Bug 1014311 - VUL-0: CVE-2016-9913,CVE-2016-9914,CVE-2016-9915,CVE-2016-9916: xen: 9pfs: memory leakage via proxy/handle callbacks
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv2:NVD:CVE-2016-9915:4.9:(AV:L/A...
Reported: 2016-12-07 16:32 UTC by Matthias Gerstner
Modified: 2017-06-08 10:56 UTC

Description Matthias Gerstner 2016-12-07 16:32:41 UTC
+++ This bug was initially created as a clone of Bug #1014110 +++

Reference: http://seclists.org/oss-sec/2016/q4/617
===================================================
  Hello,

Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to a memory leakage issue. It could occur via its '9p-handle' or '9p-proxy' backend drivers as they do not free their respective allocated data objects.

A privileged user inside the guest could use this flaw to leak host memory, thus affecting other services on the host and/or potentially crash the Qemu process on the host.


Upstream patches:
-----------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F


===================================================
Comment 1 Matthias Gerstner 2016-12-07 16:33:26 UTC
Analysis shows the following codestreams are affected:

SUSE:SLE-12:Update/xen/xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/9pfs/virtio-9p-handle.c:663
SUSE:SLE-12-SP1:Update/xen/xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/9pfs/virtio-9p-handle.c:672
SUSE:SLE-11-SP4:Update/xen/xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/9pfs/virtio-9p-handle.c:663

Not affected:

SUSE:SLE-10-SP3:Update/xen/xen-3.2.3-testing (not contained)
SUSE:SLE-11-SP1:Update:Teradata/xen/xen-4.0.3-testing (not contained)
SUSE:SLE-11-SP3:Update/xen/xen-4.2.5-testing (not contained)
SUSE:SLE-11-SP3:Update:Teradata/xen/xen-4.2.5-testing (not contained)
SUSE:SLE-12-SP2:Update/xen/xen-4.7.0-testing (not contained)
Comment 2 Swamp Workflow Management 2016-12-07 23:02:57 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-12-08 07:11:54 UTC
From Mitre

> Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9
> File System (9pfs) support, is vulnerable to a memory leakage issue. It could
> occur via its '9p-handle' or '9p-proxy' backend drivers as they do not free
> their respective allocated data objects.
> 
> A privileged user inside the guest could use this flaw to leak host memory, thus
> affecting other services on the host and/or potentially crash the Qemu process
> on the host.
> 
> https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html

>> 9pfs: adjust the order of resource cleanup in device unrealize
>> http://git.qemu.org/?p=qemu.git;a=commit;h=4774718e5c194026ba5ee7a28d9be49be3080e42

Use CVE-2016-9913.


>> 9pfs: add cleanup operation in FileOperations
>> http://git.qemu.org/?p=qemu.git;a=commit;h=702dbcc274e2ca43be20ba64c758c0ca57dab91d

Use CVE-2016-9914.


>> 9pfs: add cleanup operation for handle backend driver
>> http://git.qemu.org/?p=qemu.git;a=commit;h=971f406b77a6eb84e0ad27dcc416b663765aee30

Use CVE-2016-9915.


>> 9pfs: add cleanup operation for proxy backend driver
>> http://git.qemu.org/?p=qemu.git;a=commit;h=898ae90a44551d25b8e956fd87372d303c82fe68

Use CVE-2016-9916.
Comment 4 Charles Arnold 2017-01-03 21:20:26 UTC
9pfs is not supported by Xen. VirtFS support is disabled in the configuration
file when building the Xen qemu. While the source code exists in the Xen qemu,
it does not get compiled. This bug may be closed as invalid.
Comment 5 Matthias Gerstner 2017-01-04 14:45:38 UTC
(In reply to carnold@suse.com from comment #3)

> While the source code exists in the Xen qemu, it does not get compiled.

I can confirm this for all affected codestreams. Closing ticket.
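
The leak pattern from the report and the shape of the fix named in comment 3 (a cleanup operation added to FileOperations and invoked at device unrealize), as an added example that is not QEMU's code and not part of the original bug report. It is a simplified C model in which every struct and function name is hypothetical; it counts the bytes a backend leaves allocated across repeated realize/unrealize cycles, with and without a cleanup hook.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified model, not QEMU source; every name here is hypothetical. */
struct fs_ctx { void *private_data; };      /* per-export backend state */

struct file_ops {
    int  (*init)(struct fs_ctx *ctx);
    void (*cleanup)(struct fs_ctx *ctx);    /* NULL models a backend with no cleanup hook */
};

struct backend_data { int mount_fd; char handle[128]; };

/* Backend init: allocates the data object and parks it in the context. */
static int backend_init(struct fs_ctx *ctx)
{
    struct backend_data *d = calloc(1, sizeof(*d));
    if (d == NULL)
        return -1;
    d->mount_fd = -1;
    ctx->private_data = d;
    return 0;
}

/* Backend cleanup: releases what init allocated. */
static void backend_cleanup(struct fs_ctx *ctx)
{
    free(ctx->private_data);
    ctx->private_data = NULL;
}

const struct file_ops ops_before = { backend_init, NULL };
const struct file_ops ops_after  = { backend_init, backend_cleanup };

/* Bytes left allocated after n device realize/unrealize cycles, or -1 on error. */
long leaked_bytes_after(const struct file_ops *ops, int n)
{
    long leaked = 0;
    for (int i = 0; i < n; i++) {
        struct fs_ctx ctx = { NULL };
        if (ops->init(&ctx) < 0)
            return -1;
        if (ops->cleanup != NULL)
            ops->cleanup(&ctx);             /* unrealize calls the backend hook */
        if (ctx.private_data != NULL) {     /* pointer is about to go out of scope */
            leaked += (long)sizeof(struct backend_data);
            free(ctx.private_data);         /* the model reclaims it; a real leak would not */
        }
    }
    return leaked;
}

int main(void) { return leaked_bytes_after(&ops_after, 1000) == 0 ? 0 : 1; }
```

With `ops_before` the leaked total grows linearly with the number of cycles, which is why the report rates the impact as host memory exhaustion rather than a one-off loss.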