group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #12653
[Bug 1647389] Re: Regression: Live migrations can still crash after CVE-2016-5403 fix
This bug was fixed in the package qemu - 2.0.0+dfsg-2ubuntu1.33
---------------
qemu (2.0.0+dfsg-2ubuntu1.33) trusty-security; urgency=medium
* SECURITY UPDATE: DoS via 6300esb unplug operations
- debian/patches/CVE-2016-10155.patch: add exit function in
hw/watchdog/wdt_i6300esb.c.
- CVE-2016-10155
* SECURITY UPDATE: DoS in JAZZ RC4030 chipset emulation
- debian/patches/CVE-2016-8667.patch: limit interval timer reload value
in hw/dma/rc4030.c.
- CVE-2016-8667
* SECURITY UPDATE: DoS in 16550A UART emulation
- debian/patches/CVE-2016-8669.patch: check divider value against baud
base in hw/char/serial.c.
- CVE-2016-8669
* SECURITY UPDATE: privilege escalation via ioreq handling
- debian/patches/CVE-2016-9381.patch: avoid double fetches and add
bounds checks to xen-all.c.
- CVE-2016-9381
* SECURITY UPDATE: host filesystem access via virtFS
- debian/patches/CVE-2016-9602-*.patch: don't follow symlinks in
hw/9pfs/*.
- CVE-2016-9602
* SECURITY UPDATE: arbitrary code execution via Cirrus VGA
- debian/patches/CVE-2016-9603.patch: remove bitblit support from
console code in hw/display/cirrus_vga.c, include/ui/console.h,
ui/console.c, ui/vnc.c.
- CVE-2016-9603
* SECURITY UPDATE: infinite loop in ColdFire Fast Ethernet Controller
- debian/patches/CVE-2016-9776.patch: check receive buffer size
register value in hw/net/mcf_fec.c.
- CVE-2016-9776
* SECURITY UPDATE: DoS via memory leak in USB redirector
- debian/patches/CVE-2016-9907.patch: properly free memory in
hw/usb/redirect.c.
- CVE-2016-9907
* SECURITY UPDATE: DoS via memory leak in USB EHCI Emulation
- debian/patches/CVE-2016-9911.patch: properly free memory in
hw/usb/hcd-ehci.c.
- CVE-2016-9911
* SECURITY UPDATE: DoS via virtFS
- debian/patches/CVE-2016-9913.patch: adjust the order of resource
cleanup in hw/9pfs/virtio-9p-device.c.
- CVE-2016-9913
* SECURITY UPDATE: DoS via virtFS
- debian/patches/CVE-2016-9914-*.patch: add cleanup operations to
fsdev/file-op-9p.h, hw/9pfs/virtio-9p-device.c.
- CVE-2016-9914
* SECURITY UPDATE: DoS via virtFS
- debian/patches/CVE-2016-9915.patch: add cleanup operation to
hw/9pfs/virtio-9p-handle.c.
- CVE-2016-9915
* SECURITY UPDATE: DoS via virtFS
- debian/patches/CVE-2016-9916.patch: add cleanup operation to
hw/9pfs/virtio-9p-proxy.c.
- CVE-2016-9916
* SECURITY UPDATE: DoS in Cirrus VGA
- debian/patches/CVE-2016-9921-9922.patch: check bpp values in
hw/display/cirrus_vga.c.
- CVE-2016-9921
- CVE-2016-9922
* SECURITY UPDATE: code execution via Cirrus VGA
- debian/patches/CVE-2017-2615.patch: fix oob access in
hw/display/cirrus_vga.c.
- CVE-2017-2615
* SECURITY UPDATE: code execution via Cirrus VGA
- debian/patches/CVE-2017-2620-pre.patch: add extra parameter to
blit_is_unsafe in hw/display/cirrus_vga.c.
- debian/patches/CVE-2017-2620.patch: add blit destination check to
hw/display/cirrus_vga.c.
- CVE-2017-2620
* SECURITY UPDATE: memory corruption issues in VNC
- debian/patches/CVE-2017-2633.patch: properly handle surface sizes in
ui/vnc.c, ui/vnc.h.
