Bug 678559 – Disallow 0-sized writes to virtio ports to go through to host (leading to VM crash) [rhel-6.0.z]

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 678559 - Disallow 0-sized writes to virtio ports to go through to host (leading to VM crash) [rhel-6.0.z]

Summary:	Disallow 0-sized writes to virtio ports to go through to host (leading to VM ...

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kernel (Show other bugs)
Sub Component:
Version:	6.1
Hardware:	All Linux

Priority	medium Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Frantisek Hrbata
QA Contact:	Red Hat Kernel QE team
Docs Contact:

URL:
Whiteboard:
Keywords:	ZStream

Depends On:	635535
Blocks:
	Show dependency tree / graph

Reported:	2011-02-18 07:29 EST by RHEL Product and Program Management
Modified:	2013-01-10 22:49 EST (History)
CC List:	9 users (show)

See Also:
Fixed In Version:	kernel-2.6.32-71.19.1.el6
Doc Type:	Bug Fix
Doc Text:	Prior to this update, user space could submit (using the write() operation) a buffer with zero length to be written to the host, causing the qemu hypervisor instance running on that host to crash. This was caused by the write() operation triggering a virtqueue event on the host, causing a NULL buffer to be accessed. With this update, user space is no longer allowed to submit zero-sized buffers and the aforementioned crash no longer occur.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2011-04-07 22:59:40 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0421	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2011-04-07 22:56:45 EDT

Groups: None (edit)

Description RHEL Product and Program Management 2011-02-18 07:29:56 EST

This bug has been copied from bug #635535 and has been proposed
to be backported to 6.0 z-stream (EUS).

Comment 4 Amos Kong 2011-03-21 03:31:28 EDT

Bug exists in kernel-2.6.32-71.18.2.el6, and could not reproduced in kernel-2.6.32-71.19.1.el6.
So moving to VERIFIED.

Comment 5 errata-xmlrpc 2011-04-07 22:59:40 EDT

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0421.html

Comment 6 Martin Prpič 2011-04-12 08:41:25 EDT

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Prior to this update, user space could submit (using the write() operation) a buffer with zero length to be written to the host, causing the qemu hypervisor instance running on that host to crash. This was caused by the write() operation triggering a virtqueue event on the host, causing a NULL buffer to be accessed. With this update, user space is no longer allowed to submit zero-sized buffers and the aforementioned crash no longer occur.

Note You need to log in before you can comment on or make changes to this bug.