Date: Thu, 23 Feb 2017 09:43:53 +0000 From: Roger Pau Monné <roger.pau@...rix.com> To: Xen.org security team <security@....org> CC: <xen-announce@...ts.xen.org>, <xen-devel@...ts.xen.org>, <xen-users@...ts.xen.org>, <oss-security@...ts.openwall.com> Subject: Re: [Xen-devel] Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe On Tue, Feb 21, 2017 at 12:00:03PM +0000, Xen.org security team wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Xen Security Advisory CVE-2017-2620 / XSA-209 > version 3 > > cirrus_bitblt_cputovideo does not check if memory region is safe > > UPDATES IN VERSION 3 > ==================== > > Public release. > > ISSUE DESCRIPTION > ================= > > In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine > cirrus_bitblt_cputovideo fails to check wethehr the specified memory > region is safe. > > IMPACT > ====== > > A malicious guest administrator can cause an out of bounds memory > write, very likely exploitable as a privilege escalation. > > VULNERABLE SYSTEMS > ================== > > Versions of qemu shipped with all Xen versions are vulnerable. > > Xen systems running on x86 with HVM guests, with the qemu process > running in dom0 are vulnerable. > > Only guests provided with the "cirrus" emulated video card can exploit > the vulnerability. The non-default "stdvga" emulated video card is > not vulnerable. (With xl the emulated video card is controlled by the > "stdvga=" and "vga=" domain configuration options.) > > ARM systems are not vulnerable. Systems using only PV guests are not > vulnerable. > > For VMs whose qemu process is running in a stub domain, a successful > attacker will only gain the privileges of that stubdom, which should > be only over the guest itself. > > Both upstream-based versions of qemu (device_model_version="qemu-xen") > and `traditional' qemu (device_model_version="qemu-xen-traditional") > are vulnerable. > > MITIGATION > ========== > > Running only PV guests will avoid the issue. > > Running HVM guests with the device model in a stubdomain will mitigate > the issue. > > Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", > in the xl domain configuration) will avoid the vulnerability. > > CREDITS > ======= > > This issue was discovered by Gerd Hoffmann of Red Hat. > > RESOLUTION > ========== > > Applying the appropriate attached patch resolves this issue. > > xsa209-qemuu.patch qemu-xen, qemu upstream > (no backport yet) qemu-xen-traditional It would be nice to mention that (at least on QEMU shipped with 4.7) the following patch is also needed for the XSA-209 fix to build correctly: 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 display: cirrus: ignore source pitch value as needed in blit_is_unsafe Roger.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