Bug 932770 - (CVE-2015-3209) VUL-0: CVE-2015-3209: qemu,xen,kvm: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P2 - High / Major
Assigned To: Bruce Rogers
Security Team bot
maint:released:sle11-sp3:61876 maint:...
Depends on:
Blocks: 932823
Reported: 2015-05-29 07:58 UTC by Andreas Stieger
Modified: 2017-11-03 15:37 UTC (History)
6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 11 Andreas Stieger 2015-05-29 10:12:10 UTC
Looking at qemu first...

SLE 11 SP2 (SUSE Studio Onsite 1.3) qemu 0.10.1 affected.
Patch does not apply cleanly due to rewrites, check qemu git 7b50d00911ddd6d56a766ac5671e47304c20a21b for previous changes

SLE 11 SP3 qemu 0.10.1 affected, same.

SLE 12 qemu 2.0.2 affected.
qemu git 7b50d00911ddd6d56a766ac5671e47304c20a21b applies clean, followed by pcnet.patch from advisory
Comment 12 Andreas Stieger 2015-05-29 11:37:47 UTC
Xen:

SLE 10 SP3 TD: xen 3.2.3 looks affected, ./tools/ioemu/hw/pcnet.c, but backporting needed

SLE 11 SP1 TD: xen-4.0.3 affected, patches need unfuzzing

SLE 11 SP3: xen 4.2.5 affected
patches below apply clean in tools/qemu-xen-dir-remote:
xsa135-qemuu-4.2-1.patch
xsa135-qemuu-4.2-2.patch
AND
patches below apply clean in tools/qemu-xen-traditional-dir-remote:
xsa135-qemut-1.patch
xsa135-qemut-2.patch

SLE 12: xen 4.4.2 affected
patches below apply with offset only in tools/qemu-xen-dir-remote:
xsa135-qemuu-4.3-1.patch
xsa135-qemuu-4.3-2.patch
AND
patches below apply with offset only in tools/qemu-xen-traditional-dir-remote:
xsa135-qemut-1.patch
xsa135-qemut-2.patch
Comment 13 Andreas Stieger 2015-05-29 12:18:02 UTC
KVM:

SLE 12: affected (built by qemu)
SLE 11 SP3: affected
SLE 11 SP1: affected
Comment 21 Andreas Stieger 2015-06-10 14:13:14 UTC
Public via http://xenbits.xen.org/xsa/advisory-135.html

            Xen Security Advisory CVE-2015-3209 / XSA-135
                              version 3

 Heap overflow in QEMU PCNET controller, allowing guest->host escape

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

    pcnet_transmit loads a transmit-frame descriptor from the guest into the
    /tmd/ local variable to recover a length field, a status field and a
    guest-physical location of the associated frame buffer. If the status
    field indicates that the frame buffer is ready to be sent out (i.e. by
    setting the TXSTATUS_DEVICEOWNS, TXSTATUS_STARTPACKET and
    TXSTATUS_ENDPACKET bits on the status field), the PCNET device
    controller pulls in the frame from the guest-physical location to
    s->buffer (which is 4096 bytes long), and then transmits the frame.

    Because of the layout of the transmit-frame descriptor, it is not
    possible to send the PCNET device controller a frame of length > 4096,
    but it /is/ possible to send the PCNET device controller a frame that is
    marked as TXSTATUS_STARTPACKET, but not TXSTATUS_ENDPACKET. If we do
    this - and the PCNET controller is configured via the XMTRL CSR to
    support split-frame processing - then the pcnet_transmit function loops
    round, pulling a second transmit frame descriptor from the guest. If
    this second transmit frame descriptor sets the TXSTATUS_DEVICEOWNS bit and
    doesn't set the TXSTATUS_STARTPACKET bit, this frame is appended to
    the s->buffer field.

    An attacker can then exploit this vulnerability by sending a first
    packet of length 4096 to the device controller, and a second frame
    containing N-bytes to trigger an N-byte heap overflow.

    On 64-bit QEMU, a 24-byte overflow allows the guest to take control of
    the phys_mem_write function pointer in the PCNetState_st structure, and
    this is called when trying to flush the updated transmit frame
    descriptor back to the guest. By specifying the content of the second
    transmit frame, the attacker therefore gets reliable fully-chosen
    control of the host instruction pointer, allowing them to take control
    of the host.

IMPACT
======

A guest which has access to an emulated PCNET network device
(e.g. with "model=pcnet" in their VIF configuration) can exploit this
vulnerability to take over the qemu process, elevating its privilege to
that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured to use the PCNET emulated driver model are
vulnerable.

The default configuration is NOT vulnerable (because it does not
emulate PCNET NICs).

Systems running only PV guests are NOT vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device_model_stubdomain_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional "qemu-xen" and upstream qemu device models are
potentially vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated network devices altogether, by specifying
a PV only VIF in the domain configuration file will avoid this
issue.

Avoiding the use of the PCNET device in favour of other emulations
will also avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen"
version.

CREDITS
=======

This issue was discovered by Matt Tait of Google and reported to us
via the QEMU security team.

RESOLUTION
==========

Applying the appropriate attached patch(es) resolves this issue.

xsa135-qemuu-unstable.patch  qemu-upstream, Xen unstable
xsa135-qemuu-4.5-*.patch     qemu-upstream, Xen 4.5.x, Xen 4.4.x
xsa135-qemuu-4.3-*.patch     qemu-upstream, Xen 4.3.x
xsa135-qemuu-4.2-*.patch     qemu-upstream, Xen 4.2.x
xsa135-qemut-*.patch         qemu-xen-traditional, Xen unstable, 4.5.x, 4.4.x, 4.3.x, 4.2.x

Note that the second patch for qemu-xen-traditional (all versions),
and qemu-upstream 4.3.x and 4.2.x are identical. Likewise
xsa135-qemuu-unstable.patch is the same as
xsa135-qemuu-4.5-2.patch. They are presented separately for
convenience.

$ sha256sum xsa135*.patch
a40897166f5de84c11b5d547191cd0375c7052edb0f44940eec7b78d839e447b  xsa135-qemut-1.patch
d98452d4c42fae1f11e887537a4638694de8a4bf00835daac6e51801297e4091  xsa135-qemut-2.patch
099693483d468a7fdecbf825635d3595ebeecc91c496624cbe109dcb4dd235da  xsa135-qemuu-unstable.patch
12ca5521f6bb1227934a1711d8adee11138a84c080a217f250efe34b3cb25b10  xsa135-qemuu-4.2-1.patch
d98452d4c42fae1f11e887537a4638694de8a4bf00835daac6e51801297e4091  xsa135-qemuu-4.2-2.patch
ad32c0ac145bc02b901c061fcbef83965f443fe89fcae9efc3b1dfd1e1d70bc8  xsa135-qemuu-4.3-1.patch
d98452d4c42fae1f11e887537a4638694de8a4bf00835daac6e51801297e4091  xsa135-qemuu-4.3-2.patch
baf9e0a960693b246ff01bb6210c5fee7713999d1e1b00a5b4e29d9ebd3c0ce8  xsa135-qemuu-4.5-1.patch
099693483d468a7fdecbf825635d3595ebeecc91c496624cbe109dcb4dd235da  xsa135-qemuu-4.5-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except on
systems used and administered only by organisations which are members
of the Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

The decision not to permit deployment was made by the group that, at
their discretion, disclosed the issue to the Xen Project Security
Team.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
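The transmit-path bug the advisory above describes, reduced to a runnable model. This is an added example written for this page; it is not code from the bug report, from QEMU, or from the XSA-135 patches. The descriptor layout, the guest-physical addresses (RING_ADDR, FRAME_ADDR), the guest memory size, the after_buffer canaries and the struct outcome type are all simplifications assumed for the model; in real QEMU the data following s->buffer in PCNetState_st includes the phys_mem_write function pointer the advisory names, and split-frame handling is enabled through the XMTRL CSR, which the model simply assumes is on. The hardened branch follows the shape of the upstream fix, which rejects a multi-descriptor frame once xmit_pos + bcnt would exceed the 4096-byte buffer.

```c
/* Model of the pcnet split-frame transmit overflow (CVE-2015-3209 / XSA-135).
 * Added example, not code from the bug report, QEMU or the Xen patches; layouts
 * and addresses are simplified assumptions (QEMU keeps phys_mem_write after s->buffer). */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define TXSTATUS_DEVICEOWNS  0x8000u
#define TXSTATUS_STARTPACKET 0x0200u
#define TXSTATUS_ENDPACKET   0x0100u
#define GUEST_MEM            16384u    /* modelled guest memory (assumed size) */
#define RING_ADDR            0x100u    /* TX ring, guest-physical (assumed) */
#define FRAME_ADDR           0x1000u   /* frame data, guest-physical (assumed) */

struct tmd {                  /* transmit descriptor as the guest writes it */
    uint16_t status;
    uint16_t length;          /* low 12 bits: 4096 - byte count, so a chunk is <= 4096 */
    uint32_t tbadr;           /* guest-physical address of this chunk */
};

struct pcnet_state {          /* device state: staging buffer, then guarded data */
    uint8_t  buffer[4096];
    uint64_t after_buffer[4]; /* canaries standing in for what follows in QEMU */
    int      xmit_pos;        /* -1 while no frame is being assembled */
};
struct outcome { int sent; uint64_t canary; };

/* Bounded DMA read from guest memory; the bound only keeps the model safe. */
static bool guest_read(const uint8_t *gmem, uint32_t addr, void *dst, size_t len)
{
    if (addr > GUEST_MEM || len > GUEST_MEM - addr)
        return false;
    memcpy(dst, gmem + addr, len);
    return true;
}

/* Assemble frames from ndesc descriptors at ring into s->buffer, as the emulation
 * does with XMTRL split-frame mode on.  hardened == false is the vulnerable path;
 * hardened == true drops a frame that would outgrow the buffer (the upstream fix's shape). */
static int pcnet_transmit(struct pcnet_state *s, const uint8_t *gmem,
                          uint32_t ring, int ndesc, bool hardened)
{
    int sent = 0;
    s->xmit_pos = -1;
    for (int i = 0; i < ndesc; i++) {
        struct tmd tmd;
        if (!guest_read(gmem, ring + (uint32_t)(i * sizeof tmd), &tmd, sizeof tmd))
            break;
        if (!(tmd.status & TXSTATUS_DEVICEOWNS))
            break;                   /* still owned by the guest: nothing to send */
        if (tmd.status & TXSTATUS_STARTPACKET)
            s->xmit_pos = 0;         /* first chunk of a new frame */
        else if (s->xmit_pos < 0)
            continue;                /* continuation with no start: ignore */
        int bcnt = 4096 - (int)(tmd.length & 0x0fff);
        if (hardened && s->xmit_pos + bcnt > (int)sizeof s->buffer) {
            s->xmit_pos = -1;        /* fix: a frame that cannot fit is dropped */
            continue;
        }
        /* Vulnerable: nothing bounds xmit_pos + bcnt, so 4096 + N bytes spill past s->buffer. */
        if (!guest_read(gmem, tmd.tbadr, s->buffer + s->xmit_pos, (size_t)bcnt))
            break;
        s->xmit_pos += bcnt;
        if (tmd.status & TXSTATUS_ENDPACKET) {
            sent++;                  /* frame complete, handed to the wire */
            s->xmit_pos = -1;
        }
    }
    return sent;
}

static void put_tmd(uint8_t *gmem, uint32_t addr, uint16_t status, int bytes, uint32_t tbadr)
{
    struct tmd d = { status, (uint16_t)((4096 - bytes) & 0x0fff), tbadr };
    memcpy(gmem + addr, &d, sizeof d);   /* guest side: one descriptor for `bytes` bytes */
}

/* Run a constructed ring through a fresh device.  attack == true is the advisory's
 * sequence (a 4096-byte START chunk filling the buffer exactly, then a 24-byte END
 * chunk); attack == false is one ordinary 1500-byte frame.  canary is 0x5a5a... if intact. */
static struct outcome run_ring(bool attack, bool hardened)
{
    uint8_t gmem[GUEST_MEM] = { 0 };
    struct pcnet_state s;
    memset(&s, 0x5a, sizeof s);      /* fills after_buffer[] with the canary pattern */
    if (attack) {
        memset(gmem + FRAME_ADDR, 0x41, 4096);
        memset(gmem + FRAME_ADDR + 4096, 0x42, 24);   /* attacker-chosen overflow bytes */
        put_tmd(gmem, RING_ADDR,     TXSTATUS_DEVICEOWNS | TXSTATUS_STARTPACKET, 4096, FRAME_ADDR);
        put_tmd(gmem, RING_ADDR + 8, TXSTATUS_DEVICEOWNS | TXSTATUS_ENDPACKET,   24,   FRAME_ADDR + 4096);
    } else {
        memset(gmem + FRAME_ADDR, 0x43, 1500);
        put_tmd(gmem, RING_ADDR, TXSTATUS_DEVICEOWNS | TXSTATUS_STARTPACKET | TXSTATUS_ENDPACKET,
                1500, FRAME_ADDR);
    }
    return (struct outcome){ pcnet_transmit(&s, gmem, RING_ADDR, attack ? 2 : 1, hardened),
                             s.after_buffer[0] };
}
```

run_ring(true, false) reproduces the advisory's scenario: the 4096-byte START chunk fills the buffer exactly, the 24-byte continuation is appended with no check, and the first word after the buffer comes back as 0x4242424242424242 (the attacker's bytes) even though the device reports one frame sent. With hardened set the same ring sends nothing and the canary stays 0x5a5a5a5a5a5a5a5a, while the ordinary 1500-byte frame is still transmitted, which is the property a backport of the fix should be checked for: oversized multi-descriptor frames are dropped, single-descriptor frames are unaffected.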
Comment 22 Swamp Workflow Management 2015-06-11 15:06:41 UTC
SUSE-SU-2015:1042-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 906689,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_06-21.1
Comment 23 Swamp Workflow Management 2015-06-11 18:05:53 UTC
SUSE-SU-2015:1045-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_08-0.9.1
Comment 24 Swamp Workflow Management 2015-06-22 10:10:32 UTC
openSUSE-SU-2015:1092-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,906689,910254,912011,918995,918998,919098,919464,919663,921842,922705,922706,922709,923758,927967,929339,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2751,CVE-2015-2752,CVE-2015-2756,CVE-2015-3209,CVE-2015-3340,CVE-2015-3456,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.2 (src):    xen-4.4.2_06-23.1
Comment 25 Swamp Workflow Management 2015-06-22 12:05:55 UTC
openSUSE-SU-2015:1094-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-2751,CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_05-47.1
Comment 26 Swamp Workflow Management 2015-06-26 13:08:18 UTC
SUSE-SU-2015:1152-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 932267,932770
CVE References: CVE-2015-3209
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.22.31.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.22.31.1
Comment 27 Swamp Workflow Management 2015-06-29 12:06:15 UTC
SUSE-SU-2015:1156-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.25.1
Comment 28 Swamp Workflow Management 2015-06-29 13:06:09 UTC
SUSE-SU-2015:1157-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.13.1
Comment 29 Swamp Workflow Management 2015-07-08 15:08:18 UTC
SUSE-SU-2015:1206-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 932770,932996
CVE References: CVE-2015-3209,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.17.1
Comment 31 Swamp Workflow Management 2015-08-21 16:14:00 UTC
SUSE-SU-2015:1426-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 932770,938344
CVE References: CVE-2015-3209,CVE-2015-5154
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kvm-0.15.1-0.32.2
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kvm-0.15.1-0.32.2
Comment 32 Marcus Meissner 2015-09-09 14:00:03 UTC
done now I think.
Comment 33 Swamp Workflow Management 2015-09-09 16:14:01 UTC
SUSE-SU-2015:1519-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 893892,932267,932770
CVE References: CVE-2015-3209,CVE-2015-4037
Sources used:
SUSE Linux Enterprise Server 12 (src):    qemu-2.0.2-48.4.1
SUSE Linux Enterprise Desktop 12 (src):    qemu-2.0.2-48.4.1
Comment 34 Swamp Workflow Management 2015-09-25 19:10:33 UTC
SUSE-SU-2015:1643-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 932770,932996,938344,939712
CVE References: CVE-2015-3209,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.21.1
Comment 35 Swamp Workflow Management 2015-11-11 14:07:57 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-11-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62332
Comment 36 Swamp Workflow Management 2016-01-19 11:49:12 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-01-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62448