Xen Project XSA-179

QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks

2016-05-09 11:48:00
Xen Project
xenbits.xen.org

CVSS3: 8.8 High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: LOCAL | Attack Complexity: LOW | Privileges Required: LOW | User Interaction: NONE
Scope: CHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 7.2 High
AV:L/AC:L/Au:N/C:C/I:C/A:C
Access Vector: LOCAL | Access Complexity: LOW | Authentication: NONE
Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE

EPSS: 0.002 Low (Percentile 50.9%)

ISSUE DESCRIPTION

The QEMU VGA module allows banked access to video memory through the window at 0xa0000 and supports several access modes, each with its own address calculation. The bank register is bounds-checked under the assumptions of one mode, but a guest can switch access modes after setting the bank register, so the stored bank offset is then used with an address calculation it was never checked against. This is CVE-2016-3710.
The QEMU VGA module also lets a guest set certain registers in both 'vbe' and 'vga' modes, i.e. the guest can set certain 'VGA' registers while in 'VBE' mode. This is CVE-2016-3712.
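As an added illustration of the CVE-2016-3710 pattern (this is not QEMU's code and not part of the advisory), the toy model below in C validates the bank register against one access mode's address calculation, lets the guest switch to a mode that multiplies the address, and shows the stored bank offset landing past the end of VRAM. The VRAM size, the 64 KiB window, the per-mode multipliers and all function names are assumptions chosen for the demo; the hardened variant shows the shape of the fix, re-checking the final index against the VRAM size on every access instead of only when the bank register is written.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed toy sizes for the demo, not QEMU's constants. */
#define VRAM_SIZE    (256u * 1024u)   /* 256 KiB of emulated VRAM */
#define BANK_WINDOW  0x10000u         /* 64 KiB legacy window at 0xa0000 */

/* Assumed access modes: the value is the address multiplier the mode applies. */
enum access_mode {
    MODE_CHAIN4  = 1,   /* one byte per window address            */
    MODE_ODDEVEN = 2,   /* two-plane interleave: address is doubled */
    MODE_PLANAR  = 4,   /* four planes: address is quadrupled       */
};

struct vga_state {
    uint32_t vram_size;
    uint32_t bank_offset;      /* written by the guest through the bank register */
    enum access_mode mode;     /* written by the guest through mode registers    */
};

/* Bank register write. The check only considers the window as seen by
 * chain-4 mode (one byte per address), which is the inconsistent part. */
static int vga_set_bank(struct vga_state *s, uint32_t bank)
{
    uint64_t off = (uint64_t)bank * BANK_WINDOW;
    if (off + BANK_WINDOW > s->vram_size)
        return -1;                     /* rejected */
    s->bank_offset = (uint32_t)off;
    return 0;
}

/* Mode switch: nothing re-validates bank_offset for the new address calculation. */
static void vga_set_mode(struct vga_state *s, enum access_mode m)
{
    s->mode = m;
}

/* Vulnerable translation: trusts the bank check done at write time and
 * returns the VRAM index the access would touch, whatever the mode. */
static uint64_t translate_vulnerable(const struct vga_state *s, uint32_t window_off)
{
    uint64_t addr = (uint64_t)s->bank_offset + (window_off & (BANK_WINDOW - 1));
    return addr * (uint64_t)s->mode;
}

/* Hardened translation: the final index is checked against vram_size on
 * every access, so a mode switch after the bank write cannot escape VRAM.
 * Returns -1 when the access must be refused. */
static int64_t translate_hardened(const struct vga_state *s, uint32_t window_off)
{
    uint64_t addr = translate_vulnerable(s, window_off);
    if (addr >= s->vram_size)
        return -1;
    return (int64_t)addr;
}

/* Replays the attack pattern: the bank is accepted in chain-4 mode, then the
 * guest flips to planar mode and the same window offset lands past VRAM. */
static uint64_t demo_overflow_index(void)
{
    struct vga_state s = { VRAM_SIZE, 0, MODE_CHAIN4 };
    vga_set_bank(&s, 3);               /* 3 * 64 KiB = 192 KiB: last bank that passes */
    vga_set_mode(&s, MODE_PLANAR);     /* switch after the bank check */
    return translate_vulnerable(&s, 0x8000);   /* (192 KiB + 32 KiB) * 4 = 896 KiB */
}

/* Same sequence through the hardened path: the access is refused. */
static int64_t demo_hardened_index(void)
{
    struct vga_state s = { VRAM_SIZE, 0, MODE_CHAIN4 };
    vga_set_bank(&s, 3);
    vga_set_mode(&s, MODE_PLANAR);
    return translate_hardened(&s, 0x8000);
}

/* A legitimate access in the mode the bank was checked for still works. */
static int64_t demo_legit_index(void)
{
    struct vga_state s = { VRAM_SIZE, 0, MODE_CHAIN4 };
    vga_set_bank(&s, 3);
    return translate_hardened(&s, 0x8000);    /* 192 KiB + 32 KiB = 229376 */
}

int main(void)
{
    printf("vram size          : %u\n", VRAM_SIZE);
    printf("vulnerable index   : %llu (past VRAM)\n",
           (unsigned long long)demo_overflow_index());
    printf("hardened index     : %lld (refused)\n", (long long)demo_hardened_index());
    printf("legit chain-4 index: %lld\n", (long long)demo_legit_index());
    return 0;
}
```

The point of the model is where the check sits: a bounds check tied to the register write can only reason about the address calculation in force at that moment, so any later change to the calculation (here the mode multiplier) silently invalidates it. Checking the computed index at the moment of access is the only placement that holds regardless of what the guest does between the two register writes.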

IMPACT

A privileged guest user could use CVE-2016-3710 to exceed the bank address window and write beyond that memory area, potentially leading to arbitrary code execution with the privileges of the QEMU process. If the system is not using stubdomains, that process runs in domain 0.
A privileged guest user could use CVE-2016-3712 to cause an integer overflow or out-of-bounds read in QEMU, resulting in a denial of service of the guest itself. More dangerous effects, such as data leakage or code execution, are not known but cannot be ruled out.

VULNERABLE SYSTEMS

Versions of qemu shipped with all Xen versions are vulnerable.
Xen systems running on x86 with HVM guests, with the qemu process running in dom0 are vulnerable.
Only guests provided with the “stdvga” emulated video card can exploit the vulnerability. The default “cirrus” emulated video card is not vulnerable. (With xl the emulated video card is controlled by the “stdvga=” and “vga=” domain configuration options.)
ARM systems are not vulnerable. Systems using only PV guests are not vulnerable.
For VMs whose qemu process is running in a stub domain, a successful attacker will only gain the privileges of that stubdom, which should be only over the guest itself.
Both upstream-based versions of qemu (device_model_version="qemu-xen") and 'traditional' qemu (device_model_version="qemu-xen-traditional") are vulnerable.
