Information

Advisory XSA-179
Public release 2016-05-09 11:48
Updated 2016-05-10 11:23
Version 5
CVE(s) CVE-2016-3710 CVE-2016-3712
Title QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks

Files

advisory-179.txt (signed advisory file)
xsa179-qemuu-unstable-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-unstable-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-unstable-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-unstable-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-unstable-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
xsa179-qemuu-4.3-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.3-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.3-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.3-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.3-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
xsa179-qemuu-4.4-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.4-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.4-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.4-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.4-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
xsa179-qemuu-4.5-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.5-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.5-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.5-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.5-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
xsa179-qemuu-4.6-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
xsa179-qemut-unstable-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemut-unstable-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemut-unstable-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemut-unstable-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemut-unstable-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Xen Security Advisory CVE-2016-3710,CVE-2016-3712 / XSA-179
                               version 5

 QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks

UPDATES IN VERSION 5
====================

Fixed credits section. Zuozhi Fzz was mistakenly credited with
CVE-2016-3710, but should have been credited with CVE-2016-3712.

ISSUE DESCRIPTION
=================

Qemu VGA module allows banked access to video memory using the window
at 0xa00000 and it supports different access modes with different
address calculations.  But an attacker can easily change access modes
after setting the bank register.  This is CVE-2016-3710.

Qemu VGA module allows guest to edit certain registers in 'vbe' and
'vga' modes. ie. guest could set certain 'VGA' registers while in
'VBE' mode.  This is CVE-2016-3712.


IMPACT
======

A privileged guest user could use CVE-2016-3710 to exceed the bank
address window and write beyond the said memory area, potentially
leading to arbitrary code execution with privileges of the Qemu
process.  If the system is not using stubdomains, this will be in
domain 0.

A privileged guest user could use CVE-2016-3712 to cause potential
integer overflow or OOB read access issues in Qemu, resulting in a DoS
of the guest itself.  More dangerous effect, such as data leakage or
code execution, are not known but cannot be ruled out.


VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "stdvga" emulated video card can exploit
the vulnerability.  The default "cirrus" emulated video card is not
vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to cirrus (stdvga=0, vga="cirrus",
in the xl domain configuraton) will avoid the vulnerability.

CREDITS
=======

CVE-2016-3710 was discovered and reported by "Wei Xiao and Qinghao
Tang of 360 Marvel Team" of 360.cn Inc.

CVE-2016-3712 was discovered and reported by Zuozhi Fzz of Alibaba
Inc.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue for
systems using upstream-based versions of qemu.  Patch 0001 addresses
CVE-2016-3710, and patches 0002-0005 address CVE-2016-3712.

qemu-upstream, xen-unstable:

xsa179-qemuu-unstable-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-unstable-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-unstable-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-unstable-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-unstable-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-upstream, xen 4.6:

xsa179-qemuu-4.6-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-upstream, xen 4.5:

xsa179-qemuu-4.5-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.5-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.5-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.5-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.5-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-upstream, xen 4.4:

xsa179-qemuu-4.4-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.4-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.4-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.4-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.4-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-upstream, xen 4.3:

xsa179-qemuu-4.3-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.3-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.3-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.3-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.3-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-xen-traditional, unstable:

xsa179-qemut-unstable-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemut-unstable-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemut-unstable-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemut-unstable-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemut-unstable-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

