The cirrus_invalidate_region() routine used during video-to-video copy operations in the Cirrus VGA emulation code omits bounds checking in multiple locations, allowing a guest to overwrite adjacent buffers by attempting to mark non-existent regions as dirty. Successful exploitation would result in a complete compromise of the qemu process. Additionally, multiple bitblt operations omit bounds checking, so that guest-controlled srcpitch or dstpitch values cause the operation to exceed the bounds of the vram buffer.
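The description above states the bug in prose. The C model below is an added illustration, not code from QEMU, Xen, kvm or any of the patches linked in this bug; every name (fake_vga, blit_region_is_unsafe, VRAM_SIZE, PAGE_SHIFT) and size in it is an assumption of the example. It shows the shape of the missing check: compute the full byte range a blit with a given start offset, pitch, width and height will touch, treating a negative pitch (bottom-up copies) correctly, and refuse the operation unless that whole range lies inside vram. Both the source and the destination of a copy are checked with their own pitch, and the dirty-region marking is gated by the same check. unchecked_last_dirty_page() reports the bitmap index the original, unchecked loop would have written so the overrun is visible without actually corrupting memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not QEMU's hw/cirrus_vga.c: a small "vram" plus the
 * per-page dirty bitmap that the invalidate routine updates. Sizes are
 * arbitrary assumptions chosen to keep the example self-contained. */
#define VRAM_SIZE   (64 * 1024)
#define PAGE_SHIFT  12
#define NUM_PAGES   (VRAM_SIZE >> PAGE_SHIFT)

struct fake_vga {
    uint8_t vram[VRAM_SIZE];
    uint8_t dirty[NUM_PAGES];
};

/* Lowest and highest byte offset a blit touches. Rows are 'width' bytes,
 * consecutive rows are 'pitch' bytes apart; pitch may be negative for
 * bottom-up copies, so the last row may sit below the first one. */
static bool blit_extent(int32_t addr, int pitch, int width, int height,
                        int64_t *lo, int64_t *hi)
{
    if (width <= 0 || height <= 0)
        return false;
    int64_t first_row = addr;
    int64_t last_row  = (int64_t)addr + (int64_t)pitch * (height - 1);
    *lo = first_row < last_row ? first_row : last_row;
    *hi = (first_row < last_row ? last_row : first_row) + width - 1;
    return true;
}

/* The bounds check the original code omitted: true if any byte of the
 * rectangle lies outside vram (or the geometry is degenerate). */
static bool blit_region_is_unsafe(int32_t addr, int pitch, int width, int height)
{
    int64_t lo, hi;
    if (!blit_extent(addr, pitch, width, height, &lo, &hi))
        return true;
    return lo < 0 || hi >= VRAM_SIZE;
}

/* What the unchecked invalidate loop would do: the index of the last
 * dirty-bitmap entry it would write. >= NUM_PAGES means a write past the
 * end of s->dirty into whatever is adjacent on the heap. */
static int64_t unchecked_last_dirty_page(int32_t off_begin, int off_pitch,
                                         int bytesperline, int lines)
{
    int64_t last = off_begin;
    for (int y = 0; y < lines; y++) {
        int64_t end = (int64_t)off_begin + (int64_t)off_pitch * y + bytesperline - 1;
        if (end > last)
            last = end;
    }
    return last >> PAGE_SHIFT;
}

/* Hardened invalidate: rejects any region that does not fit in vram
 * before touching the bitmap. */
static bool invalidate_region(struct fake_vga *s, int32_t off_begin,
                              int off_pitch, int bytesperline, int lines)
{
    if (blit_region_is_unsafe(off_begin, off_pitch, bytesperline, lines))
        return false;
    for (int y = 0; y < lines; y++) {
        int64_t start = (int64_t)off_begin + (int64_t)off_pitch * y;
        int64_t end   = start + bytesperline - 1;
        for (int64_t p = start >> PAGE_SHIFT; p <= (end >> PAGE_SHIFT); p++)
            s->dirty[p] = 1;
    }
    return true;
}

/* Video-to-video copy with both operands validated. Returns false and
 * copies nothing when the guest-supplied geometry would read or write
 * outside vram. */
static bool bitblt_copy(struct fake_vga *s, int32_t dst, int32_t src,
                        int dstpitch, int srcpitch, int width, int height)
{
    if (blit_region_is_unsafe(dst, dstpitch, width, height) ||
        blit_region_is_unsafe(src, srcpitch, width, height))
        return false;
    for (int y = 0; y < height; y++)
        memmove(s->vram + dst + (int64_t)dstpitch * y,
                s->vram + src + (int64_t)srcpitch * y, (size_t)width);
    return invalidate_region(s, dst, dstpitch, width, height);
}

/* Wrapper over a static device so a caller needs no setup. */
static bool copy_accepted(int32_t dst, int32_t src, int dstpitch,
                          int srcpitch, int width, int height)
{
    static struct fake_vga s;
    memset(&s, 0, sizeof s);
    return bitblt_copy(&s, dst, src, dstpitch, srcpitch, width, height);
}

int main(void)
{
    /* 64 rows of 1024 bytes exactly fill vram; 65 rows run past it. */
    printf("in-bounds copy accepted: %d\n", copy_accepted(0, 0, 1024, 1024, 1024, 64));
    printf("oversized copy accepted: %d\n", copy_accepted(0, 0, 1024, 1024, 1024, 65));
    printf("unchecked loop would write dirty[%lld], only %d entries exist\n",
           (long long)unchecked_last_dirty_page(0, 1024, 1024, 65), NUM_PAGES);
    return 0;
}
```

The check deliberately works on the extent of the whole rectangle rather than on the start address alone: a start offset inside vram with a large or negative pitch still walks outside it, which is exactly the srcpitch/dstpitch case the description mentions. Any real device model also has to apply the same check to every code path that reuses the guest-supplied geometry (the copy itself, the dirty marking, and any later redraw), since validating only one of them leaves the others exploitable.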
Upstream applied this fix: http://xenbits.xensource.com/xen-unstable.hg?rev/9e86260b95a4
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
public via http://taviso.decsystem.org/virtsec.pdf
It seems that this issue did not get fixed in qemu / kvm at the time the fix was applied to Xen. The following patch was recently applied in the qemu SVN to address this issue: http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=4340 Cirrus seems to be the default graphics adapter used by current kvm versions.
I created bugs #448524 and #448525 as clones of this one for Fedora.
*** Bug 448524 has been marked as a duplicate of this bug. ***
kvm-65-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
kvm-60-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Closing since XS patch was applied to RHEL5 when it rebased to xen-3.1.0 and comment 11 & comment 12 indicate the fix is included in fc8 & fc9.
Is this fixed in current qemu versions as well?
Hi, Tomas

I am looking around the patch. It needed to be added originally, since 0.9.1 was released in Jan 2008, but the patch itself was created after that.

===== version change
bellard [Sun, 6 Jan 2008 17:10:54 +0000 (17:10 +0000)]
http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=bfe312121eb80226f0cb2d4b7c2b9b5fafecd93e
=======

1) CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow
aurel32 [Mon, 5 May 2008 21:26:31 +0000 (21:26 +0000)]
I have just noticed that the patch for CVE-2007-1320 has never been applied to the QEMU CVS. Please find it below.
http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef

2) CVE-2008-4539: fix a heap overflow in Cirrus emulation
aurel32 [Sat, 1 Nov 2008 00:53:39 +0000 (00:53 +0000)]
The code in hw/cirrus_vga.c has changed a lot between the time CVE-2007-1320 was announced and the time the patch was applied. As a consequence it was wrongly applied and QEMU is still vulnerable to this bug if using VNC. (noticed by Jan Niehusmann)
http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=65d35a09979e63541afc5bfc595b9f1b1b4ae069

Thanks
Atsushi SAKAI
Atsushi, thanks for providing links to qemu upstream commits. I checked the status of the qemu, kvm and xen packages currently in Fedora with respect to this bug and CVE-2008-4539.

qemu:
- versions checked: qemu-0.9.0-7.fc8, qemu-0.9.1-6.fc9, qemu-0.9.1-10.fc10
- no patch applied, all versions require the patch for CVE-2007-1320
- as CVE-2007-1320 was not yet addressed in qemu, CVE-2008-4539 does not apply

kvm:
- versions checked: kvm-60-6.fc8, kvm-65-10.fc9, kvm-74-5.fc10, kvm-78-4.fc11
- all versions have the original patch for CVE-2007-1320, which is also included in upstream sources in 70
- all require the patch for CVE-2008-4539

xen:
- xen upstream seems to use a completely different patch to address this issue, see comment #1 or: http://xenbits.xensource.com/xen-3.1-testing.hg?file/623a07dda15c/tools/ioemu/patches/qemu-cirrus-bounds-checks
This is ancient, and all of the affected versions have been patched (as far as I know). Closing this out.
Working qemu patch links: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef http://git.qemu.org/?p=qemu.git;a=commitdiff;h=65d35a09979e63541afc5bfc595b9f1b1b4ae069 This fix was found to be incorrect, see bug 1169454 / CVE-2014-8106.