Date: Thu, 23 Feb 2017 20:59:12 +1100
From: Steven Haigh <netwiz@....id.au>
To: Roger Pau Monné <roger.pau@...rix.com>,
 "Xen.org security team" <security@....org>
Cc: xen-users@...ts.xen.org, xen-announce@...ts.xen.org,
 oss-security@...ts.openwall.com, xen-devel@...ts.xen.org
Subject: Re: Xen Security Advisory 209 (CVE-2017-2620) -
 cirrus_bitblt_cputovideo does not check if memory region is safe

On 23/02/17 20:43, Roger Pau Monné wrote:
> On Tue, Feb 21, 2017 at 12:00:03PM +0000, Xen.org security team wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>             Xen Security Advisory CVE-2017-2620 / XSA-209
>>                               version 3
>>
>>    cirrus_bitblt_cputovideo does not check if memory region is safe
>>
>> UPDATES IN VERSION 3
>> ====================
>>
>> Public release.
>>
>> ISSUE DESCRIPTION
>> =================
>>
>> In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
>> cirrus_bitblt_cputovideo fails to check whether the specified memory
>> region is safe.
>>
>> IMPACT
>> ======
>>
>> A malicious guest administrator can cause an out of bounds memory
>> write, very likely exploitable as a privilege escalation.
>>
>> VULNERABLE SYSTEMS
>> ==================
>>
>> Versions of qemu shipped with all Xen versions are vulnerable.
>>
>> Xen systems running on x86 with HVM guests, with the qemu process
>> running in dom0 are vulnerable.
>>
>> Only guests provided with the "cirrus" emulated video card can exploit
>> the vulnerability.  The non-default "stdvga" emulated video card is
>> not vulnerable.  (With xl the emulated video card is controlled by the
>> "stdvga=" and "vga=" domain configuration options.)
>>
>> ARM systems are not vulnerable.  Systems using only PV guests are not
>> vulnerable.
>>
>> For VMs whose qemu process is running in a stub domain, a successful
>> attacker will only gain the privileges of that stubdom, which should
>> be only over the guest itself.
>>
>> Both upstream-based versions of qemu (device_model_version="qemu-xen")
>> and `traditional' qemu (device_model_version="qemu-xen-traditional")
>> are vulnerable.
>>
>> MITIGATION
>> ==========
>>
>> Running only PV guests will avoid the issue.
>>
>> Running HVM guests with the device model in a stubdomain will mitigate
>> the issue.
>>
>> Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
>> in the xl domain configuration) will avoid the vulnerability.
>>
>> CREDITS
>> =======
>>
>> This issue was discovered by Gerd Hoffmann of Red Hat.
>>
>> RESOLUTION
>> ==========
>>
>> Applying the appropriate attached patch resolves this issue.
>>
>> xsa209-qemuu.patch       qemu-xen, qemu upstream
>> (no backport yet)        qemu-xen-traditional
> 
> It would be nice to mention that (at least on QEMU shipped with 4.7) the
> following patch is also needed for the XSA-209 fix to build correctly:
> 
> 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84
> display: cirrus: ignore source pitch value as needed in blit_is_unsafe

I did request that an updated XSA be issued with this patch - as at the
moment, nobody will be able to apply the XSA only patch to any other
version of Xen.

-- 
Steven Haigh

Email: netwiz@....id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
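As an added example (not part of this thread, the advisory, or the Xen project's own tooling), the POSIX shell script below audits xl domain configuration files against the exposure conditions the advisory states: x86 HVM guest, the default "cirrus" emulated video card, and the device model running in dom0 rather than a stub domain. It reads the real xl.cfg keys builder= (and its newer spelling type=), vga=, the deprecated stdvga= alias, and device_model_stubdomain_override=; the four sample configs it writes are constructed for the demonstration and do not describe any real host.

```shell
#!/bin/sh
# Added example, not from the advisory or from Xen: classify xl domain configs
# by exposure to XSA-209 (CVE-2017-2620). Assumptions: the xl.cfg keys
# builder/type, vga, stdvga and device_model_stubdomain_override; the sample
# configs written by write_sample_configs are constructed for this demo.

# cfg_get FILE KEY: print the value of KEY with quotes and whitespace stripped,
# or nothing if the key is not set. Text after '#' is treated as a comment.
cfg_get() {
    awk -v key="$2" -v q="'" '
        { sub(/#.*/, "") }                          # drop trailing comments
        $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=/, "")                      # keep the right-hand side
            gsub(/[ \t"]/, ""); gsub(q, "")         # strip blanks and quotes
            val = $0                                # last assignment wins
        }
        END { print val }
    ' "$1"
}

# xsa209_status FILE: one of
#   not-hvm            PV guest, not affected by the advisory
#   mitigated-stdvga   HVM guest using the stdvga card (advisory MITIGATION)
#   mitigated-stubdom  device model in a stub domain; an attacker gains only
#                      that stubdom's privileges
#   check-manually     HVM guest with a vga= value this script does not know
#   exposed            HVM guest with the default cirrus card and qemu in dom0
xsa209_status() {
    f=$1
    builder=$(cfg_get "$f" builder)
    gtype=$(cfg_get "$f" type)          # newer xl spelling of builder=
    if [ "$builder" != "hvm" ] && [ "$gtype" != "hvm" ]; then
        echo not-hvm
        return 0
    fi
    vga=$(cfg_get "$f" vga)
    stdvga=$(cfg_get "$f" stdvga)       # stdvga=1 is the deprecated form of vga="stdvga"
    if [ "$vga" = "stdvga" ] || [ "$stdvga" = "1" ]; then
        echo mitigated-stdvga
        return 0
    fi
    if [ -n "$vga" ] && [ "$vga" != "cirrus" ]; then
        echo check-manually
        return 0
    fi
    if [ "$(cfg_get "$f" device_model_stubdomain_override)" = "1" ]; then
        echo mitigated-stubdom
        return 0
    fi
    echo exposed
}

# xsa209_report DIR: print "name: status" for every *.cfg in DIR.
xsa209_report() {
    for cfg in "$1"/*.cfg; do
        printf '%s: %s\n' "$(cfg_get "$cfg" name)" "$(xsa209_status "$cfg")"
    done
}

# write_sample_configs DIR: constructed sample configs covering each outcome.
write_sample_configs() {
    d=$1
    cat >"$d/hvm-default.cfg" <<'EOF'
name = "hvm-default"
builder = "hvm"   # constructed sample: default video card, qemu in dom0
memory = 1024
EOF
    cat >"$d/hvm-stdvga.cfg" <<'EOF'
name = "hvm-stdvga"
builder = "hvm"
vga = "stdvga"
EOF
    cat >"$d/hvm-stubdom.cfg" <<'EOF'
name = "hvm-stubdom"
type = "hvm"
device_model_stubdomain_override = 1
EOF
    cat >"$d/pv.cfg" <<'EOF'
name = "pv"
kernel = "/boot/vmlinuz"
EOF
}

# Stand-alone run: classify the constructed samples, then clean up.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
xsa209_report "$demo_dir"
rm -rf "$demo_dir"
```

Pointing xsa209_report at the host's real configuration directory (for example the directory xl configs are kept in on that host) lists which HVM guests still rely on the default cirrus card in a dom0 device model and therefore need either the patch or one of the advisory's configuration mitigations. A "check-manually" result means the config sets a vga= value the advisory does not discuss, so the script deliberately does not decide for it.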