Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170223094353.hrdgcxjsqdoy3v5l@dhcp-3-221.uk.xensource.com>
Date: Thu, 23 Feb 2017 09:43:53 +0000
From: Roger Pau Monné <roger.pau@...rix.com>
To: Xen.org security team <security@....org>
CC: <xen-announce@...ts.xen.org>, <xen-devel@...ts.xen.org>,
	<xen-users@...ts.xen.org>, <oss-security@...ts.openwall.com>
Subject: Re: [Xen-devel] Xen Security Advisory 209 (CVE-2017-2620) -
 cirrus_bitblt_cputovideo does not check if memory region is safe

On Tue, Feb 21, 2017 at 12:00:03PM +0000, Xen.org security team wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>             Xen Security Advisory CVE-2017-2620 / XSA-209
>                               version 3
> 
>    cirrus_bitblt_cputovideo does not check if memory region is safe
> 
> UPDATES IN VERSION 3
> ====================
> 
> Public release.
> 
> ISSUE DESCRIPTION
> =================
> 
> In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
> cirrus_bitblt_cputovideo fails to check wethehr the specified memory
> region is safe.
> 
> IMPACT
> ======
> 
> A malicious guest administrator can cause an out of bounds memory
> write, very likely exploitable as a privilege escalation.
> 
> VULNERABLE SYSTEMS
> ==================
> 
> Versions of qemu shipped with all Xen versions are vulnerable.
> 
> Xen systems running on x86 with HVM guests, with the qemu process
> running in dom0 are vulnerable.
> 
> Only guests provided with the "cirrus" emulated video card can exploit
> the vulnerability.  The non-default "stdvga" emulated video card is
> not vulnerable.  (With xl the emulated video card is controlled by the
> "stdvga=" and "vga=" domain configuration options.)
> 
> ARM systems are not vulnerable.  Systems using only PV guests are not
> vulnerable.
> 
> For VMs whose qemu process is running in a stub domain, a successful
> attacker will only gain the privileges of that stubdom, which should
> be only over the guest itself.
> 
> Both upstream-based versions of qemu (device_model_version="qemu-xen")
> and `traditional' qemu (device_model_version="qemu-xen-traditional")
> are vulnerable.
> 
> MITIGATION
> ==========
> 
> Running only PV guests will avoid the issue.
> 
> Running HVM guests with the device model in a stubdomain will mitigate
> the issue.
> 
> Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
> in the xl domain configuration) will avoid the vulnerability.
> 
> CREDITS
> =======
> 
> This issue was discovered by Gerd Hoffmann of Red Hat.
> 
> RESOLUTION
> ==========
> 
> Applying the appropriate attached patch resolves this issue.
> 
> xsa209-qemuu.patch       qemu-xen, qemu upstream
> (no backport yet)        qemu-xen-traditional

It would be nice to mention that (at least on QEMU shipped with 4.7) the
following patch is also needed for the XSA-209 fix to build correctly:

52b7f43c8fa185ab856bcaacda7abc9a6fc07f84
display: cirrus: ignore source pitch value as needed in blit_is_unsafe

Roger.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.