[oss-security] 20180115 CVE-2017-18030 Qemu: Out-of-bounds access in cirrus_invalidate_region routine

102520

https://git.qemu.org/?p=qemu.git;a=commit;h=f153b563f8cf121aebf5a2fff5f0110faf58ccb3

[debian-lts-announce] 20180906 [SECURITY] [DLA 1497-1] qemu security update

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0039 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=077233184260bd831e7c4afdd4aebb0bced6ee32

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=6e676a4ba6bbd437a2a8dbfc3c6e591d920b013b

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86/vtd: Hide superpage support for SandyBridge IOMMUs     (Andrew Cooper) [Orabug: 31366846] (CVE-2018-12207)     (CVE-2018-12207)

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=4cfb88a0f248605ca655e0609f0650c4563be653

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=6e676a4ba6bbd437a2a8dbfc3c6e591d920b013b

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86/spec-ctrl: Allow the RDRAND/RDSEED features to be     hidden (Andrew Cooper) [Orabug: 31470704]     (CVE-2020-0543) (CVE-2020-0543)

  - cirrus: handle negative pitch in     cirrus_invalidate_region (Wolfgang Bumiller) [Orabug:
    31476272] (CVE-2017-18030)

  - cirrus: fix oob access in mode4and5 write functions     (Gerd Hoffmann) [Orabug: 31476272] (CVE-2017-15289)

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=3206f3109cfd432d6e5bbffbcc9839f5b8ed1e44

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86/spec-ctrl: Mitigate the Special Register Buffer Data     Sampling sidechannel (Andrew Cooper) [Orabug: 31470704]     (CVE-2020-0543) (CVE-2020-0543)

  - x86/spec-ctrl: CPUID/MSR definitions for Special     Register Buffer Data Sampling (Andrew Cooper) [Orabug:
    31470704] (CVE-2020-0543) (CVE-2020-0543)

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=0bef1944b340a7ec3e93a20b472effa654f5ee16

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86/crash: force unlock console before printing on kexec     crash (Igor Druzhinin) [Orabug: 31255931]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=69a58ac753bd61961615f9208f8e1ee5ce946538

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - redtape: x86/tsx: TAA regressions (Patrick Colp)     [Orabug: 31240359]

This security advisory was retracted by OracleVM on 2020/07/16.

Several vulnerabilities were found in qemu, a fast processor emulator :

CVE-2015-8666

Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator

CVE-2016-2198

NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service

CVE-2016-6833

Use after free while writing in the vmxnet3 device that could be used to cause a denial of service

CVE-2016-6835

Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service

CVE-2016-8576

Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support

CVE-2016-8667 / CVE-2016-8669

Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service

CVE-2016-9602

Improper link following with VirtFS

CVE-2016-9603

Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support

CVE-2016-9776

Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator

CVE-2016-9907

Memory leakage in the USB redirector usb-guest support 

CVE-2016-9911

Memory leakage in ehci_init_transfer in the USB EHCI support

CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916

Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver

CVE-2016-9921 / CVE-2016-9922

Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support 

CVE-2016-10155

Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations.

CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718

Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service

CVE-2017-5525 / CVE-2017-5526

Memory leakage issues in the ac97 and es1370 device emulation

CVE-2017-5579

Most memory leakage in the 16550A UART emulation

CVE-2017-5667

Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support.

CVE-2017-5715

Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/

CVE-2017-5856

Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support

CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505

Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list

CVE-2017-7377

9pfs: host memory leakage via v9fs_create

CVE-2017-7493

Improper access control issues in the host directory sharing via 9pfs support.

