Xen project Mailing List

Re: [Xen-devel] [Xen-users] Xen Security Advisory 208 (CVE-2017-2615) - oob access in cirrus bitblt copy

To: Xen.org security team <security@xxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Sat, 11 Feb 2017 08:49:54 +0000

Cc: xen-users@xxxxxxxxxxxxx, xen-announce@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx

Delivery-date: Sat, 11 Feb 2017 08:50:40 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Fri, Feb 10, 2017 at 12:43:17PM +0000, Xen.org security team wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Xen Security Advisory CVE-2017-2615 / XSA-208 > > oob access in cirrus bitblt copy > > ISSUE DESCRIPTION > ================= > > When doing bitblt copy backwards, qemu should negate the blit width. > This avoids an oob access before the start of video memory. > > IMPACT > ====== > > A malicious guest administrator can cause an out of bounds memory > access, possibly leading to information disclosure or privilege > escalation. > > VULNERABLE SYSTEMS > ================== > > Versions of qemu shipped with all Xen versions are vulnerable. > > Xen systems running on x86 with HVM guests, with the qemu process > running in dom0 are vulnerable. > > Only guests provided with the "cirrus" emulated video card can exploit > the vulnerability. The non-default "stdvga" emulated video card is > not vulnerable. (With xl the emulated video card is controlled by the > "stdvga=" and "vga=" domain configuration options.) > > ARM systems are not vulnerable. Systems using only PV guests are not > vulnerable. > > For VMs whose qemu process is running in a stub domain, a successful > attacker will only gain the privileges of that stubdom, which should > be only over the guest itself. > > Both upstream-based versions of qemu (device_model_version="qemu-xen") > and `traditional' qemu (device_model_version="qemu-xen-traditional") > are vulnerable. > > MITIGATION > ========== > > Running only PV guests will avoid the issue. > > Running HVM guests with the device model in a stubdomain will mitigate > the issue. > > Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", > in the xl domain configuration) will avoid the vulnerability. > > RESOLUTION > ========== > > Applying the appropriate attached patch resolves this issue. > > xsa208-qemuu.patch qemu-xen, mainline qemu The patch doesn't apply cleanly against the QEMU-upstream found in Xen 4.7.1: http://beefy9.nyi.freebsd.org/data/110amd64-default/433828/logs/xen-tools-4.7.1_2.log Roger. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.