Bug 237342 (CVE-2007-1320)

Summary: CVE-2007-1320 xen/qemu Cirrus LGD-54XX "bitblt" Heap Overflow
Product: [Other] Security Response Reporter: Marcel Holtmann <holtmann>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: armbru, berrange, clalance, dwmw2, gcosta, hdegoede, jlieskov, kreilly, sakaia, sundaram, xen-maint
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 65-7.fc9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-13 17:55:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 237467, 296271, 296281, 448524, 448525, 466890    
Bug Blocks: 471055    

Description Marcel Holtmann 2007-04-20 21:41:55 UTC 
The cirrus_invalidate_region() routine used during video-to-video copy
operations in the cirrus vga extension code omits bounds checking in
multiple locations, allowing you to overwrite adjacent buffers by
attempting to mark non-existent regions as dirty. Successful
exploitation would result in a complete compromise of the qemu
process. Additionally multiple bitblt operations omit bounds checking,
where the srcpitch or dstpitch coefficients cause the operation to
exceed the bounds of the vram buffer.
Comment 1 Daniel Berrangé 2007-04-25 00:04:36 UTC 
Upstream applied this fix:

http://xenbits.xensource.com/xen-unstable.hg?rev/9e86260b95a4
Comment 2 RHEL Program Management 2007-05-04 13:27:07 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Mark J. Cox 2007-09-19 13:21:18 UTC 
public via http://taviso.decsystem.org/virtsec.pdf
Comment 8 Tomas Hoger 2008-05-27 06:50:45 UTC 
It seems that this issue did not get fixed in qemu / kvm at the time of fix
being applied to Xen.  Following patch was recently applied in the qemu SVN to
address this issue:

http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=4340

Cirrus seems to be the default graphics adapter used by current kvm versions.
Comment 9 Glauber Costa 2008-05-27 13:14:10 UTC 
I created bugs #448524 and #448525 as clones of this one for Fedora.
Comment 10 Lubomir Rintel 2008-05-27 14:09:57 UTC 
*** Bug 448524 has been marked as a duplicate of this bug. ***
Comment 11 Fedora Update System 2008-05-29 02:33:07 UTC 
kvm-65-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-05-29 02:48:57 UTC 
kvm-60-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Don Dutile (Red Hat) 2008-09-03 17:06:02 UTC 
Closing since XS patch was applied to RHEL5 when it rebased to xen-3.1.0
and comment 11 & comment 12 indicate the fix is included in fc8 & fc9.
Comment 14 Tomas Hoger 2008-09-04 06:52:30 UTC 
Is this fixed in current qemu versions as well?
Comment 16 Atsushi SAKAI 2008-11-04 04:11:50 UTC 
Hi, Tomas

I am looking around the patch.
It needs to add originally.
Since 0.9.1 Released on Jan 2008,
But a patch itself created on after that.

=====
version change
bellard [Sun, 6 Jan 2008 17:10:54 +0000 (17:10 +0000)]

http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=bfe312121eb80226f0cb2d4b7c2b9b5fafecd93e
=======

1)CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow
aurel32 [Mon, 5 May 2008 21:26:31 +0000 (21:26 +0000)]

I have just noticed that patch for CVE-2007-1320 has never been applied
to the QEMU CVS. Please find it below.
http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef


2)CVE-2008-4539: fix a heap overflow in Cirrus emulation
aurel32 [Sat, 1 Nov 2008 00:53:39 +0000 (00:53 +0000)]

The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has
been announced and the patch has been applied. As a consequence it has
wrongly applied and QEMU is still vulnerable to this bug if using VNC.

(noticed by Jan Niehusmann)

http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=65d35a09979e63541afc5bfc595b9f1b1b4ae069

Thanks
Atsushi SAKAI
Comment 20 Tomas Hoger 2008-11-11 14:45:40 UTC 
Atsushi, thanks for providing links to qemu upstream commits.

I checked status of qemu, kvm and xen packages currently in Fedora with respect to this bug and CVE-2008-4539.

qemu:
- versions checked:
  qemu-0.9.0-7.fc8 qemu-0.9.1-6.fc9 qemu-0.9.1-10.fc10
- no patch applied, all versions require patch for CVE-2007-1320
- as CVE-2007-1320 was not yet addressed in qemu, CVE-2008-4539 does not apply

kvm:
- versions checked:
  kvm-60-6.fc8 kvm-65-10.fc9 kvm-74-5.fc10 kvm-78-4.fc11
- all versions have original patch for CVE-2007-1320, which is also included
  in upstream sources in 70
- all require patch for CVE-2008-4539

xen:
- xen upstream seems to use completely different patch to address this issue, see comment #1 or:
http://xenbits.xensource.com/xen-3.1-testing.hg?file/623a07dda15c/tools/ioemu/patches/qemu-cirrus-bounds-checks
Comment 21 Chris Lalancette 2011-07-13 17:55:13 UTC 
This is ancient, and all of the affected versions have been patches (as far as I know).  Closing this out.
Comment 22 Tomas Hoger 2014-12-05 08:52:08 UTC 
Working qemu patch links:

http://git.qemu.org/?p=qemu.git;a=commitdiff;h=b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=65d35a09979e63541afc5bfc595b9f1b1b4ae069

This fix was found to be incorrect, see bug 1169454 / CVE-2014-8106.