Bug 582574 (CVE-2016-3710, CVE-2016-3712) - <app-emulation/xen-4.6.0-r11: QEMU - Banked access to VGA memory (VBE) uses inconsistent bounds checks - XSA-179 (CVE-2016-{3710,3712})
Summary: <app-emulation/xen-4.6.0-r11: QEMU - Banked access to VGA memory (VBE) uses i...
Status: RESOLVED FIXED
Alias: CVE-2016-3710, CVE-2016-3712
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2016-05-09 13:27 UTC by Yury German
Modified: 2016-11-12 12:10 UTC
Description Yury German Gentoo Infrastructure gentoo-dev 2016-05-09 13:27:34 UTC
Xen Security Advisory CVE-2016-3710,CVE-2016-3712 / XSA-179
                              version 4

 QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks

UPDATES IN VERSION 4
====================

Public release.  Also include CVE and description of both issues.
(All advisories sent have included patches for both issues, but only
the description and CVE for the first issue.)

ISSUE DESCRIPTION
=================

The Qemu VGA module allows banked access to video memory using the window
at 0xa00000 and supports different access modes with different
address calculations.  But an attacker can easily change access modes
after setting the bank register.  This is CVE-2016-3710.

The Qemu VGA module allows the guest to edit certain registers in 'vbe' and
'vga' modes, i.e. the guest could set certain 'VGA' registers while in
'VBE' mode.  This is CVE-2016-3712.


IMPACT
======

A privileged guest user could use CVE-2016-3710 to exceed the bank
address window and write beyond the said memory area, potentially
leading to arbitrary code execution with privileges of the Qemu
process.  If the system is not using stubdomains, this will be in
domain 0.

A privileged guest user could use CVE-2016-3712 to cause potential
integer overflow or OOB read access issues in Qemu, resulting in a DoS
of the guest itself.  More dangerous effects, such as data leakage or
code execution, are not known but cannot be ruled out.


VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "stdvga" emulated video card can exploit
the vulnerability.  The default "cirrus" emulated video card is not
vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to cirrus (stdvga=0, vga="cirrus",
in the xl domain configuration) will avoid the vulnerability.

CREDITS
=======

CVE-2016-3710 was discovered and reported by "Wei Xiao and Qinghao
Tang of 360 Marvel Team" of 360.cn Inc.

CVE-2016-3710 was discovered and reported by Zuozhi Fzz of Alibaba
Inc.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue for
systems using upstream-based versions of qemu.  Patch 0001 addresses
CVE-2016-3710, and patches 0002-0005 address CVE-2016-3712.
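A simplified C model of the banked-window translation the advisory describes, added here as an illustration and not QEMU's or Xen's own code; the window size, bank size, struct fields and the odd/even address formula are assumptions made for the example. It shows the consistent check the advisory title refers to: the final VRAM offset is validated once, after every mode-specific calculation, so a guest that changes access mode after setting the bank register cannot reach beyond the emulated video memory.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model of a banked VGA window (illustration only; not QEMU's
 * code). Sizes and field names are assumptions made for this example. */
#define WINDOW_MASK   0x1ffffu   /* 128 KiB legacy window (assumed) */
#define BANK_SIZE     0x10000u   /* 64 KiB bank reachable through it (assumed) */

enum map_mode { MAP_LINEAR, MAP_BANKED };

struct vga_model {
    uint32_t vram_size;   /* bytes of emulated VRAM */
    uint32_t bank_offset; /* set through the bank register, in bytes */
    enum map_mode mode;   /* guest-controlled, may change after bank is set */
    bool odd_even;        /* guest-controlled, changes the address formula */
};

/* Bank register write: a plausibility check at set time only. On its own
 * this is not enough, because the access mode can change afterwards. */
static bool vga_set_bank(struct vga_model *s, uint32_t bank)
{
    uint32_t off = bank * BANK_SIZE;
    if (off >= s->vram_size)
        return false;          /* reject obviously bad banks */
    s->bank_offset = off;
    return true;
}

/* Translate a window-relative address to a VRAM offset. Returns false when
 * the access must be ignored. The decisive check is the last one: it is
 * applied to the final offset, after every mode-specific calculation, so a
 * mode change made after setting the bank register cannot escape it. */
static bool vga_translate(const struct vga_model *s, uint32_t addr, uint32_t *out)
{
    addr &= WINDOW_MASK;
    if (s->mode == MAP_BANKED) {
        if (addr >= BANK_SIZE)
            return false;      /* outside the 64 KiB bank window */
        addr += s->bank_offset;
    }
    if (s->odd_even)           /* odd/even mapping doubles the offset */
        addr = ((addr & ~1u) << 1) | (addr & 1u);
    if (addr >= s->vram_size)  /* consistent bound on the final offset */
        return false;
    *out = addr;
    return true;
}
```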
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2016-05-15 03:20:10 UTC
commit e5ca69ac07d1c39986ca44a5b6bbb000ab4a5485
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sun May 15 10:34:11 2016 +0800

    app-emulation/xen-tools: rebumps: xen-tools-4.6.0-r11 xen-tools-4.6.0-r10
    
    consequent to the security bug re patches of xsa-179 affecting qemuu
    
    Gentoo-bug: #582574


commit 1d94ce81453c50c2f529142f35b2c1069c3be749

    app-emulation/xen: rm old vns. 4.5.2
    
    Package-Manager: portage-2.2.28

commit d32c9b7af8b67f50cb15abfb958a6759339fe31e

    app-emulation/xen-pvgrub: rm old vn. 4.5.2
    
commit 9bf842c2e0b974678536ce5c578b847386fd739d

    app-emulation/xen-tools: rm old vns. 4.5.2


To my observation the recent reqs for stabilisation of xen in any arch have not yet been actioned. The arches required from these additions will match the prior requests.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-12 12:10:30 UTC
GLSA Vote: No