CVE-2017-7980

Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service

CVE-2017-8086

9pfs: host memory leakage via v9pfs_list_xattr

CVE-2017-8112

Infinite loop in the VMWare PVSCSI emulation

CVE-2017-8309 / CVE-2017-8379

Host memory leakage issues via the audio capture buffer and the keyboard input event handlers 

CVE-2017-9330

Infinite loop due to incorrect return value in USB OHCI that may result in denial of service

CVE-2017-9373 / CVE-2017-9374

Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service

CVE-2017-9503

NULL pointer dereference while processing megasas command

CVE-2017-10806

Stack buffer overflow in USB redirector

CVE-2017-10911

Xen disk may leak stack data via response ring

CVE-2017-11434

Out-of-bounds read while parsing Slirp/DHCP options

CVE-2017-14167

Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code

CVE-2017-15038

9pfs: information disclosure when reading extended attributes

CVE-2017-15289

Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service

CVE-2017-16845

Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration 

CVE-2017-18043

Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service

CVE-2018-7550

Incorrect handling of memory during multiboot that could may result in execution of arbitrary code

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u7.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes the following issues: This update has the next round of Spectre v2 related patches, which now integrates with corresponding changes in libvirt. A January 2018 release of qemu initially addressed the Spectre v2 vulnerability for KVM guests by exposing the spec-ctrl feature for all x86 vcpu types, which was the quick and dirty approach, but not the proper solution. We remove that initial patch and now rely on patches from upstream. This update defines spec_ctrl and ibpb cpu feature flags as well as new cpu models which are clones of existing models with either -IBRS or -IBPB added to the end of the model name. These new vcpu models explicitly include the new feature(s), whereas the feature flags can be added to the cpu parameter as with other features. In short, for continued Spectre v2 protection, ensure that either the appropriate cpu feature flag is added to the QEMU command-line, or one of the new cpu models is used.
Although migration from older versions is supported, the new cpu features won't be properly exposed to the guest until it is restarted with the cpu features explicitly added. A reboot is insufficient. A warning patch is added which attempts to detect a migration from a qemu version which had the quick and dirty fix (it only detects certain cases, but hopefully is helpful.) For additional information on Spectre v2 as it relates to QEMU, see:
https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/ (CVE-2017-5715 bsc#1068032) A patch is added to continue to detect Spectre v2 mitigation features (as shown by cpuid), and if found provide that feature to guests, even if running on older KVM (kernel) versions which do not yet expose that feature to QEMU. (bsc#1082276) Additional security fixes :

  - CVE-2018-5683: An out-of-bounds read in vga_draw_text     routine was fixed which could lead to crashes or     information leakage. (bsc#1076114)

  - CVE-2018-7550: multiboot OOB access while loading kernel     image was fixed that could lead to crashes (bsc#1083291)

  - CVE-2017-18030: An out-of-bounds access in     cirrus_invalidate_region routine could lead to crashes     or information leakage (bsc#1076179)

  - Eliminate bogus use of CPUID_7_0_EDX_PRED_CMD which     we've carried since the initial Spectre v2 patch was     added. EDX bit 27 of CPUID Leaf 07H, Sub-leaf 0 provides     status on STIBP, and not the PRED_CMD MSR. Exposing the     STIBP CPUID feature bit to the guest is wrong in     general, since the VM doesn't directly control the     scheduling of physical hyperthreads. This is left     strictly to the L0 hypervisor.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes the following issues :

  - This update has the next round of Spectre v2 related     patches, which now integrates with corresponding changes     in libvirt. A January 2018 release of qemu initially     addressed the Spectre v2 vulnerability for KVM guests by     exposing the spec-ctrl feature for all x86 vcpu types,     which was the quick and dirty approach, but not the     proper solution. We remove that initial patch and now     rely on patches from upstream. This update defines     spec_ctrl and ibpb cpu feature flags as well as new cpu     models which are clones of existing models with either
    -IBRS or -IBPB added to the end of the model name. These     new vcpu models explicitly include the new feature(s),     whereas the feature flags can be added to the cpu     parameter as with other features. In short, for     continued Spectre v2 protection, ensure that either the     appropriate cpu feature flag is added to the QEMU     command-line, or one of the new cpu models is used.
    Although migration from older versions is supported, the     new cpu features won't be properly exposed to the guest     until it is restarted with the cpu features explicitly     added. A reboot is insufficient.

