFE] PAPR Hash Page Table (HPT) resizing (qemu-kvm-rhev)
1320114 - qemu prompt "main-loop: WARNING: I/O thread spun for 1000
iterations" when block mirror from format qcow2 to raw
1344299 - PCIe: Add an option to PCIe ports to disable IO port space support
1372583 - Keyboard can't be used when install rhel7 in guest which has SATA
CDROM and spice+qxl mode sometimes
1378241 - QEMU image file locking
1390346 - PCI: Reserve MMIO space over 4G for PCI hotplug
1390348 - PCI: Provide to libvirt a new query command whether a device is
1398633 - [RFE] Kernel address space layout randomization [KASLR] support
1406803 - RFE: native integration of LUKS and qcow2
1414049 - [RFE] Add support to qemu-img for resizing with preallocation
1433670 - Provide an API that estimates the size of QCOW2 image converted from
a raw image
1434321 - [Q35] code 10 error when install VF in windows 2016
1437113 - PCIe: Allow configuring Generic PCIe Root Ports MMIO Window
1441460 - 'query-block' dirty bitmap count is shown in sectors but
documented in bytes
1441684 - Re-enable op blocker assertions
1441938 - When boot windows guest with two numa nodes and pc-dimm assigned to
the second node, the dimm cannot be recognized by the guest
1443877 - All the memory was assigned to the last node when guest booted up
with 128 nodes
1445834 - Add support for AMD EPYC processors
1446565 - Some keys are missing when using fr-ca keyboard layout with VNC
1447258 - Fail to create internal snapshot with data plane enable
1447413 - RFE: provide a secure way to pass cookies to curl block driver
1448344 - Failed to hot unplug cpu core which hotplugged in early boot stages
1449067 - [RFE] Device passthrough support for VT-d emulation
1449609 - qemu coredump when dd on multiple usb-storage devices concurrently in
1449991 - [rhel7.4][usb-hub]usb kdb doesn't work under 2 tier usb hubs with
xhci contronnler for win2016 guest
1451015 - Qemu core dump when do 'quit ' in HMP via ide drive.
1451189 - Add way to select qemu-xhci / nec-usb-xhci device only
1451269 - Clarify the relativity of backing file and created image in
"qemu-img create"
1453167 - [PPC] [Hot unplug CPU] Failed to hot unplug after migration
1454362 - QEMU fails to report error when requesting migration bind to
"::" when ipv6 disabled
1454367 - QEMU fails to reject IPv4 connections when IPv4 listening is disabled
1455074 - qemu core dump when continuouly hotplug/unplug virtserialport and
virito-serial-pci in a loop
1457662 - Windows guest cannot boot with interrupt remapping (VT-d)
1459906 - The guest with intel-iommu device enabled can not restore after
1459945 - migration fails with hungup serial console reader on -M
pc-i440fx-rhel7.0.0 and pc-i440fx-rhel7.1.0
1460119 - qemu gets SIGABRT when hot-plug nvdimm device twice
1460595 - [virtio-vga]Display 2 should be dropped when guest reboot
1460848 - RFE: Enhance qemu to support freeing memory before exit when using
1462145 - Qemu crashes when all fw_cfg slots are used
1463172 - [Tracing] capturing trace data failed
1464908 - [RFE] Add SCSI-3 PR support to qemu (similar to mpathpersist)
1465799 - When do migration from RHEL7.4 host to RHEL7.3.Z host, dst host
prompt "error while loading state for instance 0x0 of device 'spapr_pci'"
1468260 - vhost-user/iommu: crash when backend disconnects
1470634 - Wrong allocation value after virDomainBlockCopy() (alloc=capacity)
1472756 - Keys to control audio are not forwarded to the guest
1474464 - Unable to send PAUSE/BREAK to guests in VNC or SPICE
1475634 - Requires for the seabios version that support vIOMMU of virtio
1476121 - Unable to start vhost if iommu_platform=on but intel_iommu=on not
specified in guest
1481593 - Boot guest failed with "src/central_freelist.cc:333] tcmalloc:
allocation failed 196608" when 465 disks are attached to 465 pci-bridges
1482478 - Fail to quit source qemu when do live migration after mirroring guest
to NBD server
1486400 - CVE-2017-13711 Qemu: Slirp: use-after-free when sending response
1486560 - CVE-2017-13672 Qemu: vga: OOB read access during display update
1486588 - CVE-2017-13673 Qemu: vga: reachable assert failure during display
1489670 - Hot-unplugging a vhost network device leaks references to
1489800 - q35/ovmf: Machine type compat vs OVMF vs windows
1491909 - IP network can not recover after several vhost-user reconnect
1492178 - Non-top-level change-backing-file causes assertion failure
1492295 - Guest hit call trace with iothrottling(iops) after the status from
stop to cont during doing io testing
1495090 - Transfer a file about 10M failed from host to guest through spapr-vty
1495456 - Update downstream qemu's max supported cpus for pseries to the
RHEL supported number
1496879 - CVE-2017-15268 Qemu: I/O: potential memory exhaustion via websock
connection to VNC
1497120 - migration+new block migration race: bdrv_co_do_pwritev: Assertion
`!(bs->open_flags & 0x0800)' failed
1497137 - Update kvm_stat
1497740 - -cdrom option is broken
