Bug 1358359 (CVE-2016-5403) - CVE-2016-5403 Qemu: virtio: unbounded memory allocation on host via guest leading to DoS
Summary: CVE-2016-5403 Qemu: virtio: unbounded memory allocation on host via guest lea...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-5403
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1359723 1359724 1359725 1359726 1359727 1359728 1359729 1359731 1359733 1359742 1359743 1359744 1359745 1359747 1360830 1360831 1363573 1363574
Blocks: 1357541 1366416
TreeView+ depends on / blocked
 
Reported: 2016-07-20 14:56 UTC by Martin Prpič
Modified: 2019-09-29 13:53 UTC (History)
42 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Quick Emulator (QEMU) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement results in unbounded memory allocation on the host controlled by the guest.
Clone Of:
Environment:
Last Closed: 2016-12-15 04:37:12 UTC


Attachments (Terms of Use)
CVE-2016-5403 patch (546 bytes, text/plain)
2016-07-20 14:59 UTC, Martin Prpič
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1585 normal SHIPPED_LIVE Moderate: qemu-kvm security update 2016-08-09 21:54:17 UTC
Red Hat Product Errata RHSA-2016:1586 normal SHIPPED_LIVE Moderate: qemu-kvm-rhev security update 2016-08-09 21:24:44 UTC
Red Hat Product Errata RHSA-2016:1606 normal SHIPPED_LIVE Moderate: qemu-kvm security update 2016-08-11 23:08:14 UTC
Red Hat Product Errata RHSA-2016:1607 normal SHIPPED_LIVE Moderate: qemu-kvm-rhev security update 2016-08-12 18:11:58 UTC
Red Hat Product Errata RHSA-2016:1652 normal SHIPPED_LIVE Moderate: qemu-kvm-rhev security update 2016-08-23 10:14:44 UTC
Red Hat Product Errata RHSA-2016:1653 normal SHIPPED_LIVE Moderate: qemu-kvm-rhev security update 2016-08-23 10:14:36 UTC
Red Hat Product Errata RHSA-2016:1654 normal SHIPPED_LIVE Moderate: qemu-kvm-rhev security update 2016-08-23 10:14:29 UTC
Red Hat Product Errata RHSA-2016:1655 normal SHIPPED_LIVE Moderate: qemu-kvm-rhev security update 2016-08-23 10:14:21 UTC
Red Hat Product Errata RHSA-2016:1756 normal SHIPPED_LIVE Moderate: qemu-kvm-rhev security and bug fix update 2016-08-24 09:09:40 UTC
Red Hat Product Errata RHSA-2016:1763 normal SHIPPED_LIVE Moderate: qemu-kvm-rhev security update 2016-08-24 17:10:17 UTC
Red Hat Product Errata RHSA-2016:1943 normal SHIPPED_LIVE Important: kvm security update 2016-09-27 20:01:26 UTC

Description Martin Prpič 2016-07-20 14:56:16 UTC
It was found that a malicious guest user could submit more requests than the virtqueue size permits, resulting in a crash of the host QEMU process.

The guest could submit requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is incorrect but possible. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation controlled by the guest.

Exit with an error if the guest provides more requests than the virtqueue size permits. This bounds memory allocation and makes the buggy guest visible to the user.

Upstream patch
--------------
  -> git.qemu.org/?p=qemu.git;a=commit;h=afd9096eb1882f23929f5b5c177898ed231bac66

Comment 1 Martin Prpič 2016-07-20 14:56:31 UTC
Acknowledgments:

Name: hongzhenhao (Marvel Team)

Comment 2 Martin Prpič 2016-07-20 14:59:31 UTC
Created attachment 1182139 [details]
CVE-2016-5403 patch

Comment 8 Prasad J Pandit 2016-07-27 15:18:21 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1360831]

Comment 9 Prasad J Pandit 2016-07-27 15:18:36 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1360830]

Comment 11 Fedora Update System 2016-08-05 20:54:45 UTC
xen-4.6.3-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-08-08 23:53:51 UTC
xen-4.5.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2016-08-09 17:24:56 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2016:1586 https://rhn.redhat.com/errata/RHSA-2016-1586.html

Comment 14 errata-xmlrpc 2016-08-09 17:54:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1585 https://rhn.redhat.com/errata/RHSA-2016-1585.html

Comment 15 errata-xmlrpc 2016-08-11 19:08:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1606 https://rhn.redhat.com/errata/RHSA-2016-1606.html

Comment 16 errata-xmlrpc 2016-08-12 14:12:26 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-7

Via RHSA-2016:1607 https://rhn.redhat.com/errata/RHSA-2016-1607.html

Comment 17 Marcus Furlong 2016-08-17 06:42:23 UTC
This update seems to cause an issue with live-migration in OpenStack.

After installing this update, I'm seeing the exact same issue as described here:

   https://www.redhat.com/archives/libvir-list/2016-August/msg00406.html

Comment 18 errata-xmlrpc 2016-08-23 06:15:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2016:1655 https://rhn.redhat.com/errata/RHSA-2016-1655.html

Comment 19 errata-xmlrpc 2016-08-23 06:16:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2016:1654 https://rhn.redhat.com/errata/RHSA-2016-1654.html

Comment 20 errata-xmlrpc 2016-08-23 06:17:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2016:1653 https://rhn.redhat.com/errata/RHSA-2016-1653.html

Comment 21 errata-xmlrpc 2016-08-23 06:18:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2016:1652 https://rhn.redhat.com/errata/RHSA-2016-1652.html

Comment 22 Corbin Hendrickson 2016-08-23 22:08:46 UTC
We're also seeing the issue described here: https://www.redhat.com/archives/libvir-list/2016-August/msg00406.html

If you guys would prefer this submitted in another bug report or elsewhere please let me know, but we're for sure affected by qemu exiting upon live migrating.

Comment 23 errata-xmlrpc 2016-08-24 05:10:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2016:1756 https://rhn.redhat.com/errata/RHSA-2016-1756.html

Comment 24 errata-xmlrpc 2016-08-24 13:10:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2016:1763 https://rhn.redhat.com/errata/RHSA-2016-1763.html

Comment 25 Laura Kamfonik 2016-08-26 15:29:23 UTC
We're seeing the same issue reported above with guest shutdown with "Virtqueue size exceeded" after migration.

Comment 26 Marcus Furlong 2016-08-27 08:20:34 UTC
Should a new bug be opened about this patch breaking live migration?

Comment 27 Laura Kamfonik 2016-08-31 14:03:51 UTC
For those following this for the live migration issue, a new bug has been opened:
https://bugzilla.redhat.com/show_bug.cgi?id=1371943

Comment 28 errata-xmlrpc 2016-09-27 16:05:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:1943 https://rhn.redhat.com/errata/RHSA-2016-1943.html

Comment 29 Wade Mealing 2016-11-02 05:20:40 UTC
I will needinfo Prasad J Pandit as he has done the investigation.  It might be best to lodge a ticket in parallel with support to get this resolved faster.

Thanks.

Wade Mealing

Comment 30 Prasad J Pandit 2016-11-23 11:24:31 UTC
(In reply to Marcus Furlong from comment #26)
> Should a new bug be opened about this patch breaking live migration?

  Yes, opening another bug was the right thing to do. I see that a fix has been shipped and others are in queue.

Thank you.


Note You need to log in before you can comment on or make changes to this bug.