Bug 803102

Summary: VUL-0: CVE-2013-0241: xf86-video-qxl: synchronous io guest DoS
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Stefan Dirsch <sndirsch>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: agraf, brogers, meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2013-02-11 15:26:37 UTC
is public, via oss-security


On 01/30/2013 09:37 AM, Petr Matousek wrote:
> A flaw was found in the way spice connection breakups were handled in
> the qemu-kvm qxl driver. Some of the qxl port i/o commands were waiting
> for the spice server to complete the actions, while the corresponding
> thread holds qemu_mutex mutex, potentially blocking other threads in the
> guest's qemu-kvm process. A user able to initiate spice connection to
> the guest could use this flaw to make guest temporarily unavailable or,
> in case kernel.softlockup_panic in the guest was set, crash the guest.
> Upstream fixes:
> xf86-video-qxl commit
> http://cgit.freedesktop.org/xorg/driver/xf86-video-qxl/commit/?id=30b4b72cdbdf9f0e92a8d1c4e01779f60f15a741
> which relies on qemu-kvm functionality introduced by commit
> http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=commit;h=5ff4e36c
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=906032
> Thanks,

Please use CVE-2013-0241 for this issue.
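
The locking pattern the advisory describes, as an added example: a toy Python model, not code from qemu-kvm or xf86-video-qxl. `Device`, `big_lock` (a stand-in for qemu_mutex) and both command methods are hypothetical names, and the non-blocking variant is an assumed general shape, not taken from the linked commits.

```python
import threading

class Device:
    """Toy device model; big_lock is a stand-in for qemu_mutex (hypothetical names)."""

    def __init__(self):
        self.big_lock = threading.Lock()
        self.pending = threading.Event()      # command has been handed to the server
        self.server_done = threading.Event()  # simulated spice server finished the action
        self.submitted = False
        self.completed = []

    def sync_command(self):
        # Pattern from the advisory: wait for the server while holding the lock.
        with self.big_lock:
            self.submitted = True
            self.pending.set()
            self.server_done.wait()
            self.completed.append("sync")

    def async_command(self):
        # Assumed non-blocking shape: submit under the lock, wait outside it,
        # retake the lock only to record completion.
        with self.big_lock:
            self.submitted = True
        self.pending.set()
        self.server_done.wait()
        with self.big_lock:
            self.completed.append("async")

def lock_free_while_pending(mode):
    """Return True if a second thread can take big_lock while the server is busy."""
    dev = Device()
    worker = threading.Thread(
        target=dev.sync_command if mode == "sync" else dev.async_command)
    worker.start()
    dev.pending.wait()                        # server is now "busy"
    free = dev.big_lock.acquire(blocking=False)
    if free:
        dev.big_lock.release()
    dev.server_done.set()                     # server finishes or the connection recovers
    worker.join()
    assert dev.completed == [mode]
    return free

if __name__ == "__main__":
    for mode in ("sync", "async"):
        print(mode, "-> other threads can take the lock:", lock_free_while_pending(mode))
```

In the synchronous case every other thread needing the lock stalls for as long as the server takes to answer, which is the window in which a guest softlockup watchdog can fire.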
Comment 1 Stefan Dirsch 2013-02-11 15:50:31 UTC
Seems we are shipping xf86-video-qxl X driver since openSUSE 12.1. I never got it working with qemu-kvm though.
Comment 2 Swamp Workflow Management 2013-02-11 23:00:24 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2013-02-12 08:48:38 UTC
if it's not working at all, or if we do not have synchronous io to qemu-kvm?

who can we ask? qemu folks?
Comment 4 Stefan Dirsch 2013-02-13 15:19:35 UTC
(In reply to comment #3)
> if it's not working at all, or if we do not have synchronous io to qemu-kvm?
> who can we ask? qemu folks?

Last time I tried it did not work. This is some time ago though. It has been a hackweek project to get this running and I failed miserably. I wrote my results in some FATE request about QXL support. I can't find it any longer.
Comment 5 Stefan Dirsch 2013-03-08 14:52:04 UTC
I believe figuring out whether QXL works is much more effort than just doing the security update. Also there shouldn't be that many products on which we already ship the xf86-video-qxl driver.
Comment 6 Marcus Meissner 2013-03-08 15:53:18 UTC
yes, either just throw the patch in and submit or we could just ignore this bug if it does not work at all for now
Comment 7 Stefan Dirsch 2013-03-09 13:04:25 UTC
SLE doesn't ship xf86-video-qxl. openSUSE does.

12.1: xorg-x11-driver-video (xf86-video-qxl-0.0.13: affected)
12.2: xf86-video-qxl (0.0.17: contains the fix)
12.3: xf86-video-qxl (0.1.0: contains the fix)
Factory/X11:XOrg: xf86-video-qxl (0.1.0: contains the fix)

==> Only openSUSE 12.1 needs to get fixed
Comment 8 Stefan Dirsch 2013-03-26 16:59:51 UTC
Well, the patch introduces wrappers around ioport_write() calls, but there is no ioport_write() yet defined in xf86-video-qxl 0.0.13 of openSUSE 12.1. Instead outb() is used in this version. 

Later ioport_write() has been introduced in xf86-video-qxl, but it requires the definition of XSPICE. If not, outb() is used. And we do not build nor ship spice devel packages with openSUSE 12.1.

Maybe this is becoming a non-issue with this in mind? Do you agree?
Comment 9 Marcus Meissner 2013-03-27 10:02:00 UTC
it seems so. let's put the issue at rest.
Comment 10 Stefan Dirsch 2013-03-27 10:41:06 UTC