Re: CVE-2017-13673 Qemu: vga: reachable assert failure during during display update

[Salvatore Bonaccorso <carnil () debian org>]

Hi!

On Wed, Aug 30, 2017 at 03:34:51PM +0530, P J P wrote:
>   Hello,
>
> Quick emulator(Qemu) built with the VGA display emulator support is
> vulnerable to an assert failure issue. It could occur while updating
> graphics display, due to miscalculating region for dirty bitmap snapshot in
> split screen mode.
>
> A privileged user/process inside guest could use this flaw to crash the Qemu
> process on the host resulting in DoS.
>
> Upstream patch:
> ---------------
>   -> https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04685.html
>
> Reference:
> ----------
>   -> https://bugzilla.redhat.com/show_bug.cgi?id=1486588
>
> This issue was reported by David Buchanan.

Can you clarify the affected versions? I noticed while looking at the
above, that MITRE description mentions "Qemu 2.8.0 through 2.9.0". I
perfectly realize those does not come from the above.  As far as I can
see, e.g. cpu_physical_memory_snapshot_get_dirty was only introduced
in v2.10.0-rc0. The upstream commit associated with the above issue
is:

 https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bfc56535f793c557aa754c50213fc5f882e6482d

which fixes

 https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=fec5e8c92becad223df9d972770522f64aafdb72

introducing the use of dirty bitmap snapshots in vga_draw_graphic().

Do I miss something makeing it affecting as well earlier versions than
2.10?

Regards and thanks already for your help,
Salvatore