Bug 1009109 - (CVE-2016-9381) VUL-0: CVE-2016-9381: XSA-197: xen: qemu incautious about shared ring processing
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-9381:6.0:(AV:L/...
Reported: 2016-11-08 15:53 UTC by Sebastian Krahmer
Modified: 2021-01-21 18:15 UTC (History)


Attachments
xsa197-4.4-qemuu.patch (1.72 KB, patch), 2016-11-08 15:54 UTC, Sebastian Krahmer
xsa197-4.5-qemut.patch (1.86 KB, patch), 2016-11-08 15:55 UTC, Sebastian Krahmer
xsa197-4.5-qemuu.patch (1.72 KB, patch), 2016-11-08 15:55 UTC, Sebastian Krahmer
xsa197-4.6-qemuu.patch (1.72 KB, patch), 2016-11-08 15:56 UTC, Sebastian Krahmer
xsa197-qemut.patch (1.87 KB, patch), 2016-11-08 15:56 UTC, Sebastian Krahmer
xsa197-qemuu.patch (1.95 KB, patch), 2016-11-08 15:57 UTC, Sebastian Krahmer

Comment 1 Sebastian Krahmer 2016-11-08 15:54:45 UTC
Created attachment 701125: xsa197-4.4-qemuu.patch

.
Comment 2 Sebastian Krahmer 2016-11-08 15:55:29 UTC
Created attachment 701126: xsa197-4.5-qemut.patch

.
Comment 3 Sebastian Krahmer 2016-11-08 15:55:53 UTC
Created attachment 701127: xsa197-4.5-qemuu.patch

.
Comment 4 Sebastian Krahmer 2016-11-08 15:56:32 UTC
Created attachment 701128: xsa197-4.6-qemuu.patch

.
Comment 5 Sebastian Krahmer 2016-11-08 15:56:57 UTC
Created attachment 701130: xsa197-qemut.patch

.
Comment 6 Sebastian Krahmer 2016-11-08 15:57:20 UTC
Created attachment 701133: xsa197-qemuu.patch

.
Comment 7 Swamp Workflow Management 2016-11-08 23:02:09 UTC
bugbot adjusting priority
Comment 8 Marcus Meissner 2016-11-17 13:48:18 UTC
CVE-2016-9381
Comment 9 Marcus Meissner 2016-11-22 16:24:03 UTC
            Xen Security Advisory CVE-2016-9381 / XSA-197
                              version 3

             qemu incautious about shared ring processing

UPDATES IN VERSION 3
====================

Added email header syntax to patches, for e.g. git-am.

Public release.

ISSUE DESCRIPTION
=================

The compiler can emit optimizations in qemu which can lead to double
fetch vulnerabilities.  Specifically data on the rings shared between
qemu and the hypervisor (which the guest under control can obtain
mappings of) can be fetched twice (during which time the guest can
alter the contents) possibly leading to arbitrary code execution in
qemu.

IMPACT
======

Malicious administrators can exploit this vulnerability to take over
the qemu process, elevating its privilege to that of the qemu process.

In a system not using a device model stub domain (or other techniques
for deprivileging qemu), malicious guest administrators can thus
elevate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

All Xen versions with all flavors of qemu are affected.

Only x86 HVM guests expose the vulnerability.  x86 PV guests do not
expose the vulnerability.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid the vulnerability.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.
In a usual configuration, a service domain has only the privilege of
the guest, so this eliminates the vulnerability.

The vulnerability can be avoided if the guest kernel is controlled by
the host rather than guest administrator, provided that further steps
are taken to prevent the guest administrator from loading code into
the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by yanghongke of Huawei Security Test Team.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa197-qemuu.patch         qemu-upstream    xen-unstable, Xen 4.7.x
xsa197-qemut.patch         qemu-traditional xen-unstable, Xen 4.7.x, Xen 4.6.x
xsa197-4.6-qemuu.patch     qemu-upstream    Xen 4.6.x
xsa197-4.5-qemuu.patch     qemu-upstream    Xen 4.5.x
xsa197-4.5-qemut.patch     qemu-traditional Xen 4.5.x, Xen 4.4.x
xsa197-4.4-qemuu.patch     qemu-upstream    Xen 4.4.x

$ sha256sum xsa197*
a7d63958e3d3afc21c0585ec4690886a3191f01127583b4a29766c45fe4dd611  xsa197-4.4-qemuu.patch
56d037b3eaa0c3f5a7c474ad5087d8a41c2769d0d8b39c8f64699215a33e17a6  xsa197-4.5-qemut.patch
902836f0e5c6c46193c06f7c133a3bdd59f902ee490b962857640a6cd73e4be7  xsa197-4.5-qemuu.patch
20a418606f5536ac4fb009f21548a28b1b32dfb08fc97a259c40240d37a2abe8  xsa197-4.6-qemuu.patch
266996b2b5ac65ded76af63b3d57d4972ab95522b517e7bc9c5ff554d8c2d5e0  xsa197-qemut.patch
cd08b149c97b3f94dcda14b1f280dbb92911d93ffcd5dbcf5ee5ab2bebdc7878  xsa197-qemuu.patch
$
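The double fetch the advisory describes, as an added example that is not part of this bug report, of qemu, or of the attached XSA patches: a request slot on a page the guest can map is bounds-checked, the guest rewrites it, and the second read of the same field (which in the real bug is a reload the compiler is free to emit) is what the copy actually uses. The struct layout, the 8-byte payload limit, the `race_hook_t` callback that stands in for the guest and all function names are constructed for the demo; the hardened form is my own copy-then-validate version, not a transcript of the patches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of one request slot on a ring page shared between a
 * guest and the device model.  Field names are assumptions in the spirit
 * of Xen's ioreq_t, not its real layout.
 */
struct req {
    uint64_t addr;
    uint64_t data;    /* inline payload for small transfers */
    uint32_t size;    /* bytes of data; valid requests have size <= 8 */
    uint8_t  state;
};

#define PAGE_SIZE 4096

/* The whole shared page: the slot plus the rest of the page the guest owns. */
struct ring_page {
    struct req slot;
    uint8_t pad[PAGE_SIZE - sizeof(struct req)];
};

/* Called between "check" and "use": models the guest rewriting the slot. */
typedef void (*race_hook_t)(struct req *shared);

static void attacker_flip_size(struct req *shared)
{
    shared->size = 64;    /* eight times the payload field */
}

/*
 * Vulnerable shape: the bounds check and the later use each read size
 * from the shared page.  In the real bug the compiler re-loads the field;
 * the volatile cast makes that second fetch explicit so the race is
 * deterministic here.  Returns the byte count actually copied.
 */
int handle_req_vulnerable(struct req *shared, uint8_t *out, size_t out_len,
                          race_hook_t race)
{
    if (shared->size > sizeof(shared->data))
        return -1;                              /* check: size is 4, passes */
    if (race)
        race(shared);                           /* guest changes size to 64 */
    uint32_t n = *(volatile uint32_t *)&shared->size;   /* use: re-fetched */
    if (n > out_len)
        return -2;          /* demo-only guard; real code copies into a fixed buffer */
    memcpy(out, &shared->data, n);              /* reads past data into the page */
    return (int)n;
}

/*
 * Hardened shape: snapshot the slot once, put a compiler barrier after the
 * copy so nothing below can be rewritten as a reload from *shared, and
 * validate and act only on the snapshot.
 */
int handle_req_hardened(struct req *shared, uint8_t *out, size_t out_len,
                        race_hook_t race)
{
    struct req copy;
    memcpy(&copy, shared, sizeof(copy));
    __asm__ __volatile__("" ::: "memory");      /* compiler barrier */
    if (copy.size > sizeof(copy.data) || copy.size > out_len)
        return -1;
    if (race)
        race(shared);                           /* too late: copy is unaffected */
    memcpy(out, &copy.data, copy.size);
    return (int)copy.size;
}

/* Runs one handler on a fresh page holding a valid 4-byte request. */
int run_scenario(int hardened, race_hook_t race)
{
    static struct ring_page page;
    static uint8_t out[PAGE_SIZE];   /* oversized so the demo itself cannot overflow */
    memset(&page, 0, sizeof(page));
    memset(page.pad, 0xAA, sizeof(page.pad));
    page.slot.addr = 0x80;
    page.slot.data = 0x11223344;
    page.slot.size = 4;
    page.slot.state = 1;
    return hardened ? handle_req_hardened(&page.slot, out, sizeof(out), race)
                    : handle_req_vulnerable(&page.slot, out, sizeof(out), race);
}

int main(void)
{
    printf("vulnerable, no race:   %d bytes\n", run_scenario(0, NULL));
    printf("vulnerable, with race: %d bytes\n", run_scenario(0, attacker_flip_size));
    printf("hardened,   with race: %d bytes\n", run_scenario(1, attacker_flip_size));
    return 0;
}
```

The point to check in any ring consumer is that every field used after validation comes from the local snapshot, not from the shared mapping; a re-read of a "validated" field, whether written explicitly or rematerialized by the compiler, hands control of the copy length to the guest. The demo copies into a page-sized buffer only so that the vulnerable path cannot corrupt its own memory; in a device model the destination is a fixed-size field and the 64-byte copy would overrun it.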
Comment 10 Swamp Workflow Management 2016-11-30 13:02:29 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-12-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63236
Comment 11 Charles Arnold 2016-11-30 16:12:18 UTC
Submissions:
============
SUSE:SLE-12-SP2:Update: 124867
SUSE:SLE-12-SP1:Update: 124868
SUSE:SLE-12:Update: 124869
SUSE:SLE-11-SP4:Update: 124870
SUSE:SLE-11-SP3:Update: 124871
SUSE:SLE-11-SP2:Update: 124872
SUSE:SLE-11-SP1:Update: 124873
SUSE:SLE-11-SP1:Update:Teradata: 124981
SUSE:SLE-10-SP4:Update:Test: 124874
SUSE:SLE-10-SP3:Update:Test: 124875
Comment 12 Swamp Workflow Management 2016-12-07 19:09:34 UTC
SUSE-SU-2016:3044-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1000893,1003030,1003032,1005004,1005005,1007157,1009100,1009103,1009107,1009109,1009111,1011652,990843
CVE References: CVE-2016-6351,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-32.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    xen-4.1.6_08-32.1
Comment 13 Swamp Workflow Management 2016-12-09 17:10:00 UTC
SUSE-SU-2016:3067-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1004981,1005004,1005005,1007157,1007941,1009100,1009103,1009104,1009105,1009107,1009108,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8910,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9384,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.1_02-25.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.1_02-25.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.1_02-25.1
Comment 14 Swamp Workflow Management 2016-12-12 12:10:33 UTC
SUSE-SU-2016:3083-1: An update that fixes 19 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1003870,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009108,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-7995,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.5_02-22.3.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.5_02-22.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.5_02-22.3.1
Comment 15 Swamp Workflow Management 2016-12-14 00:21:13 UTC
openSUSE-SU-2016:3134-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1004981,1005004,1005005,1007157,1007941,1009100,1009103,1009104,1009105,1009107,1009108,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8910,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9384,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.1_02-3.1
Comment 16 Swamp Workflow Management 2016-12-14 17:10:09 UTC
SUSE-SU-2016:3156-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652,953518
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_05-22.25.1
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_05-22.25.1
Comment 17 Swamp Workflow Management 2016-12-16 15:10:31 UTC
SUSE-SU-2016:3174-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1000893,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_10-43.5
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_10-43.5
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_10-43.5
Comment 18 Marcus Meissner 2016-12-22 12:04:57 UTC
released
Comment 19 Swamp Workflow Management 2016-12-27 16:13:12 UTC
SUSE-SU-2016:3273-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1000893,1003030,1003032,1005004,1005005,1007157,1007160,1009100,1009103,1009107,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-30.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-30.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-30.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-30.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-30.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-30.1
Comment 20 Swamp Workflow Management 2017-01-02 12:11:07 UTC
openSUSE-SU-2017:0007-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1002496,1003030,1003032,1003870,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009108,1009109,1009111,1011652,1012651,1013657,1013668,1014298,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-7995,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9101,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637,CVE-2016-9776,CVE-2016-9932
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.5_06-18.1
Comment 21 Swamp Workflow Management 2017-01-02 12:14:48 UTC
openSUSE-SU-2017:0008-1: An update that solves 19 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1000106,1000195,1002496,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652,1012651,1014298,1016340,953518
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637,CVE-2016-9932
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_06-58.1
Comment 22 Swamp Workflow Management 2017-01-13 19:11:04 UTC
SUSE-SU-2017:0127-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1007454,1008519,1009109,1013285,1013341,1013764,1013767,1014109,1014110,1014111,1014112,1014256,1014514,1016779,937125
CVE References: CVE-2016-9102,CVE-2016-9103,CVE-2016-9381,CVE-2016-9776,CVE-2016-9845,CVE-2016-9846,CVE-2016-9907,CVE-2016-9908,CVE-2016-9911,CVE-2016-9912,CVE-2016-9913,CVE-2016-9921,CVE-2016-9922
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    qemu-2.6.2-39.1
SUSE Linux Enterprise Server 12-SP2 (src):    qemu-2.6.2-39.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    qemu-2.6.2-39.1
Comment 23 Swamp Workflow Management 2017-01-18 11:10:29 UTC
openSUSE-SU-2017:0194-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1007454,1008519,1009109,1013285,1013341,1013764,1013767,1014109,1014110,1014111,1014112,1014256,1014514,1016779,937125
CVE References: CVE-2016-9102,CVE-2016-9103,CVE-2016-9381,CVE-2016-9776,CVE-2016-9845,CVE-2016-9846,CVE-2016-9907,CVE-2016-9908,CVE-2016-9911,CVE-2016-9912,CVE-2016-9913,CVE-2016-9921,CVE-2016-9922
Sources used:
openSUSE Leap 42.2 (src):    qemu-2.6.2-26.1, qemu-linux-user-2.6.2-26.1, qemu-testsuite-2.6.2-26.1