Bugzilla – Bug 934069
VUL-0: CVE-2015-3214: qemu: OOB read in i8254 (programmable interrupt controller)
Last modified: 2016-07-22 07:28:38 UTC
was fixed in 2010 for the kernel (kvm) https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656
xen - not vulnerable kvm - not vulnerable tcg? no idea what t hat is
(In reply to Marcus Meissner from comment #4) > tcg? no idea what t hat is Tiny Code Generator http://wiki.qemu.org/Documentation/TCG
bugbot adjusting priority
public. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3214 > Due converting PIO to the new memory read/write api we no longer provide > separate I/O region lenghts for read and write operations. As a result, > reading from PIT Mode/Command register will end with accessing > pit->channels with invalid index and potentially cause memory corruption and/or > minor information leak. > > A privileged guest user in a guest with QEMU PIT emulation enabled could > potentially (tough unlikely) use this flaw to execute arbitrary code on the > host with the privileges of the hosting QEMU process. > > Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT emulation > and are thus not vulnerable to this issue. > > Acknowledgements: > > Red Hat would like to thank Matt Tait of Google's Project Zero security team > for reporting this issue. Patch submission: https://www.mail-archive.com/qemu-devel@nongnu.org/msg304063.html Due converting PIO to the new memory read/write api we no longer provide separate I/O region lenghts for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with invalid index. Fix this by ignoring read from the Mode/Command register. This is CVE-2015-3214. Signed-off-by: Petr Matousek <pmato...@redhat.com> Reported-by: Matt Tait <mattt...@google.com> --- hw/timer/i8254.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c index 3450c98..9b65a33 100644 --- a/hw/timer/i8254.c +++ b/hw/timer/i8254.c @@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr, PITChannelState *s; addr &= 3; + + if (addr == 3) { + /* Mode/Command register is write only, read is ignored */ + return 0; + } + s = &pit->channels[addr]; if (s->status_latched) { s->status_latched = 0; -- 2.1.0
SUSE-SU-2016:1560-1: An update that solves 37 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 886378,895528,901508,928393,934069,940929,944463,947159,958491,958917,959005,959386,960334,960708,960725,960835,961332,961333,961358,961556,961691,962320,963782,964413,967969,969121,969122,969350,970036,970037,975128,975136,975700,976109,978158,978160,980711,980723,981266 CVE References: CVE-2014-3615,CVE-2014-3689,CVE-2014-9718,CVE-2015-3214,CVE-2015-5239,CVE-2015-5745,CVE-2015-7295,CVE-2015-7549,CVE-2015-8504,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2538,CVE-2016-2841,CVE-2016-2857,CVE-2016-2858,CVE-2016-3710,CVE-2016-3712,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4952 Sources used: SUSE Linux Enterprise Server 12 (src): qemu-2.0.2-48.19.1 SUSE Linux Enterprise Desktop 12 (src): qemu-2.0.2-48.19.1
SUSE-SU-2016:1698-1: An update that solves 33 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 895528,901508,928393,934069,936132,940929,944463,945404,945987,945989,947159,958491,958917,959005,960334,960725,961332,961333,961358,961556,961691,962320,963782,964413,967969,969350,970036,970037,975128,975136,975700,976109,978158,978160,980711,980723 CVE References: CVE-2014-3615,CVE-2014-3689,CVE-2014-9718,CVE-2015-3214,CVE-2015-5239,CVE-2015-5278,CVE-2015-5279,CVE-2015-5745,CVE-2015-6855,CVE-2015-7295,CVE-2015-7549,CVE-2015-8504,CVE-2015-8558,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2016-1568,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2538,CVE-2016-2841,CVE-2016-2857,CVE-2016-2858,CVE-2016-3710,CVE-2016-3712,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441 Sources used: SUSE Linux Enterprise Server 11-SP3-LTSS (src): kvm-1.4.2-46.1
SUSE-SU-2016:1785-1: An update that solves 33 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 895528,901508,928393,934069,936132,940929,944463,945404,945987,945989,947159,958491,958917,959005,960334,960725,961332,961333,961358,961556,961691,962320,963782,964413,967969,969350,970036,970037,975128,975136,975700,976109,978158,978160,980711,980723 CVE References: CVE-2014-3615,CVE-2014-3689,CVE-2014-9718,CVE-2015-3214,CVE-2015-5239,CVE-2015-5278,CVE-2015-5279,CVE-2015-5745,CVE-2015-6855,CVE-2015-7295,CVE-2015-7549,CVE-2015-8504,CVE-2015-8558,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2016-1568,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2538,CVE-2016-2841,CVE-2016-2857,CVE-2016-2858,CVE-2016-3710,CVE-2016-3712,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): kvm-1.4.2-44.1
fixed everywhere