  - A warning patch is added which attempts to detect a     migration from a qemu version which had the quick and     dirty fix (it only detects certain cases, but hopefully     is helpful.) For additional information on Spectre v2 as     it relates to QEMU, see:
    https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-     update/ (CVE-2017-5715 bsc#1068032)

  - A patch is added to continue to detect Spectre v2     mitigation features (as shown by cpuid), and if found     provide that feature to guests, even if running on older     KVM (kernel) versions which do not yet expose that     feature to QEMU. (bsc#1082276) These two patches will be     removed when we can reasonably assume everyone is     running with the appropriate updates.

  - Security fixes for the following CVE issues:
    (bsc#1076114 CVE-2018-5683) (bsc#1083291 CVE-2018-7550)

  - This patch is already included, add here for CVE track     (bsc#1076179 CVE-2017-18030)

  - Toolchain changes have cause the built size of     pxe-virtio.rom to exceed 64K. Tweak rarely used strings     in code to reduce size of the binary so it fits again.

  - Eliminate bogus use of CPUID_7_0_EDX_PRED_CMD which     we've carried since the initial Spectre v2 patch was     added. EDX bit 27 of CPUID Leaf 07H, Sub-leaf 0 provides     status on STIBP, and not the PRED_CMD MSR. Exposing the     STIBP CPUID feature bit to the guest is wrong in     general, since the VM doesn't directly control the     scheduling of physical hyperthreads. This is left     strictly to the L0 hypervisor.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201804-08 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker could execute arbitrary code, cause a Denial of Service       condition, or obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

This update for qemu fixes the following issues: This update has the next round of Spectre v2 related patches, which now integrate with corresponding changes in libvirt. (CVE-2017-5715 bsc#1068032) The January 2018 release of qemu initially addressed the Spectre v2 vulnerability for KVM guests by exposing the spec-ctrl feature for all x86 vcpu types, which was the quick and dirty approach, but not the proper solution. We replaced our initial patch by the patches from upstream. This update defines spec_ctrl and ibpb cpu feature flags as well as new cpu models which are clones of existing models with either
-IBRS or -IBPB added to the end of the model name. These new vcpu models explicitly include the new feature(s), whereas the feature flags can be added to the cpu parameter as with other features. In short, for continued Spectre v2 protection, ensure that either the appropriate cpu feature flag is added to the QEMU command-line, or one of the new cpu models is used. Although migration from older versions is supported, the new cpu features won't be properly exposed to the guest until it is restarted with the cpu features explicitly added. A reboot is insufficient. A warning patch is added which attempts to detect a migration from a qemu version which had the quick and dirty fix (it only detects certain cases, but hopefully is helpful.) For additional information on Spectre v2 as it relates to QEMU, see:
https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/ A patch is added to continue to detect Spectre v2 mitigation features (as shown by cpuid), and if found provide that feature to guests, even if running on older KVM (kernel) versions which do not yet expose that feature to QEMU. (bsc#1082276) These two patches will be removed when we can reasonably assume everyone is running with the appropriate updates. Also security fixes for the following CVE issues are included :

  - CVE-2017-15119: The Network Block Device (NBD) server in     Quick Emulator (QEMU), was vulnerable to a denial of     service issue. It could occur if a client sent large     option requests, making the server waste CPU time on     reading up to 4GB per request. A client could use this     flaw to keep the NBD server from serving other requests,     resulting in DoS. (bsc#1070144)

  - CVE-2017-15124: VNC server implementation in Quick     Emulator (QEMU) was found to be vulnerable to an     unbounded memory allocation issue, as it did not     throttle the framebuffer updates sent to its client. If     the client did not consume these updates, VNC server     allocates growing memory to hold onto this data. A     malicious remote VNC client could use this flaw to cause     DoS to the server host. (bsc#1073489)

  - CVE-2017-16845: The PS2 driver in Qemu did not validate     'rptr' and 'count' values during guest migration,     leading to out-of-bounds access. (bsc#1068613)

  - CVE-2017-17381: The Virtio Vring implementation in QEMU     allowed local OS guest users to cause a denial of     service (divide-by-zero error and QEMU process crash) by     unsetting vring alignment while updating Virtio rings.
    (bsc#1071228)

