Public release: 2017-02-10 12:43
Updated: 2017-02-13 18:13
Title: oob access in cirrus bitblt copy
Files: advisory-208.txt (signed advisory file)
Xen Security Advisory CVE-2017-2615 / XSA-208
oob access in cirrus bitblt copy
UPDATES IN VERSION 2
Included backport for qemu-xen versions 4.7 (and earlier); fixed
qemu-xen-traditional patch. Also included proper (non-obscured)
e-mail addresses from upstream patch.
Removed "possibly" from Impact.
3 patches updated
ISSUE DESCRIPTION
When doing bitblt copy backwards, qemu should negate the blit width.
This avoids an oob access before the start of video memory.
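The following is an added illustration of the bounds-check defect the advisory describes; it is not qemu's code and not part of the advisory. It models a blitter region check in two forms: one that, for a backward (negative pitch) copy, applies the row stride but forgets to subtract the blit width, and one that negates the width as the description says it should. A ground-truth function computes the lowest and highest byte a copy actually touches, and a sweep counts how many start addresses each check gets wrong. The geometry values (4 MiB of VRAM, 64-byte rows, pitch of 1024) are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the blitter bounds check described in the advisory.
 * Parameter names follow the advisory's wording (blit width, height,
 * pitch, video memory size); the values used below are made up. */

/* Ground truth: does copying `height` rows of `width` bytes, starting at
 * byte offset `addr` and stepping `pitch` bytes per row, touch any byte
 * outside [0, vram_size)?  A negative pitch walks rows backwards and, within
 * each row, the copy runs from addr downwards to addr - (width - 1). */
static bool blit_leaves_vram(int64_t vram_size, int32_t width,
                             int32_t height, int32_t pitch, int32_t addr)
{
    if (pitch < 0) {
        int64_t lowest = (int64_t)addr + ((int64_t)height - 1) * pitch
                         - ((int64_t)width - 1);
        return lowest < 0 || addr >= vram_size;
    }
    int64_t highest = (int64_t)addr + ((int64_t)height - 1) * pitch
                      + ((int64_t)width - 1);
    return addr < 0 || highest >= vram_size;
}

/* Assumed pre-fix behaviour (simplified reconstruction, not qemu's code):
 * in backward mode the row stride is applied but the blit width is not
 * subtracted, so the earliest byte a row reaches is underestimated by
 * width - 1 bytes and a copy can run before the start of video memory. */
static bool region_is_unsafe_pre_fix(int64_t vram_size, int32_t width,
                                     int32_t height, int32_t pitch,
                                     int32_t addr)
{
    if (pitch == 0)
        return true;                      /* degenerate blit, reject */
    if (pitch < 0) {
        int64_t min = (int64_t)addr + ((int64_t)height - 1) * pitch;
        return min < 0 || addr >= vram_size;
    }
    int64_t max = (int64_t)addr + ((int64_t)height - 1) * pitch + width;
    return max > vram_size;
}

/* Corrected check: for a backward copy the width is negated (subtracted),
 * mirroring the addition in forward mode.  `min` is then exactly one below
 * the lowest byte touched, so `min < -1` is the precise out-of-bounds test. */
static bool region_is_unsafe_fixed(int64_t vram_size, int32_t width,
                                   int32_t height, int32_t pitch,
                                   int32_t addr)
{
    if (pitch == 0)
        return true;
    if (pitch < 0) {
        int64_t min = (int64_t)addr + ((int64_t)height - 1) * pitch - width;
        return min < -1 || addr >= vram_size;
    }
    int64_t max = (int64_t)addr + ((int64_t)height - 1) * pitch + width;
    return max > vram_size;
}

typedef bool (*region_check)(int64_t, int32_t, int32_t, int32_t, int32_t);

/* Regression-style sweep: for start addresses 0 .. n_addrs-1, count how
 * often `check` disagrees with ground truth (pitch must be non-zero). */
static int count_mismatches(region_check check, int64_t vram_size,
                            int32_t width, int32_t height, int32_t pitch,
                            int32_t n_addrs)
{
    int mismatches = 0;
    for (int32_t addr = 0; addr < n_addrs; addr++) {
        bool truth = blit_leaves_vram(vram_size, width, height, pitch, addr);
        if (check(vram_size, width, height, pitch, addr) != truth)
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    const int64_t vram = 4 * 1024 * 1024;   /* constructed: 4 MiB */
    printf("pre-fix check misses %d backward blits in the first 4096 offsets\n",
           count_mismatches(region_is_unsafe_pre_fix, vram, 64, 2, -1024, 4096));
    printf("fixed check misses %d\n",
           count_mismatches(region_is_unsafe_fixed, vram, 64, 2, -1024, 4096));
    return 0;
}
```

With two 64-byte rows and a backward pitch of 1024, a copy starting at offset 1024 reaches offset -63 in its second row; the pre-fix check computes min = 0 and accepts it, while the corrected check computes min = -64 and rejects it. The sweep shows the pre-fix check accepting 63 such out-of-bounds start addresses and the fixed check none.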
IMPACT
A malicious guest administrator can cause an out of bounds memory
access, leading to information disclosure or privilege escalation.
VULNERABLE SYSTEMS
Versions of qemu shipped with all Xen versions are vulnerable.
Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.
Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability. The non-default "stdvga" emulated video card is
not vulnerable. (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)
ARM systems are not vulnerable. Systems using only PV guests are not
For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.
Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
MITIGATION
Running only PV guests will avoid the issue.
Running HVM guests with the device model in a stubdomain will mitigate
Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.
RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa208-qemuu.patch          mainline qemu, qemu-xen master, 4.8
xsa208-qemuu-4.7.patch      qemu-xen 4.4, 4.5, 4.6, 4.7
$ sha256sum xsa208*
NOTE REGARDING LACK OF EMBARGO
This issue has already been publicly disclosed.
Xenproject.org Security Team