Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

Xen bends own embargo rules to unbork risky Cirrus video emulation

It's 2017 and a VGA driver can take down a cloud. Seriously

The Xen Project has bent its own rules of vulnerability disclosure for a buggy and possibly exploitable video component that needs urgent attention.

It's not a hypervisor escape yet, but as the Xen advisory notes, it could be a pathway to one.

The crashable component is a VGA driver, of all things – the default Cirrus video emulator, which can be crashed by fiddling with display settings.

The bug is triggered by changing the display geometry, while simultaneously selecting a blank screen mode. The resize doesn't happen, but “will be properly handled during the next time a non-blank mode is selected during an update.”

So far so good. The problem is that other console components (the advisory picks out VNC emulation) see the resize and try to apply it. “When the display is resized to be larger than before, this can result in a heap overflow as console components will expect the display buffer to be larger than it is currently allocated.”

For Hardware Virtual Machine (HVM) guests, the process will crash through, but should only get the privileges of their guest kernel.

The Xen Project usually slaps a two-week embargo on bugs, so that clouds that use the hypervisor can sort things out before every hacker capable of spelling "HTML" descends on the millions of VMs they run.

However, what led to this one being shipped ahead of the normal embargo cycle is that the developers couldn't rule out a more serious exploit emerging.

“But the ability of a userspace process to trigger this vulnerability via legitimate commands to the kernel driver (thus elevating its privileges to that of the guest kernel) cannot be ruled out,” the advisory says. It also offers another reason for the early public disclosure, namely "to enable the community to have oversight of the Xen Project Security Team's decision-making."

The advisory includes patches. Users can also mitigate by running HVM with a stub domain; the advisory says it can also be mitigated by using the stgvga, but warns against this until the embargo period ends:

“It is NOT permitted during the embargo to switch from Cirrus VGA to Stdvga on public-facing systems with untrusted guest users or administrators. This is because it may give a clue where the issue lies. This mitigation is only permitted AFTER the embargo ends.” ®

Similar topics

Similar topics

Similar topics

TIP US OFF

Send us news


Other stories you might like