Date: Thu, 23 Feb 2017 20:59:12 +1100 From: Steven Haigh <netwiz@....id.au> To: Roger Pau Monné <roger.pau@...rix.com>, "Xen.org security team" <security@....org> Cc: xen-users@...ts.xen.org, xen-announce@...ts.xen.org, oss-security@...ts.openwall.com, xen-devel@...ts.xen.org Subject: Re: Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe On 23/02/17 20:43, Roger Pau Monné wrote: > On Tue, Feb 21, 2017 at 12:00:03PM +0000, Xen.org security team wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Xen Security Advisory CVE-2017-2620 / XSA-209 >> version 3 >> >> cirrus_bitblt_cputovideo does not check if memory region is safe >> >> UPDATES IN VERSION 3 >> ==================== >> >> Public release. >> >> ISSUE DESCRIPTION >> ================= >> >> In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine >> cirrus_bitblt_cputovideo fails to check wethehr the specified memory >> region is safe. >> >> IMPACT >> ====== >> >> A malicious guest administrator can cause an out of bounds memory >> write, very likely exploitable as a privilege escalation. >> >> VULNERABLE SYSTEMS >> ================== >> >> Versions of qemu shipped with all Xen versions are vulnerable. >> >> Xen systems running on x86 with HVM guests, with the qemu process >> running in dom0 are vulnerable. >> >> Only guests provided with the "cirrus" emulated video card can exploit >> the vulnerability. The non-default "stdvga" emulated video card is >> not vulnerable. (With xl the emulated video card is controlled by the >> "stdvga=" and "vga=" domain configuration options.) >> >> ARM systems are not vulnerable. Systems using only PV guests are not >> vulnerable. >> >> For VMs whose qemu process is running in a stub domain, a successful >> attacker will only gain the privileges of that stubdom, which should >> be only over the guest itself. >> >> Both upstream-based versions of qemu (device_model_version="qemu-xen") >> and `traditional' qemu (device_model_version="qemu-xen-traditional") >> are vulnerable. >> >> MITIGATION >> ========== >> >> Running only PV guests will avoid the issue. >> >> Running HVM guests with the device model in a stubdomain will mitigate >> the issue. >> >> Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", >> in the xl domain configuration) will avoid the vulnerability. >> >> CREDITS >> ======= >> >> This issue was discovered by Gerd Hoffmann of Red Hat. >> >> RESOLUTION >> ========== >> >> Applying the appropriate attached patch resolves this issue. >> >> xsa209-qemuu.patch qemu-xen, qemu upstream >> (no backport yet) qemu-xen-traditional > > It would be nice to mention that (at least on QEMU shipped with 4.7) the > following patch is also needed for the XSA-209 fix to build correctly: > > 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 > display: cirrus: ignore source pitch value as needed in blit_is_unsafe I did request that an updated XSA be issued with this patch - as at the moment, nobody will be able to apply the XSA only patch to any other version of Xen. -- Steven Haigh Email: netwiz@....id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