Bug 1057378 - VUL-0: CVE-2017-10911: qemu: blkif responses leak backend stack data (XSA-216)
VUL-0: CVE-2017-10911: qemu: blkif responses leak backend stack data (XSA-216)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Fei Li
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-06 10:04 UTC by Johannes Segitz
Modified: 2018-02-14 12:13 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-09-06 10:04:01 UTC
+++ This bug was initially created as a clone of Bug #1042863 +++

Xen Security Advisory XSA-216

                blkif responses leak backend stack data

              *** EMBARGOED UNTIL 2017-06-20 12:00 UTC ***

ISSUE DESCRIPTION
=================

The block interface response structure has some discontiguous fields.
Certain backends populate the structure fields of an otherwise
uninitialized instance of this structure on their stacks, leaking
data through the (internal or trailing) padding field.

IMPACT
======

A malicious unprivileged guest may be able to obtain sensitive
information from the host or other guests.

VULNERABLE SYSTEMS
==================

All Linux versions supporting the xen-blkback, blkback, or blktap
drivers are vulnerable.

FreeBSD, NetBSD and Windows (with our without PV drivers) are not
vulnerable (either because they do not have backends at all, or
because they use a different implementation technique which does not
suffer from this problem).

All qemu versions supporting the Xen block backend are vulnerable.  The
qemu-xen-traditional code base does not include such code, so is not
vulnerable.  Note that an instance of qemu will be spawned to provide
the backend for most non-raw-format disks; so you may need to apply the
patch to qemu even if you use only PV guests.

MITIGATION
==========

There's no mitigation available for x86 PV and ARM guests.

For x86 HVM guests it may be possible to change the guest
configuaration such that a fully virtualized disk is being made
available instead.  However, this would normally entail changes inside
the guest itself.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa216-linux-4.11.patch           Linux 4.5 ... 4.11
xsa216-qemuu.patch                qemu-upstream master, 4.8
xsa216-qemuu-4.7.patch            qemu-upstream 4.7, 4.6
xsa216-qemuu-4.5.patch            qemu-upstream 4.5
xsa216-linux-2.6.18-xen.patch     linux-2.6.18-xen.hg

$ sha256sum xsa216*
28beb3d876fa0eee77f4377ef2708d764a5d9a2003dd4f1a4ecb9b8bf60658a4  xsa216-linux-2.6.18-xen.patch
e04da27961cd867f7bbba31677f61e3e425c0e7cc7352a7a2d22b5a35eaf8585  xsa216-linux-4.11.patch
850b0143cfe3c69c62abdad71be9813014d46c380109fc650689a10c90ff39f4  xsa216-qemuu.patch
072270274d2554b71579a529c908d16479f8eba6646d8aed2e3d129495b27716  xsa216-qemuu-4.5.patch
5a64e2c5bb78f1c8fae97354be10fcc63ea39d333d6490e3a422ff30460cdef1  xsa216-qemuu-4.7.patch
Comment 1 Marcus Meissner 2017-09-07 12:29:28 UTC
affects qemu on sle12 and later.
qemu and kvm on sle11 do not have the code
Comment 2 Swamp Workflow Management 2017-11-02 23:08:58 UTC
SUSE-SU-2017:2924-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1054724,1055587,1056291,1056334,1057378,1057585,1057966,1062069,1062942,1063122
CVE References: CVE-2017-10911,CVE-2017-12809,CVE-2017-13672,CVE-2017-13711,CVE-2017-14167,CVE-2017-15038,CVE-2017-15268,CVE-2017-15289
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    qemu-2.9.1-6.6.3
SUSE Linux Enterprise Desktop 12-SP3 (src):    qemu-2.9.1-6.6.3
Comment 3 Swamp Workflow Management 2017-11-06 20:09:12 UTC
SUSE-SU-2017:2936-1: An update that solves 12 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1043176,1043808,1046636,1047674,1048902,1049381,1054724,1056334,1057378,1057585,1057966,1059369,1062069,1062942,1063122,997358
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-10911,CVE-2017-11334,CVE-2017-11434,CVE-2017-12809,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15268,CVE-2017-15289,CVE-2017-9524
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    qemu-2.6.2-41.22.2
SUSE Linux Enterprise Server 12-SP2 (src):    qemu-2.6.2-41.22.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    qemu-2.6.2-41.22.2
Comment 4 Swamp Workflow Management 2017-11-07 05:10:03 UTC
openSUSE-SU-2017:2938-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1054724,1055587,1056291,1056334,1057378,1057585,1057966,1062069,1062942,1063122
CVE References: CVE-2017-10911,CVE-2017-12809,CVE-2017-13672,CVE-2017-13711,CVE-2017-14167,CVE-2017-15038,CVE-2017-15268,CVE-2017-15289
Sources used:
openSUSE Leap 42.3 (src):    qemu-2.9.1-35.1, qemu-linux-user-2.9.1-35.1, qemu-testsuite-2.9.1-35.1
Comment 5 Swamp Workflow Management 2017-11-07 05:13:18 UTC
openSUSE-SU-2017:2941-1: An update that solves 12 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1043176,1043808,1046636,1047674,1048902,1049381,1054724,1056334,1057378,1057585,1057966,1059369,1062069,1062942,1063122,997358
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-10911,CVE-2017-11334,CVE-2017-11434,CVE-2017-12809,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15268,CVE-2017-15289,CVE-2017-9524
Sources used:
openSUSE Leap 42.2 (src):    qemu-2.6.2-31.9.1, qemu-linux-user-2.6.2-31.9.1, qemu-testsuite-2.6.2-31.9.2
Comment 6 Swamp Workflow Management 2017-11-08 11:14:19 UTC
SUSE-SU-2017:2946-1: An update that solves 33 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1020427,1021741,1025109,1025311,1028184,1028656,1030624,1032075,1034866,1034908,1035406,1035950,1036211,1037242,1037334,1037336,1039495,1042159,1042800,1042801,1043073,1043296,1045035,1046636,1047674,1048902,1049381,1054724,1056334,1057378,1057585,1062069,1063122,994418,994605
CVE References: CVE-2016-6834,CVE-2016-6835,CVE-2016-9602,CVE-2016-9603,CVE-2017-10664,CVE-2017-10806,CVE-2017-10911,CVE-2017-11334,CVE-2017-11434,CVE-2017-12809,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15289,CVE-2017-5579,CVE-2017-5973,CVE-2017-5987,CVE-2017-6505,CVE-2017-7377,CVE-2017-7471,CVE-2017-7493,CVE-2017-7718,CVE-2017-7980,CVE-2017-8086,CVE-2017-8112,CVE-2017-8309,CVE-2017-8379,CVE-2017-8380,CVE-2017-9330,CVE-2017-9373,CVE-2017-9374,CVE-2017-9375,CVE-2017-9503
Sources used:
SUSE OpenStack Cloud 6 (src):    qemu-2.3.1-33.3.3
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    qemu-2.3.1-33.3.3
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    qemu-2.3.1-33.3.3
Comment 7 Marcus Meissner 2018-02-14 12:13:47 UTC
released