Bug 1358359 (CVE-2016-5403)

Summary: CVE-2016-5403 Qemu: virtio: unbounded memory allocation on host via guest leading to DoS
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alonbl, aortega, apevec, areis, ayoung, bmcclain, c.hendrickson09, chrisw, cvsbot-xmlrpc, dblechte, furlongm, gklein, gmollett, jen, jschluet, kamfonik, kbasil, knoel, lhh, lpeer, markmc, mgoldboi, michal.skrivanek, mkenneth, moshele, mrezanin, mst, pbonzini, ppandit, rbalakri, rbryant, sclewis, security-response-team, sherold, slong, sparks, srevivo, tdecacqu, virt-maint, wmealing, ykaul, ylavi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Quick Emulator (QEMU) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Because processing each request allocates a VirtQueueElement, this results in unbounded memory allocation on the host, controlled by the guest.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-15 04:37:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1359723, 1359724, 1359725, 1359726, 1359727, 1359728, 1359729, 1359731, 1359733, 1359742, 1359743, 1359744, 1359745, 1359747, 1360830, 1360831, 1363573, 1363574
Bug Blocks: 1357541, 1366416
Attachments:
Description Flags
CVE-2016-5403 patch none

Description Martin Prpič 2016-07-20 14:56:16 UTC
It was found that a malicious guest user could submit more requests than the virtqueue size permits, resulting in a crash of the host QEMU process.

The guest could submit requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is incorrect but possible. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation controlled by the guest.

Exit with an error if the guest provides more requests than the virtqueue size permits. This bounds memory allocation and makes the buggy guest visible to the user.

Upstream patch
--------------
  -> git.qemu.org/?p=qemu.git;a=commit;h=afd9096eb1882f23929f5b5c177898ed231bac66
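The bound that the description above refers to can be modeled in a few lines: a device-side counter of requests that have been popped from the ring but not yet completed, checked against the ring size before each new allocation. The following is an added C illustration written for this page, not QEMU's code and not the attached patch; every `toy_`/`Toy` name, the status codes, the 64-byte element payload and the ring sizes used are assumptions made here. It runs the same "guest posts far more requests than the ring holds, without waiting for completions" scenario once without the bound and once with it.

```c
/* Toy model of virtqueue in-flight accounting. This is an added illustration
 * of the bound described in the bug (a guest cannot legitimately have more
 * than the ring size of requests outstanding), not QEMU's code; all toy_
 * names are invented here. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define TOY_TRACK_LIMIT 4096   /* cap so the unbounded case terminates (assumption) */

enum { TOY_POP_OK = 0, TOY_POP_EMPTY = 1, TOY_POP_SIZE_EXCEEDED = 2 };

typedef struct {
    unsigned head;        /* descriptor index the request starts at */
    char     payload[64]; /* stands in for the per-request state a device keeps */
} ToyElement;

typedef struct {
    unsigned num;         /* ring size (number of descriptors) */
    unsigned inuse;       /* popped but not yet completed: the counter the fix bounds */
    unsigned avail_idx;   /* written by the guest: how many requests it made available */
    unsigned last_avail;  /* consumed by the device */
    bool     enforce;     /* false: pre-fix behaviour, true: bound applied */
} ToyVirtQueue;

/* Device side: take the next available request, allocating state for it. */
static int toy_virtqueue_pop(ToyVirtQueue *vq, ToyElement **out)
{
    if (vq->avail_idx == vq->last_avail)
        return TOY_POP_EMPTY;
    /* The check the fix introduces: each in-flight request must own at least
     * one distinct descriptor, so more than vq->num outstanding requests means
     * the guest is reusing descriptors. QEMU reports "Virtqueue size exceeded"
     * and exits; this model just returns a status. */
    if (vq->enforce && vq->inuse >= vq->num)
        return TOY_POP_SIZE_EXCEEDED;

    ToyElement *e = calloc(1, sizeof *e);
    if (!e)
        abort();
    e->head = vq->last_avail % vq->num;  /* heads wrap: descriptors get reused */
    vq->last_avail++;
    vq->inuse++;
    *out = e;
    return TOY_POP_OK;
}

/* Device side: complete a request and release its state. */
static void toy_virtqueue_push(ToyVirtQueue *vq, ToyElement *e)
{
    vq->inuse--;
    free(e);
}

/* A guest that posts guest_requests requests without waiting for any to
 * complete; the device pops until it cannot. Returns the peak number of
 * elements held at once and, via *status, why popping stopped. */
static unsigned toy_flood(unsigned ring_size, unsigned guest_requests,
                          bool enforce, int *status)
{
    ToyVirtQueue vq = { .num = ring_size, .enforce = enforce };
    static ToyElement *held[TOY_TRACK_LIMIT];
    unsigned count = 0;
    int st = TOY_POP_OK;

    vq.avail_idx = guest_requests;  /* guest bumps avail index, no completions */
    while (count < TOY_TRACK_LIMIT) {
        ToyElement *e = NULL;
        st = toy_virtqueue_pop(&vq, &e);
        if (st != TOY_POP_OK)
            break;
        held[count++] = e;
    }
    if (status)
        *status = st;
    for (unsigned i = 0; i < count; i++)
        toy_virtqueue_push(&vq, held[i]);
    return count;
}

/* Convenience wrappers so each outcome is a single return value. */
static unsigned toy_peak_elements(unsigned ring, unsigned reqs, bool enforce)
{
    return toy_flood(ring, reqs, enforce, NULL);
}

static int toy_stop_reason(unsigned ring, unsigned reqs, bool enforce)
{
    int st;
    toy_flood(ring, reqs, enforce, &st);
    return st;
}

int main(void)
{
    printf("ring=128, 1000 requests, no bound:   held %u elements\n",
           toy_peak_elements(128, 1000, false));
    printf("ring=128, 1000 requests, with bound: held %u elements (status %d)\n",
           toy_peak_elements(128, 1000, true), toy_stop_reason(128, 1000, true));
    return 0;
}
```

Without the bound the device holds one element per posted request (1000 for a 128-entry ring, and in real hardware emulation there is no `TOY_TRACK_LIMIT`); with it the device stops at the ring size and reports the condition, which is what makes the misbehaving guest visible instead of silently consuming host memory. One consequence worth noting from the later comments on this bug: the in-use counter is device-side state that has to be reconstructed consistently with the ring when a VM arrives on a migration destination; comments 17, 22 and 25 below report well-behaved guests stopping with "Virtqueue size exceeded" after live migration, and comment 27 points at the bug opened for that.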

Comment 1 Martin Prpič 2016-07-20 14:56:31 UTC
Acknowledgments:

Name: hongzhenhao (Marvel Team)

Comment 2 Martin Prpič 2016-07-20 14:59:31 UTC
Created attachment 1182139 [details]
CVE-2016-5403 patch

Comment 8 Prasad Pandit 2016-07-27 15:18:21 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1360831]

Comment 9 Prasad Pandit 2016-07-27 15:18:36 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1360830]

Comment 11 Fedora Update System 2016-08-05 20:54:45 UTC
xen-4.6.3-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-08-08 23:53:51 UTC
xen-4.5.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2016-08-09 17:24:56 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2016:1586 https://rhn.redhat.com/errata/RHSA-2016-1586.html

Comment 14 errata-xmlrpc 2016-08-09 17:54:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1585 https://rhn.redhat.com/errata/RHSA-2016-1585.html

Comment 15 errata-xmlrpc 2016-08-11 19:08:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1606 https://rhn.redhat.com/errata/RHSA-2016-1606.html

Comment 16 errata-xmlrpc 2016-08-12 14:12:26 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-7

Via RHSA-2016:1607 https://rhn.redhat.com/errata/RHSA-2016-1607.html

Comment 17 Marcus Furlong 2016-08-17 06:42:23 UTC
This update seems to cause an issue with live-migration in OpenStack.

After installing this update, I'm seeing the exact same issue as described here:

   https://www.redhat.com/archives/libvir-list/2016-August/msg00406.html

Comment 18 errata-xmlrpc 2016-08-23 06:15:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2016:1655 https://rhn.redhat.com/errata/RHSA-2016-1655.html

Comment 19 errata-xmlrpc 2016-08-23 06:16:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2016:1654 https://rhn.redhat.com/errata/RHSA-2016-1654.html

Comment 20 errata-xmlrpc 2016-08-23 06:17:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2016:1653 https://rhn.redhat.com/errata/RHSA-2016-1653.html

Comment 21 errata-xmlrpc 2016-08-23 06:18:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2016:1652 https://rhn.redhat.com/errata/RHSA-2016-1652.html

Comment 22 Corbin Hendrickson 2016-08-23 22:08:46 UTC
We're also seeing the issue described here: https://www.redhat.com/archives/libvir-list/2016-August/msg00406.html

If you guys would prefer this submitted in another bug report or elsewhere please let me know, but we're for sure affected by qemu exiting upon live migrating.

Comment 23 errata-xmlrpc 2016-08-24 05:10:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2016:1756 https://rhn.redhat.com/errata/RHSA-2016-1756.html

Comment 24 errata-xmlrpc 2016-08-24 13:10:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2016:1763 https://rhn.redhat.com/errata/RHSA-2016-1763.html

Comment 25 Laura Kamfonik 2016-08-26 15:29:23 UTC
We're seeing the same issue reported above with guest shutdown with "Virtqueue size exceeded" after migration.

Comment 26 Marcus Furlong 2016-08-27 08:20:34 UTC
Should a new bug be opened about this patch breaking live migration?

Comment 27 Laura Kamfonik 2016-08-31 14:03:51 UTC
For those following this for the live migration issue, a new bug has been opened:
https://bugzilla.redhat.com/show_bug.cgi?id=1371943

Comment 28 errata-xmlrpc 2016-09-27 16:05:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:1943 https://rhn.redhat.com/errata/RHSA-2016-1943.html

Comment 29 Wade Mealing 2016-11-02 05:20:40 UTC
I will needinfo Prasad J Pandit as he has done the investigation. It might be best to lodge a ticket in parallel with support to get this resolved faster.

Thanks.

Wade Mealing

Comment 30 Prasad Pandit 2016-11-23 11:24:31 UTC
(In reply to Marcus Furlong from comment #26)
> Should a new bug be opened about this patch breaking live migration?

  Yes, opening another bug was the right thing to do. I see that a fix has been shipped and others are in queue.

Thank you.