Bugzilla – Bug 1023004
VUL-0: CVE-2017-2615: kvm: qemu: display: cirrus: oob access while doing bitblt copy backward mode (XSA-208)
Last modified: 2021-01-22 08:59:27 UTC
Ref: http://seclists.org/oss-sec/2017/q1/257
=============================================

Hello,

Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode.

A privileged user inside the guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on the host with privileges of the Qemu process on the host.

Upstream patch
--------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg00015.html

It fixes
  -> http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0

Reference:
----------
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1418200

This issue was reported by Li Qiang of 360.cn Inc.
CVE-2017-2615 was assigned to this issue by Red Hat Inc.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
=============================================
bugbot adjusting priority
(In reply to Charles Arnold from comment #3)
> (In reply to Matthias Gerstner from comment #2)
> > The issue was fixed upstream already two years ago so the newer codestreams
> > are not affected.
>
> Perhaps I am misreading this but I believe this bug (CVE-2017-2615) fixes
> CVE-2014-8106 from two years ago. It is not just a repost of the original
> fix.
>
> This means that newer qemu versions are affected because what is getting
> patched with this new CVE is blit_region_is_unsafe()

CVE-2014-8106 was originally fixed with bsc#907805. This was a KVM only bug (I was not made aware of its existence) so the xen qemu versions were never fixed. Some of the newer xen qemu versions were fixed upstream and so we have the fix in some SLE releases. Older qemu versions are not maintained upstream and were not fixed. With SLE-12 and older the Xen traditional qemu versions do not have the fix for CVE-2014-8106. As noted before, this means that the new CVE for this bug won't apply unless we first backport the old CVE.

Breaking this down into SLE releases this is what I see.

SLE-12-SP2:
  qemu: Xen version not shipped anymore (we use kvm/qemu)
  qemu-traditional: Needs patch for CVE-2017-2615
SLE-12-SP1:
  qemu: Needs patch for CVE-2017-2615
  qemu-traditional: Needs patch for CVE-2017-2615
SLE-12:
  qemu: Needs patch for CVE-2017-2615
  qemu-traditional: First needs patch for CVE-2014-8106 then CVE-2017-2615
SLE-11-SP4:
  qemu: Needs patch for CVE-2017-2615
  qemu-traditional: First needs patch for CVE-2014-8106 then CVE-2017-2615
SLE-11-SP3:
  qemu: First needs patch for CVE-2014-8106 then CVE-2017-2615
  qemu-traditional: First needs patch for CVE-2014-8106 then CVE-2017-2615
SLE-11-SP2:
  qemu: This upstream qemu is not supported
  qemu-traditional: First needs patch for CVE-2014-8106 then CVE-2017-2615
SLE-11-SP1:
  qemu-traditional: First needs patch for CVE-2014-8106 then CVE-2017-2615
SLE-10-SP4:
  qemu-traditional: First needs patch for CVE-2014-8106 then CVE-2017-2615
SLE-10-SP3:
  qemu-traditional: First needs patch for CVE-2014-8106 then CVE-2017-2615
(In reply to Charles Arnold from comment #4)
> SLE-10-SP4:
>   qemu-traditional: First needs patch for CVE-2014-8106 then CVE-2017-2615
> SLE-10-SP3:
>   qemu-traditional: First needs patch for CVE-2014-8106 then CVE-2017-2615

The SLE-10 qemu-traditional version pre-dates even the existence of the BLTUNSAFE macro. Nothing to be done here.
Created attachment 713685 [details] xsa208-qemuu patch
Created attachment 713686 [details] xsa208-qemut patch
Ref: http://seclists.org/oss-sec/2017/q1/377 (Xen Security Advisory 208 (CVE-2017-2615) - oob access in cirrus bitblt copy)
==============================================================================

            Xen Security Advisory CVE-2017-2615 / XSA-208

                  oob access in cirrus bitblt copy

ISSUE DESCRIPTION
=================

When doing bitblt copy backwards, qemu should negate the blit width.
This avoids an oob access before the start of video memory.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
access, possibly leading to information disclosure or privilege
escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability. The non-default "stdvga" emulated video card is not
vulnerable. (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable. Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should be
only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", in
the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa208-qemuu.patch        qemu-xen, mainline qemu
xsa208-qemut.patch        qemu-xen-traditional

$ sha256sum xsa208*
4369cce9b72daf2418a1b9dd7be6529c312b447b814c44d634bab462e80a15f5  xsa208-qemut.patch
1e516e3df1091415b6ba34aaf54fa67eac91e22daceaad569b11baa2316c78ba  xsa208-qemuu.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

This issue has already been publicly disclosed.
==============================================================================
Ref: http://seclists.org/oss-sec/2017/q1/424
=============================================

            Xen Security Advisory CVE-2017-2615 / XSA-208
                              version 2

                  oob access in cirrus bitblt copy

UPDATES IN VERSION 2
====================

Included backport for qemu-xen versions 4.7 (and earlier); fixed
qemu-xen-traditional patch. Also included proper (non-obscured) e-mail
addresses from upstream patch.

Removed "possibly" from Impact.

3 patches updated

ISSUE DESCRIPTION
=================

When doing bitblt copy backwards, qemu should negate the blit width.
This avoids an oob access before the start of video memory.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
access, leading to information disclosure or privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability. The non-default "stdvga" emulated video card is not
vulnerable. (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable. Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should be
only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", in
the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa208-qemuu.patch        mainline qemu, qemu-xen master, 4.8
xsa208-qemuu-4.7.patch    qemu-xen 4.4, 4.5, 4.6, 4.7
xsa208-qemut.patch        qemu-xen-traditional

$ sha256sum xsa208*
afde3e9d4bf5225f92c36dec9ff673b0b1b0bad4452d406f0c12edc85e2fec72  xsa208-qemut.patch
e492d528141be5899d46c2ac0bcd0c40ca9d9bfc40906a8e7a565361f17ce38d  xsa208-qemuu.patch
09471b66c9d9fc5616e7b96ab67bbb51987e7d9520d1b81cb27cbbb168659ad5  xsa208-qemuu-4.7.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

This issue has already been publicly disclosed.
=============================================
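Both advisory versions above and comment #3 (blit_region_is_unsafe()) describe the defect the same way: in backward mode the blit width has to be subtracted, not added, when computing the lowest address a copy will touch. The following C is an added example written for this bug entry; it is not QEMU's code and not the XSA-208 patch. The parameter names, the 4 KiB constructed video buffer, and the convention that `addr` is the last byte of a backward copy (first byte of a forward copy) are assumptions made for the example. It places the pre-fix shape of the check beside a hardened one so the difference is visible on concrete inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Lowest and highest byte offsets a rectangular blit touches.
 * Assumption for this example (not a statement about the Cirrus
 * register semantics): for a forward copy (pitch >= 0) addr is the
 * first byte and rows go upward; for a backward copy (pitch < 0) addr
 * is the last byte and rows go downward.  Everything is computed in
 * 64 bits so guest-chosen width/height/pitch cannot wrap the result.
 */
static void blit_extent(uint32_t width, uint32_t height, int32_t pitch,
                        int32_t addr, int64_t *lo, int64_t *hi)
{
    int64_t rows = (int64_t)height - 1;
    if (pitch < 0) {
        *hi = addr;
        *lo = (int64_t)addr + rows * pitch - ((int64_t)width - 1);
    } else {
        *lo = addr;
        *hi = (int64_t)addr + rows * pitch + ((int64_t)width - 1);
    }
}

/*
 * Shape of the check before the fix, as the advisory describes it:
 * the width is added in both directions, so for a backward copy the
 * lowest address is over-estimated and a region that reaches before
 * offset 0 can pass.  Kept only to show what the hardened check catches.
 */
static bool blit_unsafe_before_fix(int64_t vram_size, uint32_t width,
                                   uint32_t height, int32_t pitch, int32_t addr)
{
    if (width == 0 || height == 0) {
        return false;                         /* nothing is copied */
    }
    int64_t rows = (int64_t)height - 1;
    if (pitch < 0) {
        int64_t min = (int64_t)addr + rows * pitch + width;   /* wrong sign */
        return min < 0 || addr >= vram_size;
    }
    int64_t max = (int64_t)addr + rows * pitch + width;
    return max > vram_size;
}

/* Hardened check: reject any blit whose extent leaves [0, vram_size). */
static bool blit_unsafe(int64_t vram_size, uint32_t width, uint32_t height,
                        int32_t pitch, int32_t addr)
{
    if (width == 0 || height == 0) {
        return false;
    }
    int64_t lo, hi;
    blit_extent(width, height, pitch, addr, &lo, &hi);
    return lo < 0 || hi >= vram_size;
}

int main(void)
{
    const int64_t vram = 4096;   /* constructed: a 4 KiB video buffer */

    /* A one-row backward copy of 16 bytes ending at offset 10 touches
     * bytes -5..10, i.e. memory before the start of the buffer. */
    printf("backward copy ending at 10: before fix %s, hardened %s\n",
           blit_unsafe_before_fix(vram, 16, 1, -64, 10) ? "rejected" : "accepted",
           blit_unsafe(vram, 16, 1, -64, 10) ? "rejected" : "accepted");
    /* Same copy ending at offset 15 fits exactly (bytes 0..15). */
    printf("backward copy ending at 15: hardened %s\n",
           blit_unsafe(vram, 16, 1, -64, 15) ? "rejected" : "accepted");
    return 0;
}
```

The pre-fix variant misjudges the backward case by 2*width-1 bytes, which is exactly the window an out-of-bounds read or write before the start of video memory fits into; the forward case is unaffected, which is why the issue is specific to backward mode. When reviewing a backport (several SLE code streams above need CVE-2014-8106 applied first), the thing to verify is that the negative-pitch branch subtracts the width, not that the function merely exists.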
Created attachment 713922 [details] patches_from_XSA-208_version 2
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-02-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63427
Created attachment 714997 [details]
CVE-2017-2615.c

QA REPRODUCER:
gcc -o CVE-2017-2615 CVE-2017-2615.c
./CVE-2017-2615
(I see the bug was not forked for XEN consciously. Let's keep it this way.)
SUSE-SU-2017:0570-1: An update that solves 13 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1013657,1013668,1014490,1014507,1015169,1016340,1022627,1022871,1023004,1024183,1024186,1024307,1024834,1025188
CVE References: CVE-2016-10155,CVE-2016-9101,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5579,CVE-2017-5856,CVE-2017-5898,CVE-2017-5973
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): xen-4.5.5_06-22.11.2
SUSE Linux Enterprise Server 12-SP1 (src): xen-4.5.5_06-22.11.2
SUSE Linux Enterprise Desktop 12-SP1 (src): xen-4.5.5_06-22.11.2
SUSE-SU-2017:0571-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1005028,1012651,1014298,1014300,1015169,1016340,1022871,1023004,1024834
CVE References: CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): xen-4.7.1_06-31.1
SUSE Linux Enterprise Server 12-SP2 (src): xen-4.7.1_06-31.1
SUSE Linux Enterprise Desktop 12-SP2 (src): xen-4.7.1_06-31.1
SUSE-SU-2017:0582-1: An update that solves 14 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1013657,1013668,1014490,1014507,1015169,1016340,1022627,1022871,1023004,1024183,1024186,1024307,1024834,1025188,907805
CVE References: CVE-2014-8106,CVE-2016-10155,CVE-2016-9101,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5579,CVE-2017-5856,CVE-2017-5898,CVE-2017-5973
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): xen-4.4.4_14-22.33.1
SUSE Linux Enterprise Server 12-LTSS (src): xen-4.4.4_14-22.33.1
SUSE-SU-2017:0625-1: An update that solves 15 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1014702,1015169,1016779,1017081,1017084,1020491,1020589,1020928,1021129,1021195,1021481,1022541,1023004,1023053,1023073,1023907,1024972,1026583,977027
CVE References: CVE-2016-10028,CVE-2016-10029,CVE-2016-10155,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5552,CVE-2017-5578,CVE-2017-5667,CVE-2017-5856,CVE-2017-5857,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): qemu-2.6.2-41.9.1
SUSE Linux Enterprise Server 12-SP2 (src): qemu-2.6.2-41.9.1
SUSE Linux Enterprise Desktop 12-SP2 (src): qemu-2.6.2-41.9.1
Fixed.
SUSE-SU-2017:0647-1: An update that solves 14 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1013657,1013668,1014490,1014507,1015169,1016340,1022627,1022871,1023004,1024183,1024186,1024307,1024834,1025188,907805,987002
CVE References: CVE-2014-8106,CVE-2016-10155,CVE-2016-9101,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5579,CVE-2017-5856,CVE-2017-5898,CVE-2017-5973
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.4_14-51.1
SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.4_14-51.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_14-51.1
SUSE-SU-2017:0661-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1021129,1022541,1023004,1023053,1023907,1024972
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): qemu-2.0.2-48.31.1
SUSE Linux Enterprise Server 12-LTSS (src): qemu-2.0.2-48.31.1
openSUSE-SU-2017:0665-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1005028,1012651,1014298,1014300,1015169,1016340,1022871,1023004,1024834
CVE References: CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620
Sources used:
openSUSE Leap 42.2 (src): xen-4.7.1_06-9.2
openSUSE-SU-2017:0707-1: An update that solves 15 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1014702,1015169,1016779,1017081,1017084,1020491,1020589,1020928,1021129,1021195,1021481,1022541,1023004,1023053,1023073,1023907,1024972,1026583,977027
CVE References: CVE-2016-10028,CVE-2016-10029,CVE-2016-10155,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5552,CVE-2017-5578,CVE-2017-5667,CVE-2017-5856,CVE-2017-5857,CVE-2017-5898
Sources used:
openSUSE Leap 42.2 (src): qemu-2.6.2-29.4, qemu-linux-user-2.6.2-29.1, qemu-testsuite-2.6.2-29.8
SUSE-SU-2017:0718-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1002496,1012651,1013657,1013668,1014298,1014507,1015169,1016340,1022871,1023004,1024183,1024834,907805
CVE References: CVE-2014-8106,CVE-2016-10013,CVE-2016-10024,CVE-2016-10155,CVE-2016-9101,CVE-2016-9776,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2016-9932,CVE-2017-2615,CVE-2017-2620
Sources used:
SUSE OpenStack Cloud 5 (src): xen-4.2.5_21-35.1
SUSE Manager Proxy 2.1 (src): xen-4.2.5_21-35.1
SUSE Manager 2.1 (src): xen-4.2.5_21-35.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): xen-4.2.5_21-35.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): xen-4.2.5_21-35.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_21-35.1
SUSE-SU-2017:1135-1: An update that solves 10 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1021129,1023004,1023053,1023907,1024972
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5856,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): kvm-1.4.2-59.1
SUSE-SU-2017:1241-1: An update that solves 13 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1020491,1020589,1020928,1021129,1022541,1023004,1023053,1023907,1024972,937125
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): qemu-2.3.1-32.11
SUSE Linux Enterprise Desktop 12-SP1 (src): qemu-2.3.1-32.11
openSUSE-SU-2017:1312-1: An update that solves 13 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1020491,1020589,1020928,1021129,1022541,1023004,1023053,1023907,1024972,937125
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898
Sources used:
openSUSE Leap 42.1 (src): qemu-2.3.1-25.1, qemu-linux-user-2.3.1-25.1, qemu-testsuite-2.3.1-25.1
SUSE-SU-2017:3084-1: An update that solves 33 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1016779,1020427,1021129,1021741,1023004,1023053,1023907,1024972,1025109,1028184,1028656,1030624,1031051,1034044,1034866,1034908,1035406,1035950,1037242,1038396,1039495,1042159,1042800,1042801,1043296,1045035,1046636,1047674,1048902,1049381,1049785,1056334,1057585,1062069,1063122
CVE References: CVE-2016-10155,CVE-2016-9602,CVE-2016-9603,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15289,CVE-2017-2615,CVE-2017-2620,CVE-2017-5579,CVE-2017-5856,CVE-2017-5898,CVE-2017-5973,CVE-2017-6505,CVE-2017-7471,CVE-2017-7493,CVE-2017-7718,CVE-2017-7980,CVE-2017-8086,CVE-2017-8309,CVE-2017-9330,CVE-2017-9373,CVE-2017-9375,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src): kvm-1.4.2-53.11.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): kvm-1.4.2-53.11.1