Cirrus VGA Heap overflow via display refresh

ISSUE DESCRIPTION

When a graphics update command gets passed to the VGA emulator, there are 3 possible modes that can be used to update the display:

• blank - Clears the display * text - Treats the display as showing text * graph - Treats the display as showing graphics
  After the display geometry gets changed (i.e., after the CIRRUS VGA emulation has resized the display), the VGA emulator will resize the console during the next update command. However, when a blank mode is also selected during an update, this resize doesn’t happen. The resize will be properly handled during the next time a non-blank mode is selected during an update.
  However, other console components - such as the VNC emulation - will operate as though this resize had happened. When the display is resized to be larger than before, this can result in a heap overflow as console components will expect the display buffer to be larger than it is currently allocated.

IMPACT

A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process.

VULNERABLE SYSTEMS

All versions of Xen are vulnerable.
Only HVM guests with the Cirrus video card are vulnerable. (The Cirrus video card is the default.) Both qemu-upstream and qemu-traditional are vulnerable.
For HVM guests with the device model running in a stub domain, “the privileges of the device model process” are identical to those of the guest kernel. But the ability of a userspace process to trigger this vulnerability via legitimate commands to the kernel driver (thus elevating its privileges to that of the guest kernel) cannot be ruled out.