[kernel-xen] Xen Security Advisory 135 (CVE-2015-3209) - Heap overflow in QEMU PCNET controller, allowing guest->host escape

Steven Haigh netwiz at crc.id.au
Thu Jun 11 10:09:36 AEST 2015


            Xen Security Advisory CVE-2015-3209 / XSA-135
                              version 3

 Heap overflow in QEMU PCNET controller, allowing guest->host escape

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

    pcnet_transmit loads a transmit-frame descriptor from the guest into the
    /tmd/ local variable to recover a length field, a status field and a
    guest-physical location of the associated frame buffer. If the status
    field indicates that the frame buffer is ready to be sent out (i.e. by
    setting the TXSTATUS_DEVICEOWNS, TXSTATUS_STARTPACKET and
    TXSTATUS_ENDPACKET bits on the status field), the PCNET device
    controller pulls in the frame from the guest-physical location to
    s->buffer (which is 4096 bytes long), and then transmits the frame.

    Because of the layout of the transmit-frame descriptor, it is not
    possible to send the PCNET device controller a frame of length > 4096,
    but it /is/ possible to send the PCNET device controller a frame that is
    marked as TXSTATUS_STARTPACKET, but not TXSTATUS_ENDPACKET. If we do
    this - and the PCNET controller is configured via the XMTRL CSR to
    support split-frame processing - then the pcnet_transmit function loops
    round, pulling a second transmit frame descriptor from the guest. If
    this second transmit frame descriptor sets the TXSTATUS_DEVICEOWNS bit
    and doesn't set the TXSTATUS_STARTPACKET bit, this frame is appended to
    the s->buffer field.

    An attacker can then exploit this vulnerability by sending a first
    packet of length 4096 to the device controller, and a second frame
    containing N-bytes to trigger an N-byte heap overflow.

    On 64-bit QEMU, a 24-byte overflow allows the guest to take control of
    the phys_mem_write function pointer in the PCNetState_st structure, and
    this is called when trying to flush the updated transmit frame
    descriptor back to the guest. By specifying the content of the second
    transmit frame, the attacker therefore gets reliable fully-chosen
    control of the host instruction pointer, allowing them to take control
    of the host.
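To make the split-frame accumulation concrete, here is an added model of the descriptor loop the advisory describes, with the bounds check that prevents the second fragment from running past the 4096-byte buffer. This is illustrative code written for this page, not QEMU's pcnet code or its fix; the structs, bit values, sample_frame and pcnet_run are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCNET_BUF_SIZE 4096
/* Status bits the advisory names; bit values are constructed for this
 * model, not copied from the QEMU source. */
#define TXSTATUS_DEVICEOWNS  0x8000
#define TXSTATUS_STARTPACKET 0x0200
#define TXSTATUS_ENDPACKET   0x0100
struct tx_desc {             /* hypothetical descriptor: only the named fields */
    uint16_t status;
    uint16_t length;         /* the descriptor layout caps this at 4096 */
    const uint8_t *data;     /* stands in for the guest-physical location */
};

struct pcnet_model {         /* hypothetical device state */
    uint8_t buffer[PCNET_BUF_SIZE];
    size_t xmit_pos;         /* bytes accumulated for the current frame */
    void (*phys_mem_write)(void); /* sits behind buffer, as in the text */
};

static const uint8_t sample_frame[PCNET_BUF_SIZE]; /* constructed zero data */
/* Append one fragment of a (possibly split) frame: 1 appended, 0 not
 * device-owned, -1 rejected. The length check is the hardening; the bug
 * described above is this loop without it, which copies past buffer once
 * xmit_pos has already reached 4096. */
static int pcnet_append_fragment(struct pcnet_model *s, const struct tx_desc *d)
{
    if (!(d->status & TXSTATUS_DEVICEOWNS))
        return 0;
    if (d->status & TXSTATUS_STARTPACKET)
        s->xmit_pos = 0;     /* a start fragment begins a new frame */
    if (d->length > sizeof(s->buffer) - s->xmit_pos)
        return -1;           /* would overrun buffer: drop the frame */
    memcpy(s->buffer + s->xmit_pos, d->data, d->length);
    s->xmit_pos += d->length;
    return 1;
}

/* Feed a descriptor ring to a fresh model; returns final xmit_pos or -1. */
static long pcnet_run(const struct tx_desc *ring, size_t n)
{
    struct pcnet_model s = {0};
    for (size_t i = 0; i < n; i++)
        if (pcnet_append_fragment(&s, &ring[i]) < 0)
            return -1;
    return (long)s.xmit_pos;
}
```

A legitimate split frame (2000 + 2000 bytes) is accepted, while the 4096-byte start fragment followed by a 24-byte continuation from the advisory is rejected instead of overrunning the buffer.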

IMPACT
======

A guest which has access to an emulated PCNET network device
(e.g. with "model=pcnet" in their VIF configuration) can exploit this
vulnerability to take over the qemu process, elevating its privilege to
that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured to use the PCNET emulated driver model are
vulnerable.

The default configuration is NOT vulnerable (because it does not
emulate PCNET NICs).

Systems running only PV guests are NOT vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device_model_stubdomain_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional "qemu-xen" and upstream qemu device models are
potentially vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated network devices altogether, by specifying
a PV-only VIF in the domain configuration file, will avoid this
issue.

Avoiding the use of the PCNET device in favour of other emulations
will also avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen"
version.

CREDITS
=======

This issue was discovered by Matt Tait of Google and reported to us
via the QEMU security team.

RESOLUTION
==========

* Wed Jun 10 2015 Steven Haigh <netwiz at crc.id.au> - 4.2.5-17
- XSA-135 (CVE-2015-3209) Heap overflow in QEMU PCNET controller, allowing guest->host escape

* Wed Jun 10 2015 Steven Haigh <netwiz at crc.id.au> - 4.4.1-17
- XSA-135 (CVE-2015-3209) Heap overflow in QEMU PCNET controller, allowing guest->host escape

* Wed Jun 10 2015 Steven Haigh <netwiz at crc.id.au> - 4.5.0-0.12
- XSA-135 (CVE-2015-3209) Heap overflow in QEMU PCNET controller, allowing guest->host escape

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except on
systems used and administered only by organisations which are members
of the Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

The decision not to permit deployment was made by the group that, at
their discretion, disclosed the issue to the Xen Project Security
Team.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html