Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 615268 (CVE-2016-9603) - <app-emulation/xen-4.7.2: Cirrus VGA Heap overflow via display refresh (XSA-211)
Summary: <app-emulation/xen-4.7.2: Cirrus VGA Heap overflow via display refresh (XSA-211)
Status: RESOLVED FIXED
Alias: CVE-2016-9603
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-11 14:48 UTC by Yury German
Modified: 2017-08-08 00:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Yury German Gentoo Infrastructure gentoo-dev 2017-04-11 14:48:45 UTC
Xen Security Advisory CVE-2016-9603 / XSA-211

Cirrus VGA Heap overflow via display refresh

*** EMBARGOED UNTIL 2017-03-14 12:00 UTC ***

ISSUE DESCRIPTION
=================

When a graphics update command gets passed to the VGA emulator, there
are 3 possible modes that can be used to update the display:

* blank - Clears the display
* text - Treats the display as showing text
* graph - Treats the display as showing graphics

After the display geometry gets changed (i.e., after the CIRRUS VGA
emulation has resized the display), the VGA emulator will resize the
console during the next update command. However, when a blank mode is
also selected during an update, this resize doesn't happen. The resize
will be properly handled during the next time a non-blank mode is
selected during an update.

However, other console components - such as the VNC emulation - will
operate as though this resize had happened. When the display is
resized to be larger than before, this can result in a heap overflow
as console components will expect the display buffer to be larger than
it is currently allocated.

IMPACT
======

A privileged user within the guest VM can cause a heap overflow in the
device model process, potentially escalating their privileges to that
of the device model process.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only HVM guests with the Cirrus video card are vulnerable.  (The
Cirrus video card is the default.)  Both qemu-upstream and
qemu-traditional are vulnerable.

For HVM guests with the device model running in a stub domain, "the
privileges of the device model process" are identical to those of the
guest kernel.  But the ability of a userspace process to trigger this
vulnerability via legitimate commands to the kernel driver (thus
elevating its privileges to that of the guest kernel) cannot be ruled
out.

MITIGATION
==========

Running only PV guests, or running HVM guests with the stgvga driver,
will avoid this vulnerability.

Running HVM guests with stub domains will mitigate the vulnerability to
at most a guest kernel privilege escalation.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue (and any
further bitblit vulnerabilities) by disabling the bitblit
functionality from the Cirrus VGA device entirely.

No patches are available for qemu-traditional yet.

xsa211-qemuu.patch     qemu-upstream master
xsa211-qemuu-4.8.patch qemu-upstream 4.8
xsa211-qemuu-4.7.patch qemu-upstream 4.7
xsa211-qemuu-4.6.patch qemu-upstream 4.6 and 4.5
xsa211-qemuu-4.4.patch qemu-upstream 4.4
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-05-15 16:20:32 UTC
Is this fixed in? - app-emulation/{xen-4.7.2-r1,{xen-pvgrub,sen-tools}-4.7.2} as was stabilized in bug #615980?
Comment 2 Yixun Lan archtester gentoo-dev 2017-05-15 21:39:38 UTC
yes, it's fixed, see

commit 343bedece211625613f39fa431c25d914341317a
Author: Yixun Lan <dlan@gentoo.org>
Date:   Sun Apr 9 08:07:52 2017 +0800

    app-emulation/xen-tools: version bump & security fix
    
    1) bump 4.7.2
    2) fix XSA-206,211 in 4.7.2, 4.8.0-r5
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-08 00:16:46 UTC
GLSA Vote: No