qemu-kvm (SL7)

Synopsis: Important: qemu-kvm security, bug fix, and enhancement update
Advisory ID: SLSA-2015:0349-1
Issue Date: 2015-03-05
CVE Numbers: CVE-2014-3640

It was found that the Cirrus blit region checks were insufficient. A
privileged guest user could use this flaw to write outside of VRAM-
allocated buffer boundaries in the host’s QEMU process address space with
attacker-provided data. (CVE-2014-8106)

An uninitialized data structure use flaw was found in the way the
set_pixel_format() function sanitized the value of bits_per_pixel. An
attacker able to access a guest’s VNC console could use this flaw to crash
the guest. (CVE-2014-7815)

It was found that certain values that were read when loading RAM during
migration were not validated. A user able to alter the savevm data (either
on the disk or over the wire during migration) could use either of these
flaws to corrupt QEMU process memory on the (destination) host, which
could potentially result in arbitrary code execution on the host with the
privileges of the QEMU process. (CVE-2014-7840)

A NULL pointer dereference flaw was found in the way QEMU handled UDP
packets with a source port and address of 0 when QEMU’s user networking
was in use. A local guest user could use this flaw to crash the guest.

Bug fixes:

* The KVM utility executed demanding routing update system calls every
time it performed an MSI vector mask/unmask operation. Consequently,
guests running legacy systems such as Scientific Linux 5 could, under
certain circumstances, experience significant slowdown. Now, the routing
system calls during mask/unmask operations are skipped, and the
performance of legacy guests is now more consistent.

* Due to a bug in the Internet Small Computer System Interface (iSCSI)
driver, a qemu-kvm process terminated unexpectedly with a segmentation
fault when the “write same” command was executed in guest mode under the
iSCSI protocol. This update fixes the bug, and the “write same” command
now functions in guest mode under iSCSI as intended.

* The QEMU command interface did not properly handle resizing of cache
memory during guest migration, causing QEMU to terminate unexpectedly with
a segmentation fault. This update fixes the related code, and QEMU no
longer crashes in the described situation.


* The maximum number of supported virtual CPUs (vCPUs) in a KVM guest has
been increased to 240. This increases the number of virtual processing
units that the user can assign to the guest, and therefore improves its
performance potential.

* Support for the 5th Generation Intel Core processors has been added to
the QEMU hypervisor, the KVM kernel code, and the libvirt API. This allows
KVM guests to use the following instructions and features: ADCX, ADOX,
RDSFEED, PREFETCHW, and supervisor mode access prevention (SMAP).

* The “dump-guest-memory” command now supports crash dump compression.
This makes it possible for users who cannot use the “virsh dump” command
to require less hard disk space for guest crash dumps. In addition, saving
a compressed guest crash dump frequently takes less time than saving a
non-compressed one.


– Scientific Linux Development Team