4.81. kvm

BZ#802429

An accounting error in the I/O thread subsystem in QEMU could, under certain circumstances, lead to I/O stalls on the guest. This would typically cause the guest to become unresponsive. With this update, the accounting error has been corrected, and I/O stalls no longer occur in this scenario.

BZ#814096

Under certain circumstances, the qemu-kvm utility tried to invalidate an incorrect physical memory block, which resulted in qemu-kvm to terminate unexpectedly with a segmentation fault. The code has been fixed and the crashes no longer occur.

BZ#684745

Previously, when an I/O error occurred on a KVM host, the guest running on it became paused. After the guest was migrated to another host, the guest could not be properly resumed. Consequently, it was impossible to log in to the guest via SSH or a console. This bug has been fixed and migrated guests can now be resumed as expected.

BZ#782631

Due to an accounting error in the QEMU I/O thread subsystem, I/O delays were occurring on guests, which were observed as unresponsive for the time of the delay. This bug has been fixed and the delays no longer occur.

BZ#805676

Due to an incompatibility between previously used encryption modes and FIPS mode, it was impossible to start KVM guests when running kernel in FIPS mode. With this update, VNC password authentication is disabled when the host system is operating in FIPS mode, and QEMU exits and returns an error message if it is configured to run as a password-authenticated VNC server. If QEMU is configured to run as an unauthenticated VNC server, it will work as expected.

BZ#838466

Previously, the typeperf command of the virtualized Microsoft Windows Server 2008 Service Pack 2 for the x86 architecture with the SQL Server 2005 Service Pack 3 installed returned an invalid value for the Processor Time. This bug has been fixed and typeperf now returns a correct value.

BZ#761350

Previously, a simple counter was used to track GSIs (Global System Interrupts) that were given to devices. Consequently, when a hot plug or unplug operation was performed approximately 30 times on certain Ethernet controllers in a Microsoft Windows Server 2008 guest on the AMD64 and Intel 64 architectures, the controller driver returned a large number of error messages on incorrectly deallocated MSI-X table entries. This update uses a bitmap to track GSIs and the errors no longer occur.

BZ#843683

Previously, KVM did not provide receive overrun status information, which is used for virtual serial devices. Consequently, virtual machines using a serial console redirection became unresponsive on startup. This update implements receive overrun status and the hangs no longer occur.

BZ#829040

Due to a coding bug, the masking in the device assignment function was invalid. Consequently, the KVM device assignment bridge test could break virtual function of certain devices that implement BAR (Base Address Register) resources. This bug has been fixed and the test now works as expected.

BZ#781922

Under certain circumstances, implementation of the Realtek 8139 Ethernet driver allowed the qemu-kvm utility to attempt to allocate unlimited buffer size. If it happened, qemu-kvm terminated unexpectedly with a glib error, unable to allocate such a buffer. This update limits the transmission buffer size of the driver, thus fixing this bug.

BZ#819413

Previously, it was possible to shut down a guest using the system_powerdown command even if the "-no-shutdown" option was specified on the command line. This bug has been fixed and "-no-shutdown" is now handled properly.

Security Fixes

CVE-2012-1601

A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host.

CVE-2012-2121

A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host.

BZ#816207

An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver.

Security Fix

CVE-2012-3515

A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.

This flaw did not affect the default use of KVM. Affected configurations were:

* When guests were started from the command line ("/usr/libexec/qemu-kvm"), and without specifying a serial or parallel device that specifically does not use a virtual console (vc) back-end. (Note that Red Hat does not support invoking "qemu-kvm" from the command line on Red Hat Enterprise Linux 5.)

* Guests that were managed via libvirt, such as when using Virtual Machine Manager (virt-manager), but that have a serial or parallel device that uses a virtual console back-end. By default, guests managed via libvirt will not use a virtual console back-end for such devices.