Bug 678559

Summary: Disallow 0-sized writes to virtio ports to go through to host (leading to VM crash) [rhel-6.0.z]
Product: Red Hat Enterprise Linux 6 Reporter: RHEL Program Management <pm-rhel>
Component: kernelAssignee: Frantisek Hrbata <fhrbata>
Status: CLOSED ERRATA QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: high Docs Contact:
Priority: medium    
Version: 6.1CC: akong, amit.shah, dhoward, gyue, llim, plyons, pm-eus, tburke, virt-maint
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel-2.6.32-71.19.1.el6 Doc Type: Bug Fix
Doc Text:
Prior to this update, user space could submit (using the write() operation) a buffer with zero length to be written to the host, causing the qemu hypervisor instance running on that host to crash. This was caused by the write() operation triggering a virtqueue event on the host, causing a NULL buffer to be accessed. With this update, user space is no longer allowed to submit zero-sized buffers and the aforementioned crash no longer occur.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-08 02:59:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 635535    
Bug Blocks:    

Description RHEL Program Management 2011-02-18 12:29:56 UTC 
This bug has been copied from bug #635535 and has been proposed
to be backported to 6.0 z-stream (EUS).
Comment 4 Amos Kong 2011-03-21 07:31:28 UTC 
Bug exists in kernel-2.6.32-71.18.2.el6, and could not reproduced in kernel-2.6.32-71.19.1.el6.
So moving to VERIFIED.
Comment 5 errata-xmlrpc 2011-04-08 02:59:40 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0421.html
Comment 6 Martin Prpič 2011-04-12 12:41:25 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Prior to this update, user space could submit (using the write() operation) a buffer with zero length to be written to the host, causing the qemu hypervisor instance running on that host to crash. This was caused by the write() operation triggering a virtqueue event on the host, causing a NULL buffer to be accessed. With this update, user space is no longer allowed to submit zero-sized buffers and the aforementioned crash no longer occur.