Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 609160 (XSA-208) - <app-emulation/xen-tools-4.7.1-r6: qemu: display: cirrus: oob access while doing bitblt copy backward mode (CVE-2017-2615)
Summary: <app-emulation/xen-tools-4.7.1-r6: qemu: display: cirrus: oob access while do...
Status: RESOLVED FIXED
Alias: XSA-208
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://xenbits.xen.org/xsa/advisory-...
Whiteboard: B2 [glsa cve cleanup]
Keywords:
Depends on:
Blocks: CVE-2017-2615
  Show dependency tree
 
Reported: 2017-02-12 18:36 UTC by Thomas Deutschmann
Modified: 2017-02-21 00:18 UTC (History)
1 user (show)

See Also:
Package list:
=app-emulation/xen-4.7.1-r5 amd64 =app-emulation/xen-tools-4.7.1-r6 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-12 18:36:40 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2615 / XSA-208

                   oob access in cirrus bitblt copy

ISSUE DESCRIPTION
=================

When doing bitblt copy backwards, qemu should negate the blit width.
This avoids an oob access before the start of video memory.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
access, possibly leading to information disclosure or privilege
escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa208-qemuu.patch    qemu-xen, mainline qemu
xsa208-qemut.patch    qemu-xen-traditional

$ sha256sum xsa208*
4369cce9b72daf2418a1b9dd7be6529c312b447b814c44d634bab462e80a15f5  xsa208-qemut.patch
1e516e3df1091415b6ba34aaf54fa67eac91e22daceaad569b11baa2316c78ba  xsa208-qemuu.patch
$


NOTE REGARDING LACK OF EMBARGO
==============================

This issue has already been publicly disclosed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYnbVQAAoJEIP+FMlX6CvZs2sIAKtkU1ptqojrE6GpgdMegdIS
hMcCcEVdDoYt47z9BxXcNA87kyjGLbIaliACF3GQclhBy8f6Ytm6MLQMvh79YO/l
8AvZELKSo5U/Z1El/HQ/ezzWTV15FHwdG64HvDf7SdlRquVyS0fxWLuiq8gmWXRd
bpGcbAwwdRHvrvguMpajif89ZfTWPSHRq8onS1C96SBJW8aUXxzzyKWoX1EvNWN3
vnKC5eXQ5uhLERmh6meIZo2OwB7PlMTuasgVJan915/CGF8CS+B5wqQmiL0uxfRT
fnTBVTfXHC/TzkkREJtnwgHIEv/E+Vygheeg/2P9bEaNkiN3CG5kK/ZOxgWNYU4=
=eEKh
-----END PGP SIGNATURE-----
Comment 1 Yixun Lan archtester gentoo-dev 2017-02-16 09:23:40 UTC
commit 3e4e51017be9fb21ac2f84cd162c290d2cdfd28b
Author: Yixun Lan <dlan@gentoo.org>
Date:   Wed Feb 15 15:52:25 2017 +0800

    app-emulation/xen-tools: fix XSA-208

    XSA-208: oob access in cirrus bitblt copy

    Gentoo-Bug: 609160

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

:100644 100644 8a27775919... 4fe2216e04... M    app-emulation/xen-tools/Manifest
:000000 100644 0000000000... 20cf1af534... A    app-emulation/xen-tools/xen-tools-4.7.1-r6.ebuild
:000000 100644 0000000000... 78c2c2e6f3... A    app-emulation/xen-tools/xen-tools-4.8.0-r2.ebuild
Comment 2 Yixun Lan archtester gentoo-dev 2017-02-16 09:28:58 UTC
Arches, please test and mark stable:
=app-emulation/xen-4.7.1-r5
Target keyword only: "amd64" 

=app-emulation/xen-tools-4.7.1-r6
Target keywords: "amd64 x86" 

(note: I've also combined the stablereq of bug 607840 here - affect app-emulation/xen)
Comment 3 Agostino Sarubbo gentoo-dev 2017-02-16 17:16:32 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-02-16 17:27:07 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-16 17:54:09 UTC
New GLSA request filed.

@ Maintainer(s): Please cleanup and drop <app-emulation/xen-4.7.1-r5 and <app-emulation/xen-tools-4.7.1-r6!
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:18:55 UTC
This issue was resolved and addressed in
 GLSA 201702-27 at https://security.gentoo.org/glsa/201702-27
by GLSA coordinator Thomas Deutschmann (whissi).