The cirrus_invalidate_region() routine used during video-to-video copy
operations in the Cirrus VGA extension code omits bounds checking in
multiple locations, allowing you to overwrite adjacent buffers by
attempting to mark non-existent regions as dirty. Successful
exploitation would result in a complete compromise of the qemu
process. Additionally, multiple bitblt operations omit bounds checking,
so that the srcpitch or dstpitch coefficients can cause the operation to
exceed the bounds of the vram buffer.
Upstream applied this fix:
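The two defects in the description above (blit rows walking past the end of vram, and the invalidate routine indexing the dirty bitmap for regions that do not exist) share one root cause: guest-supplied start/pitch/width/height values are used without first computing the byte range they cover. The following is an added illustration written for this page; it is not QEMU's hw/cirrus_vga.c and not the upstream patch. The VRAM size, page size, and every function name in it are assumptions. It shows the range computation (including the negative-pitch, bottom-up case the Cirrus hardware allows) and the same check guarding both the copy loop and the dirty-page marking.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a pitch-addressed bitblt over a fixed-size VRAM buffer.
 * This is an added illustration, NOT QEMU's hw/cirrus_vga.c: the VRAM
 * size, page size and function names are assumptions made here. */

#define VRAM_SIZE   (64 * 1024)            /* assumed: 64 KiB of emulated VRAM */
#define PAGE_SHIFT  12                     /* assumed: 4 KiB dirty-tracking pages */
#define DIRTY_PAGES (VRAM_SIZE >> PAGE_SHIFT)

static uint8_t g_vram[VRAM_SIZE];          /* the buffer a bad blit would escape */
static uint8_t g_dirty[DIRTY_PAGES];       /* the adjacent buffer a bad invalidate would overrun */

/* Lowest and highest byte a blit of `height` rows of `width` bytes touches,
 * starting at `start` and stepping `pitch` bytes per row. The pitch may be
 * negative (bottom-up blit), so the rectangle can extend below `start`.
 * Returns true only if every byte lies in [0, vram_size). The arithmetic is
 * done in 64 bits so guest-chosen pitch/height values cannot wrap around. */
static bool blit_in_bounds(size_t vram_size, uint32_t start, int32_t pitch,
                           uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0) {
        return true;                       /* nothing is touched */
    }
    int64_t first_row = (int64_t)start;
    int64_t last_row  = first_row + (int64_t)pitch * ((int64_t)height - 1);
    int64_t lo = first_row < last_row ? first_row : last_row;
    int64_t hi = (first_row > last_row ? first_row : last_row) + (int64_t)width;
    return lo >= 0 && hi <= (int64_t)vram_size;
}

/* Video-to-video copy. Without the check on entry this is the shape of the
 * unchecked code: every parameter comes from guest-writable registers, and
 * with a large pitch or height the loop walks straight out of vram[].
 * Returns 0 on success, -1 if the parameters would read or write outside
 * VRAM; the operation is refused rather than silently clamped. */
static int blit_checked(uint8_t *vram, size_t vram_size,
                        uint32_t dst, uint32_t src,
                        int32_t dst_pitch, int32_t src_pitch,
                        uint32_t width, uint32_t height)
{
    if (!blit_in_bounds(vram_size, dst, dst_pitch, width, height) ||
        !blit_in_bounds(vram_size, src, src_pitch, width, height)) {
        return -1;
    }
    for (uint32_t y = 0; y < height; y++) {
        memmove(vram + dst, vram + src, width);   /* rows may overlap: memmove */
        dst = (uint32_t)((int64_t)dst + dst_pitch);
        src = (uint32_t)((int64_t)src + src_pitch);
    }
    return 0;
}

/* Dirty-page marking for a blit rectangle. The report describes an
 * invalidate routine that marks non-existent regions dirty and thereby
 * writes past the dirty bitmap; here the same range check guards the
 * bitmap index before any page is marked. */
static int invalidate_region(uint8_t *dirty, size_t vram_size, uint32_t start,
                             int32_t pitch, uint32_t width, uint32_t height)
{
    if (!blit_in_bounds(vram_size, start, pitch, width, height)) {
        return -1;
    }
    if (width == 0 || height == 0) {
        return 0;
    }
    for (uint32_t y = 0; y < height; y++) {
        int64_t row_start  = (int64_t)start + (int64_t)pitch * y;
        int64_t first_page = row_start >> PAGE_SHIFT;
        int64_t last_page  = (row_start + width - 1) >> PAGE_SHIFT;
        for (int64_t p = first_page; p <= last_page; p++) {
            dirty[p] = 1;                  /* p < vram_size >> PAGE_SHIFT by the check above */
        }
    }
    return 0;
}

int main(void)
{
    /* A 640x100 copy at pitch 640 fits in 64 KiB; 103 rows do not. */
    printf("100 rows: %d\n", blit_checked(g_vram, VRAM_SIZE, 0, 1024, 640, 640, 640, 100));
    printf("103 rows: %d\n", blit_checked(g_vram, VRAM_SIZE, 0, 1024, 640, 640, 640, 103));
    /* A bottom-up blit from the last row is fine; one from row 100 underflows. */
    printf("bottom-up ok:  %d\n", invalidate_region(g_dirty, VRAM_SIZE, VRAM_SIZE - 640, -640, 640, 2));
    printf("bottom-up bad: %d\n", invalidate_region(g_dirty, VRAM_SIZE, 100, -640, 640, 2));
    return 0;
}
```

The point of computing `lo`/`hi` rather than checking only `start` is that a pitch larger than the row width, a height chosen so that `pitch * (height - 1)` lands far beyond the buffer, or a negative pitch that steps below offset zero are each rejected by the same two comparisons; checking `start < vram_size` alone catches none of them.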
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
public via http://taviso.decsystem.org/virtsec.pdf
It seems that this issue did not get fixed in qemu / kvm at the time the fix
was applied to Xen. The following patch was recently applied in the qemu SVN to
address this issue:
Cirrus seems to be the default graphics adapter used by current kvm versions.
I created bugs #448524 and #448525 as clones of this one for Fedora.
*** Bug 448524 has been marked as a duplicate of this bug. ***
kvm-65-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
kvm-60-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Closing since the XS patch was applied to RHEL5 when it rebased to xen-3.1.0,
and comment 11 & comment 12 indicate the fix is included in fc8 & fc9.
Is this fixed in current qemu versions as well?
I am looking at the patch.
It needed to be added originally.
0.9.1 was released in Jan 2008,
but the patch itself was created after that.
bellard [Sun, 6 Jan 2008 17:10:54 +0000 (17:10 +0000)]

1) CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow
aurel32 [Mon, 5 May 2008 21:26:31 +0000 (21:26 +0000)]
I have just noticed that the patch for CVE-2007-1320 has never been applied
to the QEMU CVS. Please find it below.

2) CVE-2008-4539: fix a heap overflow in Cirrus emulation
aurel32 [Sat, 1 Nov 2008 00:53:39 +0000 (00:53 +0000)]
The code in hw/cirrus_vga.c has changed a lot between the time CVE-2007-1320 was
announced and the patch was applied. As a consequence it has been wrongly
applied and QEMU is still vulnerable to this bug if using VNC.
(noticed by Jan Niehusmann)
Atsushi, thanks for providing links to qemu upstream commits.
I checked status of qemu, kvm and xen packages currently in Fedora with respect to this bug and CVE-2008-4539.
- versions checked:
qemu-0.9.0-7.fc8 qemu-0.9.1-6.fc9 qemu-0.9.1-10.fc10
- no patch applied, all versions require patch for CVE-2007-1320
- as CVE-2007-1320 was not yet addressed in qemu, CVE-2008-4539 does not apply
- versions checked:
kvm-60-6.fc8 kvm-65-10.fc9 kvm-74-5.fc10 kvm-78-4.fc11
- all versions have original patch for CVE-2007-1320, which is also included
in upstream sources in 70
- all require patch for CVE-2008-4539
- xen upstream seems to use completely different patch to address this issue, see comment #1 or:
This is ancient, and all of the affected versions have been patched (as far as I know). Closing this out.
Working qemu patch links:
This fix was found to be incorrect, see bug 1169454 / CVE-2014-8106.