Bug 1318712 (CVE-2016-3712) - CVE-2016-3712 qemu-kvm: Out-of-bounds read when creating weird vga screen surface
Summary: CVE-2016-3712 qemu-kvm: Out-of-bounds read when creating weird vga screen sur...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3712
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1332282 1332284 1334342 1334343
Blocks: 1318730
 
Reported: 2016-03-17 15:00 UTC by Adam Mariš
Modified: 2019-11-14 07:37 UTC (History)
CC List: 41 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An integer overflow flaw and an out-of-bounds read flaw were found in the way QEMU's VGA emulator set certain VGA registers while in VBE mode. A privileged guest user could use this flaw to crash the QEMU process instance.
Clone Of:
Environment:
Last Closed: 2017-03-21 09:56:14 UTC


Attachments
Backtrace report (1.86 KB, text/plain) 2016-03-17 15:06 UTC, Adam Mariš


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2585 normal SHIPPED_LIVE Moderate: qemu-kvm security, bug fix, and enhancement update 2016-11-03 12:09:03 UTC
Red Hat Product Errata RHSA-2017:0621 normal SHIPPED_LIVE Moderate: qemu-kvm security and bug fix update 2017-03-21 12:28:31 UTC

Description Adam Mariš 2016-03-17 15:00:16 UTC
Qemu VGA module allows a guest to edit certain registers in 'vbe' and 'vga' 
modes, i.e. the guest could set certain 'VGA' registers while in 'VBE' mode. This 
leads to potential integer overflow or OOB read access issues in Qemu.

A privileged guest user could use this flaw to crash the Qemu process on the 
host resulting in DoS.

Upstream patches:
-----------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg01198.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/05/09/4

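The description above says that VGA registers changed underneath an active VBE mode lead to an integer overflow or an out-of-bounds read when the screen surface is built. The following is an added example, not QEMU's code and not the upstream fix: it models a hypothetical scanout with guest-controlled start address, line pitch, width, height and depth, shows how a 32-bit end-of-surface computation wraps so that an absurd surface looks like it fits, and contrasts it with a 64-bit, overflow-checked bounds test that the simulated scanout must pass before it touches VRAM. The struct, field names, VRAM size and the sample register values are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the guest-writable register state that
 * shapes the scanout surface. Added illustration only: not QEMU's
 * VGACommonState, and the field names are assumptions. */
typedef struct {
    uint32_t start_addr;   /* framebuffer start in 4-byte units */
    uint32_t line_offset;  /* bytes between the start of consecutive lines */
    uint32_t width;        /* visible pixels per line */
    uint32_t height;       /* visible lines */
    uint32_t bpp;          /* bits per pixel */
} vga_regs_t;

#define VRAM_SIZE (16u * 1024u * 1024u)  /* 16 MiB, assumed for the example */

/* Naive end-of-surface computation in 32-bit arithmetic: the products wrap,
 * so a surface that really extends gigabytes past VRAM can appear to fit. */
static uint32_t naive_region_end(const vga_regs_t *r)
{
    uint32_t start = r->start_addr * 4;
    uint32_t bytes_per_line = r->width * (r->bpp / 8);
    return start + r->line_offset * r->height + bytes_per_line;
}

/* Hardened check: widen to 64 bits, detect overflow with the GCC/clang
 * builtins, and require the last byte the scanout would read
 * (start + (height-1)*line_offset + last line) to lie inside VRAM. */
static bool surface_fits(const vga_regs_t *r, uint64_t vram_size)
{
    uint64_t start, stride_total, bytes_per_line, end;
    if (r->width == 0 || r->height == 0 || r->bpp == 0 || r->bpp % 8 != 0) {
        return false;
    }
    start = (uint64_t)r->start_addr * 4;
    bytes_per_line = (uint64_t)r->width * (r->bpp / 8);
    if (__builtin_mul_overflow((uint64_t)r->height - 1, (uint64_t)r->line_offset, &stride_total) ||
        __builtin_add_overflow(start, stride_total, &end) ||
        __builtin_add_overflow(end, bytes_per_line, &end)) {
        return false;
    }
    return end <= vram_size;
}

/* Simulated scanout: copies the visible lines out of VRAM only after the
 * bounds check passes. Returns the number of bytes copied, 0 on refusal. */
static size_t scanout(const uint8_t *vram, uint64_t vram_size,
                      const vga_regs_t *r, uint8_t *out, size_t out_size)
{
    size_t bpl = (size_t)r->width * (r->bpp / 8);
    uint32_t y;
    if (!surface_fits(r, vram_size) || (uint64_t)bpl * r->height > out_size) {
        return 0;
    }
    for (y = 0; y < r->height; y++) {
        memcpy(out + (size_t)y * bpl,
               vram + (uint64_t)r->start_addr * 4 + (uint64_t)y * r->line_offset, bpl);
    }
    return bpl * r->height;
}

/* Constructed scenario: a 64 KiB VRAM holding a byte pattern, a sane 4x2
 * surface at 32 bpp starting at byte 16, and the same registers with a
 * wrapping line_offset*height. Returns the sane case's byte count when its
 * data is correct and the weird case was refused, otherwise 0. */
static size_t demo_scanout(void)
{
    static uint8_t vram[64 * 1024];
    uint8_t out[64];
    vga_regs_t sane  = { 4, 16, 4, 2, 32 };
    vga_regs_t weird = { 4, 65536, 4, 65536, 32 };
    size_t i, n;
    for (i = 0; i < sizeof vram; i++) {
        vram[i] = (uint8_t)i;
    }
    n = scanout(vram, sizeof vram, &sane, out, sizeof out);
    if (n != 32 || out[0] != 16 || out[16] != 32) {
        return 0;
    }
    return scanout(vram, sizeof vram, &weird, out, sizeof out) == 0 ? n : 0;
}

int main(void)
{
    vga_regs_t weird = { 0, 65536, 640, 65536, 32 };
    printf("naive end %u (wrapped), fits: %s, demo bytes: %zu\n",
           naive_region_end(&weird), surface_fits(&weird, VRAM_SIZE) ? "yes" : "no",
           demo_scanout());
    return 0;
}
```

With line_offset and height both 65536 the 32-bit product is exactly 2^32 and wraps to zero, so the naive computation reports an end offset of 2560 bytes while the surface actually spans 4 GiB; the same trick works on start_addr alone, since 0x40000000 * 4 wraps to zero. The point of the hardened check is that every register the guest can write is treated as untrusted input to the surface geometry, whatever mode the device believes it is in.
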
Comment 1 Adam Mariš 2016-03-17 15:00:37 UTC
Acknowledgments:

Name: Zuozhi Fzz (Alibaba Inc.)

Comment 3 Adam Mariš 2016-03-17 15:06:43 UTC
Created attachment 1137419 [details]
Backtrace report

Comment 5 Prasad J Pandit 2016-05-02 19:19:55 UTC
Statement:

(none)

Comment 6 Adam Mariš 2016-05-09 12:16:00 UTC
Public via:

http://xenbits.xen.org/xsa/advisory-179.html

Comment 7 Prasad J Pandit 2016-05-09 12:21:20 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1334343]

Comment 8 Prasad J Pandit 2016-05-09 12:21:36 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1334342]

Comment 9 Fedora Update System 2016-05-12 07:27:17 UTC
xen-4.5.3-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-05-15 05:26:18 UTC
qemu-2.4.1-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-05-16 16:20:26 UTC
xen-4.6.1-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-05-20 23:48:31 UTC
qemu-2.3.1-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Gerd Hoffmann 2016-05-24 14:16:54 UTC
This one caused a regression.  How do we handle these?

upstream patch (merged in master, queued for 2.6.1 stable update):
https://lists.nongnu.org/archive/html/qemu-devel/2016-05/msg03790.html

fedora bugs: bug 1339268, bug 1339267

Comment 14 Jeff Nelson 2016-05-24 16:59:02 UTC
> This one caused a regression.  How do we handle these?

Does the regression introduce a new security issue?

I'd suggest tracking the regression as a separate issue in a new set of BZs for RHEL-6.9 and RHEL-7.3. Whether or not we backport the fix to the respective Z-streams depends on whether or not a customer hits the regression.

Setting NEEDINFO to areis for additional review/feedback.

Comment 15 Gerd Hoffmann 2016-05-25 08:28:41 UTC
(In reply to Jeff Nelson from comment #14)
> > This one caused a regression.  How do we handle these?
> 
> Does the regression introduce a new security issue?

No.

Comment 16 Ademar Reis 2016-05-25 15:17:32 UTC
(In reply to Jeff Nelson from comment #14)
> > This one caused a regression.  How do we handle these?
> 
> Does the regression introduce a new security issue?
> 
> I'd suggest tracking the regression as a separate issue in a new set of BZs
> for RHEL-6.9 and RHEL-7.3. Whether or not we backport the fix to the
> respective Z-streams depends on whether or not a customer hits the
> regression.

My understanding is that this particular security issue is not being backported to z-streams.

If that's indeed the case, then given the patches are being reviewed (BZs are POST), there's no need for a new BZ for the regression. We can simply respin the patches.

Comment 17 Fedora Update System 2016-05-28 23:22:17 UTC
xen-4.5.3-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Gerd Hoffmann 2016-06-01 08:57:28 UTC
(In reply to Ademar Reis from comment #16)
> (In reply to Jeff Nelson from comment #14)
> > > This one caused a regression.  How do we handle these?
> > 
> > Does the regression introduce a new security issue?
> > 
> > I'd suggest tracking the regression as a separate issue in a new set of BZs
> > for RHEL-6.9 and RHEL-7.3. Whether or not we backport the fix to the
> > respective Z-streams depends on whether or not a customer hits the
> > regression.
> 
> My understanding is that this particular security issue is not being
> backported to z-streams.
> 
> If that's indeed the case, then given the patches are being reviewed (BZs
> are POST), there's no need for a new BZ for the regression. We can simply
> respin the patches.

Both CVE-2016-3710 and CVE-2016-3712 are fixed together in one series (RHEL-6 + RHEL-7).  RHEL-5 gets the CVE-2016-3710 fix only so no regression there.

Patches are out for 6.8 and 7.2.z.

Comment 19 errata-xmlrpc 2016-11-03 20:10:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2585 https://rhn.redhat.com/errata/RHSA-2016-2585.html

Comment 21 errata-xmlrpc 2017-03-21 09:37:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0621 https://rhn.redhat.com/errata/RHSA-2017-0621.html

