Bug 1392938 (CVE-2016-9381, xsa197) - CVE-2016-9381 xsa197 xen: qemu incautious about shared ring processing (XSA-197)
Summary: CVE-2016-9381 xsa197 xen: qemu incautious about shared ring processing (XSA-197)
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2016-9381, xsa197
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1397383 1397385
Blocks: 1392953
TreeView+ depends on / blocked
 
Reported: 2016-11-08 13:56 UTC by Adam Mariš
Modified: 2019-09-29 13:59 UTC (History)
41 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-27 18:18:55 UTC


Attachments (Terms of Use)
qemu-upstream Xen 4.4.x (1.72 KB, patch)
2016-11-08 14:41 UTC, Adam Mariš
no flags Details | Diff
qemu-traditional Xen 4.5.x, Xen 4.4.x (1.86 KB, patch)
2016-11-08 14:42 UTC, Adam Mariš
no flags Details | Diff
qemu-upstream Xen 4.5.x (1.72 KB, patch)
2016-11-08 14:42 UTC, Adam Mariš
no flags Details | Diff
qemu-upstream Xen 4.6.x (1.72 KB, patch)
2016-11-08 14:43 UTC, Adam Mariš
no flags Details | Diff
qemu-traditional xen-unstable, Xen 4.7.x, Xen 4.6.x (1.87 KB, patch)
2016-11-08 14:44 UTC, Adam Mariš
no flags Details | Diff
qemu-upstream xen-unstable, Xen 4.7.x (1.95 KB, patch)
2016-11-08 14:44 UTC, Adam Mariš
no flags Details | Diff

Description Adam Mariš 2016-11-08 13:56:49 UTC
ISSUE DESCRIPTION
=================

The compiler can emit optimizations in qemu which can lead to double
fetch vulnerabilities.  Specifically data on the rings shared between
qemu and the hypervisor (which the guest under control can obtain
mappings of) can be fetched twice (during which time the guest can
alter the contents) possibly leading to arbitrary code execution in
qemu.

IMPACT
======

Malicious administrators can exploit this vulnerability to take over
the qemu process, elevating its privilege to that of the qemu process.

In a system not using a device model stub domain (or other techniques
for deprivileging qemu), malicious guest administrators can thus
elevate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

All Xen versions with all flavors of qemu are affected.

Only x86 HVM guests expose the vulnerability.  x86 PV guests do not
expose the vulnerability.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid the vulnerability.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.
In a usual configuration, a service domain has only the privilege of
the guest, so this eliminates the vulnerability.

The vulnerability can be avoided if the guest kernel is controlled by
the host rather than guest administrator, provided that further steps
are taken to prevent the guest administrator from loading code into
the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.

External References:

http://xenbits.xen.org/xsa/advisory-197.html

Acknowledgements:

Name: the Xen project
Upstream: yanghongke (Huawei Security Test Team)

Comment 1 Adam Mariš 2016-11-08 14:41:32 UTC
Created attachment 1218538 [details]
qemu-upstream Xen 4.4.x

Comment 2 Adam Mariš 2016-11-08 14:42:15 UTC
Created attachment 1218539 [details]
qemu-traditional Xen 4.5.x, Xen 4.4.x

Comment 3 Adam Mariš 2016-11-08 14:42:51 UTC
Created attachment 1218541 [details]
qemu-upstream Xen 4.5.x

Comment 4 Adam Mariš 2016-11-08 14:43:23 UTC
Created attachment 1218542 [details]
qemu-upstream Xen 4.6.x

Comment 5 Adam Mariš 2016-11-08 14:44:17 UTC
Created attachment 1218544 [details]
qemu-traditional xen-unstable, Xen 4.7.x, Xen 4.6.x

Comment 6 Adam Mariš 2016-11-08 14:44:45 UTC
Created attachment 1218545 [details]
qemu-upstream xen-unstable, Xen 4.7.x

Comment 7 Martin Prpič 2016-11-22 12:25:41 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1397383]

Comment 8 Martin Prpič 2016-11-22 12:25:58 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1397385]

Comment 9 Cole Robinson 2017-01-16 18:40:26 UTC
Upstream qemu commit:

commit b85f9dfdb156ae2a2a52f39a36e9f1f270614cd2
Author: Jan Beulich <JBeulich@suse.com>
Date:   Tue Nov 22 05:56:51 2016 -0700

    xen: fix ioreq handling


Note You need to log in before you can comment on or make changes to this bug.