  - CVE-2017-18030: A problem in the Cirrus driver in Qemu     allowed local OS guest privileged users to cause a     denial of service (out-of-bounds array access and QEMU     process crash) via vectors related to negative pitch.
    (bsc#1076179)

  - CVE-2017-18043: Integer overflow in the macro ROUND_UP     (n, d) in Quick Emulator (Qemu) allowed a user to cause     a denial of service (Qemu process crash). (bsc#1076775)

  - CVE-2018-5683: The VGA driver in Qemu allowed local OS     guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address validation.
    (bsc#1076114)

  - CVE-2018-7550: The multiboot functionality in Quick     Emulator (aka QEMU) allowed local guest OS users to     execute arbitrary code on the QEMU host via an     out-of-bounds read or write memory access. (bsc#1083291)     Also the following bugs were fixed :

  - Eliminate bogus use of CPUID_7_0_EDX_PRED_CMD which     we've carried since the initial Spectre v2 patch was     added. EDX bit 27 of CPUID Leaf 07H, Sub-leaf 0 provides     status on STIBP, and not the PRED_CMD MSR. Exposing the     STIBP CPUID feature bit to the guest is wrong in     general, since the VM doesn't directly control the     scheduling of physical hyperthreads. This is left     strictly to the L0 hypervisor.

  - Spectre fixes for IBM Z series by providing more hw     features to guests (bsc#1076814)

  - Pre-add group kvm for qemu-tools (bsc#1040202)

  - the qemu-tools package also needs a prerequire of group     management tools, from the shadow package. (bsc#1085598)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent     information leaks via side effects of speculative     execution, aka 'Spectre' and 'Meltdown' attacks     (bsc#1074562, bsc#1068032)

  - CVE-2018-5683: The vga_draw_text function allowed local     OS guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address validation     (bsc#1076116).

  - CVE-2017-18030: The cirrus_invalidate_region function     allowed local OS guest privileged users to cause a     denial of service (out-of-bounds array access and QEMU     process crash) via vectors related to negative pitch     (bsc#1076180).

  - CVE-2017-15595: x86 PV guest OS users were able to cause     a DoS (unbounded recursion, stack consumption, and     hypervisor crash) or possibly gain privileges via     crafted page-table stacking (bsc#1061081)

  - CVE-2017-17566: Prevent PV guest OS users to cause a     denial of service (host OS crash) or gain host OS     privileges in shadow mode by mapping a certain auxiliary     page (bsc#1070158).

  - CVE-2017-17563: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging an incorrect mask for reference-count     overflow checking in shadow mode (bsc#1070159).

  - CVE-2017-17564: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging incorrect error handling for reference     counting in shadow mode (bsc#1070160).

  - CVE-2017-17565: Prevent PV guest OS users to cause a     denial of service (host OS crash) if shadow mode and     log-dirty mode are in place, because of an incorrect     assertion related to M2P (bsc#1070163).

  - Added missing intermediate preemption checks for guest     requesting removal of memory. This allowed malicious     guest administrator to cause denial of service due to     the high cost of this operation (bsc#1080635).

  - Because of XEN not returning the proper error messages     when transitioning grant tables from v2 to v1 a     malicious guest was able to cause DoS or potentially     allowed for privilege escalation as well as information     leaks (bsc#1080662).

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow flaw allowing a     privileged user to crash the Qemu process on the host     resulting in DoS (bsc#1024307)

  - Unprivileged domains could have issued well-timed writes     to xenstore which conflict with transactions to stall     progress of the control domain or driver domain,     possibly leading to DoS (bsc#1030144, XSA-206).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. This new feature was included :

  - add script and sysv service to watch for vcpu     online/offline events in a HVM domU These security     issues were fixed :

  - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent     information leaks via side effects of speculative     execution, aka 'Spectre' and 'Meltdown' attacks     (bsc#1074562, bsc#1068032)

  - CVE-2018-5683: The vga_draw_text function allowed local     OS guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address validation     (bsc#1076116).

