Bug 1568461 - [RFE] Kernel address space layout randomization [KASLR] support
Summary: [RFE] Kernel address space layout randomization [KASLR] support
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.2.2
Hardware: All
OS: Linux
Target Milestone: ovirt-4.4.3
Assignee: Michal Skrivanek
QA Contact: meital avital
Depends On: 1555276 1290840 1395248 1398633 1411490 1424943 1493125 1519748 1555268 1568736
Blocks: 1288169 1298243 1317091 1522983 1469590
Reported: 2018-04-17 14:40 UTC by Michal Skrivanek
Modified: 2020-11-11 06:45 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1555268
Last Closed: 2020-10-11 09:36:32 UTC
oVirt Team: Virt
pm-rhel: ovirt-4.4?
rbarry: ovirt-4.5?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?


System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 90056 | 0 | None | MERGED | core: add EnableKASLRDump vdc_option | 2020-10-23 10:10:09 UTC
oVirt gerrit | 90378 | 0 | None | MERGED | core: add EnableKASLRDump vdc_option | 2020-10-23 10:09:56 UTC
oVirt gerrit | 90755 | 0 | master | MERGED | core: expose EnableKASLRDump in engine-config | 2020-10-23 10:09:57 UTC
oVirt gerrit | 111653 | 0 | master | MERGED | enable dump capability for KASLR-enabled kernels | 2020-10-23 10:09:56 UTC

Description Michal Skrivanek 2018-04-17 14:40:29 UTC
+++ This bug was initially created as a clone of Bug #1555268 +++

Description of problem:
Kernel Address Space Randomization [KASLR] allows randomizing the physical and virtual address at which the kernel image is decompressed, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

The feature has been described in LWN article:

With upstream patchsets of:









Version-Release number of selected component (if applicable):
went upstream in 3.14

Additional info:


Fixed upstream:

commit 7e4177a35bae49a53b04940be04418daaa988734
Author:     Marc-André Lureau <marcandre.lureau@redhat.com>
AuthorDate: Thu Nov 16 17:49:38 2017 +0100
Commit:     Martin Kletzander <mkletzan@redhat.com>
CommitDate: Sat Nov 18 10:45:10 2017 +0100

    qemu: add vmcoreinfo support

    Starting from qemu 2.11, the `-device vmcoreinfo` will create a fw_cfg
    entry for a guest to store dump details, necessary to process kernel
    dump with KASLR enabled and providing additional kernel details.

    In essence, it is similar to -fw_cfg name=etc/vmcoreinfo,file=X but in
    this case it is not backed by a file, but collected by QEMU itself.

    Since the device is a singleton and shouldn't use additional hardware
    resources, it is presented as a <feature> element in the libvirt
    domain XML.

    The device is arm/x86 only for now (targets that support fw_cfg+dma).

    Related to:
    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
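
The following is an added example, not part of the bug report and not oVirt or libvirt code: a small audit that classifies a guest's libvirt domain XML (for instance the output of `virsh dumpxml`) by whether the vmcoreinfo device described in the commit message is configured, so that dumps of KASLR-enabled guests stay analysable. The `<vmcoreinfo state='on'/>` form under `<features>` is taken from libvirt's domain XML format; the architecture strings, the treatment of a bare `<vmcoreinfo/>` as on, and all sample XML are assumptions constructed for the demo.

```python
import xml.etree.ElementTree as ET

QEMU_NS = "{http://libvirt.org/schemas/domain/qemu/1.0}"  # libvirt QEMU passthrough namespace
# The commit message says "arm/x86 only"; these concrete arch strings are an assumption.
SUPPORTED_ARCHES = {"x86_64", "i686", "aarch64", "armv7l"}

def audit(domain_xml):
    """Return enabled, enabled-passthrough, disabled, missing or unsupported-arch."""
    root = ET.fromstring(domain_xml)
    os_type = root.find("./os/type")
    arch = os_type.get("arch") if os_type is not None else None
    if arch is not None and arch not in SUPPORTED_ARCHES:
        return "unsupported-arch"
    feature = root.find("./features/vmcoreinfo")
    if feature is not None:
        # A bare <vmcoreinfo/> without a state attribute is treated as on (assumption).
        return "enabled" if feature.get("state", "on") == "on" else "disabled"
    # Fall back to a raw "-device vmcoreinfo" passed through <qemu:commandline>.
    args = [a.get("value", "") for a in root.iter(QEMU_NS + "arg")]
    for flag, value in zip(args, args[1:]):
        if flag == "-device" and value.split(",")[0] == "vmcoreinfo":
            return "enabled-passthrough"
    return "missing"

def sample(arch, features="", extra=""):
    """Build a constructed, minimal domain XML document for the demo."""
    return ("<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>"
            f"<name>demo</name><os><type arch='{arch}'>hvm</type></os>"
            f"<features><acpi/>{features}</features>{extra}</domain>")

PASSTHROUGH = ("<qemu:commandline><qemu:arg value='-device'/>"
               "<qemu:arg value='vmcoreinfo'/></qemu:commandline>")

if __name__ == "__main__":
    cases = {
        "feature on": sample("x86_64", "<vmcoreinfo state='on'/>"),
        "feature off": sample("x86_64", "<vmcoreinfo state='off'/>"),
        "no feature": sample("x86_64"),
        "passthrough": sample("aarch64", extra=PASSTHROUGH),
        "ppc64le guest": sample("ppc64le"),
    }
    for name, xml in cases.items():
        print(f"{name}: {audit(xml)}")
```

Guests reported as `missing` or `disabled` are the ones whose KASLR-enabled kernel dumps would lack the details the commit message describes.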

Comment 1 Michal Skrivanek 2018-04-17 14:48:42 UTC
requires qemu-2.11 or qemu-kvm-ev 2.10
Need to decide if that is something to enable by default mid-version (4.2.z) or if it has to wait until 4.3, since it changes the virtual guest configuration.

With current patches in 4.2.3 it can be enabled in vdc_options.

Comment 2 Michal Skrivanek 2018-08-29 08:07:28 UTC
Should be safe enough to enable in 4.3 even though it would enable it for 4.2 clusters. It will still be possible to disable it globally.

Comment 3 Ryan Barry 2019-01-21 14:54:10 UTC
Re-targeting to 4.3.1 since it is missing a patch, an acked blocker flag, or both

Comment 6 Sandro Bonazzola 2020-11-11 06:45:38 UTC
This bugzilla is included in oVirt 4.4.3 release, published on November 10th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
