Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
Am 27.07.2015 um 15:54 schrieb Kevin Wolf: Am 27.07.2015 um 15:46 hat Peter Lieven geschrieben: Am 27.07.2015 um 15:38 schrieb Kevin Wolf: Am 27.07.2015 um 15:25 hat Stefan Priebe - Profihost AG geschrieben: Am 27.07.2015 um 14:28 schrieb John Snow: On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote: Am 27.07.2015 um 14:01 schrieb John Snow: The following changes since commit f793d97e454a56d17e404004867985622ca1a63b: Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100) are available in the git repository at: https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request Any details on this CVE? Is RCE possible? Only if IDE is used? Stefan It's a heap overflow. The most likely outcome is a segfault, but the guest is allowed to continue writing past the end of the PIO buffer at its leisure. This makes it similar to CVE-2015-3456. This CVE can be mitigated unlike CVE-2015-3456 by just removing the CD-ROM drive until the patch can be applied. Thanks. The seclist article explicitly references xen. So it does not apply to qemu/kvm? Sorry for asking may be stupid questions. The IDE emulation is shared between Xen and KVM, so both are affected. The reason why the seclist mail only mentions Xen is probably because the Xen security team posted it. Meanwhile there is also a Red Hat CVE page available, which mentions qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154 The redhat advisory says that some Redhat versions are not affected "because they did not backport the upstream commit that introduced this issue ". Can you point out which commit exactly introduced the issue? That's the commit that introduced the code fixed in patch 2: Commit ce560dcf ('ATAPI: STARTSTOPUNIT only eject/load media if powercondition is 0'). Okay, so as far as I can see this is in any Qemu >= 1.3.0. Peter
Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
Am 27.07.2015 um 15:46 hat Peter Lieven geschrieben: > Am 27.07.2015 um 15:38 schrieb Kevin Wolf: > > Am 27.07.2015 um 15:25 hat Stefan Priebe - Profihost AG geschrieben: > > Am 27.07.2015 um 14:28 schrieb John Snow: > > > On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote: > > Am 27.07.2015 um 14:01 schrieb John Snow: > > The following changes since commit > f793d97e454a56d17e404004867985622ca1a63b: > > Merge remote-tracking branch > 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100) > > are available in the git repository at: > > https://github.com/jnsnow/qemu.git > tags/cve-2015-5154-pull-request > > Any details on this CVE? Is RCE possible? Only if IDE is used? > > Stefan > > > It's a heap overflow. The most likely outcome is a segfault, but > the > guest is allowed to continue writing past the end of the PIO > buffer at > its leisure. This makes it similar to CVE-2015-3456. > > This CVE can be mitigated unlike CVE-2015-3456 by just removing > the > CD-ROM drive until the patch can be applied. > > Thanks. The seclist article explicitly references xen. So it does not > apply to qemu/kvm? Sorry for asking may be stupid questions. > > The IDE emulation is shared between Xen and KVM, so both are affected. > The reason why the seclist mail only mentions Xen is probably because > the Xen security team posted it. > > Meanwhile there is also a Red Hat CVE page available, which mentions > qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154 > > > The redhat advisory says that some Redhat versions are not affected > "because they did not backport the upstream commit that introduced this issue > ". > > Can you point out which commit exactly introduced the issue? That's the commit that introduced the code fixed in patch 2: Commit ce560dcf ('ATAPI: STARTSTOPUNIT only eject/load media if powercondition is 0'). Kevin
Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
Am 27.07.2015 um 15:38 schrieb Kevin Wolf: Am 27.07.2015 um 15:25 hat Stefan Priebe - Profihost AG geschrieben: Am 27.07.2015 um 14:28 schrieb John Snow: On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote: Am 27.07.2015 um 14:01 schrieb John Snow: The following changes since commit f793d97e454a56d17e404004867985622ca1a63b: Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100) are available in the git repository at: https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request Any details on this CVE? Is RCE possible? Only if IDE is used? Stefan It's a heap overflow. The most likely outcome is a segfault, but the guest is allowed to continue writing past the end of the PIO buffer at its leisure. This makes it similar to CVE-2015-3456. This CVE can be mitigated unlike CVE-2015-3456 by just removing the CD-ROM drive until the patch can be applied. Thanks. The seclist article explicitly references xen. So it does not apply to qemu/kvm? Sorry for asking may be stupid questions. The IDE emulation is shared between Xen and KVM, so both are affected. The reason why the seclist mail only mentions Xen is probably because the Xen security team posted it. Meanwhile there is also a Red Hat CVE page available, which mentions qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154 The redhat advisory says that some Redhat versions are not affected "because they did not backport the upstream commit that introduced this issue ". Can you point out which commit exactly introduced the issue? Thanks, Peter
Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
