Bug 803102 - VUL-0: CVE-2013-0241: xf86-video-qxl: synchronous io guest DoS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Stefan Dirsch
QA Contact: Security Team bot
Reported: 2013-02-11 15:26 UTC by Marcus Meissner
Modified: 2013-03-27 10:41 UTC
Description Marcus Meissner 2013-02-11 15:26:37 UTC
is public, via oss-security


On 01/30/2013 09:37 AM, Petr Matousek wrote:
> A flaw was found in the way spice connection breakups were handled in
> the qemu-kvm qxl driver. Some of the qxl port i/o commands were waiting
> for the spice server to complete the actions, while the corresponding
> thread holds qemu_mutex mutex, potentially blocking other threads in the
> guest's qemu-kvm process. A user able to initiate spice connection to
> the guest could use this flaw to make guest temporarily unavailable or,
> in case kernel.softlockup_panic in the guest was set, crash the guest.
> Upstream fixes:
> xf86-video-qxl commit
> http://cgit.freedesktop.org/xorg/driver/xf86-video-qxl/commit/?id=30b4b72cdbdf9f0e92a8d1c4e01779f60f15a741
> which relies on qemu-kvm functionality introduced by commit
> http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=commit;h=5ff4e36c
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=906032
> Thanks,

Please use CVE-2013-0241 for this issue.
Comment 1 Stefan Dirsch 2013-02-11 15:50:31 UTC
Seems we are shipping xf86-video-qxl X driver since openSUSE 12.1. I never got it working with qemu-kvm though.
Comment 2 Swamp Workflow Management 2013-02-11 23:00:24 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2013-02-12 08:48:38 UTC
if it's not working at all, or if we do not have synchronous io to qemu-kvm?

who can we ask? qemu folks?
Comment 4 Stefan Dirsch 2013-02-13 15:19:35 UTC
(In reply to comment #3)
> if it's not working at all, or if we do not have synchronous io to qemu-kvm?
> who can we ask? qemu folks?

Last time I tried it did not work. This is some time ago though. It has been a hackweek project to get this running and I failed miserably. I wrote my results in some FATE request about QXL support. I can't find it any longer.
Comment 5 Stefan Dirsch 2013-03-08 14:52:04 UTC
I believe figuring out whether QXL works is much more effort than just doing the security update. Also there shouldn't be that many products on which we already ship the xf86-video-qxl driver.
Comment 6 Marcus Meissner 2013-03-08 15:53:18 UTC
yes, either just throw the patch in and submit or we could just ignore this bug if it does not work at all for now
Comment 7 Stefan Dirsch 2013-03-09 13:04:25 UTC
SLE doesn't ship xf86-video-qxl. openSUSE does.

12.1: xorg-x11-driver-video (xf86-video-qxl-0.0.13: affected)
12.2: xf86-video-qxl (0.0.17: contains the fix)
12.3: xf86-video-qxl (0.1.0: contains the fix)
Factory/X11:XOrg: xf86-video-qxl (0.1.0: contains the fix)

==> Only openSUSE 12.1 needs to get fixed
Comment 8 Stefan Dirsch 2013-03-26 16:59:51 UTC
Well, the patch introduces wrappers around ioport_write() calls, but there is no ioport_write() yet defined in xf86-video-qxl 0.0.13 of openSUSE 12.1. Instead outb() is used in this version. 

Later ioport_write() has been introduced in xf86-video-qxl, but it requires the definition of XSPICE. If not, outb() is used. And we do not build nor ship spice devel packages with openSUSE 12.1.

Maybe this is becoming a non-issue with this in mind? Do you agree?
Comment 9 Marcus Meissner 2013-03-27 10:02:00 UTC
it seems so. let's put the issue at rest.
Comment 10 Stefan Dirsch 2013-03-27 10:41:06 UTC