* [Qemu-devel] [PULL 0/3] Cve 2015 5154 patches
From: John Snow @ 2015-07-27 12:01 UTC
  To: qemu-devel; +Cc: peter.maydell, jsnow, qemu-stable

The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:

  Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)

are available in the git repository at:

  https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request

for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc:

  ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 -0400)

----------------------------------------------------------------

----------------------------------------------------------------

Kevin Wolf (3):
  ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
  ide/atapi: Fix START STOP UNIT command completion
  ide: Clear DRQ after handling all expected accesses

 hw/ide/atapi.c |  1 +
 hw/ide/core.c  | 32 ++++++++++++++++++++++++++++----
 2 files changed, 29 insertions(+), 4 deletions(-)

-- 
2.1.0


* [Qemu-devel] [PULL 1/3] ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
From: John Snow @ 2015-07-27 12:01 UTC
  To: qemu-devel; +Cc: Kevin Wolf, peter.maydell, jsnow, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.

One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.

This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
---
 hw/ide/core.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 122e955..44fcc23 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
     }
 
     p = s->data_ptr;
+    if (p + 2 > s->data_end) {
+        return;
+    }
+
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
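Review bot: the early return at `if (p + 2 > s->data_end)` drops the guest's write silently, which is the right call for a defensive check, but nothing in the hunk records that reaching it means an end_transfer_func left DRQ set after the expected bytes were transferred. A one-line comment above the check saying so would keep a later reader from mistaking it for normal protocol handling or removing it as dead code.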
@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
     }
 
     p = s->data_ptr;
+    if (p + 2 > s->data_end) {
+        return 0;
+    }
+
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
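Review bot: `return 0;` on an out-of-range read is a reasonable choice, but the value is a policy decision and the hunk does not say why zero rather than, say, the last valid word. A short comment at this return (or a trace point) would make the behaviour discoverable when a guest is observed reading past data_end.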
@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
     }
 
     p = s->data_ptr;
+    if (p + 4 > s->data_end) {
+        return;
+    }
+
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
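Review bot: this is the third copy of the same `p + N > s->data_end` guard, and the next hunk adds a fourth, so the check and the hard-coded 2/4 widths now live in four places. Consider factoring it into a small static helper (hypothetical name, e.g. `ide_transfer_fits(s, 4)`) so that a future change to the bound is made once.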
@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
     }
 
     p = s->data_ptr;
+    if (p + 4 > s->data_end) {
+        return 0;
+    }
+
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
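Review bot: after this check fires, `s->data_ptr` and DRQ_STAT are left exactly as they were, so a guest that keeps polling the data port hits the same branch on every access and the out-of-range state is never resolved here. The guard by itself is what stops the memory corruption; the "Clear DRQ" patch later in this series is what actually ends the transfer. A sentence in the commit message describing that relationship would help backporters decide whether to take both.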
-- 
2.1.0


* [Qemu-devel] [PULL 2/3] ide/atapi: Fix START STOP UNIT command completion
From: John Snow @ 2015-07-27 12:01 UTC
  To: qemu-devel; +Cc: Kevin Wolf, peter.maydell, jsnow, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

The command must be completed on all code paths. START STOP UNIT with
pwrcnd set should succeed without doing anything.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
---
 hw/ide/atapi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
index 950e311..79dd167 100644
--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
 
     if (pwrcnd) {
         /* eject/load only happens for power condition == 0 */
+        ide_atapi_cmd_ok(s);
         return;
     }
 
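Review bot: `ide_atapi_cmd_ok(s);` before the `return` restores command completion on the power-condition path, but the existing comment `/* eject/load only happens for power condition == 0 */` still reads as if the branch were a pure no-op. Extend it to say that the command must still be completed (status and DRQ updated) so the next contributor does not reintroduce the bare return.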
-- 
2.1.0


* [Qemu-devel] [PULL 3/3] ide: Clear DRQ after handling all expected accesses
From: John Snow @ 2015-07-27 12:01 UTC
  To: qemu-devel; +Cc: Kevin Wolf, peter.maydell, jsnow, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This is additional hardening against an end_transfer_func that fails to
clear the DRQ status bit. The bit must be unset as soon as the PIO
transfer has completed, so it's better to do this in a central place
instead of duplicating the code in all commands (and forgetting it in
some).

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
---
 hw/ide/core.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 44fcc23..50449ca 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 uint32_t ide_data_readw(void *opaque, uint32_t addr)
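Review bot: `s->status &= ~DRQ_STAT;` now runs before `s->end_transfer_func(s)`, so any callback that starts another PIO phase must re-assert DRQ itself; the hunk relies on that ordering without stating it. A brief comment above the clear would document the contract for callback authors.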
@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 
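Review bot: `ret` is read before the status change, which is correct. Since the bounds check from patch 1 sits a few lines above this tail in the same function, a guest reading past data_end now gets 0 with DRQ already clear; a comment tying the two checks together would help a reader of the final code see why both exist.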
@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 uint32_t ide_data_readl(void *opaque, uint32_t addr)
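Review bot: style only: adding braces to the previously brace-less `if (p >= s->data_end)` is welcome, but the same two added lines now appear in all four accessors. A shared static helper for the "advance and maybe finish" tail would remove the duplication that made the original omission easy to repeat.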
@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 
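Review bot: with DRQ now cleared centrally in all four accessors, the per-command clears that the commit message says are duplicated across commands become redundant. Worth a follow-up pass to remove them, or at least a commit-message sentence saying they are now optional, so the two mechanisms do not drift apart.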
-- 
2.1.0

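A small, runnable model of the PIO data path described in the patch 1 commit message, and of the two hardening steps this series adds (the bounds check from patch 1 and the central DRQ clear from patch 3). This is an added example written for this page, not QEMU code and not from any of the thread's authors: the struct fields, the 8-byte buffer, the guard region, the `end_transfer_forgetful` callback and the `overrun_contained` driver are all constructed stand-ins for hw/ide/core.c (the names io_buffer, data_ptr, data_end, end_transfer_func and DRQ_STAT are borrowed from the patches; the bit value 0x08 for DRQ_STAT is the one QEMU uses, but here it is only an assumption of the model).

```c
/* Constructed model of the IDE PIO data path; not QEMU code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DRQ_STAT     0x08   /* "data request" bit (assumed, mirrors hw/ide) */
#define IO_BUF_SIZE  8      /* constructed: tiny PIO buffer */
#define CANARY_SIZE  8      /* constructed: guard bytes placed after it */
#define CANARY_BYTE  0xA5

typedef struct IDEModel IDEModel;
typedef void (*EndTransferFunc)(IDEModel *s);

struct IDEModel {
    /* One backing array so that stores past io_buffer stay well-defined:
     * they land in the guard region instead of corrupting the real heap. */
    uint8_t backing[IO_BUF_SIZE + CANARY_SIZE];
    uint8_t *io_buffer;
    uint8_t *data_ptr;
    uint8_t *data_end;
    uint8_t status;
    EndTransferFunc end_transfer_func;
    int completions;
};

static void ide_model_init(IDEModel *s)
{
    memset(s, 0, sizeof(*s));
    s->io_buffer = s->backing;
    memset(s->backing + IO_BUF_SIZE, CANARY_BYTE, CANARY_SIZE);
    s->data_ptr = s->data_end = s->io_buffer;
}

/* Arm a PIO transfer of `size` bytes; the device now asserts DRQ. */
static void ide_transfer_start(IDEModel *s, size_t size, EndTransferFunc f)
{
    s->data_ptr = s->io_buffer;
    s->data_end = s->io_buffer + size;
    s->end_transfer_func = f;
    s->status |= DRQ_STAT;
}

/* A correct completion callback: drop DRQ and park the pointers. */
static void end_transfer_ok(IDEModel *s)
{
    s->status &= ~DRQ_STAT;
    s->data_ptr = s->data_end = s->io_buffer;
    s->completions++;
}

/* The bug class the series describes: the callback returns without
 * completing the command, leaving DRQ set and data_ptr == data_end. */
static void end_transfer_forgetful(IDEModel *s)
{
    (void)s;
}

/* Guest writes one 16-bit word to the data port. The two flags switch on
 * the checks from patch 1 (bounds check before the store) and patch 3
 * (DRQ cleared centrally before the callback runs). */
static void ide_data_writew(IDEModel *s, uint16_t val,
                            bool bounds_check, bool clear_drq)
{
    uint8_t *p;

    if (!(s->status & DRQ_STAT)) {
        return;                      /* no transfer in progress */
    }
    p = s->data_ptr;
    if (bounds_check && p + 2 > s->data_end) {
        return;                      /* patch 1: never store past data_end */
    }
    p[0] = (uint8_t)(val & 0xff);    /* little-endian store, like le16 */
    p[1] = (uint8_t)(val >> 8);
    p += 2;
    s->data_ptr = p;
    if (p >= s->data_end) {
        if (clear_drq) {
            s->status &= ~DRQ_STAT;  /* patch 3: clear DRQ in one place */
        }
        s->end_transfer_func(s);
    }
}

static bool canary_intact(const IDEModel *s)
{
    for (size_t i = 0; i < CANARY_SIZE; i++) {
        if (s->backing[IO_BUF_SIZE + i] != CANARY_BYTE) {
            return false;
        }
    }
    return true;
}

/* Scenario: a 4-byte transfer whose callback may forget to complete, and a
 * guest that keeps writing words anyway. Returns true if the guard bytes
 * behind io_buffer survived. */
bool overrun_contained(bool bounds_check, bool clear_drq, EndTransferFunc f)
{
    IDEModel s;
    ide_model_init(&s);
    ide_transfer_start(&s, 4, f);
    for (int i = 0; i < 6; i++) {    /* 12 bytes offered for a 4-byte phase */
        ide_data_writew(&s, 0x4141, bounds_check, clear_drq);
    }
    return canary_intact(&s);
}

int main(void)
{
    printf("no checks, forgetful callback: guard intact = %d\n",
           overrun_contained(false, false, end_transfer_forgetful));
    printf("bounds check only:             guard intact = %d\n",
           overrun_contained(true, false, end_transfer_forgetful));
    printf("central DRQ clear only:        guard intact = %d\n",
           overrun_contained(false, true, end_transfer_forgetful));
    return 0;
}
```

Build with any C99 compiler and run it: the unchecked model lets the guest's extra words land in the guard region, while either hardening step on its own already contains the overrun, which is the defence-in-depth argument the patch 3 commit message makes for clearing DRQ centrally rather than trusting every callback.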

* Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
From: Stefan Priebe - Profihost AG @ 2015-07-27 12:10 UTC
  To: John Snow, qemu-devel; +Cc: peter.maydell, qemu-stable


On 27.07.2015 at 14:01, John Snow wrote:
> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
> 
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
> 
> are available in the git repository at:
> 
>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request

Any details on this CVE? Is RCE possible? Only if IDE is used?

Stefan

> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc:
> 
>   ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 -0400)
> 
> ----------------------------------------------------------------
> 
> ----------------------------------------------------------------
> 
> Kevin Wolf (3):
>   ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
>   ide/atapi: Fix START STOP UNIT command completion
>   ide: Clear DRQ after handling all expected accesses
> 
>  hw/ide/atapi.c |  1 +
>  hw/ide/core.c  | 32 ++++++++++++++++++++++++++++----
>  2 files changed, 29 insertions(+), 4 deletions(-)
> 


* Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
From: John Snow @ 2015-07-27 12:28 UTC
  To: Stefan Priebe - Profihost AG, qemu-devel; +Cc: peter.maydell, qemu-stable



On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
> 
> On 27.07.2015 at 14:01, John Snow wrote:
>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>>
>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
>>
>> are available in the git repository at:
>>
>>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
> 
> Any details on this CVE? Is RCE possible? Only if IDE is used?
> 
> Stefan
> 

It's a heap overflow. The most likely outcome is a segfault, but the
guest is allowed to continue writing past the end of the PIO buffer at
its leisure. This makes it similar to CVE-2015-3456.

This CVE can be mitigated unlike CVE-2015-3456 by just removing the
CD-ROM drive until the patch can be applied.

>> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc:
>>
>>   ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 -0400)
>>
>> ----------------------------------------------------------------
>>
>> ----------------------------------------------------------------
>>
>> Kevin Wolf (3):
>>   ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
>>   ide/atapi: Fix START STOP UNIT command completion
>>   ide: Clear DRQ after handling all expected accesses
>>
>>  hw/ide/atapi.c |  1 +
>>  hw/ide/core.c  | 32 ++++++++++++++++++++++++++++----
>>  2 files changed, 29 insertions(+), 4 deletions(-)
>>


* Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
From: John Snow @ 2015-07-27 12:34 UTC
  To: Stefan Priebe - Profihost AG, qemu-devel; +Cc: peter.maydell, qemu-stable



On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
> 
> On 27.07.2015 at 14:01, John Snow wrote:
>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>>
>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
>>
>> are available in the git repository at:
>>
>>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
> 
> Any details on this CVE? Is RCE possible? Only if IDE is used?
> 
> Stefan
> 
>> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc:
>>
>>   ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 -0400)
>>
>> ----------------------------------------------------------------
>>
>> ----------------------------------------------------------------
>>
>> Kevin Wolf (3):
>>   ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
>>   ide/atapi: Fix START STOP UNIT command completion
>>   ide: Clear DRQ after handling all expected accesses
>>
>>  hw/ide/atapi.c |  1 +
>>  hw/ide/core.c  | 32 ++++++++++++++++++++++++++++----
>>  2 files changed, 29 insertions(+), 4 deletions(-)
>>

See also http://seclists.org/oss-sec/2015/q3/212


* Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
From: Stefan Priebe - Profihost AG @ 2015-07-27 13:25 UTC
  To: John Snow, qemu-devel; +Cc: peter.maydell, qemu-stable


On 27.07.2015 at 14:28, John Snow wrote:
> 
> 
> On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
>>
>> On 27.07.2015 at 14:01, John Snow wrote:
>>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>>>
>>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
>>>
>>> are available in the git repository at:
>>>
>>>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
>>
>> Any details on this CVE? Is RCE possible? Only if IDE is used?
>>
>> Stefan
>>
> 
> It's a heap overflow. The most likely outcome is a segfault, but the
> guest is allowed to continue writing past the end of the PIO buffer at
> its leisure. This makes it similar to CVE-2015-3456.
> 
> This CVE can be mitigated unlike CVE-2015-3456 by just removing the
> CD-ROM drive until the patch can be applied.

Thanks. The seclist article explicitly references xen. So it does not
apply to qemu/kvm? Sorry for asking maybe stupid questions.

Stefan

>>> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc:
>>>
>>>   ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 -0400)
>>>
>>> ----------------------------------------------------------------
>>>
>>> ----------------------------------------------------------------
>>>
>>> Kevin Wolf (3):
>>>   ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
>>>   ide/atapi: Fix START STOP UNIT command completion
>>>   ide: Clear DRQ after handling all expected accesses
>>>
>>>  hw/ide/atapi.c |  1 +
>>>  hw/ide/core.c  | 32 ++++++++++++++++++++++++++++----
>>>  2 files changed, 29 insertions(+), 4 deletions(-)
>>>


* Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
From: Kevin Wolf @ 2015-07-27 13:38 UTC
  To: Stefan Priebe - Profihost AG
  Cc: peter.maydell, John Snow, qemu-devel, qemu-stable

On 27.07.2015 at 15:25, Stefan Priebe - Profihost AG wrote:
> 
> On 27.07.2015 at 14:28, John Snow wrote:
> > 
> > 
> > On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
> >>
> >> On 27.07.2015 at 14:01, John Snow wrote:
> >>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
> >>>
> >>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
> >>>
> >>> are available in the git repository at:
> >>>
> >>>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
> >>
> >> Any details on this CVE? Is RCE possible? Only if IDE is used?
> >>
> >> Stefan
> >>
> > 
> > It's a heap overflow. The most likely outcome is a segfault, but the
> > guest is allowed to continue writing past the end of the PIO buffer at
> > its leisure. This makes it similar to CVE-2015-3456.
> > 
> > This CVE can be mitigated unlike CVE-2015-3456 by just removing the
> > CD-ROM drive until the patch can be applied.
> 
> Thanks. The seclist article explicitly references xen. So it does not
> apply to qemu/kvm? Sorry for asking maybe stupid questions.

The IDE emulation is shared between Xen and KVM, so both are affected.
The reason why the seclist mail only mentions Xen is probably because
the Xen security team posted it.

Meanwhile there is also a Red Hat CVE page available, which mentions
qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154

Kevin


* Re: [Qemu-devel] [PULL 0/3] Cve 2015 5154 patches
From: Peter Maydell @ 2015-07-27 13:44 UTC
  To: John Snow; +Cc: QEMU Developers, qemu-stable

On 27 July 2015 at 13:01, John Snow <jsnow@redhat.com> wrote:
> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
>
> are available in the git repository at:
>
>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
>
> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc:
>
>   ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 -0400)
>

Applied, thanks.

-- PMM


* Re: [Qemu-devel] [Qemu-stable]   [PULL 0/3] Cve 2015 5154 patches
From: Peter Lieven @ 2015-07-27 13:46 UTC
  To: Kevin Wolf, Stefan Priebe - Profihost AG
  Cc: peter.maydell, John Snow, qemu-devel, qemu-stable


On 27.07.2015 at 15:38, Kevin Wolf wrote:
> On 27.07.2015 at 15:25, Stefan Priebe - Profihost AG wrote:
>> On 27.07.2015 at 14:28, John Snow wrote:
>>>
>>> On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
>>>> On 27.07.2015 at 14:01, John Snow wrote:
>>>>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>>>>>
>>>>>    Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
>>>>>
>>>>> are available in the git repository at:
>>>>>
>>>>>    https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
>>>> Any details on this CVE? Is RCE possible? Only if IDE is used?
>>>>
>>>> Stefan
>>>>
>>> It's a heap overflow. The most likely outcome is a segfault, but the
>>> guest is allowed to continue writing past the end of the PIO buffer at
>>> its leisure. This makes it similar to CVE-2015-3456.
>>>
>>> This CVE can be mitigated unlike CVE-2015-3456 by just removing the
>>> CD-ROM drive until the patch can be applied.
>> Thanks. The seclist article explicitly references xen. So it does not
>> apply to qemu/kvm? Sorry for asking maybe stupid questions.
> The IDE emulation is shared between Xen and KVM, so both are affected.
> The reason why the seclist mail only mentions Xen is probably because
> the Xen security team posted it.
>
> Meanwhile there is also a Red Hat CVE page available, which mentions
> qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154

The redhat advisory says that some Redhat versions are not affected
"because they did not backport the upstream commit that introduced this issue".

Can you point out which commit exactly introduced the issue?

Thanks,
Peter



* Re: [Qemu-devel] [Qemu-stable]   [PULL 0/3] Cve 2015 5154 patches
From: Kevin Wolf @ 2015-07-27 13:54 UTC
  To: Peter Lieven
  Cc: peter.maydell, qemu-stable, John Snow, qemu-devel,
	Stefan Priebe - Profihost AG

On 27.07.2015 at 15:46, Peter Lieven wrote:
> On 27.07.2015 at 15:38, Kevin Wolf wrote:
> 
>     On 27.07.2015 at 15:25, Stefan Priebe - Profihost AG wrote:
> 
>         On 27.07.2015 at 14:28, John Snow wrote:
> 
> 
>             On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
> 
>                 On 27.07.2015 at 14:01, John Snow wrote:
> 
>                     The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
> 
>                       Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
> 
>                     are available in the git repository at:
> 
>                       https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
> 
>                 Any details on this CVE? Is RCE possible? Only if IDE is used?
> 
>                 Stefan
> 
> 
>             It's a heap overflow. The most likely outcome is a segfault, but the
>             guest is allowed to continue writing past the end of the PIO buffer at
>             its leisure. This makes it similar to CVE-2015-3456.
> 
>             This CVE can be mitigated unlike CVE-2015-3456 by just removing the
>             CD-ROM drive until the patch can be applied.
> 
>         Thanks. The seclist article explicitly references xen. So it does not
>         apply to qemu/kvm? Sorry for asking maybe stupid questions.
> 
>     The IDE emulation is shared between Xen and KVM, so both are affected.
>     The reason why the seclist mail only mentions Xen is probably because
>     the Xen security team posted it.
> 
>     Meanwhile there is also a Red Hat CVE page available, which mentions
>     qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154
> 
> 
> The redhat advisory says that some Redhat versions are not affected
> "because they did not backport the upstream commit that introduced this issue
> ".
> 
> Can you point out which commit exactly introduced the issue?

That's the commit that introduced the code fixed in patch 2: Commit
ce560dcf ('ATAPI: STARTSTOPUNIT only eject/load media if powercondition
is 0').

Kevin


* Re: [Qemu-devel] [Qemu-stable]   [PULL 0/3] Cve 2015 5154 patches
From: Peter Lieven @ 2015-07-27 14:05 UTC
  To: Kevin Wolf
  Cc: peter.maydell, qemu-stable, John Snow, qemu-devel,
	Stefan Priebe - Profihost AG

On 27.07.2015 at 15:54, Kevin Wolf wrote:
> On 27.07.2015 at 15:46, Peter Lieven wrote:
>> On 27.07.2015 at 15:38, Kevin Wolf wrote:
>>
>>      On 27.07.2015 at 15:25, Stefan Priebe - Profihost AG wrote:
>>
>>          On 27.07.2015 at 14:28, John Snow wrote:
>>
>>
>>              On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
>>
>>                  On 27.07.2015 at 14:01, John Snow wrote:
>>
>>                      The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>>
>>                        Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
>>
>>                      are available in the git repository at:
>>
>>                        https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
>>
>>                  Any details on this CVE? Is RCE possible? Only if IDE is used?
>>
>>                  Stefan
>>
>>
>>              It's a heap overflow. The most likely outcome is a segfault, but the
>>              guest is allowed to continue writing past the end of the PIO buffer at
>>              its leisure. This makes it similar to CVE-2015-3456.
>>
>>              This CVE can be mitigated unlike CVE-2015-3456 by just removing the
>>              CD-ROM drive until the patch can be applied.
>>
>>          Thanks. The seclist article explicitly references xen. So it does not
>>          apply to qemu/kvm? Sorry for asking maybe stupid questions.
>>
>>      The IDE emulation is shared between Xen and KVM, so both are affected.
>>      The reason why the seclist mail only mentions Xen is probably because
>>      the Xen security team posted it.
>>
>>      Meanwhile there is also a Red Hat CVE page available, which mentions
>>      qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154
>>
>>
>> The redhat advisory says that some Redhat versions are not affected
>> "because they did not backport the upstream commit that introduced this issue
>> ".
>>
>> Can you point out which commit exactly introduced the issue?
> That's the commit that introduced the code fixed in patch 2: Commit
> ce560dcf ('ATAPI: STARTSTOPUNIT only eject/load media if powercondition
> is 0').

Okay, so as far as I can see this is in any Qemu >= 1.3.0.

Peter