Am 27.07.2015 um 15:25 hat Stefan Priebe - Profihost AG geschrieben: > > Am 27.07.2015 um 14:28 schrieb John Snow: > > > > > > On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote: > >> > >> Am 27.07.2015 um 14:01 schrieb John Snow: > >>> The following changes since commit > >>> f793d97e454a56d17e404004867985622ca1a63b: > >>> > >>> Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into > >>> staging (2015-07-24 13:07:10 +0100) > >>> > >>> are available in the git repository at: > >>> > >>> https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request > >> > >> Any details on this CVE? Is RCE possible? Only if IDE is used? > >> > >> Stefan > >> > > > > It's a heap overflow. The most likely outcome is a segfault, but the > > guest is allowed to continue writing past the end of the PIO buffer at > > its leisure. This makes it similar to CVE-2015-3456. > > > > This CVE can be mitigated unlike CVE-2015-3456 by just removing the > > CD-ROM drive until the patch can be applied. > > Thanks. The seclist article explicitly references xen. So it does not > apply to qemu/kvm? Sorry for asking may be stupid questions. The IDE emulation is shared between Xen and KVM, so both are affected. The reason why the seclist mail only mentions Xen is probably because the Xen security team posted it. Meanwhile there is also a Red Hat CVE page available, which mentions qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154 Kevin
Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
Am 27.07.2015 um 14:28 schrieb John Snow: > > > On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote: >> >> Am 27.07.2015 um 14:01 schrieb John Snow: >>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b: >>> >>> Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into >>> staging (2015-07-24 13:07:10 +0100) >>> >>> are available in the git repository at: >>> >>> https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request >> >> Any details on this CVE? Is RCE possible? Only if IDE is used? >> >> Stefan >> > > It's a heap overflow. The most likely outcome is a segfault, but the > guest is allowed to continue writing past the end of the PIO buffer at > its leisure. This makes it similar to CVE-2015-3456. > > This CVE can be mitigated unlike CVE-2015-3456 by just removing the > CD-ROM drive until the patch can be applied. Thanks. The seclist article explicitly references xen. So it does not apply to qemu/kvm? Sorry for asking may be stupid questions. Stefan >>> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc: >>> >>> ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 >>> -0400) >>> >>> >>> >>> >>> >>> Kevin Wolf (3): >>> ide: Check array bounds before writing to io_buffer (CVE-2015-5154) >>> ide/atapi: Fix START STOP UNIT command completion >>> ide: Clear DRQ after handling all expected accesses >>> >>> hw/ide/atapi.c | 1 + >>> hw/ide/core.c | 32 >>> 2 files changed, 29 insertions(+), 4 deletions(-) >>>
Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote: > > Am 27.07.2015 um 14:01 schrieb John Snow: >> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b: >> >> Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into >> staging (2015-07-24 13:07:10 +0100) >> >> are available in the git repository at: >> >> https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request > > Any details on this CVE? Is RCE possible? Only if IDE is used? > > Stefan > It's a heap overflow. The most likely outcome is a segfault, but the guest is allowed to continue writing past the end of the PIO buffer at its leisure. This makes it similar to CVE-2015-3456. This CVE can be mitigated unlike CVE-2015-3456 by just removing the CD-ROM drive until the patch can be applied. >> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc: >> >> ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 >> -0400) >> >> >> >> >> >> Kevin Wolf (3): >> ide: Check array bounds before writing to io_buffer (CVE-2015-5154) >> ide/atapi: Fix START STOP UNIT command completion >> ide: Clear DRQ after handling all expected accesses >> >> hw/ide/atapi.c | 1 + >> hw/ide/core.c | 32 >> 2 files changed, 29 insertions(+), 4 deletions(-) >>
Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote: > > Am 27.07.2015 um 14:01 schrieb John Snow: >> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b: >> >> Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into >> staging (2015-07-24 13:07:10 +0100) >> >> are available in the git repository at: >> >> https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request > > Any details on this CVE? Is RCE possible? Only if IDE is used? > > Stefan > >> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc: >> >> ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 >> -0400) >> >> >> >> >> >> Kevin Wolf (3): >> ide: Check array bounds before writing to io_buffer (CVE-2015-5154) >> ide/atapi: Fix START STOP UNIT command completion >> ide: Clear DRQ after handling all expected accesses >> >> hw/ide/atapi.c | 1 + >> hw/ide/core.c | 32 >> 2 files changed, 29 insertions(+), 4 deletions(-) >> See also http://seclists.org/oss-sec/2015/q3/212
Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
Am 27.07.2015 um 14:01 schrieb John Snow: > The following changes since commit f793d97e454a56d17e404004867985622ca1a63b: > > Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into > staging (2015-07-24 13:07:10 +0100) > > are available in the git repository at: > > https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request Any details on this CVE? Is RCE possible? Only if IDE is used? Stefan > for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc: > > ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 > -0400) > > > > > > Kevin Wolf (3): > ide: Check array bounds before writing to io_buffer (CVE-2015-5154) > ide/atapi: Fix START STOP UNIT command completion > ide: Clear DRQ after handling all expected accesses > > hw/ide/atapi.c | 1 + > hw/ide/core.c | 32 > 2 files changed, 29 insertions(+), 4 deletions(-) >