Bug 1024834 - (CVE-2017-2620) VUL-0: CVE-2017-2620: xen: cirrus_bitblt_cputovideo does not check if memory region is safe (XSA-209)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2017-2620:4.9:(AV:A/A...
Reported: 2017-02-10 17:47 UTC by Marcus Meissner
Modified: 2021-01-22 08:59 UTC

Attachments
cirrus-add-blit-is-unsafe-to-cirrus-bitblt-cputovideo.patch (1.90 KB, patch), 2017-02-21 12:35 UTC, Mikhail Kasimov
xsa209-qemuu.patch (1.89 KB, patch), 2017-02-21 12:37 UTC, Mikhail Kasimov
xsa209-qemut.patch (1.89 KB, patch), 2017-02-21 12:38 UTC, Mikhail Kasimov
qemu-xen-traditional patch (1.89 KB, patch), 2017-02-27 07:33 UTC, Johannes Segitz
qemu-xen, qemu upstream (10.00 KB, application/x-tar), 2017-02-27 07:34 UTC, Johannes Segitz

Comment 5 Swamp Workflow Management 2017-02-10 23:01:27 UTC
bugbot adjusting priority
Comment 7 Charles Arnold 2017-02-15 22:24:59 UTC
Submitted for:

Devel:Virt:SLE-11-SP1
Devel:Virt:SLE-11-SP3
Devel:Virt:SLE-11-SP4
Devel:Virt:SLE-12
Devel:Virt:SLE-12-SP1
Devel:Virt:SLE-12-SP2
Comment 8 Swamp Workflow Management 2017-02-16 03:50:12 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-02-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63427
Comment 9 Marcus Meissner 2017-02-21 12:13:37 UTC
is public now.

Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is 
vulnerable to an out-of-bounds access issue. It could occur while copying VGA 
data in cirrus_bitblt_cputovideo.

A privileged user inside guest could use this flaw to crash the Qemu process 
resulting in DoS OR potentially execute arbitrary code on the host with 
privileges of Qemu process on the host.

Reference:
----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1420460

* 'CVE-2017-2620' has been assigned to this issue by Red Hat Inc.
* Attached herein is a proposed patch to fix this issue.

Thank you.
Comment 10 Mikhail Kasimov 2017-02-21 12:35:26 UTC
Created attachment 714881 [details]
cirrus-add-blit-is-unsafe-to-cirrus-bitblt-cputovideo.patch

Ref: http://seclists.org/oss-sec/2017/q1/463
=============================================
  Hello,

Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data in cirrus_bitblt_cputovideo.


A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on the host with privileges of Qemu process on the host.


Reference:
----------
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1420460

* 'CVE-2017-2620' has been assigned to this issue by Red Hat Inc.
* Attached herein is a proposed patch to fix this issue.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Attachment: cirrus-add-blit-is-unsafe-to-cirrus-bitblt-cputovideo.patch
=============================================
Comment 11 Mikhail Kasimov 2017-02-21 12:37:38 UTC
Created attachment 714882 [details]
xsa209-qemuu.patch

Ref: http://seclists.org/oss-sec/2017/q1/464
==============================================
Xen Security Advisory CVE-2017-2620 / XSA-209
                              version 3

   cirrus_bitblt_cputovideo does not check if memory region is safe

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified memory
region is safe.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
write, very likely exploitable as a privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Gerd Hoffmann of Red Hat.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa209-qemuu.patch       qemu-xen, qemu upstream
(no backport yet)        qemu-xen-traditional

$ sha256sum xsa209*
167af9ed7163fa7cf4abb52f865290ced3163c7684151bdc1324eb5e534faf13  xsa209-qemut.patch
297578aa43c3e6b21333f1b859fd1d3e68aaaae77b3cadbadd20cfeca8426df3  xsa209-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the "stdvga" mitigation (changing the video
card emulation to stdvga) is NOT permitted (except where all the
affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except
to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
==============================================
Comment 12 Mikhail Kasimov 2017-02-21 12:38:06 UTC
Created attachment 714883 [details]
xsa209-qemut.patch
Comment 13 Johannes Segitz 2017-02-27 07:32:28 UTC
            Xen Security Advisory CVE-2017-2620 / XSA-209
                              version 4

   cirrus_bitblt_cputovideo does not check if memory region is safe

UPDATES IN VERSION 4
====================

Include a prerequisite patch for qemu-upstream, correct statement
regarding the availability of a qemu-traditional patch.

ISSUE DESCRIPTION
=================

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified memory
region is safe.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
write, very likely exploitable as a privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Gerd Hoffmann of Red Hat.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa209-qemuu/*.patch     qemu-xen, qemu upstream
xsa209-qemut.patch       qemu-xen-traditional

$ sha256sum xsa209* xsa209*/*
167af9ed7163fa7cf4abb52f865290ced3163c7684151bdc1324eb5e534faf13  xsa209-qemut.patch
e698b73d8de24af0fe33968a43561e5e1d094f4caf2443caa447b552677d2683  xsa209-qemuu/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
50c60e45151ef2265cce4f92b204e9fd75f8bc8952f097e77ab4fe1c1446bc98  xsa209-qemuu/0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
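The check that the XSA-209 advisories in comments 11 and 13 describe as missing, as an added example in C that is not QEMU's cirrus_vga.c: a simplified model of the card's VRAM and of a guest-controlled blit descriptor, where a blit_dst_is_unsafe() test runs before any byte of guest data is copied. The VRAM size, the descriptor fields and the function names are assumptions chosen for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the emulated card's VRAM and of a guest-controlled
 * blit descriptor. This is an illustration, not QEMU's cirrus_vga.c:
 * field names, the VRAM size and the function names are assumptions. */
#define VRAM_SIZE (4u * 1024u * 1024u)   /* 4 MiB, constructed value */

typedef struct {
    uint32_t dst_addr;   /* byte offset of the first destination row in VRAM */
    uint32_t dst_pitch;  /* bytes between the starts of consecutive rows */
    uint32_t width;      /* bytes written per row */
    uint32_t height;     /* number of rows */
} blit_desc;

/* True when the destination region does not lie fully inside VRAM.
 * All terms are widened to 64 bits so that a descriptor crafted to wrap
 * 32-bit offset arithmetic back into range is still rejected. */
bool blit_dst_is_unsafe(const blit_desc *b, uint64_t vram_size)
{
    if (b->width == 0 || b->height == 0)
        return true;                  /* degenerate descriptor: refuse it */
    uint64_t last_row = (uint64_t)b->dst_addr +
                        (uint64_t)(b->height - 1) * b->dst_pitch;
    uint64_t end = last_row + b->width;   /* one past the last byte written */
    return end > vram_size;
}

/* Hardened copy of guest-supplied pixel data into VRAM. The bounds check
 * runs before any byte is written, which is the step XSA-209 restores in
 * cirrus_bitblt_cputovideo. Returns 0 on success, -1 if the blit is refused. */
int cputovideo_copy(uint8_t *vram, uint64_t vram_size, const blit_desc *b,
                    const uint8_t *src, size_t src_len)
{
    if (blit_dst_is_unsafe(b, vram_size))
        return -1;
    if ((uint64_t)src_len < (uint64_t)b->width * b->height)
        return -1;                    /* source buffer too short for the rows */
    for (uint32_t row = 0; row < b->height; row++)
        memcpy(vram + b->dst_addr + (uint64_t)row * b->dst_pitch,
               src + (uint64_t)row * b->width, b->width);
    return 0;
}
```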
Comment 14 Johannes Segitz 2017-02-27 07:33:37 UTC
Created attachment 715515 [details]
qemu-xen-traditional patch
Comment 15 Johannes Segitz 2017-02-27 07:34:28 UTC
Created attachment 715516 [details]
qemu-xen, qemu upstream
Comment 16 Swamp Workflow Management 2017-02-27 17:13:21 UTC
SUSE-SU-2017:0570-1: An update that solves 13 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1013657,1013668,1014490,1014507,1015169,1016340,1022627,1022871,1023004,1024183,1024186,1024307,1024834,1025188
CVE References: CVE-2016-10155,CVE-2016-9101,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5579,CVE-2017-5856,CVE-2017-5898,CVE-2017-5973
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.5_06-22.11.2
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.5_06-22.11.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.5_06-22.11.2
Comment 17 Swamp Workflow Management 2017-02-27 17:15:55 UTC
SUSE-SU-2017:0571-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1005028,1012651,1014298,1014300,1015169,1016340,1022871,1023004,1024834
CVE References: CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.1_06-31.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.1_06-31.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.1_06-31.1
Comment 18 Swamp Workflow Management 2017-02-28 23:36:11 UTC
SUSE-SU-2017:0582-1: An update that solves 14 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1013657,1013668,1014490,1014507,1015169,1016340,1022627,1022871,1023004,1024183,1024186,1024307,1024834,1025188,907805
CVE References: CVE-2014-8106,CVE-2016-10155,CVE-2016-9101,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5579,CVE-2017-5856,CVE-2017-5898,CVE-2017-5973
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_14-22.33.1
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_14-22.33.1
Comment 19 Swamp Workflow Management 2017-03-11 14:09:36 UTC
openSUSE-SU-2017:0665-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1005028,1012651,1014298,1014300,1015169,1016340,1022871,1023004,1024834
CVE References: CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.1_06-9.2
Comment 20 Swamp Workflow Management 2017-03-17 11:12:28 UTC
SUSE-SU-2017:0718-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1002496,1012651,1013657,1013668,1014298,1014507,1015169,1016340,1022871,1023004,1024183,1024834,907805
CVE References: CVE-2014-8106,CVE-2016-10013,CVE-2016-10024,CVE-2016-10155,CVE-2016-9101,CVE-2016-9776,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2016-9932,CVE-2017-2615,CVE-2017-2620
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-35.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-35.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-35.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-35.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-35.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-35.1
Comment 21 Marcus Meissner 2017-10-25 19:04:20 UTC
released