990923 – (CVE-2016-5403) VUL-0: CVE-2016-5403: xen: Qemu: virtio: unbounded memory allocation on host via guest leading to DoS (XSA-184)

Bug 990923 (CVE-2016-5403) - VUL-0: CVE-2016-5403: xen: Qemu: virtio: unbounded memory allocation on host via guest leading to DoS (XSA-184)

Summary: VUL-0: CVE-2016-5403: xen: Qemu: virtio: unbounded memory allocation on host ...

Status:	RESOLVED FIXED

Alias:	CVE-2016-5403

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/171405/
Whiteboard:	CVSSv2:RedHat:CVE-2016-5403:2.3:(AV:A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-07-27 19:39 UTC by Andreas Stieger
Modified:	2017-09-21 14:38 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2016-07-27 19:39:45 UTC

https://xenbits.xen.org/xsa/advisory-184.txt

            Xen Security Advisory CVE-2016-5403 / XSA-184
                              version 2

               virtio: unbounded memory allocation issue

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

A guest can submit virtio requests without bothering to wait for
completion and is therefore not bound by virtqueue size.  (This
requires reusing vring descriptors in more than one request, which is
incorrect but possible.)  Processing a request allocates a
VirtQueueElement and therefore causes unbounded memory allocation
controlled by the guest.

IMPACT
======

A malicious guest administrator can cause unbounded memory allocation
in QEMU, which can cause an Out-of-Memory condition in the domain
running qemu.

Thus, a malicious guest administrator can cause a denial of service
affecting the whole host.

VULNERABLE SYSTEMS
==================

ARM systems are not vulnerable.

PV domains are not vulnerable.

Only HVM domains where virtio-net devices are provided to the guest
are vulnerable.  Note that NO such devices are provided by default,
so the default configuration is not vulnerable.

HVM domains run with QEMU stub domains are not vulnerable.

(Note that all virtio subsystems are affected; but only virtio-net is
a supported configuration.  See docs/misc/qemu-xen-security.)

MITIGATION
==========

Running PV only will avoid the issue.

Running HVM domains with Xen PV drivers instead of virtio-net will
avoid the issue.

Running HVM domains with with stubdomains will mitigate the issue.

CREDITS
=======

This issue was discovered by Zhenhao Hong of the 360 Marvel Team.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa184-qemuu-master.patch  qemu-upstream, Xen unstable, 4.7.x, 4.6.x, 4.5.x, 4.4.x
xsa184-qemut-master.patch  qemu-traditional, Xen unstable, 4.7.x, 4.6.x, 4.5.x, 4.4.x

$ sha256sum xsa184*
ea41a25dac82cc5c0ef8e599feb6ed400e99414110d4dba8017d6bd048bc3de4  xsa184-qemut-master.patch
2d675e5e08d9443cf2e5f3aa37521241d6ed898a602b5111d6969023e67b9b6b  xsa184-qemuu-master.patch
$

NOTES ON THE EMBARGO PERIOD
===========================

Note that the embargo period is shorter than normal as the Xen
Security team were only notified of the issue on 25 July.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html



References:
https://bugzilla.redhat.com/show_bug.cgi?id=1358359
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5403
http://seclists.org/oss-sec/2016/q3/167
http://seclists.org/oss-sec/2016/q3/170

Comment 1 Swamp Workflow Management 2016-07-27 22:00:39 UTC

bugbot adjusting priority

Comment 2 Swamp Workflow Management 2016-08-17 16:18:19 UTC

SUSE-SU-2016:2093-1: An update that solves 27 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,957986,958848,961600,963161,964427,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.3_08-17.1

Comment 3 Swamp Workflow Management 2016-08-18 16:20:05 UTC

SUSE-SU-2016:2100-1: An update that solves 26 vulnerabilities and has 16 fixes is now available.

Category: security (important)
Bug References: 954872,955399,957986,958848,961600,963161,964427,967630,973188,974038,974912,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,985503,986586,988675,989235,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_07-37.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_07-37.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_07-37.1

Comment 4 Charles Arnold 2016-10-03 17:30:15 UTC

Submitted for,

SLE-11-SP3
SLE-11-SP4
SLE-12
SLE-12-SP1

Comment 5 Swamp Workflow Management 2016-10-11 17:17:47 UTC

openSUSE-SU-2016:2494-1: An update that solves 46 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,955104,958848,959330,959552,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990500,990843,990923,990970,991934,992224,993665,994421,994625,994761,994772,994775,995785,995789,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2015-7512,CVE-2015-8504,CVE-2015-8558,CVE-2015-8568,CVE-2015-8613,CVE-2015-8743,CVE-2016-1714,CVE-2016-1981,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.3_10-15.2

Comment 6 Swamp Workflow Management 2016-10-11 17:28:33 UTC

openSUSE-SU-2016:2497-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,958848,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_05-49.1

Comment 7 Swamp Workflow Management 2016-10-13 19:17:46 UTC

SUSE-SU-2016:2533-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,957986,958848,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_04-22.22.2
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_04-22.22.2

Comment 8 Swamp Workflow Management 2016-11-04 14:15:57 UTC

SUSE-SU-2016:2725-1: An update that solves 21 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 954872,961600,963161,973188,973631,974038,975130,975138,976470,978164,978295,978413,980716,980724,981264,982224,982225,982960,983984,985503,988675,990843,990923,995785,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-5238,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-7092,CVE-2016-7094
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-27.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-27.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-27.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-27.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-27.1

Comment 9 Alexander Bergmann 2016-11-23 08:12:56 UTC

I've checked, but it is still unclear for me if Xen versions prior to SLE-11-SP3 are affected by this. The SLE-10 codestream does not have the virtio stuff, but SLE-11-SP1 has a copy.

   xen-4.0.3-testing/tools/ioemu-qemu-xen/hw/virtio.c

Comment 10 Charles Arnold 2016-11-24 18:45:06 UTC

(In reply to Alexander Bergmann from comment #9)
> I've checked, but it is still unclear for me if Xen versions prior to
> SLE-11-SP3 are affected by this. The SLE-10 codestream does not have the
> virtio stuff, but SLE-11-SP1 has a copy.
> 
>    xen-4.0.3-testing/tools/ioemu-qemu-xen/hw/virtio.c

virtio is not supported in the old qemu 'traditional' version found in
all distro versions we have. This patch is applicable for the 'upstream'
qemu version found in SLE11 SP3 and newer.

Comment 11 Marcus Meissner 2016-12-22 11:58:09 UTC

released