678559 – Disallow 0-sized writes to virtio ports to go through to host (leading to VM crash) [rhel-6.0.z]

Bug 678559 - Disallow 0-sized writes to virtio ports to go through to host (leading to VM crash) [rhel-6.0.z]

Summary: Disallow 0-sized writes to virtio ports to go through to host (leading to VM ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Frantisek Hrbata
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Depends On:	635535
Blocks:
TreeView+	depends on / blocked

Reported:	2011-02-18 12:29 UTC by RHEL Program Management
Modified:	2013-01-11 03:49 UTC (History)
CC List:	9 users (show)
Fixed In Version:	kernel-2.6.32-71.19.1.el6
Doc Type:	Bug Fix
Doc Text:	Prior to this update, user space could submit (using the write() operation) a buffer with zero length to be written to the host, causing the qemu hypervisor instance running on that host to crash. This was caused by the write() operation triggering a virtqueue event on the host, causing a NULL buffer to be accessed. With this update, user space is no longer allowed to submit zero-sized buffers and the aforementioned crash no longer occur.
Clone Of:
Environment:
Last Closed:	2011-04-08 02:59:40 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0421	0	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2011-04-08 02:56:45 UTC

Description RHEL Program Management 2011-02-18 12:29:56 UTC

This bug has been copied from bug #635535 and has been proposed
to be backported to 6.0 z-stream (EUS).

Comment 4 Amos Kong 2011-03-21 07:31:28 UTC

Bug exists in kernel-2.6.32-71.18.2.el6, and could not reproduced in kernel-2.6.32-71.19.1.el6.
So moving to VERIFIED.

Comment 5 errata-xmlrpc 2011-04-08 02:59:40 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0421.html

Comment 6 Martin Prpič 2011-04-12 12:41:25 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Prior to this update, user space could submit (using the write() operation) a buffer with zero length to be written to the host, causing the qemu hypervisor instance running on that host to crash. This was caused by the write() operation triggering a virtqueue event on the host, causing a NULL buffer to be accessed. With this update, user space is no longer allowed to submit zero-sized buffers and the aforementioned crash no longer occur.

Note You need to log in before you can comment on or make changes to this bug.