$ sha256sum xsa179*
e216959d099ed807b282026e1e4d558ce0c0e8ead284ddd9d0581cef5fcef0ad  xsa179-qemuu-unstable-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
708e40d85866540567d2d915731c6e9876cd0d6754bc6696650ed71d8e48d710  xsa179-qemuu-unstable-0002-vga-add-vbe_enabled-helper.patch
767007028189bce54df9769ff6cb9db7cd37b5c2afaac86787b30c8f2a03f342  xsa179-qemuu-unstable-0003-vga-factor-out-vga-register-setup.patch
1fb507c307b093e5e4471d4a5e567db419adecbfe772a68bf91722836bcba4cd  xsa179-qemuu-unstable-0004-vga-update-vga-register-setup-on-vbe-changes.patch
ff4327d598d2e0912dc3a22ab9ba14d6c79bfa5a154714b6c5da761d5ded403f  xsa179-qemuu-unstable-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
059bfa59f39222ad6991e6c0c8338385f2a317e379d02d0c2cb0e5a8138cb329  xsa179-qemuu-4.3-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
c6dfe50d694b75670bbdec78a3ce6293a8da46d5ff8b47f1e0d7e4fac22260bf  xsa179-qemuu-4.3-0002-vga-add-vbe_enabled-helper.patch
f57e31e8b81f1161537277a0934013c1fb3bbf57319543dfd10a5dc5fdfb927b  xsa179-qemuu-4.3-0003-vga-factor-out-vga-register-setup.patch
14900af2b13d362ffb98c061e76b13965965284399dd9b9f1a4e41b41f34a3a3  xsa179-qemuu-4.3-0004-vga-update-vga-register-setup-on-vbe-changes.patch
2b2e7d306fd95fa74490ee1694af1af9438d7ff738d8c6aecc7d99d4eb96dcb2  xsa179-qemuu-4.3-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
e6108266bf0abada5fc6e0a3ca65c2702fcae610826ead6a215d622ec3ed973a  xsa179-qemuu-4.4-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
05bdfae312078b22542e9f18db98fae11dbfd9785184b0b3c8de8c94797e1427  xsa179-qemuu-4.4-0002-vga-add-vbe_enabled-helper.patch
56dee9d0f54357391d5249a01ab28a1879dd7d1a36b4d147d68c62688d8af22b  xsa179-qemuu-4.4-0003-vga-factor-out-vga-register-setup.patch
10603f5ffe317de328dc46139a6b5ff6081040ca6368ee1642b5343db9bcfda1  xsa179-qemuu-4.4-0004-vga-update-vga-register-setup-on-vbe-changes.patch
e0dbc47086f0346a9554b98468256bc325d67440f5d786c5825390d293896509  xsa179-qemuu-4.4-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
9b0cfdba369437a3e3da86690cd0c6d9d05e39d1168065e4d11ff2de4e546feb  xsa179-qemuu-4.5-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
3c56f255d2ff3e5ae24f15de69cbd4abf3ff0d2dbb63a686937d5e2ab1989d59  xsa179-qemuu-4.5-0002-vga-add-vbe_enabled-helper.patch
b1ddabf50720635efa17a7c57778acd2e1d9fd6a6424038455163991afecb044  xsa179-qemuu-4.5-0003-vga-factor-out-vga-register-setup.patch
0f34eeda817f39d3b5e484d535aa29bae16e7e36b4dc042bc41ef0e1844bf3cb  xsa179-qemuu-4.5-0004-vga-update-vga-register-setup-on-vbe-changes.patch
c24b3401a7ed45f853de7c96b998d50461254e9082a706753b814ddcbc285b17  xsa179-qemuu-4.5-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
de59a098a39c1adbc86f3857dbb2b655479f97756d46e017e83b41c1390a98b9  xsa179-qemuu-4.6-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
3686d0b5c3603819fe0eca65ed62161c676e6abd8e676e513f6d4b3d46e7a997  xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch
18d01083e2f4000816ecf26d85da5cb337f540da447e6252f348a5b538cc7fa4  xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch
811ce206293b54ad601eb0a0e59bee502277c642f73f1ea0bad712efc528f82d  xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch
2097c9e4eac66a65e07607664d1aaec288c4c8b0f147c73636c1b2532cdd20dd  xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
132fd7f7d1f7bee4d934daefc24ec65080ae09b7d0e07a86edc3b683cad8156a  xsa179-qemut-unstable-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
b83c29c3737415bf05da14c0b856abeb3bdbb77fba7d538956535ed67160abe8  xsa179-qemut-unstable-0002-vga-add-vbe_enabled-helper.patch
834266af0499167e6d8e2e87bb770b79c0e8480ab5ea72064298656ccdd36741  xsa179-qemut-unstable-0003-vga-factor-out-vga-register-setup.patch
a5c3c38340261c7ff44047289aad6276e501930e214c40350056a364469965cd  xsa179-qemut-unstable-0004-vga-update-vga-register-setup-on-vbe-changes.patch
4869ad504cba52f537dae102e226b020422e3b6494ffba3b865eb2893bee0e9e  xsa179-qemut-unstable-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJXMcStAAoJEIP+FMlX6CvZ8g4H/i3UdCtqBWhs5ZAa7arEzDLC
GggGZ0MQDriujr+10MN6OyM7W493AxHC2+8Ck0jft1YrUh0ojlVt3/tqd+f4yI1I
1S5ueWQYS0vEqH4lxiftp4MRc9/wWpKnEGdo3437AyDuuZwqDfTjvt8yDrfMLCuI
2v3ofXfSOeBiNYqSSsz3Hbmlb9ZqohGRIGqc74C4D+RKYJlDBVO6GNDMv9lI5tdW
LE5PqaCxndZVO+uFAgIg6tw+GOObk2IyEBi00R5FmkW5g9QP2i2em+/usKAb8l3v
bFjBEuw0SkL/CZF3fpoBNjTej/5HHSJwhB2rDY2NFV1hwmt36G8NPKKwLrcQKdU=
=O3qx
-----END PGP SIGNATURE-----

Xenproject.org Security Team