Bug 934069 - (CVE-2015-3214) VUL-0: CVE-2015-3214: qemu: OOB read in i8254 (programmable interrupt controller)
(CVE-2015-3214)
VUL-0: CVE-2015-3214: qemu: OOB read in i8254 (programmable interrupt control...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Andreas Färber
Security Team bot
maint:running:62809:important maint:r...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-06-09 09:30 UTC by Marcus Meissner
Modified: 2016-07-22 07:28 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 3 Marcus Meissner 2015-06-09 10:11:57 UTC
    was fixed in 2010 for the kernel (kvm) https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656
Comment 4 Marcus Meissner 2015-06-09 10:12:51 UTC
xen - not vulnerable
kvm - not vulnerable 

tcg? no idea what t hat is
Comment 5 Andreas Stieger 2015-06-09 11:01:04 UTC
(In reply to Marcus Meissner from comment #4)
> tcg? no idea what t hat is

Tiny Code Generator
http://wiki.qemu.org/Documentation/TCG
Comment 6 Swamp Workflow Management 2015-06-09 22:00:42 UTC
bugbot adjusting priority
Comment 7 Andreas Stieger 2015-06-17 11:40:45 UTC
public.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3214

> Due converting PIO to the new memory read/write api we no longer provide
> separate I/O region lenghts for read and write operations. As a result,
> reading from PIT Mode/Command register will end with accessing
> pit->channels with invalid index and potentially cause memory corruption and/or
> minor information leak.
> 
> A privileged guest user in a guest with QEMU PIT emulation enabled could
> potentially (tough unlikely) use this flaw to execute arbitrary code on the
> host with the privileges of the hosting QEMU process.
> 
> Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT emulation
> and are thus not vulnerable to this issue.
> 
> Acknowledgements:
> 
> Red Hat would like to thank Matt Tait of Google's Project Zero security team
> for reporting this issue.

Patch submission:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg304063.html


Due converting PIO to the new memory read/write api we no longer provide
separate I/O region lenghts for read and write operations. As a result,
reading from PIT Mode/Command register will end with accessing
pit->channels with invalid index.


Fix this by ignoring read from the Mode/Command register.

This is CVE-2015-3214.

Signed-off-by: Petr Matousek <pmato...@redhat.com>
Reported-by: Matt Tait <mattt...@google.com>
---
 hw/timer/i8254.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
index 3450c98..9b65a33 100644
--- a/hw/timer/i8254.c
+++ b/hw/timer/i8254.c
@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
     PITChannelState *s;
 
     addr &= 3;
+
+    if (addr == 3) {
+        /* Mode/Command register is write only, read is ignored */
+        return 0;
+    }
+
     s = &pit->channels[addr];
     if (s->status_latched) {
         s->status_latched = 0;
-- 
2.1.0
Comment 10 Swamp Workflow Management 2016-06-13 11:09:33 UTC
SUSE-SU-2016:1560-1: An update that solves 37 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 886378,895528,901508,928393,934069,940929,944463,947159,958491,958917,959005,959386,960334,960708,960725,960835,961332,961333,961358,961556,961691,962320,963782,964413,967969,969121,969122,969350,970036,970037,975128,975136,975700,976109,978158,978160,980711,980723,981266
CVE References: CVE-2014-3615,CVE-2014-3689,CVE-2014-9718,CVE-2015-3214,CVE-2015-5239,CVE-2015-5745,CVE-2015-7295,CVE-2015-7549,CVE-2015-8504,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2538,CVE-2016-2841,CVE-2016-2857,CVE-2016-2858,CVE-2016-3710,CVE-2016-3712,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4952
Sources used:
SUSE Linux Enterprise Server 12 (src):    qemu-2.0.2-48.19.1
SUSE Linux Enterprise Desktop 12 (src):    qemu-2.0.2-48.19.1
Comment 11 Swamp Workflow Management 2016-06-28 18:08:22 UTC
SUSE-SU-2016:1698-1: An update that solves 33 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 895528,901508,928393,934069,936132,940929,944463,945404,945987,945989,947159,958491,958917,959005,960334,960725,961332,961333,961358,961556,961691,962320,963782,964413,967969,969350,970036,970037,975128,975136,975700,976109,978158,978160,980711,980723
CVE References: CVE-2014-3615,CVE-2014-3689,CVE-2014-9718,CVE-2015-3214,CVE-2015-5239,CVE-2015-5278,CVE-2015-5279,CVE-2015-5745,CVE-2015-6855,CVE-2015-7295,CVE-2015-7549,CVE-2015-8504,CVE-2015-8558,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2016-1568,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2538,CVE-2016-2841,CVE-2016-2857,CVE-2016-2858,CVE-2016-3710,CVE-2016-3712,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kvm-1.4.2-46.1
Comment 12 Swamp Workflow Management 2016-07-11 14:39:56 UTC
SUSE-SU-2016:1785-1: An update that solves 33 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 895528,901508,928393,934069,936132,940929,944463,945404,945987,945989,947159,958491,958917,959005,960334,960725,961332,961333,961358,961556,961691,962320,963782,964413,967969,969350,970036,970037,975128,975136,975700,976109,978158,978160,980711,980723
CVE References: CVE-2014-3615,CVE-2014-3689,CVE-2014-9718,CVE-2015-3214,CVE-2015-5239,CVE-2015-5278,CVE-2015-5279,CVE-2015-5745,CVE-2015-6855,CVE-2015-7295,CVE-2015-7549,CVE-2015-8504,CVE-2015-8558,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2016-1568,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2538,CVE-2016-2841,CVE-2016-2857,CVE-2016-2858,CVE-2016-3710,CVE-2016-3712,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    kvm-1.4.2-44.1
Comment 13 Johannes Segitz 2016-07-22 07:28:38 UTC
fixed everywhere