Date: Thu, 23 Feb 2017 20:59:12 +1100
From: Steven Haigh <netwiz@....id.au>
To: Roger Pau Monné <roger.pau@...rix.com>,
 "Xen.org security team" <security@....org>
Cc: xen-users@...ts.xen.org, xen-announce@...ts.xen.org,
 oss-security@...ts.openwall.com, xen-devel@...ts.xen.org
Subject: Re: Xen Security Advisory 209 (CVE-2017-2620) -
 cirrus_bitblt_cputovideo does not check if memory region is safe

On 23/02/17 20:43, Roger Pau Monné wrote:
> On Tue, Feb 21, 2017 at 12:00:03PM +0000, Xen.org security team wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>             Xen Security Advisory CVE-2017-2620 / XSA-209
>>                               version 3
>>
>>    cirrus_bitblt_cputovideo does not check if memory region is safe
>>
>> UPDATES IN VERSION 3
>> ====================
>>
>> Public release.
>>
>> ISSUE DESCRIPTION
>> =================
>>
>> In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
>> cirrus_bitblt_cputovideo fails to check whether the specified memory
>> region is safe.
>>
>> IMPACT
>> ======
>>
>> A malicious guest administrator can cause an out of bounds memory
>> write, very likely exploitable as a privilege escalation.
>>
>> VULNERABLE SYSTEMS
>> ==================
>>
>> Versions of qemu shipped with all Xen versions are vulnerable.
>>
>> Xen systems running on x86 with HVM guests, with the qemu process
>> running in dom0 are vulnerable.
>>
>> Only guests provided with the "cirrus" emulated video card can exploit
>> the vulnerability.  The non-default "stdvga" emulated video card is
>> not vulnerable.  (With xl the emulated video card is controlled by the
>> "stdvga=" and "vga=" domain configuration options.)
>>
>> ARM systems are not vulnerable.  Systems using only PV guests are not
>> vulnerable.
>>
>> For VMs whose qemu process is running in a stub domain, a successful
>> attacker will only gain the privileges of that stubdom, which should
>> be only over the guest itself.
>>
>> Both upstream-based versions of qemu (device_model_version="qemu-xen")
>> and `traditional' qemu (device_model_version="qemu-xen-traditional")
>> are vulnerable.
>>
>> MITIGATION
>> ==========
>>
>> Running only PV guests will avoid the issue.
>>
>> Running HVM guests with the device model in a stubdomain will mitigate
>> the issue.
>>
>> Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
>> in the xl domain configuration) will avoid the vulnerability.
>>
>> CREDITS
>> =======
>>
>> This issue was discovered by Gerd Hoffmann of Red Hat.
>>
>> RESOLUTION
>> ==========
>>
>> Applying the appropriate attached patch resolves this issue.
>>
>> xsa209-qemuu.patch       qemu-xen, qemu upstream
>> (no backport yet)        qemu-xen-traditional
> 
> It would be nice to mention that (at least on QEMU shipped with 4.7) the
> following patch is also needed for the XSA-209 fix to build correctly:
> 
> 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84
> display: cirrus: ignore source pitch value as needed in blit_is_unsafe

I did request that an updated XSA be issued with this patch - as at the
moment, nobody will be able to apply the XSA only patch to any other
version of Xen.

-- 
Steven Haigh

Email: netwiz@....id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
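The advisory quoted above narrows the exposed population to x86 HVM guests that get the default "cirrus" emulated card and whose qemu runs in dom0; guests with stdvga, or with the device model in a stub domain, are out of scope or mitigated. The script below applies exactly those criteria to xl domain configuration files so an administrator can list which domains still need the patch. It is an added example, not code from the advisory, the Xen project or the thread participants. It assumes the xl.cfg option names `type=`/`builder=` (HVM selection) and `device_model_stubdomain_override=` (stubdom device model) in addition to the `stdvga=` and `vga=` options the advisory names; the sample configurations are constructed for the demonstration.

```python
import re

# Constructed sample xl domain configurations (not real deployments).
SAMPLE_CONFIGS = {
    "guest1.cfg": 'builder = "hvm"\nname = "guest1"\nmemory = 2048\n',
    "guest2.cfg": 'type = "hvm"\nname = "guest2"\nvga = "stdvga"\n',
    "guest3.cfg": 'builder = "hvm"\nname = "guest3"\nstdvga = 1\n',
    "guest4.cfg": 'builder = "hvm"\nname = "guest4"\n'
                  'device_model_stubdomain_override = 1\n',
    "guest5.cfg": 'name = "guest5"\nkernel = "/boot/vmlinuz"  # PV guest\n',
}

# key = value, where value is a double-quoted string, a single-quoted string,
# a bare integer, or anything else (lists, expressions) kept as raw text.
# A trailing "# comment" after the value is ignored.
_ASSIGN = re.compile(
    r'^\s*([A-Za-z_]\w*)\s*=\s*'
    r'(?:"([^"]*)"|\'([^\']*)\'|(-?\d+)\b|(\S.*?))\s*(?:#.*)?$'
)


def parse_xl_config(text):
    """Parse the simple key = value lines of an xl domain config into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:            # blank lines, comments, continuation lines
            continue
        key, dq, sq, num, raw = m.groups()
        if dq is not None:
            cfg[key] = dq
        elif sq is not None:
            cfg[key] = sq
        elif num is not None:
            cfg[key] = int(num)
        else:
            cfg[key] = raw
    return cfg


def is_hvm(cfg):
    # Newer xl uses type="hvm"; older configs use builder="hvm". Default is PV.
    return cfg.get("type") == "hvm" or cfg.get("builder") == "hvm"


def video_card(cfg):
    """Emulated video card an HVM guest receives under this config.

    'vga=' wins; the legacy 'stdvga=1' selects stdvga; otherwise the default
    is cirrus (the advisory calls stdvga the non-default card)."""
    if "vga" in cfg:
        return str(cfg["vga"])
    if cfg.get("stdvga") in (1, "1"):
        return "stdvga"
    return "cirrus"


def classify(cfg):
    """Map one domain config to its XSA-209 exposure per the advisory."""
    if not is_hvm(cfg):
        return "not-affected (PV guest)"
    card = video_card(cfg)
    if card != "cirrus":
        return "not-affected (%s video card)" % card
    # Assumed option name: device_model_stubdomain_override=1 moves qemu out of dom0.
    if cfg.get("device_model_stubdomain_override") in (1, "1"):
        return "mitigated (cirrus, but device model in a stub domain)"
    return "EXPOSED (HVM, cirrus video card, qemu in dom0)"


def audit(configs):
    """configs: {filename: config text} -> {filename: (domain name, status)}."""
    result = {}
    for fname, text in configs.items():
        cfg = parse_xl_config(text)
        result[fname] = (cfg.get("name", fname), classify(cfg))
    return result


if __name__ == "__main__":
    for fname, (name, status) in sorted(audit(SAMPLE_CONFIGS).items()):
        print("%-12s %-8s %s" % (fname, name, status))
```

To run it against a real host, replace `SAMPLE_CONFIGS` with the contents of the files under the xl configuration directory; the parser deliberately ignores multi-line list values, which do not affect the video-card or builder decision.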