XSA-209 (Xen Project)

cirrus_bitblt_cputovideo does not check if memory region is safe

Published: 2017-02-21 10:42:00
Source: Xen Project, xenbits.xen.org

CVSS v3: 9.9 High
  Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Changed; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

CVSS v2: 9.0 High
  Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
  Access Vector: Network; Access Complexity: Low; Authentication: Single; Confidentiality Impact: Complete; Integrity Impact: Complete; Availability Impact: Complete

EPSS: 0.002 Low (percentile 50.8%)

ISSUE DESCRIPTION

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check whether the specified memory region is safe.

IMPACT

A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation.
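The missing check described above, as an added illustration that is not QEMU's or the Xen Project's code: a hypothetical, trimmed-down blitter state (BlitState, blit_dst_is_unsafe, cputovideo_copy and the demo_* helpers are all invented names) in which the destination rectangle the guest describes through width, height, signed pitch and start offset is validated against the VRAM size before any byte is written. The 4 KiB VRAM and the source buffer are constructed for the demo; the point is that a blit whose rectangle would reach outside video memory, in either direction, is rejected as a whole rather than partially performed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, trimmed-down model of a VGA blitter's register state. */
typedef struct {
    uint8_t *vram;        /* emulated video memory */
    uint32_t vram_size;   /* its size in bytes */
    int32_t blt_width;    /* bytes copied per scan line (guest-controlled) */
    int32_t blt_height;   /* number of scan lines (guest-controlled) */
    int32_t blt_dstpitch; /* signed byte stride between lines (guest-controlled) */
    int32_t blt_dstaddr;  /* start offset in VRAM (guest-controlled) */
} BlitState;

/* Returns true when the destination rectangle described by the guest's
 * registers would touch any byte outside [0, vram_size). */
static bool blit_dst_is_unsafe(const BlitState *s)
{
    if (s->blt_width <= 0 || s->blt_height <= 0)
        return true;
    if (s->blt_dstaddr < 0 || (int64_t)s->blt_dstaddr >= s->vram_size)
        return true;
    /* 64-bit arithmetic so height * pitch cannot wrap around. */
    int64_t span = (int64_t)(s->blt_height - 1) * s->blt_dstpitch;
    int64_t first_end = (int64_t)s->blt_dstaddr + s->blt_width; /* end of line 0 */
    int64_t last_start = (int64_t)s->blt_dstaddr + span;        /* start of last line */
    if (s->blt_dstpitch >= 0)
        return last_start + s->blt_width > (int64_t)s->vram_size;
    /* Negative pitch walks downwards: line 0 is the highest, the last line the lowest. */
    return last_start < 0 || first_end > (int64_t)s->vram_size;
}

/* Copy blt_height lines of blt_width bytes from a guest-supplied buffer into
 * VRAM, refusing the whole operation if the range check fails.
 * Returns the number of bytes written, or -1 when rejected. */
static int64_t cputovideo_copy(BlitState *s, const uint8_t *src, size_t src_len)
{
    if (blit_dst_is_unsafe(s))
        return -1;
    if (src_len < (size_t)s->blt_width * (size_t)s->blt_height)
        return -1;
    int64_t written = 0;
    for (int32_t line = 0; line < s->blt_height; line++) {
        uint8_t *dst = s->vram + s->blt_dstaddr + (int64_t)line * s->blt_dstpitch;
        memcpy(dst, src + (size_t)line * s->blt_width, (size_t)s->blt_width);
        written += s->blt_width;
    }
    return written;
}

/* Constructed 4 KiB VRAM and a constructed 256-byte source buffer for the demo. */
#define DEMO_VRAM_SIZE 4096
static uint8_t demo_vram[DEMO_VRAM_SIZE];
static uint8_t demo_src[256];

static BlitState demo_state(int32_t w, int32_t h, int32_t pitch, int32_t addr)
{
    BlitState s = { demo_vram, DEMO_VRAM_SIZE, w, h, pitch, addr };
    return s;
}

/* Wrapper: does this rectangle fail the check? */
bool demo_unsafe(int32_t w, int32_t h, int32_t pitch, int32_t addr)
{
    BlitState s = demo_state(w, h, pitch, addr);
    return blit_dst_is_unsafe(&s);
}

/* Wrapper: attempt the guarded copy, returning bytes written or -1. */
int64_t demo_copy(int32_t w, int32_t h, int32_t pitch, int32_t addr)
{
    BlitState s = demo_state(w, h, pitch, addr);
    memset(demo_src, 0xAB, sizeof demo_src);
    return cputovideo_copy(&s, demo_src, sizeof demo_src);
}

int main(void)
{
    printf("in-bounds blit:    %lld\n", (long long)demo_copy(16, 4, 64, 0));
    printf("past end of VRAM:  %lld\n", (long long)demo_copy(16, 4, 64, 4000));
    printf("before start:      %lld\n", (long long)demo_copy(16, 3, -64, 100));
    return 0;
}
```

The check is deliberately evaluated on the whole rectangle before the first memcpy: validating line by line inside the loop would still leave earlier lines written when a later one fails, and checking only the start address (as a routine that "fails to check whether the region is safe" effectively does) says nothing about where height times pitch ends up.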

VULNERABLE SYSTEMS

Versions of qemu shipped with all Xen versions are vulnerable.
Xen systems running on x86 with HVM guests, with the qemu process running in dom0 are vulnerable.
Only guests provided with the “cirrus” emulated video card can exploit the vulnerability. The non-default “stdvga” emulated video card is not vulnerable. (With xl the emulated video card is controlled by the “stdvga=” and “vga=” domain configuration options.)
ARM systems are not vulnerable. Systems using only PV guests are not vulnerable.
For VMs whose qemu process is running in a stub domain, a successful attacker will only gain the privileges of that stubdom, which should be only over the guest itself.
Both upstream-based versions of qemu (device_model_version=“qemu-xen”) and ‘traditional’ qemu (device_model_version=“qemu-xen-traditional”) are vulnerable.
