Bug 566838 (CVE-2015-7504) - <app-emulation/xen-tools-{4.5.2-r1,4.6.0-r3}: heap buffer overflow vulnerability in pcnet emulator XSA-162 (CVE-2015-7504)
Status: RESOLVED FIXED
Alias: CVE-2015-7504
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2015-11-25 17:30 UTC by Yury German
Modified: 2016-04-05 07:01 UTC
Description Yury German Gentoo Infrastructure gentoo-dev 2015-11-25 17:30:57 UTC
Xen Security Advisory CVE-2015-7504 / XSA-162

         heap buffer overflow vulnerability in pcnet emulator

              *** EMBARGOED UNTIL 2015-11-30 06:00 UTC ***

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

    The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving
    packets in loopback mode, appends CRC code to the receive
    buffer. If the data size given is the same as the buffer size (4096),
    the appended CRC code overwrites 4 bytes after the s->buffer,
    making the adjacent 's->irq' object point to a new location.

IMPACT
======

A guest which has access to an emulated PCNET network device
(e.g. with "model=pcnet" in their VIF configuration) can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured to use the PCNET emulated driver model are
vulnerable.

The default configuration is NOT vulnerable (because it does not
emulate PCNET NICs).

Systems running only PV guests are NOT vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device_model_stubdomain_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional "qemu-xen" and upstream qemu device models are
potentially vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated network devices altogether, by specifying
a PV-only VIF in the domain configuration file, will avoid this
issue.

Avoiding the use of the PCNET device in favour of other emulations
will also avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen"
version.

RESOLUTION
==========

The QEMU security team have supplied the attached xsa162-qemuu.patch
which it is believed will resolve the issue. However this patch has
not undergone the usual reviews and has not yet been accepted by QEMU
upstream.

The backports were created by the Xen Project security team on the same
basis.

xsa162-qemuu.patch           qemu upstream, Xen unstable, 4.6.x, 4.5.x, 4.4.x
xsa162-qemuu-4.3.patch       Xen 4.3.x
xsa162-qemut-4.3.patch       qemu-xen-traditional, Xen unstable, 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa162*
d823155dcc1f93098a54f295a488eb2e3d5636f00f9b229eafc7536311f8065c  xsa162-qemut.patch
90d9f0aa2c813fcb116095545f2b8e7b4240d65d5038e655ee1f184d6160493c  xsa162-qemuu.patch
7b423994e86cddd90dd53026e1e95b713580dbc12ef7f18d1bb73a2e165ad4b8  xsa162-qemuu-4.3.patch
$


CREDITS
=======

This issue was discovered by the Qihoo 360 Marvel Team.
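The VULNERABLE SYSTEMS and MITIGATION sections above reduce to a check on an xl domain configuration: an HVM guest is exposed only if it has a vif with model=pcnet and no qemu-dm stubdomain. The following is an added example, not code from the advisory, Xen or Gentoo, that applies those rules to an xl config; it assumes the xl config syntax of `key = value` with Python-style literals, `builder`/`type = "hvm"` marking an HVM guest, and `model=`/`type=` options inside each vif spec.

```python
import ast
import re

# Constructed sample xl domain configuration (not from the bug page):
# an HVM guest with one emulated PC-Net NIC, one PV NIC and no stubdomain.
SAMPLE_CFG = '''
builder = "hvm"
name = "test-hvm"
memory = 1024
vif = [ 'model=pcnet,bridge=xenbr0', 'type=vif,bridge=xenbr0' ]
'''

def parse_xl_config(text):
    """Parse 'key = value' lines of an xl config; values are Python-style literals."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if m:
            try:
                cfg[m.group(1)] = ast.literal_eval(m.group(2))
            except (ValueError, SyntaxError):
                cfg[m.group(1)] = m.group(2)     # keep raw text if not a literal
    return cfg

def vif_options(spec):
    """Split a 'k=v,k=v' vif spec into a dict (assumed xl vif syntax)."""
    return dict(item.split("=", 1) for item in spec.split(",") if "=" in item)

def assess_xsa162(text):
    """Classify a domain's exposure using the advisory's VULNERABLE SYSTEMS rules."""
    cfg = parse_xl_config(text)
    is_hvm = cfg.get("builder") == "hvm" or cfg.get("type") == "hvm"
    if not is_hvm:
        return "not vulnerable: PV guest"
    if str(cfg.get("device_model_stubdomain_override", 0)) == "1":
        return "mitigated: qemu-dm stubdomain limits the escalation"
    vifs = cfg.get("vif", [])
    if isinstance(vifs, str):
        vifs = [vifs]
    pcnet = [v for v in vifs if vif_options(v).get("model") == "pcnet"]
    if pcnet:
        return "vulnerable: HVM guest with model=pcnet vif(s): " + "; ".join(pcnet)
    return "not vulnerable: no pcnet emulated NIC"

if __name__ == "__main__":
    print(assess_xsa162(SAMPLE_CFG))
```

Run it over each file in /etc/xen to list the domains that need the vif model changed or the stubdomain override set.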
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2015-11-25 17:34:34 UTC
Patches have been sent to the developer as per agreement with the xen maintainers.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-30 10:59:58 UTC
UPDATES IN VERSION 2
====================

Public release.

Correct cut and paste reference to bootloaders in "DEPLOYMENT DURING
EMBARGO" section, which should have instead referred to the
configuration changes.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2015-11-30 16:02:36 UTC
commit 67f629f0a52e81af499dc1cb5ed4a9dc79af791e
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Dec 1 00:00:33 2015 +0800

    app-emulation/xen-tools: revbumps vns. 4.5.2-r1, 4.6.0-r3
    
    security patches (2) added from XSA-162, initially set as embargoed
    security patches, publicly released today wrt the gentoo bug
    
    Gentoo bug: #566838
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-01 09:38:48 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-12-02 01:19:56 UTC
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2015-12-03 14:05:33 UTC
Actually this pair of patches pertain only to xen-tools, not to package xen.
Patches added to xen-tools-4.5.2-r1.ebuild & xen-tools-4.6.0-r3.ebuild making
xen-tools-4.5.2.ebuild, xen-tools-4.6.0-r2.ebuild the vulnerable versions.

commit 2e385225eec30f5fbb7703c01cd862653e07143d
Author: Ian Delaney <idella4@gentoo.org>
Date:   Thu Dec 3 21:53:32 2015 +0800

    app-emulation/xen-tools: clean vulnerable versions wrt security bug #566838
    
    Gentoo bug: #566838
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-12-08 00:10:38 UTC
Arches and Maintainer(s), thank you for your work.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-04-05 07:01:38 UTC
This issue was resolved and addressed in
 GLSA 201604-03 at https://security.gentoo.org/glsa/201604-03
by GLSA coordinator Yury German (BlueKnight).