Scientific Linux Security Update : kvm on SL5.4 i386/x86_64
High Nessus Plugin ID 60730
SynopsisThe remote Scientific Linux host is missing one or more security updates.
DescriptionThe x86 emulator implementation was missing a check for the Current Privilege Level (CPL) and I/O Privilege Level (IOPL). A user in a guest could leverage these flaws to cause a denial of service (guest crash) or possibly escalate their privileges within that guest.
A flaw was found in the Programmable Interval Timer (PIT) emulation.
Access to the internal data structure pit_state, which represents the data state of the emulated PIT, was not properly validated in the pit_ioport_read() function. A privileged guest user could use this flaw to crash the host. (CVE-2010-0309)
A flaw was found in the USB passthrough handling code. A specially crafted USB packet sent from inside a guest could be used to trigger a buffer overflow in the usb_host_handle_control() function, which runs under the QEMU-KVM context on the host. A user in a guest could leverage this flaw to cause a denial of service (guest hang or crash) or possibly escalate their privileges within the host. (CVE-2010-0297)
This update also fixes the following bugs :
- pvclock MSR values were not preserved during remote migration, causing time drift for guests. (BZ#537028)
- SMBIOS table 4 data is now generated for Windows guests.
- if the qemu-kvm '-net user' option was used, unattended Windows XP installations did not receive an IP address after reboot. (BZ#546562)
- when being restored from migration, a race condition caused Windows Server 2008 R2 guests to hang during shutdown. (BZ#546563)
- the kernel symbol checking on the kvm-kmod build process has a safety check for ABI changes. (BZ#547293)
- on hosts without high-res timers, Windows Server 2003 guests experienced significant time drift. (BZ#547625)
- in some situations, installing Windows Server 2008 R2 from an ISO image resulted in a blue screen 'BAD_POOL_HEADER' stop error. (BZ#548368)
- a bug in the grow_refcount_table() error handling caused infinite recursion in some cases. This caused the qemu-kvm process to hang and eventually crash.
- for Windows Server 2003 R2, Service Pack 2, 32-bit guests, an 'unhandled vm exit' error could occur during reboot on some systems. (BZ#552518)
- for Windows guests, QEMU could attempt to stop a stopped audio device, resulting in a 'snd_playback_stop: ASSERT playback_channel->base.active failed' error. (BZ#552519)
- the Hypercall driver did not reset the device on power-down. (BZ#552528)
- mechanisms have been added to make older savevm versions to be emitted in some cases. (BZ#552529)
- an error in the Makefile prevented users from using the source RPM to install KVM. (BZ#552530)
- guests became unresponsive and could use up to 100% CPU when running certain benchmark tests with more than 7 guests running simultaneously. (BZ#553249)
- QEMU could terminate randomly with virtio-net and SMP enabled. (BZ#561022)
NOTE - The following procedure must be performed before this update will take effect :
1) Stop all KVM guest virtual machines.
2) Either reboot the hypervisor machine or, as the root user, remove (using 'modprobe -r [module]') and reload (using 'modprobe [module]') all of the following modules which are currently running (determined using 'lsmod'): kvm, ksm, kvm-intel or kvm-amd.
3) Restart the KVM guest virtual machines.
SolutionUpdate the affected packages.