kmod, kvm security update

CentOS Errata and Security Advisory CESA-2010:0088

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for
the standard Red Hat Enterprise Linux kernel.

The x86 emulator implementation was missing a check for the Current
Privilege Level (CPL) and I/O Privilege Level (IOPL). A user in a guest
could leverage these flaws to cause a denial of service (guest crash) or
possibly escalate their privileges within that guest. (CVE-2010-0298,
CVE-2010-0306)

A flaw was found in the Programmable Interval Timer (PIT) emulation. Access
to the internal data structure pit_state, which represents the data state
of the emulated PIT, was not properly validated in the pit_ioport_read()
function. A privileged guest user could use this flaw to crash the host.
(CVE-2010-0309)

A flaw was found in the USB passthrough handling code. A specially-crafted
USB packet sent from inside a guest could be used to trigger a buffer
overflow in the usb_host_handle_control() function, which runs under the
QEMU-KVM context on the host. A user in a guest could leverage this flaw to
cause a denial of service (guest hang or crash) or possibly escalate their
privileges within the host. (CVE-2010-0297)

This update also fixes the following bugs:

• pvclock MSR values were not preserved during remote migration, causing
  time drift for guests. (BZ#537028)

• SMBIOS table 4 data is now generated for Windows guests. (BZ#545874)

• if the qemu-kvm “-net user” option was used, unattended Windows XP
  installations did not receive an IP address after reboot. (BZ#546562)

• when being restored from migration, a race condition caused Windows
  Server 2008 R2 guests to hang during shutdown. (BZ#546563)

• the kernel symbol checking on the kvm-kmod build process has a safety
  check for ABI changes. (BZ#547293)

• on hosts without high-res timers, Windows Server 2003 guests experienced
  significant time drift. (BZ#547625)

• in some situations, installing Windows Server 2008 R2 from an ISO image
  resulted in a blue screen “BAD_POOL_HEADER” stop error. (BZ#548368)

• a bug in the grow_refcount_table() error handling caused infinite
  recursion in some cases. This caused the qemu-kvm process to hang and
  eventually crash. (BZ#552159)

• for Windows Server 2003 R2, Service Pack 2, 32-bit guests, an “unhandled
  vm exit” error could occur during reboot on some systems. (BZ#552518)

• for Windows guests, QEMU could attempt to stop a stopped audio device,
  resulting in a “snd_playback_stop: ASSERT playback_channel->base.active
  failed” error. (BZ#552519)

• the Hypercall driver did not reset the device on power-down. (BZ#552528)

• mechanisms have been added to make older savevm versions to be emitted in
  some cases. (BZ#552529)

• an error in the Makefile prevented users from using the source RPM to
  install KVM. (BZ#552530)

• guests became unresponsive and could use up to 100% CPU when running
  certain benchmark tests with more than 7 guests running simultaneously.
  (BZ#553249)

• QEMU could terminate randomly with virtio-net and SMP enabled.
  (BZ#561022)

All KVM users should upgrade to these updated packages, which contain
backported patches to resolve these issues. Note: The procedure in the
Solution section must be performed before this update will take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2010-February/078656.html

Affected packages:
kmod-kvm
kvm
kvm-qemu-img
kvm-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2010:0088