[Bug 1612089] Re: Fix for CVE-2016-5403 causes crash on migration if memory stats are enabled

Michael Roth 1612089 at bugs.launchpad.net
Fri Sep 16 18:24:43 UTC 2016


If it is of any help, Stefan Hajnoczi has been working with me to help
fix the regressions introduced by the CVE-2016-5403 fix (upstream QEMU
commit afd9096, which is in 2.6.1 stable release) in a follow-up 2.6.2
release.

So far the following patches have been identified as being needed in
order to correct the behavior introduced with the CVE fix. The upstream
QEMU commit IDs are:

commit bccdef6b1a204db0f41ffb6e24ce373e4d7890d4
Author: Stefan Hajnoczi <stefanha at redhat.com>
Date:   Mon Aug 15 13:54:15 2016 +0100

    virtio: recalculate vq->inuse after migration

commit 58a83c61496eeb0d31571a07a51bc1947e3379ac
Author: Stefan Hajnoczi <stefanha at redhat.com>
Date:   Mon Aug 15 13:54:16 2016 +0100

    virtio: decrement vq->inuse in virtqueue_discard()

commit 4b7f91ed0270a371e1933efa21ba600b6da23ab9
Author: Stefan Hajnoczi <stefanha at redhat.com>
Date:   Wed Sep 7 11:51:25 2016 -0400

    virtio: zero vq->inuse in virtio_reset()

commit 104e70cae78bd4afd95d948c6aff188f10508a9c
Author: Ladi Prosek <lprosek at redhat.com>
Date:   Wed Sep 7 17:20:47 2016 +0200

    virtio-balloon: discard virtqueue element on reset

I believe it is the last of these which addresses the issue reported in
this bug.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1612089

Title:
  Fix for CVE-2016-5403 causes crash on migration if memory stats are
  enabled

Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive icehouse series:
  Fix Committed
Status in Ubuntu Cloud Archive kilo series:
  Fix Released
Status in Ubuntu Cloud Archive liberty series:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  Fix Released
Status in qemu package in Ubuntu:
  Fix Released
Status in qemu-kvm source package in Precise:
  Fix Released
Status in qemu source package in Trusty:
  Fix Released
Status in qemu source package in Xenial:
  Fix Released
Status in qemu source package in Yakkety:
  Fix Released

Bug description:
  If memory statistics are enabled for the memory balloon device in
  libvirt like this:

  <memballoon model='virtio'>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
     <stats period='10'/>
  </memballoon>

  Then qemu exits with "qemu-system-x86_64: Virtqueue size exceeded"
  after the VM is migrated or when starting the VM again after a
  managedsave.

  This bug is present since 2.0.0+dfsg-2ubuntu1.26 and was not present
  in 2.0.0+dfsg-2ubuntu1.24. It's most probably caused by the Fix for
  CVE-2016-5403.

  Steps to reproduce:
  1. Create a VM with libvirt which contains the above memory balloon device
  2. Start the VM and let the Linux kernel boot (bug does not appear if the kernel is not yet booted, e.g. while in the PXE boot phase)
  3. Issue a managedsave
  4. Start the VM again
  5. The VM is restored and "crashes" right after it starts running again.
  6. You can find the qemu output "qemu-system-x86_64: Virtqueue size exceeded" in the log at /var/log/libvirt/vmname.log

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: qemu-system-x86 2.0.0+dfsg-2ubuntu1.26
  ProcVersionSignature: Ubuntu 3.13.0-93.140-generic 3.13.11-ckt39
  Uname: Linux 3.13.0-93-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.21
  Architecture: amd64
  Date: Thu Aug 11 08:39:33 2016
  SourcePackage: qemu
  UpgradeStatus: No upgrade log present (probably fresh install)

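The four commits listed in the reply above all adjust one counter, vq->inuse, which the CVE-2016-5403 fix started checking before every pop. The toy model below is an added illustration of that accounting and is not code from QEMU or from anyone on this thread: the struct, the field names and the guest-adds/device-pops/device-drops cycle are assumptions chosen to show the drift, and it does not claim to replay the exact balloon sequence from the report. It shows that a pop guard of the form "abort when inuse >= ring size" is only safe if every path that gives an element back (discard, reset) also decrements the counter, and that after migration the counter has to be rebuilt from the two indices that are actually in the migration stream.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code: a simplified model of one virtqueue's
 * in-flight bookkeeping.  Field names and event sequence are assumptions. */

enum { SCENARIO_DISCARD = 0, SCENARIO_RESET = 1 };

typedef struct {
    unsigned num;             /* ring size (vring.num) */
    uint16_t avail_idx;       /* guest has published this many buffers */
    uint16_t last_avail_idx;  /* device has consumed this many */
    uint16_t used_idx;        /* device has returned this many */
    unsigned inuse;           /* popped but neither returned nor discarded */
    bool pending;             /* device currently holds one popped element */
} Vq;

/* Pop one element.  The guard mirrors the "Virtqueue size exceeded" check
 * that the CVE-2016-5403 fix added: a guest must never have more elements
 * in flight than the ring can hold. */
static int vq_pop(Vq *vq)
{
    if (vq->inuse >= vq->num) {
        fprintf(stderr, "Virtqueue size exceeded\n");
        return -1;
    }
    if (vq->last_avail_idx == vq->avail_idx) {
        return 0;                      /* nothing available */
    }
    vq->last_avail_idx++;
    vq->inuse++;
    vq->pending = true;
    return 1;
}

/* Hand the element back unconsumed.  "fixed" models the decrement that
 * "virtio: decrement vq->inuse in virtqueue_discard()" introduces. */
static void vq_discard(Vq *vq, bool fixed)
{
    if (!vq->pending) {
        return;
    }
    vq->pending = false;
    vq->last_avail_idx--;
    if (fixed) {
        vq->inuse--;
    }
}

/* Device reset.  "fixed" models the balloon discarding its held element
 * first and virtio_reset() zeroing inuse along with the indices. */
static void vq_reset(Vq *vq, bool fixed)
{
    if (fixed) {
        vq_discard(vq, true);
    }
    vq->avail_idx = vq->last_avail_idx = vq->used_idx = 0;
    vq->pending = false;
    if (fixed) {
        vq->inuse = 0;
    }
}

/* Migration: inuse itself is not migrated, only the indices are, so the
 * destination recomputes it with 16-bit wraparound (the "recalculate
 * vq->inuse after migration" commit). */
static unsigned inuse_after_load(uint16_t last_avail_idx, uint16_t used_idx)
{
    return (uint16_t)(last_avail_idx - used_idx);
}

/* Run cycles of: guest queues a buffer, device pops it, device drops it
 * (by discard or by reset).  Returns the cycle at which the pop guard
 * fires, or 0 if it never fires within 2*num cycles. */
static unsigned cycles_until_exceeded(int scenario, bool fixed, unsigned num)
{
    Vq vq = { .num = num };
    for (unsigned cycle = 1; cycle <= 2 * num; cycle++) {
        vq.avail_idx++;                                   /* guest adds one */
        if (vq_pop(&vq) < 0) {
            return cycle;
        }
        if (scenario == SCENARIO_DISCARD) {
            vq_discard(&vq, fixed);
        } else {
            vq_reset(&vq, fixed);                         /* e.g. guest reboot */
        }
    }
    return 0;
}

int main(void)
{
    printf("discard, unfixed: guard fires at cycle %u\n",
           cycles_until_exceeded(SCENARIO_DISCARD, false, 128));
    printf("reset,   unfixed: guard fires at cycle %u\n",
           cycles_until_exceeded(SCENARIO_RESET, false, 128));
    printf("discard, fixed:   guard fires at cycle %u (0 = never)\n",
           cycles_until_exceeded(SCENARIO_DISCARD, true, 128));
    printf("reset,   fixed:   guard fires at cycle %u (0 = never)\n",
           cycles_until_exceeded(SCENARIO_RESET, true, 128));
    printf("inuse after load with wrapped indices: %u\n",
           inuse_after_load(3, 65535));
    return 0;
}
```

With a 128-entry ring the unfixed model trips the guard on the 129th cycle in both scenarios, even though the guest never had more than one buffer outstanding; the counter simply leaked one per dropped element. The same model with the decrement and reset paths in place never trips. The wraparound in inuse_after_load matters because the avail and used indices are free-running 16-bit counters, so a plain signed subtraction would compute a negative or huge in-flight count on a ring that has wrapped.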