-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2017-2615 / XSA-208 version 3 oob access in cirrus bitblt copy UPDATES IN VERSION 3 ==================== Normalize version tags. ISSUE DESCRIPTION ================= When doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory. IMPACT ====== A malicious guest administrator can cause an out of bounds memory access, leading to information disclosure or privilege escalation. VULNERABLE SYSTEMS ================== Versions of qemu shipped with all Xen versions are vulnerable. Xen systems running on x86 with HVM guests, with the qemu process running in dom0 are vulnerable. Only guests provided with the "cirrus" emulated video card can exploit the vulnerability. The non-default "stdvga" emulated video card is not vulnerable. (With xl the emulated video card is controlled by the "stdvga=" and "vga=" domain configuration options.) ARM systems are not vulnerable. Systems using only PV guests are not vulnerable. For VMs whose qemu process is running in a stub domain, a successful attacker will only gain the privileges of that stubdom, which should be only over the guest itself. Both upstream-based versions of qemu (device_model_version="qemu-xen") and `traditional' qemu (device_model_version="qemu-xen-traditional") are vulnerable. MITIGATION ========== Running only PV guests will avoid the issue. Running HVM guests with the device model in a stubdomain will mitigate the issue. Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", in the xl domain configuration) will avoid the vulnerability. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa208-qemuu.patch qemu-upstream, qemu-xen master, 4.8 xsa208-qemuu-4.7.patch qemu-xen 4.4, 4.5, 4.6, 4.7 xsa208-qemut.patch qemu-xen-traditional $ sha256sum xsa208* afde3e9d4bf5225f92c36dec9ff673b0b1b0bad4452d406f0c12edc85e2fec72 xsa208-qemut.patch e492d528141be5899d46c2ac0bcd0c40ca9d9bfc40906a8e7a565361f17ce38d xsa208-qemuu.patch 09471b66c9d9fc5616e7b96ab67bbb51987e7d9520d1b81cb27cbbb168659ad5 xsa208-qemuu-4.7.patch $ NOTE REGARDING LACK OF EMBARGO ============================== This issue has already been publicly disclosed. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/UMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZIk0H/jr3YO+yCwKU1gpO9YHNz1uihEZcv0/KJOSGBMgS NoTp0IEWiD3K43XWzL7qPS0Gno48qF3fSpzGxESM0b3AHrvgFlDsqrM8jUthakee uIj3C3w1HZNe+wHjhp0PWywjdxTRPH4JdMAhnmcbT9N7M4KJMiMDJz6EsqTq+idc K1oHDu5tSQ9zkystOGnpb9TLZEgNkABgyS7luGugvcRrYFFgx+q1oulsQ7fPq4R+ l1ALmZCetdO7TSu6f7kfES/Q7Xaa0SAyHwFJgjwtt7tj8htv7GwEMXl3GlEl3thr h4DohiVGboWNfIT+Wm6JgacERDeSMijGSvMH2nqbl66x/jM= =7u2m -----END PGP SIGNATURE-----