- CVE-2017-2633
* SECURITY UPDATE: DoS via memory leak in ac97 audio device
- debian/patches/CVE-2017-5525.patch: add exit function to
hw/audio/ac97.c.
- CVE-2017-5525
* SECURITY UPDATE: DoS via memory leak in es1370 audio device
- debian/patches/CVE-2017-5526.patch: add exit function to
hw/audio/es1370.c.
- CVE-2017-5526
* SECURITY UPDATE: DoS via memory leak in 16550A UART emulation
- debian/patches/CVE-2017-5579.patch: properly free resources in
hw/char/serial.c.
- CVE-2017-5579
* SECURITY UPDATE: code execution via SDHCI device emulation
- debian/patches/CVE-2017-5667.patch: check data length in
hw/sd/sdhci.c.
- CVE-2017-5667
* SECURITY UPDATE: DoS via memory leak in MegaRAID SAS device
- debian/patches/CVE-2017-5856.patch: properly handle memory in
hw/scsi/megasas.c.
- CVE-2017-5856
* SECURITY UPDATE: DoS in CCID Card device
- debian/patches/CVE-2017-5898.patch: check ccid apdu length in
hw/usb/dev-smartcard-reader.c.
- CVE-2017-5898
* SECURITY UPDATE: DoS via infinite loop in USB xHCI controller emulator
- debian/patches/CVE-2017-5973.patch: apply limits to loops in
hw/usb/hcd-xhci.c, trace-events.
- CVE-2017-5973
* SECURITY UPDATE: DoS via infinite loop in SDHCI device emulation
- debian/patches/CVE-2017-5987-*.patch: fix transfer mode register
handling in hw/sd/sdhci.c.
- CVE-2017-5987
* SECURITY UPDATE: DoS via infinite loop in USB OHCI emulation
- debian/patches/CVE-2017-6505.patch: limit the number of link eds in
hw/usb/hcd-ohci.c.
- CVE-2017-6505
* A work-around to fix live migrations (LP: #1647389)
- debian/patches/CVE-2016-5403-5.patch: fix vq->inuse recalc after
migration in hw/virtio/virtio.c.
- debian/patches/CVE-2016-5403-6.patch: make sure vdev->vq[i].inuse
never goes below 0 in hw/virtio/virtio.c.
-- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx> Wed, 05 Apr 2017
11:59:07 -0400
** Changed in: qemu (Ubuntu)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-2633
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1647389
Title:
Regression: Live migrations can still crash after CVE-2016-5403 fix
Status in qemu package in Ubuntu:
Fix Released
Status in qemu source package in Xenial:
Fix Released
Bug description:
[Impact]
* Libvirt migrations using tunnelled libvirt cause a failure to
migrate on the destination with error VQ 2 size 0x80 < last_avail_idx
0x9 - used_idx 0xa
* TBD: justification for backporting the fix to the stable release.
* TBD: In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
1. Create a VM on shared storage solution. In my case NFS.
2. set start_libvirtd="yes" in /etc/default/libvirt-bin
3. systemctl restart libvirt-bin
4. virsh dommemstat 1 <vm>
4. virsh -c qemu+ssh://${FROM}/system migrate --live --p2p --tunnelled ${VM} qemu+tcp://ubuntu@${TO}/system
5. Repeat until failure to migrate, then check /var/log/libvirt/qemu/<vm>.log for error from above.
* Yes --live, --p2p, and --tunnelled are all required to reproduce
afaik.
[Regression Potential]
TBD
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
TBD
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
___________________ Original Description follows _____________________
See updates at the end of #1612089. Sample error message:
Dec 05 14:41:07 zbk130713 libvirtd[29690]: internal error: early end of file from monitor, possible problem:
2016-12-05T14:41:07.903932Z qemu-system-x86_64: VQ 2 size 0x80 < last_avail_idx 0x9 - used_idx 0xa
2016-12-05T14:41:07.903981Z qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:05.0/virtio-balloon'
2016-12-05T14:41:07.905180Z qemu-system-x86_64: load of migration failed: Operation not permitted
Seems related to this patch series:
https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg03079.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1647389/+subscriptions
