Xen Security Advisory CVE-2016-3710,CVE-2016-3712 / XSA-179 version 4 QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks UPDATES IN VERSION 4 ==================== Public release. Also include CVE and description of both issues. (All advisories sent have included patches for both issues, but only the description and CVE for the first issue.) ISSUE DESCRIPTION ================= Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations. But an attacker can easily change access modes after setting the bank register. This is CVE-2016-3710. Qemu VGA module allows guest to edit certain registers in 'vbe' and 'vga' modes. ie. guest could set certain 'VGA' registers while in 'VBE' mode. This is CVE-2016-3712. IMPACT ====== A privileged guest user could use CVE-2016-3710 to exceed the bank address window and write beyond the said memory area, potentially leading to arbitrary code execution with privileges of the Qemu process. If the system is not using stubdomains, this will be in domain 0. A privileged guest user could use CVE-2016-3712 to cause potential integer overflow or OOB read access issues in Qemu, resulting in a DoS of the guest itself. More dangerous effect, such as data leakage or code execution, are not known but cannot be ruled out. VULNERABLE SYSTEMS ================== Versions of qemu shipped with all Xen versions are vulnerable. Xen systems running on x86 with HVM guests, with the qemu process running in dom0 are vulnerable. Only guests provided with the "stdvga" emulated video card can exploit the vulnerability. The default "cirrus" emulated video card is not vulnerable. (With xl the emulated video card is controlled by the "stdvga=" and "vga=" domain configuration options.) ARM systems are not vulnerable. Systems using only PV guests are not vulnerable. For VMs whose qemu process is running in a stub domain, a successful attacker will only gain the privileges of that stubdom, which should be only over the guest itself. Both upstream-based versions of qemu (device_model_version="qemu-xen") and `traditional' qemu (device_model_version="qemu-xen-traditional") are vulnerable. MITIGATION ========== Running only PV guests will avoid the issue. Running HVM guests with the device model in a stubdomain will mitigate the issue. Changing the video card emulation to cirrus (stdvga=0, vga="cirrus", in the xl domain configuraton) will avoid the vulnerability. CREDITS ======= CVE-2016-3710 was discovered and reported by "Wei Xiao and Qinghao Tang of 360 Marvel Team" of 360.cn Inc. CVE-2016-3710 was discovered and reported by Zuozhi Fzz of Alibaba Inc. RESOLUTION ========== Applying the appropriate attached patch resolves this issue for systems using upstream-based versions of qemu. Patch 0001 addresses CVE-2016-3710, and patches 0002-0005 address CVE-2016-3712.
commit e5ca69ac07d1c39986ca44a5b6bbb000ab4a5485 Author: Ian Delaney <idella4@gentoo.org> Date: Sun May 15 10:34:11 2016 +0800 app-emulation/xen-tools: rebumps: xen-tools-4.6.0-r11 xen-tools-4.6.0-r10 consequent to the security bug re patches of xsa-179 affecting qemuu Gentoo-bug: #582574 commit 1d94ce81453c50c2f529142f35b2c1069c3be749 app-emulation/xen: rm old vns. 4.5.2 Package-Manager: portage-2.2.28 commit d32c9b7af8b67f50cb15abfb958a6759339fe31e app-emulation/xen-pvgrub: rm old vn. 4.5.2 commit 9bf842c2e0b974678536ce5c578b847386fd739d app-emulation/xen-tools: rm old vns. 4.5.2 To my observation the recent reqs to for stabilisation of xen in any arch have not yet been actioned. The arches required from these additions will match the prior requests.
GLSA Vote: No