1498042 - RFE: option to mark virtual block device as rotational/non-rotational
1498496 - Handle device tree changes in QEMU 2.10.0
1498754 - Definition of HW_COMPAT_RHEL7_3 is not correct
1498817 - Vhost IOMMU support regression since qemu-kvm-rhev-2.9.0-16.el7_4.5
1498865 - There is no switch to build qemu-kvm-rhev or qemu-kvm-ma packages
1499011 - 7.5: x86 machine types for 7.5
1499647 - qemu miscalculates guest RAM size during HPT resizing
1500181 - [Q35] guest boot up failed with ovmf
1500334 - LUKS driver has poor performance compared to in-kernel driver
1501240 - Enable migration device
1501337 - Support specialized spapr-dr-connector devices
1501468 - Remove RHEL-7.4 machine machine type in 7.5 release
1502949 - Update configure parameters to cover changes in 2.10.0
1505654 - Missing libvxhs share-able object file when try to query vxhs
1505696 - Qemu crashed when open the second display of virtio video
1505701 - -blockdev fails if a qcow2 image has backing store format and backing
store is referenced via node-name
1506151 - [data-plane] Quitting qemu in destination side encounters "core
dumped" when doing live migration
1506531 - [data-plane] Qemu-kvm core dumped when hot-unplugging a block device
with data-plane while the drive-mirror job is running
1506882 - Call trace showed up in dmesg after migrating guest when
"stress-ng --numa 2" was running inside guest
1507693 - Unable to hot plug device to VM reporting libvirt errors.
1508271 - Migration is failed from host RHEL7.4.z to host RHEL7.5 with
"-machine pseries-rhel7.4.0 -device pci-bridge,id=pci_bridge,bus=pci.0,addr=03,chassis_nr=1"
1508799 - qemu-kvm core dumped when doing 'savevm/loadvm/delvm' for the
second time
1508886 - QEMU's AIO subsystem gets stuck inhibiting all I/O operations on
virtio-blk-pci devices
1510809 - qemu-kvm core dumped when booting up guest using both virtio-vga and
1511312 - Migrate an VM with pci-bridge or pcie-root-port failed
1513870 - For VNC connection, characters '|' and '<' are
both recognized as '>' in linux guests, while '<' and '>' are both recognized as '|' in windows guest
1515173 - Cross migration from rhel6.9 to rhel7.5 failed
1515393 - bootindex is not taken into account for virtio-scsi devices on ppc64
if the LUN is >= 256
1515604 - qemu-img info: failed to get "consistent read" lock on a
mirroring image
1516922 - CVE-2017-15118 Qemu: stack buffer overflow in NBD server triggered
via long export name
1516925 - CVE-2017-15119 qemu: DoS via large option request
1517144 - Provide a ppc64le specific /etc/modprobe.d/kvm.conf
1518482 - "share-rw" property is unavailable on scsi passthrough
1518649 - Client compatibility flaws in VNC websockets server
1519721 - Both qemu and guest hang when performing live snapshot transaction
with data-plane
1520294 - Hot-unplug the second pf cause qemu promote " Failed to remove
group $iommu_group_num from KVM VFIO device:"
1520824 - Migration with dataplane, qemu processor hang, vm hang and migration
can't finish
1523414 - [POWER guests] Verify compatible CPU & hypervisor capabilities
across migration
1525195 - CVE-2017-15124 Qemu: memory exhaustion through framebuffer update
request message in VNC server
1525324 - 2 VMs both with 'share-rw=on' appending on '-device
usb-storage' for the same source image can not be started at the same time
1525868 - Guest hit core dump with both IO throttling and data plane
1526212 - qemu-img should not need a write lock for creating the overlay image
1526423 - QEMU hang with data plane enabled after some sg_write_same operations
in guest
1528173 - Hot-unplug memory during booting early stage induced qemu-kvm
1529053 - Miss the handling of EINTR in the fcntl calls made by QEMU
1529243 - Migration from P9 to P8, migration failed and qemu quit on dst end
with "error while loading state for instance 0x0 of device 'ics'"
1529676 - kvm_stat: option '--guest' doesn't work
1530356 - CVE-2018-5683 Qemu: Out-of-bounds read in vga_draw_text routine
1534491 - Mirror jobs for drives with iothreads make QEMU to abort with
"block.c:1895: bdrv_attach_child: Assertion `bdrv_get_aio_context(parent_bs) == bdrv_get_aio_context(child_bs)' failed."
1535752 - Device tree incorrectly advertises compatibility modes for secondary
1535992 - Set force shared option "-U" as default option for
"qemu-img info"
1538494 - Guest crashed on the source host when cancel migration by
virDomainMigrateBegin3Params sometimes
1538953 - IOTLB entry size mismatch before/after migration during DPDK PVP
1540003 - Postcopy migration failed with "Unreasonably large packaged
1540182 - QEMU: disallow virtio-gpu to boot with vIOMMU
1542045 - qemu-kvm-rhev seg-faults at qemu_co_queue_run_restart
(co=co@entry=0x5602801e8080) at util/qemu-coroutine-lock.c:83)

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:




These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
Version: GnuPG v1


RHSA-announce mailing list
Pro-Linux @Twitter
Neue Nachrichten