  - CVE-2017-18030: The cirrus_invalidate_region function     allowed local OS guest privileged users to cause a     denial of service (out-of-bounds array access and QEMU     process crash) via vectors related to negative pitch     (bsc#1076180).

  - CVE-2017-15595: x86 PV guest OS users were able to cause     a DoS (unbounded recursion, stack consumption, and     hypervisor crash) or possibly gain privileges via     crafted page-table stacking (bsc#1061081)

  - CVE-2017-17566: Prevent PV guest OS users to cause a     denial of service (host OS crash) or gain host OS     privileges in shadow mode by mapping a certain auxiliary     page (bsc#1070158).

  - CVE-2017-17563: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging an incorrect mask for reference-count     overflow checking in shadow mode (bsc#1070159).

  - CVE-2017-17564: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging incorrect error handling for reference     counting in shadow mode (bsc#1070160).

  - CVE-2017-17565: Prevent PV guest OS users to cause a     denial of service (host OS crash) if shadow mode and     log-dirty mode are in place, because of an incorrect     assertion related to M2P (bsc#1070163).

  - Added missing intermediate preemption checks for guest     requesting removal of memory. This allowed malicious     guest administrator to cause denial of service due to     the high cost of this operation (bsc#1080635).

  - Because of XEN not returning the proper error messages     when transitioning grant tables from v2 to v1 a     malicious guest was able to cause DoS or potentially     allowed for privilege escalation as well as information     leaks (bsc#1080662).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent     information leaks via side effects of speculative     execution, aka 'Spectre' and 'Meltdown' attacks     (bsc#1074562, bsc#1068032)

  - CVE-2018-5683: The vga_draw_text function allowed local     OS guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address validation     (bsc#1076116).

  - CVE-2017-18030: The cirrus_invalidate_region function     allowed local OS guest privileged users to cause a     denial of service (out-of-bounds array access and QEMU     process crash) via vectors related to negative pitch     (bsc#1076180).

  - CVE-2017-15595: x86 PV guest OS users were able to cause     a DoS (unbounded recursion, stack consumption, and     hypervisor crash) or possibly gain privileges via     crafted page-table stacking (bsc#1061081)

  - CVE-2017-17566: Prevent PV guest OS users to cause a     denial of service (host OS crash) or gain host OS     privileges in shadow mode by mapping a certain auxiliary     page (bsc#1070158).

  - CVE-2017-17563: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging an incorrect mask for reference-count     overflow checking in shadow mode (bsc#1070159).

  - CVE-2017-17564: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging incorrect error handling for reference     counting in shadow mode (bsc#1070160).

  - CVE-2017-17565: Prevent PV guest OS users to cause a     denial of service (host OS crash) if shadow mode and     log-dirty mode are in place, because of an incorrect     assertion related to M2P (bsc#1070163).

  - Added missing intermediate preemption checks for guest     requesting removal of memory. This allowed malicious     guest administrator to cause denial of service due to     the high cost of this operation (bsc#1080635).

  - Because of XEN not returning the proper error messages     when transitioning grant tables from v2 to v1 a     malicious guest was able to cause DoS or potentially     allowed for privilege escalation as well as information     leaks (bsc#1080662).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent     information leaks via side effects of speculative     execution, aka 'Spectre' and 'Meltdown' attacks     (bsc#1074562, bsc#1068032)

  - CVE-2017-15595: x86 PV guest OS users were able to cause     a DoS (unbounded recursion, stack consumption, and     hypervisor crash) or possibly gain privileges via     crafted page-table stacking (bsc#1061081)

  - CVE-2017-17566: Prevent PV guest OS users to cause a     denial of service (host OS crash) or gain host OS     privileges in shadow mode by mapping a certain auxiliary     page (bsc#1070158).

  - CVE-2017-17563: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging an incorrect mask for reference-count     overflow checking in shadow mode (bsc#1070159).

  - CVE-2017-17564: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging incorrect error handling for reference     counting in shadow mode (bsc#1070160).

