Synopsis: Moderate: qemu-kvm security and bug fix update
Advisory ID: SLSA-2014:0927-1
Issue Date: 2014-07-23
CVE Numbers: CVE-2013-4148, CVE-2013-4151, CVE-2013-6399, CVE-2013-4542, CVE-2013-4541, CVE-2013-4535, CVE-2013-4536, CVE-2014-0182, CVE-2014-3461, CVE-2013-4149, CVE-2013-4150, CVE-2013-4527, CVE-2013-4529, CVE-2014-0222, CVE-2014-0223
—
Two integer overflow flaws were found in the QEMU block driver for QCOW
version 1 disk images. A user able to alter the QEMU disk image files
loaded by a guest could use either of these flaws to corrupt QEMU process
memory on the host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.
(CVE-2014-0222, CVE-2014-0223)

Multiple buffer overflow, input validation, and out-of-bounds write flaws
were found in the way the virtio, virtio-net, virtio-scsi, usb, and hpet
drivers of QEMU handled state loading after migration. A user able to
alter the savevm data (either on the disk or over the wire during
migration) could use any of these flaws to corrupt QEMU process memory
on the (destination) host, which could potentially result in arbitrary
code execution on the host with the privileges of the QEMU process.
(CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151,
CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541,
CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461)

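Both classes of flaw above share one root cause: a size or count field that an attacker controls (a header field in an on-disk image, or a record length in a migration stream) is used to size an allocation or a copy without first being checked. The following C program is an added illustration and is not QEMU's code; the header layout, the state-record layout, the field names and the limits (MIN/MAX_*_BITS, MAX_IMAGE_BYTES, DEV_MAX_ENTRIES) are all constructed for the example. It shows the unchecked size computation that wraps to zero beside a checked version that rejects out-of-range fields, and a state loader that validates the count against both the fixed capacity and the bytes actually present before copying.

```c
/* Added illustration, not QEMU's code: validating untrusted size fields from
 * a disk-image header or a migration stream before they drive allocation or
 * copying. All structures, names and limits are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical image header carrying attacker-controlled shift widths. */
struct img_header {
    uint32_t cluster_bits;  /* cluster size   = 1 << cluster_bits  */
    uint32_t l2_bits;       /* L2 table slots = 1 << l2_bits       */
    uint64_t size;          /* image size in bytes                 */
};

/* Limits chosen for the example so every derived value fits in 64 bits. */
#define MIN_CLUSTER_BITS 9
#define MAX_CLUSTER_BITS 16
#define MIN_L2_BITS      9
#define MAX_L2_BITS      16
#define MAX_IMAGE_BYTES  ((uint64_t)1 << 40)

/* The unchecked pattern: with l2_bits = 61 the multiplication wraps modulo
 * 2^64 to 0, so a later allocation of "0 bytes" is overrun by table writes.
 * (Only defined for l2_bits < 64; kept here purely as the shape to avoid.) */
uint64_t l2_table_bytes_unchecked(const struct img_header *h) {
    uint64_t entries = (uint64_t)1 << h->l2_bits;
    return entries * sizeof(uint64_t);
}

/* The checked pattern: range-check every field before it feeds arithmetic,
 * then guard the multiplication itself. Returns false on a malformed header. */
bool l2_table_bytes_checked(const struct img_header *h, uint64_t *out) {
    if (h->cluster_bits < MIN_CLUSTER_BITS || h->cluster_bits > MAX_CLUSTER_BITS)
        return false;
    if (h->l2_bits < MIN_L2_BITS || h->l2_bits > MAX_L2_BITS)
        return false;
    if (h->size > MAX_IMAGE_BYTES)
        return false;
    uint64_t entries = (uint64_t)1 << h->l2_bits;
    if (entries > UINT64_MAX / sizeof(uint64_t))   /* cannot trigger within limits */
        return false;
    *out = entries * sizeof(uint64_t);
    return true;
}

/* Hypothetical device-state record from a migration stream: a 32-bit count
 * followed by that many 32-bit entries (host byte order, for the example). */
#define DEV_MAX_ENTRIES 8

struct dev_state {
    uint32_t nentries;
    uint32_t entries[DEV_MAX_ENTRIES];
};

/* Returns true if the record was loaded, false if it is malformed. The
 * count from the wire is checked against the fixed capacity of the
 * destination and against the bytes actually available before any copy. */
bool load_dev_state(const uint8_t *buf, size_t len, struct dev_state *st) {
    uint32_t n;
    if (len < sizeof n)
        return false;
    memcpy(&n, buf, sizeof n);
    if (n > DEV_MAX_ENTRIES)                       /* would overrun st->entries */
        return false;
    size_t need = sizeof n + (size_t)n * sizeof(uint32_t);
    if (need > len)                                /* truncated record */
        return false;
    st->nentries = n;
    memcpy(st->entries, buf + sizeof n, (size_t)n * sizeof(uint32_t));
    return true;
}

int main(void) {
    struct img_header bad = { 12, 61, (uint64_t)1 << 30 };
    uint64_t bytes = 0;
    printf("unchecked size for l2_bits=61: %llu (wrapped)\n",
           (unsigned long long)l2_table_bytes_unchecked(&bad));
    printf("checked accepts header: %s\n",
           l2_table_bytes_checked(&bad, &bytes) ? "yes" : "no");

    uint8_t rec[16];
    uint32_t bogus = 1000000;                      /* constructed hostile count */
    memcpy(rec, &bogus, sizeof bogus);
    struct dev_state st;
    printf("loader accepts record with count 1000000: %s\n",
           load_dev_state(rec, sizeof rec, &st) ? "yes" : "no");
    return 0;
}
```

The same discipline applies to any field read from an image or a migration stream: validate it against an explicit maximum first, derive sizes only from validated values, and check that the input actually contains the bytes a count promises before copying them.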
This update also fixes the following bugs:

* Previously, QEMU did not free pre-allocated zero clusters correctly, and
under some circumstances the clusters leaked. With this update,
pre-allocated zero clusters are freed appropriately and the cluster leaks
no longer occur.

* Prior to this update, the QEMU command interface did not properly handle
resizing of cache memory during guest migration, causing QEMU to terminate
unexpectedly with a segmentation fault. This update fixes the related code,
and QEMU no longer crashes in the described situation.

* Previously, when a guest device was hot unplugged, QEMU correctly
removed the corresponding file descriptor watch but did not re-create it
after the device was re-connected. As a consequence, the guest became
unable to receive any data from the host over this device. With this
update, the file descriptor’s watch is re-created and the guest in the
above scenario can communicate with the host as expected.

* Previously, the QEMU migration code did not account for the gaps caused
by hot unplugged devices and thus expected more memory to be transferred
during migrations. As a consequence, guest migration failed to complete
after multiple devices were hot unplugged. In addition, the migration info
text displayed erroneous values for the “remaining ram” item. With this
update, QEMU correctly calculates memory after a device has been unplugged,
and any subsequent guest migrations proceed as expected.

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.
—
– Scientific Linux Development Team