Bug 1028655 (CVE-2016-9603)

Summary: VUL-0: CVE-2016-9603: xen: Cirrus VGA Heap overflow via display refresh (XSA-211)
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: astieger, carnold
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2016-9603:3.5:(AV:L/AC:H/Au:S/C:P/I:P/A:P) maint:released:oes2015:63591
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1028656    

Comment 6 Andreas Stieger 2017-03-14 16:01:01 UTC 
Public at https://xenbits.xen.org/xsa/advisory-211.html

            Xen Security Advisory CVE-2016-9603 / XSA-211
                              version 2

             Cirrus VGA Heap overflow via display refresh

UPDATES IN VERSION 2
====================

Patches for qemu-xen-traditional.

Public release.

ISSUE DESCRIPTION
=================

When a graphics update command gets passed to the VGA emulator, there
are 3 possible modes that can be used to update the display:

* blank - Clears the display
* text - Treats the display as showing text
* graph - Treats the display as showing graphics

After the display geometry gets changed (i.e., after the CIRRUS VGA
emulation has resized the display), the VGA emulator will resize the
console during the next update command. However, when a blank mode is
also selected during an update, this resize doesn't happen. The resize
will be properly handled during the next time a non-blank mode is
selected during an update.

However, other console components - such as the VNC emulation - will
operate as though this resize had happened. When the display is
resized to be larger than before, this can result in a heap overflow
as console components will expect the display buffer to be larger than
it is currently allocated.

IMPACT
======

A privileged user within the guest VM can cause a heap overflow in the
device model process, potentially escalating their privileges to that
of the device model process.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only HVM guests with the Cirrus video card are vulnerable.  (The
Cirrus video card is the default.)  Both qemu-upstream and
qemu-traditional are vulnerable.

For HVM guests with the device model running in a stub domain, "the
privileges of the device model process" are identical to those of the
guest kernel.  But the ability of a userspace process to trigger this
vulnerability via legitimate commands to the kernel driver (thus
elevating its privileges to that of the guest kernel) cannot be ruled
out.

MITIGATION
==========

Running only PV guests, or running HVM guests with the stgvga driver,
will avoid this vulnerability.

Running HVM guests with stub domains will mitigate the vulnerability to
at most a guest kernel privilege escalation.

CREDITS
=======

The discoverer of this issue requested to remain anonymous.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue (and any
further bitblit vulnerabilities) by disabling the bitblit
functionality from the Cirrus VGA device entirely.

xsa211-qemuu.patch     qemu-upstream master
xsa211-qemuu-4.8.patch qemu-upstream 4.8
xsa211-qemuu-4.7.patch qemu-upstream 4.7
xsa211-qemuu-4.6.patch qemu-upstream 4.6 and 4.5
xsa211-qemuu-4.4.patch qemu-upstream 4.4
xsa211-qemut.patch     qemu-xen-traditional 4.6 and later
xsa211-qemut-4.5.patch qemu-xen-traditional 4.4 and 4.5

$ sha256sum xsa211*
9d0cf413dcc9654ee95f6b04fa9c5714f36775cbc9ab0390a3041ec4a68845ab  xsa211-qemut.patch
d307d67fbf3707a324da537e593702eaff3df2068b559ef19e857b493881155e  xsa211-qemut-4.5.patch
0fe17378cf2bc2742f068adf31331f36e01b0f4ffa9c596160fdba2bed3e870a  xsa211-qemuu.patch
1808aa443123d8713241a60021507a4d9c142c3cd07233e2f38e9b9b28025ae2  xsa211-qemuu-4.4.patch
5053c7cb392f34a234287092293bb91f261ed68f4b58fe856fe353b647ed5beb  xsa211-qemuu-4.6.patch
c5884bd441ae8cecce84385c99bcb72ba0eae480a013846fa59c1255aef4808f  xsa211-qemuu-4.7.patch
bea7cf4065bd9d0085f4dfc3395e59c3ca9d4de9d786a3018c8dc7fd9f3d8b6e  xsa211-qemuu-4.8.patch
$

NOTE REGARDING EMBARGO
======================

The embargo period is much shorter than our standard two-week period.
This is at the request of the discoverer.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or the mitigation of running with an HVM
stub domain (or others which are substantially similar) is permitted
during the embargo, even on public-facing systems with untrusted guest
users and administrators.

