[xen/f20] HVM qemu unexpectedly enabling emulated VGA graphics backends

myoung myoung at fedoraproject.org
Thu Mar 12 22:19:28 UTC 2015


commit 86e5ba86e2617a2d0457f1daf33a2c79e639b955
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Thu Mar 12 22:18:38 2015 +0000

    HVM qemu unexpectedly enabling emulated VGA graphics backends

 xen.spec              |  8 ++++-
 xsa119-unstable.patch | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+), 1 deletion(-)
---
diff --git a/xen.spec b/xen.spec
index 93ef29c..c2da603 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.3.3
-Release: 11%{?dist}
+Release: 12%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -121,6 +121,7 @@ Patch37: xsa116-4.3-4.2.patch
 Patch38: xsa121.patch
 Patch39: xsa122.patch
 Patch40: xsa123-4.3-4.2.patch
+Patch41: xsa119-unstable.patch
 
 
 Patch100: xen-configure-xend.patch
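Review bot: the new patch is named xsa119-unstable.patch while this spec builds Xen 4.3.3, and the embedded patch carries upstream commit f433bfafbaf7d8a41c4c27aa3e8e78b1ab900b69 with hunk offsets (@@ -180,7 and @@ -522,7 in tools/libxl/libxl_dm.c) taken from the unstable tree. Please confirm that `%patch41 -p1` applies to the 4.3.3 libxl_dm.c without fuzz or rejects in both libxl__build_device_model_args_old and libxl__build_device_model_args_new; if it had to be rebased, name it after the target branch as the neighbouring xsa116-4.3-4.2.patch and xsa123-4.3-4.2.patch are.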
@@ -326,6 +327,7 @@ manage Xen virtual machines.
 %patch38 -p1
 %patch39 -p1
 %patch40 -p1
+%patch41 -p1
 
 %patch100 -p1
 
@@ -899,6 +901,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Mar 12 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-12
+- HVM qemu unexpectedly enabling emulated VGA graphics backends [XSA-119,
+	CVE-2015-2152] (#1201365)
+
 * Wed Mar 11 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-11
 - Hypervisor memory corruption due to x86 emulator flaw [XSA-123,
 	CVE-2015-2151] (#1200398)
diff --git a/xsa119-unstable.patch b/xsa119-unstable.patch
new file mode 100644
index 0000000..f696eb5
--- /dev/null
+++ b/xsa119-unstable.patch
@@ -0,0 +1,99 @@
+From f433bfafbaf7d8a41c4c27aa3e8e78b1ab900b69 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <ian.campbell at citrix.com>
+Date: Fri, 20 Feb 2015 14:41:09 +0000
+Subject: [PATCH] tools: libxl: Explicitly disable graphics backends on qemu
+ cmdline
+
+By default qemu will try to create some sort of backend for the
+emulated VGA device, either SDL or VNC.
+
+However when the user specifies sdl=0 and vnc=0 in their configuration
+libxl was not explicitly disabling either backend, which could lead to
+one unexpectedly running.
+
+If either sdl=1 or vnc=1 is configured then both before and after this
+change only the backends which are explicitly enabled are configured,
+i.e. this issue only occurs when all backends are supposed to have
+been disabled.
+
+This affects qemu-xen and qemu-xen-traditional differently.
+
+If qemu-xen was compiled with SDL support then this would result in an
+SDL window being opened if $DISPLAY is valid, or a failure to start
+the guest if not. Passing "-display none" to qemu before any further
+-sdl options disables this default behaviour and ensures that SDL is
+only started if the libxl configuration demands it.
+
+If qemu-xen was compiled without SDL support then qemu would instead
+start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1
+(IPv4 localhost) with IPv6 preferred if available. Explicitly pass
+"-vnc none" when vnc is not enabled in the libxl configuration to
+remove this possibility.
+
+qemu-xen-traditional would never start a vnc backend unless asked.
+However by default it will start an SDL backend, the way to disable
+this is to pass a -vnc option. In other words passing "-vnc none" will
+disable both vnc and sdl by default. sdl can then be reenabled if
+configured by subsequent use of the -sdl option.
+
+Tested with both qemu-xen and qemu-xen-traditional built with SDL
+support and:
+	xl cr # defaults
+	xl cr sdl=0 vnc=0
+	xl cr sdl=1 vnc=0
+	xl cr sdl=0 vnc=1
+	xl cr sdl=0 vnc=0 vga=\"none\"
+	xl cr sdl=0 vnc=0 nographic=1
+with both valid and invalid $DISPLAY.
+
+This is XSA-119.
+
+Reported-by: Sander Eikelenboom <linux at eikelenboom.it>
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Acked-by: Ian Jackson <ian.jackson at eu.citrix.com>
+---
+ tools/libxl/libxl_dm.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
+index 8599a6a..3b918c6 100644
+--- a/tools/libxl/libxl_dm.c
++++ b/tools/libxl/libxl_dm.c
+@@ -180,7 +180,14 @@ static char ** libxl__build_device_model_args_old(libxl__gc *gc,
+         if (libxl_defbool_val(vnc->findunused)) {
+             flexarray_append(dm_args, "-vncunused");
+         }
+-    }
++    } else
++        /*
++         * VNC is not enabled by default by qemu-xen-traditional,
++         * however passing -vnc none causes SDL to not be
++         * (unexpectedly) enabled by default. This is overridden by
++         * explicitly passing -sdl below as required.
++         */
++        flexarray_append_pair(dm_args, "-vnc", "none");
+ 
+     if (sdl) {
+         flexarray_append(dm_args, "-sdl");
+@@ -522,7 +529,17 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc,
+         }
+ 
+         flexarray_append(dm_args, vncarg);
+-    }
++    } else
++        /*
++         * Ensure that by default no vnc server is created.
++         */
++        flexarray_append_pair(dm_args, "-vnc", "none");
++
++    /*
++     * Ensure that by default no display backend is created. Further
++     * options given below might then enable more.
++     */
++    flexarray_append_pair(dm_args, "-display", "none");
+ 
+     if (sdl) {
+         flexarray_append(dm_args, "-sdl");
+-- 
+2.1.4
+
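Review bot: in both libxl_dm.c hunks the new `} else` is followed by a multi-line comment and then a single brace-less statement (`flexarray_append_pair(dm_args, "-vnc", "none");`); wrapping that in `} else { ... }` would keep a later insertion from silently falling outside the else. The ordering itself is right: in libxl__build_device_model_args_new the unconditional `flexarray_append_pair(dm_args, "-display", "none");` is emitted before the `if (sdl)` block, which is what the description requires ("-display none" before any further -sdl options), and the qemu-xen-traditional path gets only "-vnc none", consistent with the description that -vnc is the way to suppress its default SDL backend. For the fix in the spec changelog (XSA-119, CVE-2015-2152) a post-build check is cheap: start a guest with sdl=0 vnc=0 and verify that the device model has no VNC listener on 127.0.0.1 or ::1 and no SDL window, with and without a valid $DISPLAY, matching the test matrix in the patch description.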

