Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 609120 (XSA-209) - <app-emulation/xen-tools-4.7.1-r8: qemu: display: cirrus_bitblt_cputovideo does not check if memory region is safe (XSA-209,CVE-2017-2620)
Summary: <app-emulation/xen-tools-4.7.1-r8: qemu: display: cirrus_bitblt_cputovideo do...
Status: RESOLVED FIXED
Alias: XSA-209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://xenbits.xen.org/xsa/advisory-...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-2620
  Show dependency tree
 
Reported: 2017-02-12 15:26 UTC by Thomas Deutschmann
Modified: 2017-03-28 03:22 UTC (History)
3 users (show)

See Also:
Package list:
=app-emulation/xen-tools-4.7.1-r8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev 2017-02-12 15:26:31 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2620 / XSA-209
                              version 2

   cirrus_bitblt_cputovideo does not check if memory region is safe

              *** EMBARGOED UNTIL 2017-02-21 12:00 UTC ***

UPDATES IN VERSION 2
====================

Patch xsa209-qemut.patch updated so that it builds.

ISSUE DESCRIPTION
=================

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check wethehr the specified memory
region is safe.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
write, very likely exploitable as a privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa209-qemuu.patch       qemu-xen, qemu upstream
(no backport yet)        qemu-xen-traditional

$ sha256sum xsa209*
324d392fe8d840b4314537ddc68ab51042a918dde4a3fc26166923856eb47776  xsa209-qemut.patch
011f4a21fdfb40a7189351a0d7348024e5e1f4b5af59ca1cd19aa88dcc9033e9  xsa209-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the "stdvga" mitigation (changing the video
card emulation to stdvga) is NOT permitted (except where all the
affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except
to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYnhTOAAoJEIP+FMlX6CvZ2M4IAI7mA1fU/WM8Phl20HkiWtGX
1I2NiH5G4H1iYeeqpvK+blOta1fosfENgOSJsPJoX827TxyHj+2WoRb2ssGNu4zq
gZ8JV77FKpfW6lOvR+LOeNCmpSAKf03mt+WZ1dD3kdUVQqe80Q085e2axdSyERoK
obX3Deiv4gGbmmWfhHVCh3At0L7FtCrzx7iiyyl0IWVJ2oVnBTNXooIjmXQ7kk8O
dOH6e2U6Y8XIjvdb8As1H8ULX4NUYz1gWAo+4OuQLGmkRw1dX+SH8pkLJP+8NdzM
5+WY9+W4RQOd4K0LfURRCUZHYra1BwFTvSX6GmPtgjvCtBKgF803PK58aZby2fg=
=TqX1
-----END PGP SIGNATURE-----
Comment 1 Thomas Deutschmann gentoo-dev 2017-02-13 02:25:19 UTC
Freeing alias for tracker usage.
Comment 2 Thomas Deutschmann gentoo-dev 2017-02-21 12:02:35 UTC
$URL is now public.

@ Maintainer(s): Please proceed!
Comment 3 Yixun Lan archtester gentoo-dev 2017-02-22 09:12:19 UTC
commit 68032806896565d2cdc7338c02092c2ee1a5fc3b
Author: Yixun Lan <dlan@gentoo.org>
Date:   Wed Feb 22 17:07:11 2017 +0800

    app-emulation/xen-tools: fix XSA-209

    cirrus_bitblt_cputovideo does not check if memory region is safe

    Gentoo-Bug: 609120

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

:100644 100644 6a15a234a9... a907077345... M    app-emulation/xen-tools/Manifest
:000000 100644 0000000000... 726e0e7094... A    app-emulation/xen-tools/xen-tools-4.7.1-r7.ebuild
:000000 100644 0000000000... f87e05ba01... A    app-emulation/xen-tools/xen-tools-4.8.0-r3.ebuild
Comment 4 Yixun Lan archtester gentoo-dev 2017-02-22 09:13:24 UTC
Arches, please test and mark stable:

=app-emulation/xen-tools-4.7.1-r7
Target keywords: "amd64 x86"
Comment 5 Yixun Lan archtester gentoo-dev 2017-02-23 04:13:29 UTC
(In reply to Yixun Lan from comment #4)
> Arches, please test and mark stable:
> 
> =app-emulation/xen-tools-4.7.1-r7
> Target keywords: "amd64 x86"

had problem with  4.7.1-r7, the XSA-209 qemuu.patch actually depend on previous one patch, so also pull in..

please stable:
 =app-emulation/xen-tools-4.7.1-r8
Target keywords: "amd64 x86"
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-23 15:55:48 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-23 16:31:06 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2017-02-24 02:21:28 UTC
Arches and Maintainer(s). Thank you for your work.
New GLSA Request filed.
Maintainer(s), please drop the vulnerable version(s).
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-03-28 03:22:25 UTC
This issue was resolved and addressed in
 GLSA 201703-07 at https://security.gentoo.org/glsa/201703-07
by GLSA coordinator Yury German (BlueKnight).