CVE-2016-3710 - Out-of-Bounds read/write vulnerability in QEMU VGA emulator
Environment
- Red Hat Enterprise Linux 7 (RHSA-2016:0724)
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- OpenStack Platform 4 (RHEL 6)
- OpenStack Platform 5 (RHEL 6)
- OpenStack Platform 5 (RHEL 7)
- OpenStack Platform 6 (RHEL 7)
- Red Hat Enterprise Virtualization 3 (RHEL 6)
- Red Hat Enterprise Virtualization 3 (RHEL 7) (RHSA-2016:0725)
Issue
Red Hat Product Security has been made aware of an out-of-bounds (OOB) read/write vulnerability affecting the VGA emulation with VESA BIOS Extensions (VBE) support implemented in the QEMU component of the KVM/QEMU and Xen hypervisors. This issue has been assigned CVE-2016-3710 and rated as having an Important impact.
Impact
A privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code with the privileges of the corresponding QEMU process on the host.
Resolution
Please install the updated QEMU, KVM, or Xen packages that have been made available through the respective advisories.
To install these updates, use the Yum package manager as follows:
# yum update
To update only the QEMU package (or the relevant packages for your system):
# yum update qemu-kvm
Once installed, the guests (virtual machines) need to be rebooted (power off -> power on) for the updates to take effect. It is also possible to migrate guests away from the affected host, update the host, and then migrate the guests back. Please note that a restart from within the guest OS is not enough, because the guest would continue running under the same (old, not updated) QEMU process.
The sVirt and Seccomp functionalities used to restrict the host's QEMU process privileges and resource access might mitigate the impact of successful exploitation of this issue. A possible policy-based workaround is to avoid granting untrusted users administrator privileges within guests.
Root Cause
This issue occurs during VGA I/O operations via the vga_mem_readb() and vga_mem_writeb() functions. In the standard VGA memory access mode, these functions accessed VGA memory as an integer-sized variable instead of a byte-sized variable:
/* vga_mem_readb(): the latch is filled from an integer-sized element at index addr */
s->latch = ((uint32_t *)s->vram_ptr)[addr];
/* vga_mem_writeb(): read-modify-write of the same integer-sized element */
((uint32_t *)s->vram_ptr)[addr] = (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | (val & write_mask);
Because addr is used as an index into an array of 32-bit elements rather than bytes, the effective byte offset is four times addr, which can lie beyond the maximum size of the video memory (that is, 16 MB), resulting in an out-of-bounds read/write access.
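To make the size of the over-reach concrete, the following added C model (not QEMU's code) computes the byte range that each access width touches for a given addr and guards the integer-sized read with the bounds check the vulnerable path lacked; VGA_RAM_SIZE, the helper names and the small sample buffer used when testing are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the emulated video memory quoted by the article: 16 MB (assumed constant name). */
#define VGA_RAM_SIZE (16u * 1024u * 1024u)

/* 1 when the whole elem_size-byte element at index addr lies inside vram_size bytes. */
static int access_in_bounds(uint64_t addr, size_t elem_size, uint64_t vram_size)
{
    return addr * elem_size + elem_size <= vram_size;
}

/* Largest byte offset that index addr reaches for a given element width. */
static uint64_t last_byte_touched(uint64_t addr, size_t elem_size)
{
    return addr * elem_size + elem_size - 1;
}

/* Byte-sized access: addr is a plain byte offset into vram. Returns -1 on OOB. */
static int byte_read_checked(const uint8_t *vram, uint64_t vram_size, uint64_t addr)
{
    if (!access_in_bounds(addr, 1, vram_size))
        return -1;
    return vram[addr];
}

/* Integer-sized (latched) access with the same addr, as in the vulnerable code,
 * but refusing the access instead of reading past vram. The index now reaches
 * byte addr * 4, four times as far into the buffer. Returns -1 on OOB. */
static int64_t latched_read_checked(const uint8_t *vram, uint64_t vram_size, uint64_t addr)
{
    uint32_t v;
    if (!access_in_bounds(addr, sizeof v, vram_size))
        return -1;
    memcpy(&v, vram + addr * sizeof v, sizeof v);
    return v;
}

int main(void)
{
    /* Constructed sample: the last valid byte offset of a 16 MB vram. */
    uint64_t addr = VGA_RAM_SIZE - 1;
    printf("addr 0x%llx: byte access in bounds=%d, uint32 access in bounds=%d\n",
           (unsigned long long)addr, access_in_bounds(addr, 1, VGA_RAM_SIZE),
           access_in_bounds(addr, sizeof(uint32_t), VGA_RAM_SIZE));
    printf("uint32 access would reach byte 0x%llx, %llu bytes past the end of vram\n",
           (unsigned long long)last_byte_touched(addr, 4),
           (unsigned long long)(last_byte_touched(addr, 4) - (VGA_RAM_SIZE - 1)));
    return 0;
}
```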
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.