Xen Project Security Advisory XSA-199
qemu ioport array overflow
Xen Project, xenbits.xen.org
Dec 06, 2016 - 12:00 p.m.
CVSS2: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 7.5 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.001 (percentile 26.7%)

ISSUE DESCRIPTION

The code in qemu which implements ioport read/write looks up the specified ioport address in a dispatch table. The argument to the dispatch function is a uint32_t, and is used as the table index without a range check, even though the table has entries for only 2^16 ioports.
When qemu is used as a standalone emulator, ioport accesses are generated only from cpu instructions emulated by qemu, and are therefore necessarily 16-bit, so there is no vulnerability.
When qemu is used as a device model within Xen, io requests are generated by the hypervisor and read by qemu from a shared ring. The entries in this ring use a common structure, including a 64-bit address field, for various kinds of access, including ioport accesses.
Xen itself writes only 16-bit ioport addresses into the ring. However, depending on the Xen and qemu version, the ring may be writeable by the guest. If so, the guest can supply an out-of-range ioport address, and qemu will index past the end of the dispatch table, resulting in wild pointer accesses within the qemu process.
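The following is an added, illustrative model of the bug class described above; it is not qemu's or Xen's code. It uses a constructed ring request structure (a stand-in for the shared-ring entry, not Xen's real ioreq layout) and a 2^16-entry dispatch table, and places the unchecked index computation beside a lookup that validates the full 64-bit address before indexing. The port number 0x60, the handler, and all request values are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Dispatch table with one entry per 16-bit ioport, as in the advisory. */
#define IOPORT_COUNT 0x10000u

typedef uint32_t (*ioport_read_fn)(void *opaque, uint32_t port);

typedef struct {
    ioport_read_fn read;   /* NULL: no device registered on this port */
    void *opaque;
} ioport_entry;

static ioport_entry ioport_table[IOPORT_COUNT];

/* Constructed stand-in for one shared-ring request. Like the real ring entry
 * it carries a 64-bit address that is reused for several access kinds, so a
 * guest-writable ring can hand the device model any 64-bit value as a "port". */
typedef struct {
    uint64_t addr;
    uint32_t size;
    uint8_t  is_pio;       /* 1: ioport access, 0: memory-mapped access */
} ring_req;

/* Unchecked pattern: the 32-bit argument is used directly as the index.
 * Any addr >= 0x10000 indexes past the end of ioport_table (do not call it
 * with such a value; the function exists to show the computation). */
static uint32_t ioport_index_unchecked(uint32_t addr)
{
    return addr;
}

static const ioport_entry *ioport_lookup_unchecked(uint32_t addr)
{
    return &ioport_table[ioport_index_unchecked(addr)];   /* out-of-bounds for addr >= 0x10000 */
}

/* Hardened lookup: validate the full 64-bit value before it touches the table.
 * Rejecting (rather than masking to 16 bits) keeps a hostile address from
 * silently aliasing a different device's port. */
static const ioport_entry *ioport_lookup_checked(uint64_t addr)
{
    if (addr >= IOPORT_COUNT)
        return NULL;
    return &ioport_table[(uint16_t)addr];
}

/* Sample handler for a constructed device registered on port 0x60. */
static uint32_t dummy_read(void *opaque, uint32_t port)
{
    (void)opaque;
    return port == 0x60 ? 0xAB : 0;
}

/* Process one ring request the way a device model would.
 * Returns 0 and fills *out_value on success (0 for an unassigned port),
 * -1 if the ioport address is out of range, -2 if the request is not PIO. */
static int handle_ring_request(const ring_req *req, uint32_t *out_value)
{
    if (!req->is_pio)
        return -2;
    const ioport_entry *e = ioport_lookup_checked(req->addr);
    if (e == NULL)
        return -1;
    *out_value = e->read ? e->read(e->opaque, (uint32_t)req->addr) : 0;
    return 0;
}

static void setup_table(void)
{
    memset(ioport_table, 0, sizeof ioport_table);
    ioport_table[0x60].read = dummy_read;
}

int main(void)
{
    setup_table();
    uint32_t v = 0;
    ring_req good = { 0x60, 1, 1 };            /* what Xen itself would write */
    ring_req oob  = { 0x10000, 1, 1 };         /* one past the table, guest-supplied */
    ring_req wild = { 0xFFFFFFFFFFFFFFFFull, 4, 1 };
    printf("port 0x60: rc=%d value=0x%X\n", handle_ring_request(&good, &v), v);
    printf("port 0x10000: rc=%d\n", handle_ring_request(&oob, &v));
    printf("port ~0: rc=%d\n", handle_ring_request(&wild, &v));
    printf("unchecked index for 0x10000 would be %u (table has %u entries)\n",
           ioport_index_unchecked(0x10000), IOPORT_COUNT);
    return 0;
}
```

The important design point is where the check sits: the 64-bit ring field must be validated before it is narrowed to the table's index type, because a cast to a narrower type performed first would discard exactly the high bits that mark the request as hostile.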

IMPACT

A malicious guest administrator can escalate their privilege to that of the qemu process.

VULNERABLE SYSTEMS

PV guests cannot exploit the vulnerability.
ARM systems are not vulnerable.
HVM domains run with QEMU stub domains cannot exploit the vulnerability. (A QEMU stub domain is used if xl’s domain configuration file contains “device_model_stubdomain_override=1”.)
Guests using the modern “qemu-xen” device model, with a qemu version of at least 1.6.0 (for example, as provided by the Xen Project in its Xen 4.4.0 and later releases), cannot exploit the vulnerability.
x86 HVM guests, not configured with qemu stub domains, using a version of qemu older than qemu upstream 1.6.0, can exploit the vulnerability.
x86 HVM guests using the traditional "qemu-xen-traditional" device model (which is based on a qemu older than 1.6.0), not configured with qemu stub domains, can therefore exploit the vulnerability.
In tabular form:

Guest type  Xen version  QEMU stub  Device model          qemu version   Status
ARM         any          n/a        n/a                   any            OK
x86 PV      any          n/a        n/a                   any            OK
x86 HVM     any          yes        qemu-xen-traditional  -              OK
x86 HVM     any          no         qemu-xen*             >= 1.6.0       OK
x86 HVM     >= 4.4       no         qemu-xen*             Xen supplied   OK
x86 HVM     any          no         qemu-xen*             < 1.6.0        Vulnerable
x86 HVM     <= 4.3       no         qemu-xen*             Xen supplied   Vulnerable
x86 HVM     any          no         qemu-xen-traditional  -              Vulnerable

[*] qemu-xen is the default when qemu stub domains are not in use, since Xen 4.3.
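The relevant xl domain configuration settings, as an added example (not from the advisory): the first fragment selects the vulnerable configuration described above, the second selects the modern device model and additionally runs it in a stub domain. The domain name, memory size and disk path are placeholders; the option names device_model_version and device_model_stubdomain_override are the real xl.cfg keys named in this advisory and in xl's documentation.

```text
# Vulnerable: traditional device model, running as a qemu process in dom0
name = "hvmguest"
builder = "hvm"
memory = 1024
disk = [ "/path/to/disk.img,raw,xvda,rw" ]
device_model_version = "qemu-xen-traditional"

# Not exploitable: qemu-xen (upstream qemu >= 1.6.0, Xen 4.4.0 and later)
# and the device model confined to a stub domain
name = "hvmguest"
builder = "hvm"
memory = 1024
disk = [ "/path/to/disk.img,raw,xvda,rw" ]
device_model_version = "qemu-xen"
device_model_stubdomain_override = 1
```

Note that on Xen 4.3 and earlier the default qemu-xen is itself older than 1.6.0 and remains in the vulnerable row of the table; the stub domain setting is the mitigation that applies regardless of qemu version.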
