It was found that a malicious guest user could submit more requests than the virtqueue size permits, resulting in a crash of the host QEMU process. The guest could submit requests without bothering to wait for completion and is therefore not bound by the virtqueue size. This requires reusing vring descriptors in more than one request, which is incorrect but possible. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation controlled by the guest.

The fix is to exit with an error if the guest provides more requests than the virtqueue size permits. This bounds memory allocation and makes the buggy guest visible to the user.

Upstream patch:
-> git.qemu.org/?p=qemu.git;a=commit;h=afd9096eb1882f23929f5b5c177898ed231bac66
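As an added illustration (constructed for this report, not QEMU's code or the upstream patch), a simplified C model of the check the fix describes: the host counts elements popped but not yet returned (inuse) and, in the bounded variant, refuses a pop once that count reaches the ring size (num). A guest that publishes many requests without completing any drives the unbounded variant to allocate far more elements than the ring holds. The names VirtQueue, VirtQueueElement, run_guest and the ring fields are assumptions of this model.

```c
#include <stdlib.h>

/* Constructed, simplified model of a virtqueue; not QEMU's own structures. */
typedef struct VirtQueueElement {
    unsigned int head;              /* descriptor index for this request */
    struct VirtQueueElement *next;  /* in-flight list link (model only) */
} VirtQueueElement;

typedef struct {
    unsigned int num;             /* vring size: descriptors in the ring */
    unsigned int inuse;           /* elements popped, not yet pushed back */
    unsigned int avail_idx;       /* guest's write index into the avail ring */
    unsigned int last_avail_idx;  /* host's read index into the avail ring */
} VirtQueue;

typedef struct { unsigned int allocated; int overflow; } RunResult;

/* Host pops the next available request and allocates an element for it.
 * Without a bound on inuse, a guest that keeps advancing avail_idx while
 * reusing descriptors and never completing forces unbounded allocation. */
static VirtQueueElement *virtqueue_pop(VirtQueue *vq, int bounded, int *overflow)
{
    if (vq->last_avail_idx == vq->avail_idx)
        return NULL;                          /* nothing pending */
    if (bounded && vq->inuse >= vq->num) {
        *overflow = 1;                        /* "Virtqueue size exceeded" */
        return NULL;
    }
    VirtQueueElement *elem = calloc(1, sizeof(*elem));
    if (!elem) abort();
    elem->head = vq->last_avail_idx % vq->num;  /* descriptor reuse */
    vq->last_avail_idx++;
    vq->inuse++;
    return elem;
}

/* Guest publishes `submitted` requests up front and completes none of them;
 * returns how many elements the host allocated and whether the bound hit. */
RunResult run_guest(unsigned int num, unsigned int submitted, int bounded)
{
    VirtQueue vq = { .num = num, .inuse = 0, .avail_idx = submitted, .last_avail_idx = 0 };
    VirtQueueElement *inflight = NULL, *e;
    RunResult r = { 0, 0 };
    while ((e = virtqueue_pop(&vq, bounded, &r.overflow)) != NULL) {
        e->next = inflight; inflight = e;     /* device holds it until completion */
        r.allocated++;
    }
    while (inflight) { e = inflight; inflight = e->next; free(e); }
    return r;
}
```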
Acknowledgments: Name: hongzhenhao (Marvel Team)
Created attachment 1182139: CVE-2016-5403 patch
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1360831]
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1360830]
xen-4.6.3-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.5.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 Via RHSA-2016:1586 https://rhn.redhat.com/errata/RHSA-2016-1586.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1585 https://rhn.redhat.com/errata/RHSA-2016-1585.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1606 https://rhn.redhat.com/errata/RHSA-2016-1606.html
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-7 Via RHSA-2016:1607 https://rhn.redhat.com/errata/RHSA-2016-1607.html
This update seems to cause an issue with live-migration in OpenStack. After installing this update, I'm seeing the exact same issue as described here: https://www.redhat.com/archives/libvir-list/2016-August/msg00406.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 Via RHSA-2016:1655 https://rhn.redhat.com/errata/RHSA-2016-1655.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 Via RHSA-2016:1654 https://rhn.redhat.com/errata/RHSA-2016-1654.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2016:1653 https://rhn.redhat.com/errata/RHSA-2016-1653.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 Via RHSA-2016:1652 https://rhn.redhat.com/errata/RHSA-2016-1652.html
We're also seeing the issue described here: https://www.redhat.com/archives/libvir-list/2016-August/msg00406.html If you guys would prefer this submitted in another bug report or elsewhere please let me know, but we're for sure affected by qemu exiting upon live migrating.
This issue has been addressed in the following products: Red Hat OpenStack Platform 8.0 (Liberty) Via RHSA-2016:1756 https://rhn.redhat.com/errata/RHSA-2016-1756.html
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2016:1763 https://rhn.redhat.com/errata/RHSA-2016-1763.html
We're seeing the same issue reported above with guest shutdown with "Virtqueue size exceeded" after migration.
Should a new bug be opened about this patch breaking live migration?
For those following this for the live migration issue, a new bug has been opened: https://bugzilla.redhat.com/show_bug.cgi?id=1371943
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2016:1943 https://rhn.redhat.com/errata/RHSA-2016-1943.html
I will needinfo Prasad J Pandit as he has done the investigation. It might be best to lodge a ticket in parallel with support to get this resolved faster. Thanks. Wade Mealing
(In reply to Marcus Furlong from comment #26)
> Should a new bug be opened about this patch breaking live migration?

Yes, opening another bug was the right thing to do. I see that a fix has been shipped and others are in queue. Thank you.