HVM qemu unexpectedly enabling emulated VGA graphics backends

ISSUE DESCRIPTION

When instantiating an emulated VGA device for an x86 HVM guest qemu will by default enable a backend to expose that device, either SDL or VNC depending on the version of qemu and the build time configuration.
The libxl toolstack library does not explicitly disable these default backends when they are not enabled, leading to an unexpected backend running.
If either SDL or VNC is explicitly enabled in the guest configuration then only the expected backends will be enabled.
This affects qemu-xen and qemu-xen-traditional differently.
If qemu-xen was compiled with SDL support then this would result in an SDL window being opened if $DISPLAY is valid, or a failure to start the guest if not.
If qemu-xen was compiled without SDL support then qemu would instead start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1 (IPv4 localhost) with IPv6 preferred if available. A VNC password will not be configured even if one is present in the guest configuration.
qemu-xen-traditional will never start a vnc backend unless explicitly configured. However by default it will start an SDL backend if it was built with SDL support and $DISPLAY is valid.

IMPACT

For qemu-xen compiled without SDL support (unexpected VNC server):
Any local user on the domain 0 hosting the VM will be able to access the guest’s emulated VGA console.
For any qemu compiled with SDL support (unexpected SDL backend):
Users who are able to control the DISPLAY environment variable of the toolstack process which creates the VM will be able to direct the SDL output to an X server of their choosing and from there gain access to the guest’s emulated console.
This is a practical attack only on systems where arrangements have been made for lower-privileged users to execute Xen toolstack code via means which do not sufficiently launder the process environment. This would include some restricted sudo command configurations.
In both cases unexpected access to the guest console may then, depending on the guest configuration, grant further privilege or opportunities for attack.
Both cases also open up the qemu process to attacks via the VNC or X network protocols.
The qemu monitor is not exposed via this means unless it is explicitly enabled in the guest configuration.

VULNERABLE SYSTEMS

ARM systems are not vulnerable.
PV domains are not vulnerable.
Systems where either SDL or VNC is explicitly enabled in the guest configuration (eg sdl=1' or vnc=1’ in the guest config file) are not vulnerable.
Systems using qemu-xen-traditional, or systems using qemu-xen where SDL support is built into qemu-xen, are not vulnerable; unless the Xen toolstack code runs in a process environment partially controlled by potential attackers.
x86 systems running HVM domains, configured to disable both SDL and VNC access to the emulated VGA device, may be vulnerable.
Versions of Xen from 4.2 onwards are known to be affected. Older versions have not been inspected.