[xen/f20] HVM qemu unexpectedly enabling emulated VGA graphics backends
myoung
myoung at fedoraproject.org
Thu Mar 12 22:19:28 UTC 2015
commit 86e5ba86e2617a2d0457f1daf33a2c79e639b955
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Thu Mar 12 22:18:38 2015 +0000
HVM qemu unexpectedly enabling emulated VGA graphics backends
xen.spec | 8 ++++-
xsa119-unstable.patch | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 106 insertions(+), 1 deletion(-)
---
diff --git a/xen.spec b/xen.spec
index 93ef29c..c2da603 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.3.3
-Release: 11%{?dist}
+Release: 12%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -121,6 +121,7 @@ Patch37: xsa116-4.3-4.2.patch
Patch38: xsa121.patch
Patch39: xsa122.patch
Patch40: xsa123-4.3-4.2.patch
+Patch41: xsa119-unstable.patch
Patch100: xen-configure-xend.patch
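Review bot: Patch41 pulls in the unstable-branch file (xsa119-unstable.patch, index 8599a6a..3b918c6 against tools/libxl/libxl_dm.c) while Version is 4.3.3, and the other XSA entries in this block use branch-specific files (xsa116-4.3-4.2.patch, xsa123-4.3-4.2.patch); the commit does not say whether the unstable patch applies to 4.3.3 without offset or fuzz. Either name the file for the branch it was verified against, or record in the changelog entry that the unstable version applies cleanly to 4.3.3.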
@@ -326,6 +327,7 @@ manage Xen virtual machines.
%patch38 -p1
%patch39 -p1
%patch40 -p1
+%patch41 -p1
%patch100 -p1
@@ -899,6 +901,10 @@ rm -rf %{buildroot}
%endif
%changelog
+* Thu Mar 12 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-12
+- HVM qemu unexpectedly enabling emulated VGA graphics backends [XSA-119,
+ CVE-2015-2152] (#1201365)
+
* Wed Mar 11 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-11
- Hypervisor memory corruption due to x86 emulator flaw [XSA-123,
CVE-2015-2151] (#1200398)
diff --git a/xsa119-unstable.patch b/xsa119-unstable.patch
new file mode 100644
index 0000000..f696eb5
--- /dev/null
+++ b/xsa119-unstable.patch
@@ -0,0 +1,99 @@
+From f433bfafbaf7d8a41c4c27aa3e8e78b1ab900b69 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <ian.campbell at citrix.com>
+Date: Fri, 20 Feb 2015 14:41:09 +0000
+Subject: [PATCH] tools: libxl: Explicitly disable graphics backends on qemu
+ cmdline
+
+By default qemu will try to create some sort of backend for the
+emulated VGA device, either SDL or VNC.
+
+However when the user specifies sdl=0 and vnc=0 in their configuration
+libxl was not explicitly disabling either backend, which could lead to
+one unexpectedly running.
+
+If either sdl=1 or vnc=1 is configured then both before and after this
+change only the backends which are explicitly enabled are configured,
+i.e. this issue only occurs when all backends are supposed to have
+been disabled.
+
+This affects qemu-xen and qemu-xen-traditional differently.
+
+If qemu-xen was compiled with SDL support then this would result in an
+SDL window being opened if $DISPLAY is valid, or a failure to start
+the guest if not. Passing "-display none" to qemu before any further
+-sdl options disables this default behaviour and ensures that SDL is
+only started if the libxl configuration demands it.
+
+If qemu-xen was compiled without SDL support then qemu would instead
+start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1
+(IPv4 localhost) with IPv6 preferred if available. Explicitly pass
+"-vnc none" when vnc is not enabled in the libxl configuration to
+remove this possibility.
+
+qemu-xen-traditional would never start a vnc backend unless asked.
+However by default it will start an SDL backend, the way to disable
+this is to pass a -vnc option. In other words passing "-vnc none" will
+disable both vnc and sdl by default. sdl can then be reenabled if
+configured by subsequent use of the -sdl option.
+
+Tested with both qemu-xen and qemu-xen-traditional built with SDL
+support and:
+ xl cr # defaults
+ xl cr sdl=0 vnc=0
+ xl cr sdl=1 vnc=0
+ xl cr sdl=0 vnc=1
+ xl cr sdl=0 vnc=0 vga=\"none\"
+ xl cr sdl=0 vnc=0 nographic=1
+with both valid and invalid $DISPLAY.
+
+This is XSA-119.
+
+Reported-by: Sander Eikelenboom <linux at eikelenboom.it>
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Acked-by: Ian Jackson <ian.jackson at eu.citrix.com>
+---
+ tools/libxl/libxl_dm.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
+index 8599a6a..3b918c6 100644
+--- a/tools/libxl/libxl_dm.c
++++ b/tools/libxl/libxl_dm.c
+@@ -180,7 +180,14 @@ static char ** libxl__build_device_model_args_old(libxl__gc *gc,
+ if (libxl_defbool_val(vnc->findunused)) {
+ flexarray_append(dm_args, "-vncunused");
+ }
+- }
++ } else
++ /*
++ * VNC is not enabled by default by qemu-xen-traditional,
++ * however passing -vnc none causes SDL to not be
++ * (unexpectedly) enabled by default. This is overridden by
++ * explicitly passing -sdl below as required.
++ */
++ flexarray_append_pair(dm_args, "-vnc", "none");
+
+ if (sdl) {
+ flexarray_append(dm_args, "-sdl");
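Review bot: the `} else` branch in libxl__build_device_model_args_old has a four-line comment between `else` and its single unbraced statement `flexarray_append_pair(dm_args, "-vnc", "none");`, which reads as an unconditional call and will be mis-extended the next time a line is added here; wrap it as `} else {` ... `}`. The ordering is also load-bearing but only implied: `-vnc none` must be appended before the `if (sdl)` block below, since per the description qemu-xen-traditional only re-enables SDL through a later `-sdl`, so say "must precede -sdl" in the comment.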
+@@ -522,7 +529,17 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc,
+ }
+
+ flexarray_append(dm_args, vncarg);
+- }
++ } else
++ /*
++ * Ensure that by default no vnc server is created.
++ */
++ flexarray_append_pair(dm_args, "-vnc", "none");
++
++ /*
++ * Ensure that by default no display backend is created. Further
++ * options given below might then enable more.
++ */
++ flexarray_append_pair(dm_args, "-display", "none");
+
+ if (sdl) {
+ flexarray_append(dm_args, "-sdl");
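Review bot: in libxl__build_device_model_args_new `-display none` is appended unconditionally, after the vnc branch and before `if (sdl)`, and the comment only says later options "might" enable more; state that this relies on qemu applying display options in order (the `-display none` must stay ahead of the `-sdl` below, and the sdl=0 vnc=1 case in the description relies on it not cancelling the `-vnc` argument added above), otherwise a future reordering of this function silently reintroduces the SDL window. The same unbraced `} else` followed by a comment block as in the old-args hunk is here too; add braces.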
+--
+2.1.4
+
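A practitioner patching dom0 for XSA-119 will want to verify that the device models actually running carry the new arguments. The script below is an added example, not part of the Fedora package or of Xen's libxl; it audits a qemu command line against the invariants the patch establishes as the patch description states them (an explicit "-vnc none" when VNC is off, "-display none" for qemu-xen when SDL is off, and both placed before any "-sdl"), and can scan /proc on a Linux dom0. The process names it matches (qemu-system-i386, qemu-dm), the flavour guess from the binary name, and the sample argument vectors are assumptions made for the example, not something libxl guarantees.

```python
#!/usr/bin/env python3
"""Audit Xen HVM device-model command lines for the XSA-119 condition.

Added example; not code from the Fedora package or from Xen/libxl. Checks:
  * when VNC is not wanted, "-vnc none" must be present (qemu-xen without
    SDL would otherwise start a VNC server on localhost; qemu-xen-traditional
    would otherwise open an SDL window);
  * for qemu-xen, when SDL is not wanted, "-display none" must be present
    (qemu-xen built with SDL would otherwise open an SDL window, or fail to
    start when $DISPLAY is unusable);
  * "-display none" / "-vnc none" must precede any "-sdl" that re-enables SDL.
Process names and the flavour guess below are assumptions for this example.
"""
import os
from typing import Iterator, List, Tuple

QEMU_XEN = "qemu-xen"
QEMU_TRAD = "qemu-xen-traditional"


def audit_cmdline(argv: List[str], flavor: str) -> List[str]:
    """Return findings for one device-model argv; empty list means it is safe."""
    if flavor not in (QEMU_XEN, QEMU_TRAD):
        raise ValueError("unknown device model flavour: %r" % flavor)

    vnc_targets = []        # every argument given to -vnc, in order
    vnc_none_at = None      # position of the first "-vnc none"
    display_none_at = None  # position of the first "-display none"
    sdl_at = None           # position of the first "-sdl"

    i = 1                   # argv[0] is the binary
    while i < len(argv):
        opt = argv[i]
        if opt in ("-vnc", "-display"):
            if i + 1 >= len(argv):
                raise ValueError("%s without an argument" % opt)
            value = argv[i + 1]
            if opt == "-vnc":
                vnc_targets.append(value)
                if value == "none" and vnc_none_at is None:
                    vnc_none_at = i
            elif value == "none" and display_none_at is None:
                display_none_at = i
            i += 2
        else:
            if opt == "-sdl" and sdl_at is None:
                sdl_at = i
            i += 1

    findings = []
    vnc_enabled = any(t != "none" for t in vnc_targets)
    sdl_enabled = sdl_at is not None

    if not vnc_enabled and vnc_none_at is None:
        if flavor == QEMU_XEN:
            findings.append("no -vnc option: qemu-xen built without SDL "
                            "starts a VNC server on localhost by default")
        else:
            findings.append("no -vnc option: qemu-xen-traditional opens an "
                            "SDL window by default")

    if flavor == QEMU_XEN and not sdl_enabled and display_none_at is None:
        findings.append("no -display none: qemu-xen built with SDL opens an "
                        "SDL window (or fails to start without $DISPLAY)")

    # The "none" options must come before -sdl, or they turn SDL off again.
    if sdl_enabled and display_none_at is not None and display_none_at > sdl_at:
        findings.append("-display none appears after -sdl and overrides it")
    if (flavor == QEMU_TRAD and sdl_enabled and vnc_none_at is not None
            and vnc_none_at > sdl_at):
        findings.append("-vnc none appears after -sdl; the fix relies on it "
                        "coming first so that a later -sdl re-enables SDL")
    return findings


def guess_flavor(argv: List[str]) -> str:
    """Assumption: traditional device model runs as qemu-dm, upstream as qemu-system-*."""
    return QEMU_TRAD if os.path.basename(argv[0]) == "qemu-dm" else QEMU_XEN


def running_device_models() -> Iterator[Tuple[int, List[str]]]:
    """Yield (pid, argv) for device-model processes found via /proc on a Linux dom0."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                raw = f.read().split(b"\0")[:-1]
        except OSError:
            continue  # process went away or is not ours to read
        argv = [a.decode(errors="replace") for a in raw]
        if argv and os.path.basename(argv[0]) in ("qemu-system-i386", "qemu-dm"):
            yield int(pid), argv


if __name__ == "__main__":
    for pid, argv in running_device_models():
        for finding in audit_cmdline(argv, guess_flavor(argv)):
            print("pid %d: %s" % (pid, finding))
```

Run it as root on dom0 after the update and restart of each HVM guest; an empty report means every device model carries the explicit "none" options. Pair it with `ss -ltnp | grep qemu` to confirm no unexpected VNC listener on ::1 or 127.0.0.1 remains.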