[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: [Xen-devel] Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo 
From:       Roger Pau =?iso-8859-1?Q?Monn=E9?= <roger.pau () citrix ! com>
Date:       2017-02-23 9:43:53
Message-ID: 20170223094353.hrdgcxjsqdoy3v5l () dhcp-3-221 ! uk ! xensource ! com
[Download RAW message or body]

On Tue, Feb 21, 2017 at 12:00:03PM +0000, Xen.org security team wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>             Xen Security Advisory CVE-2017-2620 / XSA-209
>                               version 3
> 
>    cirrus_bitblt_cputovideo does not check if memory region is safe
> 
> UPDATES IN VERSION 3
> ====================
> 
> Public release.
> 
> ISSUE DESCRIPTION
> =================
> 
> In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
> cirrus_bitblt_cputovideo fails to check wethehr the specified memory
> region is safe.
> 
> IMPACT
> ======
> 
> A malicious guest administrator can cause an out of bounds memory
> write, very likely exploitable as a privilege escalation.
> 
> VULNERABLE SYSTEMS
> ==================
> 
> Versions of qemu shipped with all Xen versions are vulnerable.
> 
> Xen systems running on x86 with HVM guests, with the qemu process
> running in dom0 are vulnerable.
> 
> Only guests provided with the "cirrus" emulated video card can exploit
> the vulnerability.  The non-default "stdvga" emulated video card is
> not vulnerable.  (With xl the emulated video card is controlled by the
> "stdvga=" and "vga=" domain configuration options.)
> 
> ARM systems are not vulnerable.  Systems using only PV guests are not
> vulnerable.
> 
> For VMs whose qemu process is running in a stub domain, a successful
> attacker will only gain the privileges of that stubdom, which should
> be only over the guest itself.
> 
> Both upstream-based versions of qemu (device_model_version="qemu-xen")
> and `traditional' qemu (device_model_version="qemu-xen-traditional")
> are vulnerable.
> 
> MITIGATION
> ==========
> 
> Running only PV guests will avoid the issue.
> 
> Running HVM guests with the device model in a stubdomain will mitigate
> the issue.
> 
> Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
> in the xl domain configuration) will avoid the vulnerability.
> 
> CREDITS
> =======
> 
> This issue was discovered by Gerd Hoffmann of Red Hat.
> 
> RESOLUTION
> ==========
> 
> Applying the appropriate attached patch resolves this issue.
> 
> xsa209-qemuu.patch       qemu-xen, qemu upstream
> (no backport yet)        qemu-xen-traditional

It would be nice to mention that (at least on QEMU shipped with 4.7) the
following patch is also needed for the XSA-209 fix to build correctly:

52b7f43c8fa185ab856bcaacda7abc9a6fc07f84
display: cirrus: ignore source pitch value as needed in blit_is_unsafe

Roger.
[prev in list] [next in list] [prev in thread] [next in thread]