It is NOT permitted during the embargo to switch from Cirrus VGA to
Stdvga on public-facing systems with untrusted guest users or
administrators.  This is because it may give a clue where the issue
lies.  This mitigation is only permitted AFTER the embargo ends.

As always, distribution of updated software is prohibited (except to
other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 7 Charles Arnold 2017-04-04 20:19:29 UTC 
Submitted for,

SUSE:SLE-12-SP1:Update: SR#130330
SUSE:SLE-12:Update: SR#130331
SUSE:SLE-11-SP4:Update: SR#130332
Comment 8 Swamp Workflow Management 2017-04-20 19:10:02 UTC 
SUSE-SU-2017:1080-1: An update that solves 5 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1022555,1026636,1027519,1027570,1028235,1028655,1029827,1030144,1030442
CVE References: CVE-2016-9603,CVE-2017-2633,CVE-2017-6414,CVE-2017-6505,CVE-2017-7228
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_16-22.36.1
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_16-22.36.1
Comment 9 Swamp Workflow Management 2017-04-20 19:12:20 UTC 
SUSE-SU-2017:1081-1: An update that solves 5 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1022555,1026636,1027519,1027570,1028235,1028655,1029827,1030144,1030442
CVE References: CVE-2016-9603,CVE-2017-2633,CVE-2017-6414,CVE-2017-6505,CVE-2017-7228
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_16-54.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_16-54.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_16-54.1
Comment 10 Swamp Workflow Management 2017-05-02 07:26:09 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-05-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63573
Comment 11 Swamp Workflow Management 2017-05-02 16:10:39 UTC 
SUSE-SU-2017:1143-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1022703,1028655,1029827,1030144,1034843,1034844,1034994,1036146
CVE References: CVE-2016-9603,CVE-2017-7718
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.2_04-39.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.2_04-39.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.2_04-39.1
Comment 12 Swamp Workflow Management 2017-05-02 16:12:09 UTC 
SUSE-SU-2017:1145-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1028655,1029827,1030144,1034843,1034844,1034845,1034994,1035483
CVE References: CVE-2016-9603,CVE-2017-7718,CVE-2017-7980
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_18-57.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_18-57.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_18-57.1
Comment 13 Swamp Workflow Management 2017-05-02 16:13:38 UTC 
SUSE-SU-2017:1146-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1028655,1033948,1034843,1034844,1034845,1034994,1035483
CVE References: CVE-2016-9603,CVE-2017-7718,CVE-2017-7980,CVE-2017-7995
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-41.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-41.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-41.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-41.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-41.1
Comment 14 Swamp Workflow Management 2017-05-02 16:16:04 UTC 
SUSE-SU-2017:1147-1: An update that solves 6 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1015348,1022555,1026636,1027519,1027570,1028235,1028655,1029827,1030144,1030442,1034843,1034844,1034845,1034994,1035483
CVE References: CVE-2016-9603,CVE-2017-2633,CVE-2017-6414,CVE-2017-6505,CVE-2017-7718,CVE-2017-7980
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.5_10-22.14.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.5_10-22.14.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.5_10-22.14.1
Comment 15 Swamp Workflow Management 2017-05-09 13:09:06 UTC 
openSUSE-SU-2017:1221-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1022703,1028655,1029827,1030144,1034843,1034844,1034994,1036146
CVE References: CVE-2016-9603,CVE-2017-7718
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.2_04-11.6.1
Comment 16 Marcus Meissner 2017-10-25 19:10:45 UTC 
released