Bug 939712 - (CVE-2015-5165) VUL-0: CVE-2015-5165: XSA-140: QEMU leak of uninitialized heap memory in rtl8139 device model
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv3.1:SUSE:CVE-2015-5165:5.5:(AV:...
Reported: 2015-07-28 14:34 UTC by Johannes Segitz
Modified: 2021-05-04 18:48 UTC
Comment 4 Swamp Workflow Management 2015-07-28 21:59:31 UTC
bugbot adjusting priority
Comment 6 Charles Arnold 2015-07-30 13:46:09 UTC
I didn't realize anyone was working on the qemu traditional side.
I had already backported the patches and run our stage testing with
them on sles10sp4 (Xen 3.2.3), sles11sp3 (Xen 4.2.5) and some manual
testing on sles11sp4 (Xen 4.4.2). I've also run stage testing on
sles12 with the upstream qemu version (Xen 4.4.2 with upstream qemu
version 1.6.2).

I will take these patches and compare them to what I've already done.
Comment 7 Charles Arnold 2015-07-30 13:53:24 UTC
Are there newer upstream versions of these patches (compared to what
is attached in comments #1 and #2)?
Comment 8 Johannes Segitz 2015-07-30 14:06:45 UTC
(In reply to Charles Arnold from comment #7)
No, I didn't get anything, sorry.
Comment 10 Johannes Segitz 2015-08-03 12:50:54 UTC
is public

            Xen Security Advisory CVE-2015-5165 / XSA-140
                              version 2

    QEMU leak of uninitialized heap memory in rtl8139 device model

UPDATES IN VERSION 2
====================

CVE assigned.

Public release.

Updated status of the patches.

ISSUE DESCRIPTION
=================

The QEMU model of the RTL8139 network card did not sufficiently
validate inputs in the C+ mode offload emulation. This results in
uninitialised memory from the QEMU process's heap being leaked to the
domain as well as to the network.

IMPACT
======

A guest may be able to read sensitive host-level data relating to
itself which resides in the QEMU process.

Such information may include things such as information relating to
real devices backing emulated devices or passwords which the host
administrator does not intend to share with the guest admin.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured with an emulated RTL8139 driver model (which is the
default) are vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device_model_stubdomain_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional ("qemu-xen-traditional") and upstream-based
("qemu-xen") qemu device models are potentially vulnerable.

Systems running only PV guests are NOT vulnerable.

ARM systems are NOT vulnerable.

QEMU-XEN-TRADITIONAL
====================

The patches supplied by the Qemu Project are of course against recent
versions of qemu.  They cannot be applied directly to
qemu-xen-traditional.  The Xen Project Security Team do not feel we
have the resources to backport and qualify these substantial and
intrusive patches.

Users using qemu-xen-traditional with stub domains are not vulnerable,
because the stub dm is a deprivileged qemu guest instance.

Users using qemu-xen-traditional for compatibility with old guests can
avoid the vulnerability by switching to using a stub device model.

The Xen Project Security Team encourages users and downstreams who are
using qemu-xen-traditional and able to backport the patches to share
those patches with us, so that we may distribute them with an updated
advisory.

We will encourage the community to have a conversation, when this
advisory is released, about the continuing security support status of
qemu-xen-traditional in non-stub-dm configurations.

MITIGATION
==========

Avoiding the use of emulated network devices altogether, by specifying
a PV-only VIF in the domain configuration file, will avoid this
issue.

Avoiding the use of the RTL8139 device in favour of other emulations
will also avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the
information leak to only information belonging to the service domain.

qemu-dm stubdomains are only available with the "qemu-xen-traditional"
device model version.

CREDITS
=======

This issue was discovered by Donghai Zhu of Alibaba.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue.

xsa140-qemuu-unstable-?.patch        qemu-upstream, xen-unstable, Xen 4.5.x,
                                     Xen 4.4.x
xsa140-qemuu-4.3-?.patch             qemu-upstream, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa140*.patch
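The MITIGATION section above lists three configuration-level ways to avoid the affected rtl8139 emulation (a PV-only VIF, a different NIC model, or a stubdomain device model). The following is an added example, not code from the advisory or from this bug: a defender-side check that scans an xl domain configuration and reports NICs that would still use the emulated rtl8139. It assumes xl's documented syntax (builder='hvm' or type='hvm', vif entries such as 'model=e1000,bridge=xenbr0' or 'type=vif', and device_model_stubdomain_override=1); the sample configs are constructed for the demonstration.

```shell
# Added example (not from the advisory): flag xl domain configs that would
# instantiate the affected emulated rtl8139 NIC.
# Exit status: 0 = not exposed via this advisory, 1 = potentially exposed.
xsa140_check() {
    cfg="$1"
    # PV-only guests have no emulated devices at all.
    if ! grep -Eq "^[[:space:]]*(builder|type)[[:space:]]*=[[:space:]]*['\"]hvm['\"]" "$cfg"; then
        return 0
    fi
    # A stubdomain device model confines the leak to the stub domain.
    if grep -Eq "^[[:space:]]*device_model_stubdomain_override[[:space:]]*=[[:space:]]*1" "$cfg"; then
        return 0
    fi
    # Each quoted string on the vif = [ ... ] line is one NIC. Emulated NICs
    # with no model (xl's default is rtl8139) or model=rtl8139 are flagged;
    # type=vif is PV-only and other models do not use the affected code.
    flagged=$(grep -E "^[[:space:]]*vif[[:space:]]*=" "$cfg" \
        | grep -oE "'[^']*'|\"[^\"]*\"" | tr -d "'\"" \
        | awk -F, '{
            emulated = 1; model = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "type=vif") emulated = 0
                if ($i ~ /^model=/) model = substr($i, 7)
            }
            if (emulated && (model == "" || model == "rtl8139"))
                print ($0 == "" ? "(default vif)" : $0)
        }')
    [ -z "$flagged" ] && return 0
    printf 'exposed rtl8139 vif(s) in %s:\n%s\n' "$cfg" "$flagged" >&2
    return 1
}

# Constructed sample configs (assumed xl syntax) for the demonstration.
XSA140_TMP=$(mktemp -d)
cat > "$XSA140_TMP/exposed.cfg" <<'EOF'
builder = 'hvm'
vif = [ 'bridge=xenbr0', 'model=e1000,bridge=xenbr1' ]
EOF
cat > "$XSA140_TMP/mitigated.cfg" <<'EOF'
builder = 'hvm'
device_model_version = 'qemu-xen-traditional'
device_model_stubdomain_override = 1
vif = [ 'bridge=xenbr0' ]
EOF
cat > "$XSA140_TMP/pvnic.cfg" <<'EOF'
builder = 'hvm'
vif = [ 'type=vif,bridge=xenbr0', 'model=e1000' ]
EOF
```

Run `xsa140_check /etc/xen/<guest>.cfg` against each HVM guest's config; only the first sample above is reported, because its first vif has neither type=vif nor a non-rtl8139 model.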
Comment 13 Swamp Workflow Management 2015-08-14 11:11:04 UTC
SUSE-SU-2015:1384-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 939709,939712
CVE References: CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_10-22.8.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_10-22.8.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_10-22.8.1
Comment 14 Swamp Workflow Management 2015-08-18 15:09:52 UTC
SUSE-SU-2015:1404-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 939709,939712
CVE References: CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.2_12-23.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.2_12-23.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    xen-4.4.2_12-23.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.2_12-23.1
Comment 15 Swamp Workflow Management 2015-08-19 14:09:54 UTC
SUSE-SU-2015:1408-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 938344,939712
CVE References: CVE-2015-5154,CVE-2015-5165
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-17.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    xen-4.1.6_08-17.1
Comment 16 Swamp Workflow Management 2015-08-21 14:11:57 UTC
SUSE-SU-2015:1421-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 938344,939712
CVE References: CVE-2015-5154,CVE-2015-5165
Sources used:
SUSE Linux Enterprise Server 11-SP1-LTSS (src):    xen-4.0.3_21548_18-29.1
SUSE Linux Enterprise Debuginfo 11-SP1 (src):    xen-4.0.3_21548_18-29.1
Comment 17 Swamp Workflow Management 2015-09-02 16:10:59 UTC
SUSE-SU-2015:1479-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,932996,935634,938344,939709,939712
CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xen-4.2.5_12-15.1
SUSE Linux Enterprise Server 11-SP3 (src):    xen-4.2.5_12-15.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_12-15.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_12-15.1
Comment 18 Swamp Workflow Management 2015-09-02 17:10:40 UTC
SUSE-SU-2015:1479-2: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,932996,935634,938344,939709,939712
CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_12-15.1
Comment 19 Marcus Meissner 2015-09-25 12:42:57 UTC
interesting ones released
Comment 20 Swamp Workflow Management 2015-09-25 19:11:12 UTC
SUSE-SU-2015:1643-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 932770,932996,938344,939712
CVE References: CVE-2015-3209,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.21.1
Comment 21 Swamp Workflow Management 2015-11-11 14:07:00 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-11-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62332
Comment 22 Swamp Workflow Management 2015-11-12 11:11:05 UTC
openSUSE-SU-2015:1964-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 877642,932267,938344,939709,939712,941074,944463,944697,947165,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_06-50.1
Comment 23 Swamp Workflow Management 2015-11-17 10:13:56 UTC
openSUSE-SU-2015:2003-1: An update that solves 13 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,925466,932267,935634,938344,939709,939712,944463,944697,945167,947165,949138,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-3259,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.2 (src):    xen-4.4.3_02-30.1
Comment 24 Swamp Workflow Management 2016-01-19 11:49:27 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-01-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62448