  - CVE-2017-17565: Prevent PV guest OS users to cause a     denial of service (host OS crash) if shadow mode and     log-dirty mode are in place, because of an incorrect     assertion related to M2P (bsc#1070163).

  - CVE-2018-5683: The vga_draw_text function allowed local     OS guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address validation     (bsc#1076116).

  - CVE-2017-18030: The cirrus_invalidate_region function     allowed local OS guest privileged users to cause a     denial of service (out-of-bounds array access and QEMU     process crash) via vectors related to negative pitch     (bsc#1076180).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues.

These security issues were fixed :

  - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent     information leaks via side effects of speculative     execution, aka 'Spectre' and 'Meltdown' attacks     (bsc#1074562, bsc#1068032)

  - CVE-2017-15595: x86 PV guest OS users were able to cause     a DoS (unbounded recursion, stack consumption, and     hypervisor crash) or possibly gain privileges via     crafted page-table stacking (bsc#1061081)

  - CVE-2017-17566: Prevent PV guest OS users to cause a     denial of service (host OS crash) or gain host OS     privileges in shadow mode by mapping a certain auxiliary     page (bsc#1070158).

  - CVE-2017-17563: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging an incorrect mask for reference-count     overflow checking in shadow mode (bsc#1070159).

  - CVE-2017-17564: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging incorrect error handling for reference     counting in shadow mode (bsc#1070160).

  - CVE-2017-17565: Prevent PV guest OS users to cause a     denial of service (host OS crash) if shadow mode and     log-dirty mode are in place, because of an incorrect     assertion related to M2P (bsc#1070163).

  - CVE-2018-5683: The vga_draw_text function allowed local     OS guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address validation     (bsc#1076116).

  - CVE-2017-18030: The cirrus_invalidate_region function     allowed local OS guest privileged users to cause a     denial of service (out-of-bounds array access and QEMU     process crash) via vectors related to negative pitch     (bsc#1076180).

These non-security issues were fixed :

  - bsc#1067317: pass cache=writeback|unsafe|directsync to     qemu depending on the libxl disk settings

  - bsc#1051729: Prevent invalid symlinks after install of     SLES 12 SP2

  - bsc#1035442: Increased the value of     LIBXL_DESTROY_TIMEOUT from 10 to 100 seconds. If many     domUs shutdown in parallel the backends couldn't keep up 

  - bsc#1027519: Added several upstream patches This update     was imported from the SUSE:SLE-12-SP3:Update update     project.

ID	Name	Product	Family	Severity
140019	OracleVM 3.4 : xen (OVMSA-2020-0039) (Bunker Buster) (Foreshadow) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
138415	OracleVM 3.4 : xen (OVMSA-2020-0027) (deprecated)	Nessus	OracleVM Local Security Checks	low
117351	Debian DLA-1497-1 : qemu security update (Spectre)	Nessus	Debian Local Security Checks	high
109886	SUSE SLES11 Security Update : kvm (SUSE-SU-2018:1308-1) (Spectre)	Nessus	SuSE Local Security Checks	medium
109358	SUSE SLES11 Security Update : kvm (SUSE-SU-2018:1077-1) (Spectre)	Nessus	SuSE Local Security Checks	medium
108929	GLSA-201804-08 : QEMU: Multiple vulnerabilities (Spectre)	Nessus	Gentoo Local Security Checks	high
108686	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:0831-1) (Spectre)	Nessus	SuSE Local Security Checks	high
108369	SUSE SLES11 Security Update : xen (SUSE-SU-2018:0678-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
107254	SUSE SLES11 Security Update : xen (SUSE-SU-2018:0638-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
107144	SUSE SLES12 Security Update : xen (SUSE-SU-2018:0609-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
107140	SUSE SLES12 Security Update : xen (SUSE-SU-2018:0601-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
106901	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:0472-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
106864	openSUSE Security Update : xen (openSUSE-2018-169) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
106834	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:0438-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high

CVE-2017-18030

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins