FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks

Affected packages
xen-tools < 4.7.0_2


VuXML ID e6ce6f50-4212-11e6-942d-bc5ff45d0f28
Discovery 2016-05-09
Entry 2016-07-04

The Xen Project reports:

Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations.

Qemu VGA module allows guest to edit certain registers in 'vbe' and 'vga' modes.

A privileged guest user could use CVE-2016-3710 to exceed the bank address window and write beyond the said memory area, potentially leading to arbitrary code execution with privileges of the Qemu process. If the system is not using stubdomains, this will be in domain 0.

A privileged guest user could use CVE-2016-3712 to cause potential integer overflow or OOB read access issues in Qemu, resulting in a DoS of the guest itself. More dangerous effect, such as data leakage or code execution, are not known but cannot be ruled out.


CVE Name CVE-2016-3710
CVE Name CVE-2016-3712