CVE-2017-9375 fix causes qemu crash

Bug #1718222 reported by RussianNeuroMancer on 2017-09-19
Affects          Status                     Importance  Assigned to        Milestone
qemu (Debian)    Fix Released               Unknown
qemu (Ubuntu)    Status tracked in Artful
  Trusty                                    High        Marc Deslauriers
  Xenial                                    High        Marc Deslauriers
  Zesty                                     High        Marc Deslauriers
  Artful                                    High        Unassigned

Bug Description

CVE-2017-9375 fix causes qemu crash on Ubuntu 17.04 if a USB 3 controller is selected in the virtual machine properties.

To reproduce this issue:
1. Install Ubuntu 17.04
2. Install package ubuntu-virt
3. Create a virtual machine with a USB 3 controller
4. Try to start this virtual machine

Error message from libvirt log:
qemu-system-x86_64: /build/qemu-g5EXBU/qemu-2.8+dfsg/hw/usb/hcd-xhci.c:2169: xhci_kick_epctx: Assertion `!epctx->kick_active' failed.

Workaround:
Switch the controller type to USB 2, but AFAIK this is not applicable if the user needs to pass through many USB devices to the guest, or if the user actually needs USB 3 speed.

CVE References

Example of xml that causes qemu crash on updated Ubuntu 17.04.

tags: added: regression-update zesty
ChristianEhrhardt (paelzer) wrote :

Subscribing Mark who did the fix for his check on the case.
And setting regression-upgrade until we know otherwise.

ChristianEhrhardt (paelzer) wrote :

Oh tag was already set, thanks!

Changed in qemu (Debian):
status: Unknown → Fix Released
Changed in qemu (Ubuntu Artful):
status: New → Fix Released
Changed in qemu (Ubuntu Trusty):
status: New → Confirmed
Changed in qemu (Ubuntu Xenial):
status: New → In Progress
Changed in qemu (Ubuntu Trusty):
status: Confirmed → In Progress
Changed in qemu (Ubuntu Zesty):
status: New → In Progress
Changed in qemu (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Zesty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Trusty):
importance: Undecided → High
Changed in qemu (Ubuntu Xenial):
importance: Undecided → High
Changed in qemu (Ubuntu Zesty):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.8+dfsg-3ubuntu2.5

---------------
qemu (1:2.8+dfsg-3ubuntu2.5) zesty-security; urgency=medium

  * SECURITY REGRESSION: regression in USB xHCI emulation (LP: #1718222)
    - debian/patches/CVE-2017-9375-regression.patch: don't kick in
      xhci_submit and xhci_fire_ctl_transfer in hw/usb/hcd-xhci.c.

 -- Marc Deslauriers <email address hidden> Wed, 20 Sep 2017 07:22:48 -0400
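The assertion from the libvirt log and the changelog's fix ("don't kick in xhci_submit and xhci_fire_ctl_transfer") are modelled in this added C example, which is not QEMU's code. It assumes the CVE-2017-9375 guard was a kick_active flag that trips when the endpoint is kicked again from inside a running kick, and shows the deferred re-kick that avoids the nested call.

```c
#include <assert.h>
#include <stdbool.h>

/* Simplified endpoint context (assumption, not QEMU's struct). */
typedef struct {
    int pending;       /* transfers still queued on the ring */
    int completed;     /* transfers handed to the device */
    bool kick_active;  /* set while kick_epctx is running (the CVE guard) */
    bool needs_kick;   /* deferred kick requested by the submit path */
} EpCtx;

static int process_one(EpCtx *ep, bool kick_from_submit);

/* Model of xhci_kick_epctx: drains the ring. Returns the number of
 * transfers processed, or -1 where assert(!epctx->kick_active) would fire. */
static int kick_epctx(EpCtx *ep, bool kick_from_submit)
{
    if (ep->kick_active) {
        return -1;  /* re-entrant kick: the guarded build aborts here */
    }
    ep->kick_active = true;
    int n = 0;
    do {
        ep->needs_kick = false;
        while (ep->pending > 0) {
            if (process_one(ep, kick_from_submit) < 0) {
                ep->kick_active = false;
                return -1;
            }
            n++;
        }
    } while (ep->needs_kick);  /* fixed path: run another pass here */
    ep->kick_active = false;
    return n;
}

/* Model of xhci_submit / xhci_fire_ctl_transfer. Regressed: kick the
 * endpoint again from inside the running kick. Fixed: only record that
 * another pass is wanted and let the outer loop perform it. */
static int process_one(EpCtx *ep, bool kick_from_submit)
{
    ep->pending--;
    ep->completed++;
    if (kick_from_submit) {
        return kick_epctx(ep, kick_from_submit);  /* nested call */
    }
    ep->needs_kick = true;
    return 0;
}

int run_regressed(void) { EpCtx ep = { .pending = 3 }; return kick_epctx(&ep, true); }
int run_fixed(void)     { EpCtx ep = { .pending = 3 }; return kick_epctx(&ep, false); }
```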

Changed in qemu (Ubuntu Zesty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 2.0.0+dfsg-2ubuntu1.36

---------------
qemu (2.0.0+dfsg-2ubuntu1.36) trusty-security; urgency=medium

  * SECURITY REGRESSION: regression in USB xHCI emulation (LP: #1718222)
    - debian/patches/CVE-2017-9375-regression.patch: don't kick in
      xhci_submit and xhci_fire_ctl_transfer in hw/usb/hcd-xhci.c.

 -- Marc Deslauriers <email address hidden> Wed, 20 Sep 2017 07:27:30 -0400

Changed in qemu (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu10.16

---------------
qemu (1:2.5+dfsg-5ubuntu10.16) xenial-security; urgency=medium

  * SECURITY REGRESSION: regression in USB xHCI emulation (LP: #1718222)
    - debian/patches/CVE-2017-9375-regression.patch: don't kick in
      xhci_submit and xhci_fire_ctl_transfer in hw/usb/hcd-xhci.c.

 -- Marc Deslauriers <email address hidden> Wed, 20 Sep 2017 07:25:44 -0400

Changed in qemu (Ubuntu Xenial):
status: In Progress → Fix Released

Thanks for the fast fix! :)

Marc Deslauriers (mdeslaur) wrote :

Thanks for the links, they were very helpful! :)

Changed in qemu (Ubuntu Artful):
importance: Undecided → High