oss-sec mailing list archives
Re: Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe
From: Steven Haigh <netwiz () crc id au>
Date: Thu, 23 Feb 2017 20:59:12 +1100
On 23/02/17 20:43, Roger Pau Monné wrote:
On Tue, Feb 21, 2017 at 12:00:03PM +0000, Xen.org security team wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2017-2620 / XSA-209 version 3 cirrus_bitblt_cputovideo does not check if memory region is safe UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check wethehr the specified memory region is safe. IMPACT ====== A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation. VULNERABLE SYSTEMS ================== Versions of qemu shipped with all Xen versions are vulnerable. Xen systems running on x86 with HVM guests, with the qemu process running in dom0 are vulnerable. Only guests provided with the "cirrus" emulated video card can exploit the vulnerability. The non-default "stdvga" emulated video card is not vulnerable. (With xl the emulated video card is controlled by the "stdvga=" and "vga=" domain configuration options.) ARM systems are not vulnerable. Systems using only PV guests are not vulnerable. For VMs whose qemu process is running in a stub domain, a successful attacker will only gain the privileges of that stubdom, which should be only over the guest itself. Both upstream-based versions of qemu (device_model_version="qemu-xen") and `traditional' qemu (device_model_version="qemu-xen-traditional") are vulnerable. MITIGATION ========== Running only PV guests will avoid the issue. Running HVM guests with the device model in a stubdomain will mitigate the issue. Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", in the xl domain configuration) will avoid the vulnerability. CREDITS ======= This issue was discovered by Gerd Hoffmann of Red Hat. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa209-qemuu.patch qemu-xen, qemu upstream (no backport yet) qemu-xen-traditionalIt would be nice to mention that (at least on QEMU shipped with 4.7) the following patch is also needed for the XSA-209 fix to build correctly: 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 display: cirrus: ignore source pitch value as needed in blit_is_unsafe
I did request that an updated XSA be issued with this patch - as at the moment, nobody will be able to apply the XSA only patch to any other version of Xen. -- Steven Haigh Email: netwiz () crc id au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe Xen . org security team (Feb 21)
- Re: [Xen-devel] Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe Roger Pau Monné (Feb 23)
- Re: Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe Steven Haigh (Feb 23)
- <Possible follow-ups>
- Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe Xen . org security team (Feb 23)
- Re: [Xen-devel] Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe Roger Pau Monné (Feb 23)