This article is more than 1 year old
Xen bends own embargo rules to unbork risky Cirrus video emulation
It's 2017 and a VGA driver can take down a cloud. Seriously
The Xen Project has bent its own rules of vulnerability disclosure for a buggy and possibly exploitable video component that needs urgent attention.
It's not a hypervisor escape yet, but as the Xen advisory notes, it could be a pathway to one.
The crashable component is a VGA driver, of all things – the default Cirrus video emulator, which can be crashed by fiddling with display settings.
The bug is triggered by changing the display geometry, while simultaneously selecting a blank screen mode. The resize doesn't happen, but “will be properly handled during the next time a non-blank mode is selected during an update.”
So far so good. The problem is that other console components (the advisory picks out VNC emulation) see the resize and try to apply it. “When the display is resized to be larger than before, this can result in a heap overflow as console components will expect the display buffer to be larger than it is currently allocated.”
For Hardware Virtual Machine (HVM) guests, the process will crash through, but should only get the privileges of their guest kernel.
The Xen Project usually slaps a two-week embargo on bugs, so that clouds that use the hypervisor can sort things out before every hacker capable of spelling "HTML" descends on the millions of VMs they run.
However, what led to this one being shipped ahead of the normal embargo cycle is that the developers couldn't rule out a more serious exploit emerging.
“But the ability of a userspace process to trigger this vulnerability via legitimate commands to the kernel driver (thus elevating its privileges to that of the guest kernel) cannot be ruled out,” the advisory says. It also offers another reason for the early public disclosure, namely "to enable the community to have oversight of the Xen Project Security Team's decision-making."
The advisory includes patches. Users can also mitigate by running HVM with a stub domain; the advisory says it can also be mitigated by using the stgvga, but warns against this until the embargo period ends:
“It is NOT permitted during the embargo to switch from Cirrus VGA to Stdvga on public-facing systems with untrusted guest users or administrators. This is because it may give a clue where the issue lies. This mitigation is only permitted AFTER the embargo ends.” ®