Xen project Mailing List

Re: [Xen-devel] Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Xen.org security team" <security@xxxxxxx>

From: Steven Haigh <netwiz@xxxxxxxxx>

Date: Thu, 23 Feb 2017 20:59:12 +1100

Cc: xen-users@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-announce@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

Delivery-date: Thu, 23 Feb 2017 09:59:39 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 23/02/17 20:43, Roger Pau Monné wrote: > On Tue, Feb 21, 2017 at 12:00:03PM +0000, Xen.org security team wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Xen Security Advisory CVE-2017-2620 / XSA-209 >> version 3 >> >> cirrus_bitblt_cputovideo does not check if memory region is safe >> >> UPDATES IN VERSION 3 >> ==================== >> >> Public release. >> >> ISSUE DESCRIPTION >> ================= >> >> In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine >> cirrus_bitblt_cputovideo fails to check wethehr the specified memory >> region is safe. >> >> IMPACT >> ====== >> >> A malicious guest administrator can cause an out of bounds memory >> write, very likely exploitable as a privilege escalation. >> >> VULNERABLE SYSTEMS >> ================== >> >> Versions of qemu shipped with all Xen versions are vulnerable. >> >> Xen systems running on x86 with HVM guests, with the qemu process >> running in dom0 are vulnerable. >> >> Only guests provided with the "cirrus" emulated video card can exploit >> the vulnerability. The non-default "stdvga" emulated video card is >> not vulnerable. (With xl the emulated video card is controlled by the >> "stdvga=" and "vga=" domain configuration options.) >> >> ARM systems are not vulnerable. Systems using only PV guests are not >> vulnerable. >> >> For VMs whose qemu process is running in a stub domain, a successful >> attacker will only gain the privileges of that stubdom, which should >> be only over the guest itself. >> >> Both upstream-based versions of qemu (device_model_version="qemu-xen") >> and `traditional' qemu (device_model_version="qemu-xen-traditional") >> are vulnerable. >> >> MITIGATION >> ========== >> >> Running only PV guests will avoid the issue. >> >> Running HVM guests with the device model in a stubdomain will mitigate >> the issue. >> >> Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", >> in the xl domain configuration) will avoid the vulnerability. >> >> CREDITS >> ======= >> >> This issue was discovered by Gerd Hoffmann of Red Hat. >> >> RESOLUTION >> ========== >> >> Applying the appropriate attached patch resolves this issue. >> >> xsa209-qemuu.patch qemu-xen, qemu upstream >> (no backport yet) qemu-xen-traditional > > It would be nice to mention that (at least on QEMU shipped with 4.7) the > following patch is also needed for the XSA-209 fix to build correctly: > > 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 > display: cirrus: ignore source pitch value as needed in blit_is_unsafe I did request that an updated XSA be issued with this patch - as at the moment, nobody will be able to apply the XSA only patch to any other version of Xen. -- Steven Haigh Email: netwiz@xxxxxxxxx Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.