kvm vulnerable to several CVEs

Bug #213570 reported by Jamie Strandboge
Affects          Status         Importance   Assigned to        Milestone
kvm (Fedora)     Fix Released   High
kvm (Ubuntu)     Fix Released   High         Jamie Strandboge
  Dapper         Invalid        Undecided    Unassigned
  Edgy           Invalid        Undecided    Unassigned
  Feisty         Won't Fix      Undecided    Unassigned
  Gutsy          Won't Fix      Undecided    Unassigned
  Hardy          Fix Released   Undecided    Unassigned
qemu (Ubuntu)    Fix Released   Undecided    Unassigned
  Dapper         Won't Fix      Undecided    Unassigned
  Edgy           Invalid        Undecided    Unassigned
  Feisty         Won't Fix      Undecided    Unassigned
  Gutsy          Won't Fix      Undecided    Unassigned
  Hardy          Fix Released   Undecided    Unassigned

Bug Description

Binary package hint: kvm

kvm ships qemu 0.9.1 as part of its source code, and this version of qemu is vulnerable to several CVEs. Several of these were fixed in the Debian DSA:

http://www.debian.org/security/2007/dsa-1284

This DSA fixes CVE-2007-1320, CVE-2007-1321, CVE-2007-1322, CVE-2007-1323.
Please note that CVE-2007-1323 is a duplicate of CVE-2007-2893. Also note that CVE-2007-5729 and CVE-2007-5730 are referred to as CVE-2007-1321 in Debian.

In addition to these fixes, qemu 0.9.1 is also vulnerable to CVE-2008-0928.

Will provide a debdiff soon.

Tags: edgy-close
Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

Description of problem:
After the recent upgrade my Fedora 8 image could no longer boot.

Version-Release number of selected component (if applicable):
kvm-60-2.fc8.x86_64 (broken)
kvm-60-1.fc8.x86_64 (OK)

How reproducible:
Tried once. (I no longer have the appropriate image now.)

Steps to Reproduce:
1. Install F8 GA into kvm-60-1.fc8.
2. `yum update kernel' in this F8 GA.
3. Shutdown kvm.
4. Upgrade kvm to: kvm-60-2.fc8
5. Start kvm.

Actual results:
/1 primary superblock features different from backup, check forced.
Restarting system.
---> KVM restart
/1 primary superblock features different from backup, check forced.
Restarting system.
---> ad infinitum

Expected results:
/1 primary superblock features different from backup, check forced.
Restarting system.
---> KVM restart
/1: clean, ...

Additional info:
Downgrade to kvm-60-1.fc8.x86_64 really fixed the problem.

Expecting an off-by-one bug in the fix of the Bug 433560:
* Sat Feb 23 2008 Daniel P. Berrange <email address hidden> - 60-2.fc8
- Fix block device extents check (rhbz #433560)

The message:
  /1 primary superblock features different from backup, check forced.
is right as it happened during the recent F8 kernel update.
But it should happen only once.
Expecting some ext3 superblock backup near the end of the media got ignored.

Used disk image layout:
The partition is aligned to the physical end of the media but it does not exceed it!
in KVM:
/dev/sda:
 geometry = 509/255/63, sectors = 8192000, start = 0

Disk /dev/sda: 4194 MB, 4194304000 bytes
255 heads, 63 sectors/track, 509 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000d71ca

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1         509     4088511   83  Linux

Disk /dev/sda: 255 heads, 63 sectors, 509 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 80   1   1    0 254  63  508        63   8177022 83
 2 00   0   0    0   0   0    0         0         0 00
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00

qemu-img:
file format: qcow2
virtual size: 3.9G (4194304000 bytes)

Expecting this Bug should get cloned across all the Fs/RHELs and for QEMU.

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

Created attachment 295958
Forever-restarting Fedora 8 screenshot.

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

Created attachment 295960
Finally updated Fedora 8 screenshot on kvm-60-1.fc8.x86_64.

Revision history for this message
In , Daniel (daniel-redhat-bugs) wrote :

Hmm, I think this could be related to use of QCow files instead of raw.

Can you convert your disk image to raw format using 'qemu-img' and see if the
problem still occurs?

Revision history for this message
In , Daniel (daniel-redhat-bugs) wrote :

Ok, I have reproduced this problem. It impacts QCow2 disks at least - probably
impacts the other Cow related formats too. Raw is not impacted.

In my tests it causes complete & unrecoverable data loss on the guest disk in
question :-(

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

Thanks for reproducing it (->no NEEDINFO).

Revision history for this message
In , Daniel (daniel-redhat-bugs) wrote :

Created attachment 296004
A revised block range checking patch

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

kvm-60-3.fc8 has been submitted as an update for Fedora 8

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

kvm-60-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Changed in kvm:
assignee: nobody → jamie-strandboge
importance: Undecided → High
status: New → Confirmed
description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Gutsy and Hardy qemu only vulnerable to CVE-2008-0928

Changed in qemu:
status: New → Invalid
status: Invalid → New
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

CVE-2008-0928 fixed in:
https://bugzilla.redhat.com/show_bug.cgi?id=433560

but needed to be updated for growable disks:
https://bugzilla.redhat.com/show_bug.cgi?id=434978

Patch committed in Fedora five weeks ago is kvm-62-block-rw-range-check.patch from:
http://cvs.fedoraproject.org/viewcvs/devel/kvm/

Other CVEs included in hardy 0.9.1-1ubuntu1 (debian/patches/90_security.patch)

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Built under i386 and amd64. Verified on amd64 that there were no added build warnings or errors. Tested this on amd64 with:
/usr/bin/kvm -M pc -m 128 -smp 1 -monitor pty -no-acpi -boot c -hda /srv/vms/kvm/dapper-i386-sec-dapper-i386-sec-kvm/root.qcow2 -net nic,macaddr=00:16:3e:0a:fa:a2,model=ne2k_pci -usb -std-vga -soundhw sb16

I then ifconfig'd the ne2k_pci device and pinged it. Video was fine, though I couldn't test sound. Finally I did:
$ yes >> ./foo

and the growable qcow2 filesystem worked fine on this boot and after a reboot.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Sound now tested and works fine (with -soundhw sb16). In the guest, need to:

1. add to /etc/modules:
snd-sb16

2. add /etc/modprobe.d/snd-sb16:
options snd-sb16 isapnp=0

3. then make sure that /dev/dsp is not being used (killall pulseaudio) and reboot.

Changed in kvm:
status: Confirmed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Verified works with ne2k_pci from a separate host as well.

Changed in kvm:
status: New → Invalid
status: New → Invalid
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

kvm (1:62+dfsg-0ubuntu3) hardy; urgency=low

  [ Jamie Strandboge ]
  * debian/patches/SECURITY_CVE-2007-1320+1321+1322+1366+2893.patch
    based on 90_security.patch from qemu 0.9.1-1ubuntu1. Please note that
    CVE-2007-2893 is also known as CVE-2007-1323, and CVE-2007-5729 and
    CVE-2007-5730 are known as CVE-2007-1321 in Debian. This patch addresses
    the following:
    - Cirrus LGD-54XX "bitblt" heap overflow.
    - NE2000 "mtu" heap overflow.
    - QEMU "net socket" heap overflow.
    - QEMU NE2000 "receive" integer signedness error.
    - Infinite loop in the emulated SB16 device.
    - Unprivileged "aam" instruction does not correctly handle the
      undocumented divisor operand.
    - Unprivileged "icebp" instruction will halt emulation.
  * debian/patches/SECURITY_CVE-2008-0928.patch: perform range checks on
    block device read and write requests
  * References
    CVE-2007-1320
    CVE-2007-1321
    CVE-2007-1322
    CVE-2007-1323
    CVE-2007-1366
    CVE-2007-2893
    CVE-2007-5729
    CVE-2007-5730
    CVE-2008-0928

  [ Soren Hansen ]
  * debian/patches/extboot-geometry.patch:
    - Apply extboot patch from Anthony Liguori that fixes CHS information
      being calculated incorrectly, which seems to upset grub from time to time.

 -- Soren Hansen < <email address hidden> > Thu, 10 Apr 2008 16:35:09 +0000

Changed in kvm:
status: In Progress → Fix Released
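
The range check that the CVE-2008-0928 changelog entry above describes, and the off-by-one that Jan's report earlier in the thread suspects in the first version of the fix, as an added illustration for this report (this is not QEMU's or KVM's code; the function names and the 512-byte sector size are constructed, and the 8192000-sector image size is taken from the posted geometry):

```c
/* Constructed example of a guest block-I/O range check. Not QEMU/KVM code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed image: 4194304000 bytes / 512 = 8192000 sectors, as in Jan's report. */
#define IMAGE_SECTORS 8192000LL

/* Off-by-one variant: uses '<' on the end sector, so a request that ends
 * exactly at the end of the disk (e.g. the ext3 backup superblock in the
 * final blocks of a partition aligned to the media end) is wrongly refused.
 * This is the class of defect the thread suspects behind the boot loop. */
static bool range_ok_offbyone(int64_t sector, int nb, int64_t total)
{
    if (sector < 0 || nb < 0) return false;
    return sector + nb < total;          /* rejects sector + nb == total */
}

/* Correct check: [sector, sector + nb) must lie inside [0, total). The last
 * sector stays reachable; anything past the end is refused. Comparing nb
 * against the remaining space avoids overflow in sector + nb. */
static bool range_ok(int64_t sector, int nb, int64_t total)
{
    if (sector < 0 || nb < 0 || sector >= total) return false;
    return nb <= total - sector;
}

/* Growable backing files (the second Red Hat bug Jamie links): the current
 * size is not an upper bound for writes, which may extend the file, so only
 * reads are bounded by it; writes still need non-negative, non-overflowing
 * operands. Assumed policy for the example, not a statement about QEMU. */
static bool range_ok_growable(int64_t sector, int nb, int64_t total, bool is_write)
{
    if (sector < 0 || nb < 0) return false;
    if (is_write) return sector <= INT64_MAX - nb;
    return range_ok(sector, nb, total);
}

int main(void)
{
    int64_t last = IMAGE_SECTORS - 1;
    printf("last sector, off-by-one: %d\n", range_ok_offbyone(last, 1, IMAGE_SECTORS));
    printf("last sector, correct:    %d\n", range_ok(last, 1, IMAGE_SECTORS));
    printf("one past end, correct:   %d\n", range_ok(IMAGE_SECTORS, 1, IMAGE_SECTORS));
    printf("oversized count:         %d\n", range_ok(1, INT32_MAX, IMAGE_SECTORS));
    return 0;
}
```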
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Edgy Eft 6.10 has reached its end of life. As a result, we are closing the Edgy Eft task. However, please note that this report will remain open against the actively developed release. Thank you for your continued support and help as we debug this issue.

Changed in qemu:
status: New → Invalid
Soren Hansen (soren)
Changed in qemu:
status: New → Fix Released
Changed in kvm:
status: New → Fix Released
Changed in kvm:
status: Unknown → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in kvm:
status: New → Won't Fix
Changed in qemu:
status: New → Won't Fix
Changed in kvm:
status: New → Confirmed
Changed in qemu:
status: New → Confirmed
status: New → Confirmed
Changed in qemu:
status: New → Fix Released
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in kvm (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in qemu (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Dapper is currently EOL for universe packages, marking Won't Fix. If someone wants to provide an update for qemu on Dapper, please follow https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation and update the status of this bug accordingly.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking Dapper task as "Won't Fix" since Dapper universe is EOL. If someone would like to create a debdiff and perform the testing, please reopen.

Changed in qemu (Ubuntu Dapper):
status: Confirmed → Won't Fix
Changed in kvm (Fedora):
importance: Unknown → High