[Bug 1581936] Re: Frozen Windows 7 VMs with VGA CVE-2016-3712 fix (2.6.0 and 2.5.1.1)
Launchpad Bug Tracker
1581936 at bugs.launchpad.net
Tue May 16 15:28:10 UTC 2017
This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu10.14
---------------
qemu (1:2.5+dfsg-5ubuntu10.14) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service via leak in virtFS
    - debian/patches/CVE-2017-7377.patch: fix file descriptor leak in
      hw/9pfs/virtio-9p.c.
    - CVE-2017-7377
  * SECURITY UPDATE: denial of service in cirrus_vga
    - debian/patches/CVE-2017-7718.patch: check parameters in
      hw/display/cirrus_vga_rop.h.
    - CVE-2017-7718
  * SECURITY UPDATE: code execution via cirrus_vga OOB r/w
    - debian/patches/CVE-2017-7980-1.patch: handle negative pitch in
      hw/display/cirrus_vga.c.
    - debian/patches/CVE-2017-7980-2.patch: allow zero source pitch in
      hw/display/cirrus_vga.c.
    - debian/patches/CVE-2017-7980-3.patch: fix blit address mask handling
      in hw/display/cirrus_vga.c.
    - debian/patches/CVE-2017-7980-4.patch: fix patterncopy checks in
      hw/display/cirrus_vga.c.
    - debian/patches/CVE-2017-7980-5.patch: revert allow zero source pitch
      in hw/display/cirrus_vga.c.
    - debian/patches/CVE-2017-7980-6.patch: stop passing around dst
      pointers in hw/display/cirrus_vga.c, hw/display/cirrus_vga_rop.h,
      hw/display/cirrus_vga_rop2.h.
    - debian/patches/CVE-2017-7980-7.patch: stop passing around src
      pointers in hw/display/cirrus_vga.c, hw/display/cirrus_vga_rop.h,
      hw/display/cirrus_vga_rop2.h.
    - debian/patches/CVE-2017-7980-8.patch: fix off-by-one in
      hw/display/cirrus_vga_rop.h.
    - debian/patches/CVE-2017-7980-9.patch: fix cirrus_invalidate_region in
      hw/display/cirrus_vga.c.
    - CVE-2017-7980
  * SECURITY UPDATE: denial of service via memory leak in virtFS
    - debian/patches/CVE-2017-8086.patch: fix leak in
      hw/9pfs/virtio-9p-xattr.c.
    - CVE-2017-8086
  * SECURITY UPDATE: denial of service via leak in audio
    - debian/patches/CVE-2017-8309.patch: release capture buffers in
      audio/audio.c.
    - CVE-2017-8309
  * SECURITY UPDATE: denial of service via leak in keyboard
    - debian/patches/CVE-2017-8379-1.patch: limit kbd queue depth in
      ui/input.c.
    - debian/patches/CVE-2017-8379-2.patch: don't queue delay if paused in
      ui/input.c.
    - CVE-2017-8379
  * SECURITY REGRESSION: Windows 7 VGA compatibility issue (LP: #1581936)
    - debian/patches/lp1581936.patch: add sr_vbe register set to
      hw/display/vga.c, hw/display/vga_int.h.

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Wed, 10 May 2017 10:09:29 -0400
https://bugs.launchpad.net/bugs/1581936
Title:
Frozen Windows 7 VMs with VGA CVE-2016-3712 fix (2.6.0 and 2.5.1.1)
Status in QEMU:
Fix Released
Status in qemu package in Ubuntu:
Fix Released
Status in qemu source package in Trusty:
Fix Released
Status in qemu source package in Xenial:
Fix Released
Bug description:
Hi,
As already posted on the QEMU devel list [1], I stumbled upon a problem
with QEMU in versions 2.5.1.1 and 2.6.0.
The VM shows Windows loading files for the installation, then the
"Starting Windows" screen appears; here it hangs and never continues.
Changing the "-vga" option to cirrus solves this; the installation can
proceed and finish. When changing back to std (or also qxl, vmware) the
installed VM also hangs on the "Starting Windows" screen, while qemu
shows a little but no excessive load.
This phenomenon also appears with QEMU 2.6.0 but not with 2.6.0-rc4; a
git bisect shows fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7 (vga: make
sure vga register setup for vbe stays intact (CVE-2016-3712)) as the
culprit for this regression. As it's a fix for a DoS, it's not an option
to just revert it, I guess.
The bisect log is:
git bisect start
# bad: [bfc766d38e1fae5767d43845c15c79ac8fa6d6af] Update version for v2.6.0 release
git bisect bad bfc766d38e1fae5767d43845c15c79ac8fa6d6af
# good: [975eb6a547f809608ccb08c221552f666611af25] Update version for v2.6.0-rc4 release
git bisect good 975eb6a547f809608ccb08c221552f666611af25
# good: [2068192dcccd8a80dddfcc8df6164cf9c26e0fc4] vga: update vga register setup on vbe changes
git bisect good 2068192dcccd8a80dddfcc8df6164cf9c26e0fc4
# bad: [53db932604dfa7bb9241d132e0173894cf54261c] Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160509-1' into staging
git bisect bad 53db932604dfa7bb9241d132e0173894cf54261c
# bad: [fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7] vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
git bisect bad fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7
# first bad commit: [fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7] vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
I could reproduce that with QEMU 2.5.1 and QEMU 2.6 on a Debian derivative
(Proxmox VE) with a 4.4 kernel and also with QEMU 2.6 on an Arch Linux
system with a 4.5 kernel, so it should not be host distro dependent. Both
machines have Intel x86_64 processors.
The problem should be reproducible with said versions or a build from
git including the above mentioned commit (fd3c136) by starting a VM with
a Windows 7 ISO, e.g.:
Freezing installation (as vga defaults to std I marked it as optional):
./x86_64-softmmu/qemu-system-x86_64 -boot d -cdrom win7.iso -m 1024 [-vga (std|qxl|vmware)]
Working installation:
./x86_64-softmmu/qemu-system-x86_64 -boot d -cdrom win7.iso -m 1024 -vga cirrus
If someone already has an installed Windows 7 VM, this behaviour should
also be observable when trying to start it with the new versions of QEMU.
Noteworthy may be that Windows 10 is working; I did not have time to get
other Windows versions and test them, I'll do that as soon as possible.
Various Linux systems also seem to work fine; at least I have not run
into an issue there yet.
I also tried testing with SeaBIOS and OVMF as firmware, as initially I
had no idea what broke; both lead to the same result: without the
CVE-2016-3712 fix they both work, with it they do not.
Further, KVM enabled or disabled does not make any difference.
[1] http://lists.nongnu.org/archive/html/qemu-devel/2016-05/msg02416.html
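As an added example (not code from the bug report, the reporter, or the Ubuntu package), a small parser for the Debian changelog format used in the notification above: it pulls out the package version and which CVE ids and patch files each security item carries, which is the check one would script to confirm a deployed qemu build includes the CVE-2017-7980 patch series together with the LP: #1581936 regression fix. The embedded sample is an abridged copy of the changelog entry above.

```python
import re

# Constructed sample: an abridged copy of the changelog entry quoted at the
# top of the notification, with the usual Debian changelog indentation restored.
CHANGELOG = """\
qemu (1:2.5+dfsg-5ubuntu10.14) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service via leak in virtFS
    - debian/patches/CVE-2017-7377.patch: fix file descriptor leak in
      hw/9pfs/virtio-9p.c.
    - CVE-2017-7377
  * SECURITY UPDATE: code execution via cirrus_vga OOB r/w
    - debian/patches/CVE-2017-7980-1.patch: handle negative pitch in
      hw/display/cirrus_vga.c.
    - debian/patches/CVE-2017-7980-8.patch: fix off-by-one in
      hw/display/cirrus_vga_rop.h.
    - CVE-2017-7980
  * SECURITY REGRESSION: Windows 7 VGA compatibility issue (LP: #1581936)
    - debian/patches/lp1581936.patch: add sr_vbe register set to
      hw/display/vga.c, hw/display/vga_int.h.

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Wed, 10 May 2017 10:09:29 -0400
"""

HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=")   # package (version) dist
ENTRY = re.compile(r"^  \* (SECURITY \w+): (.*)$")            # "* SECURITY UPDATE: ..."
PATCH = re.compile(r"^    - (debian/patches/\S+?\.patch): ")  # patch file sub-item
CVE = re.compile(r"^    - (CVE-\d{4}-\d{4,})$")               # bare CVE id sub-item

def parse_changelog(text):
    """Parse one changelog entry into package metadata plus a list of
    security items, each with its kind, summary, patch files and CVE ids."""
    info = {"package": None, "version": None, "distribution": None, "items": []}
    item = None
    for line in text.splitlines():
        if m := HEADER.match(line):
            info["package"], info["version"], info["distribution"] = m.groups()
        elif m := ENTRY.match(line):
            item = {"kind": m.group(1), "summary": m.group(2), "patches": [], "cves": []}
            info["items"].append(item)
        elif item is not None and (m := PATCH.match(line)):
            item["patches"].append(m.group(1))
        elif item is not None and (m := CVE.match(line)):
            item["cves"].append(m.group(1))
    return info

def fixed_cves(text):
    """CVE ids this version claims to close, in changelog order."""
    return [c for it in parse_changelog(text)["items"] for c in it["cves"]]
```

The regression item has no CVE line of its own, so a check that only greps for CVE ids would miss that a build lacks the lp1581936 patch; the items list keeps patch files and CVE ids side by side for that reason.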