From: Gaudenz Steinlin
Subject: [Qemu-devel] Fix for CVE-2016-5403 causes crash on migration if memory stats are enabled
Date: Thu, 11 Aug 2016 09:18:12 +0200
User-agent: Notmuch/0.22.1 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)

[ Please CC me on replies as I'm not subscribed to this list. ]

Hi

The fix for CVE-2016-5403 (virtio: error out if guest exceeds virtqueue
size)[1] causes qemu to exit(1) after migration or restart from a saved
state if memory statistics are enabled in libvirt. Qemu exits after
printing "qemu-system-x86_64: Virtqueue size exceeded".

I experienced this problem with the latest security update in Ubuntu
Trusty (14.04) which cherry-picked this fix. If you think that the
latest upstream version is not affected I can try this too. I only
tested with a VM started through libvirt. If someone tells me how to
enable memory statistics with plain qemu without libvirt I can test this
too. My guess would be that this does not make a difference.

I discovered this bug because OpenStack Nova enables memory statistics
by default since the Juno release. After the QEMU upgrade to the latest
version in Ubuntu, VMs were suddenly shut off after migration.

Steps to reproduce:
1. Create a VM with libvirt which contains a memory balloon device
defined like this:
<memballoon model='virtio'>
   <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
   <stats period='10'/>
</memballoon>

2. Start the VM and let the Linux kernel boot (bug does not appear if
   the kernel is not yet booted, e.g. while in the PXE boot phase)
3. Issue a managedsave
4. Start the VM again
5. The VM is restored and "crashes" right after it starts running again.
6. You can find the qemu output "qemu-system-x86_64: Virtqueue size
   exceeded" in the log at /var/log/libvirt/vmname.log

Gaudenz

[1] https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06257.html

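The reproduction steps above, as an added helper script that is not part of the original mail or of QEMU/libvirt: it checks the precondition (a virtio memballoon with `<stats period=...>` in the domain XML), drives managedsave/start with virsh, and then inspects the QEMU log for the "Virtqueue size exceeded" exit message. The default log path `/var/log/libvirt/qemu/DOMAIN.log` and the 10 second wait are assumptions.

```shell
#!/bin/sh
# Added example (not from the original report): does a libvirt domain hit the
# CVE-2016-5403 "Virtqueue size exceeded" exit after managedsave + start?
set -eu

# Precondition from the report: the virtio memballoon has <stats period=...>.
# Reads domain XML on stdin; returns 0 if balloon statistics are enabled.
balloon_stats_enabled() {
    awk '/<memballoon model=.virtio.>/ { inb = 1 }
         inb && /<stats period=/       { found = 1 }
         /<\/memballoon>/              { inb = 0 }
         END { exit !found }'
}

# Reads the QEMU log on stdin; returns 0 if the virtqueue check fired.
log_shows_virtqueue_exit() {
    grep -q 'Virtqueue size exceeded'
}

# Drives the reproduction with virsh (needs a running libvirtd; not exercised
# by the test below).  Usage: reproduce_managedsave DOMAIN [LOGFILE]
reproduce_managedsave() {
    dom=$1
    # Assumed default libvirt log location; override with the second argument.
    log=${2:-/var/log/libvirt/qemu/$dom.log}
    if ! virsh dumpxml "$dom" | balloon_stats_enabled; then
        echo "$dom: balloon stats not enabled, bug precondition not met" >&2
        return 2
    fi
    virsh managedsave "$dom"          # step 3 of the report
    virsh start "$dom"                # step 4: restore from the saved state
    sleep 10                          # assumed: let the restored guest run
    if log_shows_virtqueue_exit < "$log"; then
        echo "$dom: qemu exited with 'Virtqueue size exceeded' after restore" >&2
        return 1
    fi
    echo "$dom: restore survived, state: $(virsh domstate "$dom")"
}
```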

