Bug 1011652 - (CVE-2016-9637) VUL-0: CVE-2016-9637: xen: qemu ioport array overflow (XSA-199)
(CVE-2016-9637)
VUL-0: CVE-2016-9637: xen: qemu ioport array overflow (XSA-199)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:SUSE:CVE-2016-9637:6.5:(AV:A/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-22 15:07 UTC by Marcus Meissner
Modified: 2021-01-21 18:16 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa199-trad.patch (2.83 KB, patch)
2016-12-07 01:01 UTC, Mikhail Kasimov
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Swamp Workflow Management 2016-11-22 22:56:03 UTC
bugbot adjusting priority
Comment 7 Marcus Meissner 2016-11-24 10:59:10 UTC
CVE-2016-9637
Comment 8 Swamp Workflow Management 2016-11-30 13:00:58 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-12-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63236
Comment 9 Charles Arnold 2016-11-30 16:14:20 UTC
Submissions:
============
SUSE:SLE-12-SP2:Update: 124867
SUSE:SLE-12-SP1:Update: 124868
SUSE:SLE-12:Update: 124869
SUSE:SLE-11-SP4:Update: 124870
SUSE:SLE-11-SP3:Update: 124871
SUSE:SLE-11-SP2:Update: 124872
SUSE:SLE-11-SP1:Update: 124873
SUSE:SLE-11-SP1:Update:Teradata: 124981
SUSE:SLE-10-SP4:Update:Test: 124874
SUSE:SLE-10-SP3:Update:Test: 124875
Comment 10 Marcus Meissner 2016-12-06 12:25:59 UTC
is public now

            Xen Security Advisory CVE-2016-9637 / XSA-199
                              version 3

                      qemu ioport array overflow

UPDATES IN VERSION 3
====================

Clarify the IMPACT description, by escalating privilege to that of the
qemu process, not necesserily the host.

Public release.

ISSUE DESCRIPTION
=================

The code in qemu which implements ioport read/write looks up the
specified ioport address in a dispatch table.  The argument to the
dispatch function is a uint32_t, and is used without a range check,
even though the table has entries for only 2^16 ioports.

When qemu is used as a standalone emulator, ioport accesses are
generated only from cpu instructions emulated by qemu, and are
therefore necessarily 16-bit, so there is no vulnerability.

When qemu is used as a device model within Xen, io requests are
generated by the hypervisor and read by qemu from a shared ring.  The
entries in this ring use a common structure, including a 64-bit
address field, for various accesses, including ioport addresses.

Xen will write only 16-bit address ioport accesses.  However,
depending on the Xen and qemu version, the ring may be writeable by
the guest.  If so, the guest can generate out-of-range ioport
accesses, resulting in wild pointer accesses within qemu.


IMPACT
======

A malicious guest administrator can escalate their privilege to that
of the qemu process.


VULNERABLE SYSTEMS
==================

PV guests cannot exploit the vulnerability.

ARM systems are not vulnerable.

HVM domains run with QEMU stub domains cannot exploit the
vulnerability.  (A QEMU stub domain is used if xl's domain
configuration file contains "device_model_stubdomain_override=1".)

Guests using the modern "qemu-xen" device model, with a qemu version
of at least 1.6.0 (for example, as provided by the Xen Project in its
Xen 4.4.0 and later releases), cannot exploit the vulnerability.

x86 HVM guests, not configured with qemu stub domains, using a version
of qemu older than qemu upstream 1.6.0, can exploit the vulnerability.

x86 HVM guests using the traditional "qemu-xen-traditional", not
configured with qemu stub domains, can therefore exploit the
vulnerability.

