Xen project Mailing List

Re: [Xen-users] [Xen-devel] Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe

To: Xen.org security team <security@xxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 23 Feb 2017 09:43:53 +0000

Cc: xen-users@xxxxxxxxxxxxx, xen-announce@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx

Delivery-date: Thu, 23 Feb 2017 09:45:08 +0000

List-id: Xen user discussion <xen-users.lists.xen.org>

On Tue, Feb 21, 2017 at 12:00:03PM +0000, Xen.org security team wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Xen Security Advisory CVE-2017-2620 / XSA-209 > version 3 > > cirrus_bitblt_cputovideo does not check if memory region is safe > > UPDATES IN VERSION 3 > ==================== > > Public release. > > ISSUE DESCRIPTION > ================= > > In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine > cirrus_bitblt_cputovideo fails to check wethehr the specified memory > region is safe. > > IMPACT > ====== > > A malicious guest administrator can cause an out of bounds memory > write, very likely exploitable as a privilege escalation. > > VULNERABLE SYSTEMS > ================== > > Versions of qemu shipped with all Xen versions are vulnerable. > > Xen systems running on x86 with HVM guests, with the qemu process > running in dom0 are vulnerable. > > Only guests provided with the "cirrus" emulated video card can exploit > the vulnerability. The non-default "stdvga" emulated video card is > not vulnerable. (With xl the emulated video card is controlled by the > "stdvga=" and "vga=" domain configuration options.) > > ARM systems are not vulnerable. Systems using only PV guests are not > vulnerable. > > For VMs whose qemu process is running in a stub domain, a successful > attacker will only gain the privileges of that stubdom, which should > be only over the guest itself. > > Both upstream-based versions of qemu (device_model_version="qemu-xen") > and `traditional' qemu (device_model_version="qemu-xen-traditional") > are vulnerable. > > MITIGATION > ========== > > Running only PV guests will avoid the issue. > > Running HVM guests with the device model in a stubdomain will mitigate > the issue. > > Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", > in the xl domain configuration) will avoid the vulnerability. > > CREDITS > ======= > > This issue was discovered by Gerd Hoffmann of Red Hat. > > RESOLUTION > ========== > > Applying the appropriate attached patch resolves this issue. > > xsa209-qemuu.patch qemu-xen, qemu upstream > (no backport yet) qemu-xen-traditional It would be nice to mention that (at least on QEMU shipped with 4.7) the following patch is also needed for the XSA-209 fix to build correctly: 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 display: cirrus: ignore source pitch value as needed in blit_is_unsafe Roger. _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx https://lists.xen.org/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.