In tabular form:

  Guest      Xen       QEMU    QEMU "traditional"            Status
  type       version   stub      and/or qemu version

  ARM        any       n/a     n/a         any               OK
  x86 PV     any       n/a     n/a         any               OK

  x86 HVM    any       yes     qemu-xen-traditional          OK

  x86 HVM    any       no      qemu-xen*   >= 1.6.0          OK
  x86 HVM    >= 4.4    no      qemu-xen*   Xen supplied      OK

  x86 HVM    any       no      qemu-xen*   < 1.6.0           Vulnerable
  x86 HVM    <= 4.3    no      qemu-xen*   Xen supplied      Vulnerable

  x86 HVM    any       no      qemu-xen-traditional          Vulnerable

[*] qemu-xen is the default when qemu stub domains are not in
    use, since Xen 4.3.


MITIGATION
==========

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.
In a usual configuration, a service domain has only the privilege of
the guest, so this eliminates the vulnerability.

Running HVM guests with the default upstream device model, in Xen 4.4
and later, will also avoid this vulnerability.


CREDITS
=======

This issue was discovered by yanghongke@huawei.com of the Huawei
Security Test Team.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa199-trad.patch      qemu-xen-traditional, all versions

$ sha256sum xsa199*
35c6a7d0d51c2347b46a9acf22e034ca328ca62b0ce4ad868a94c190b2e14d36  xsa199-trad.patch
$
Comment 11 Mikhail Kasimov 2016-12-07 01:01:31 UTC
Created attachment 705203 [details]
xsa199-trad.patch
Comment 12 Swamp Workflow Management 2016-12-07 19:09:53 UTC
SUSE-SU-2016:3044-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1000893,1003030,1003032,1005004,1005005,1007157,1009100,1009103,1009107,1009109,1009111,1011652,990843
CVE References: CVE-2016-6351,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-32.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    xen-4.1.6_08-32.1
Comment 13 Swamp Workflow Management 2016-12-09 17:10:21 UTC
SUSE-SU-2016:3067-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1004981,1005004,1005005,1007157,1007941,1009100,1009103,1009104,1009105,1009107,1009108,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8910,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9384,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.1_02-25.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.1_02-25.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.1_02-25.1
Comment 14 Swamp Workflow Management 2016-12-12 12:10:54 UTC
SUSE-SU-2016:3083-1: An update that fixes 19 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1003870,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009108,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-7995,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.5_02-22.3.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.5_02-22.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.5_02-22.3.1
Comment 15 Swamp Workflow Management 2016-12-14 00:21:32 UTC
openSUSE-SU-2016:3134-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1004981,1005004,1005005,1007157,1007941,1009100,1009103,1009104,1009105,1009107,1009108,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8910,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9384,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.1_02-3.1
Comment 16 Swamp Workflow Management 2016-12-14 17:10:33 UTC
SUSE-SU-2016:3156-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652,953518
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_05-22.25.1
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_05-22.25.1
Comment 17 Swamp Workflow Management 2016-12-16 15:10:56 UTC
SUSE-SU-2016:3174-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1000893,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_10-43.5
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_10-43.5
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_10-43.5
Comment 18 Marcus Meissner 2016-12-22 12:06:10 UTC
released
Comment 19 Swamp Workflow Management 2016-12-27 16:13:34 UTC
SUSE-SU-2016:3273-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1000893,1003030,1003032,1005004,1005005,1007157,1007160,1009100,1009103,1009107,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-30.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-30.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-30.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-30.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-30.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-30.1
Comment 20 Swamp Workflow Management 2017-01-02 12:11:28 UTC
openSUSE-SU-2017:0007-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1002496,1003030,1003032,1003870,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009108,1009109,1009111,1011652,1012651,1013657,1013668,1014298,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-7995,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9101,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637,CVE-2016-9776,CVE-2016-9932
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.5_06-18.1
Comment 21 Swamp Workflow Management 2017-01-02 12:15:07 UTC
openSUSE-SU-2017:0008-1: An update that solves 19 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1000106,1000195,1002496,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652,1012651,1014298,1016340,953518
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637,CVE-2016-9932
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_06-58.1