back to article Party like it's 1989... SVGA code bug haunts VMware's house, lets guests flee to host OS

Get busy, VMware admins and users: the virtualisation virtuoso has patched a programming blunder in ESXi, Workstation Pro and Player, and Fusion and Fusion Pro products that can be exploited by malicious code to jump from guest OS to host machine. The bug, disclosed here, is designated CVE-2018-6974. The out-of-bounds read is …

  1. Simon Harris

    A standard dating back to 1987?

    I remember plain VGA being introduced as a standard in 1987, but back then I seem to remember every manufacturer going "Pah! 640x480 in 16 colours? We can do better than that" and everyone found their own way of building on top of VGA to create a mess of different SVGAs and lots of display drivers that came with every piece of software that wanted to use them. It wasn't until the 90s with the VESA VBE video bios extensions that things got a bit more standardised and even then there was no guarantee that a mode you'd used on one card would exist on another.

    1. Lee D Silver badge

      Re: A standard dating back to 1987?

      Ah, VESA VBE.

      UNIVBE and Scitech Display Doctor.

      Yes, I remember those days, but I have no idea of the timescale. I do remember, though, having monitors with post-"Standard Definition" resolutions about 15-20 years before people started buying HD TV's.

      They never understood why I wasn't at all impressed.

      Hell, I remember running... Fractint? In ridiculous resolutions. And a DOS program called "display" (which is non-existent now and impossible to Google) that could utilise those ridiculously high resolutions that monitors were capable of back then. Until you hit the one res that was a little too much and your whole screen spocked out trying to show it (no "Out of Range" messages in those days, just a monitor slowly damaging itself...)

      I still have a Philips 105S that I used extensively in those days. It still functions some 20 years later as a CCTV monitor, and the picture is as clear as the first day I turned it on.

      1. Steve Walker

        Re: A standard dating back to 1987?

        Yup remember it well, my pride and joy a VLB Tseng 4000 was the dogs back then and Fractint showed me so! Project still seems alive even today https://www.fractint.org/ - for those that can't imagine PCs taking minutes to draw images ...

        1. Nigel Campbell

          Re: A standard dating back to 1987?

          I used to play Doom quite happily on an ET-4000 based card - on a 386/20 with no VL bus, albeit at lower display fidelity and size settings. The ET-4000 (and its predecessor, an Artist ZX1) worked passibly well for something with such constrained I/O. After that I upgraded to a 486 with VL bus S3 video card and it really flew, even without the hardware acceleration on the S3.

      2. Hans Neeson-Bumpsadese Silver badge

        Re: A standard dating back to 1987?

        Yes, I remember those days, but I have no idea of the timescale. I do remember, though, having monitors with post-"Standard Definition" resolutions about 15-20 years before people started buying HD TV's.

        Indeed - I remember reading about the awesome new tellyboxes that were going to be able to display 720 horizonal lines...I was reading the story on a rather elderly monitor running at 1280x1024 and wondering either what the fuss was about, or what the misprint was

        1. Lee D Silver badge

          Re: A standard dating back to 1987?

          I still contest that a WinTV card plugged into a decent aerial put onto a computer (via the old purple-overlay-on-screen-with-a-cable-passthrough trick) was some of the best quality TV images I'd ever seen. I was enjoying full-screen, smoothed-but-sharpened progressive-and-deinterlaced TV at HD res long before HD was a thing.

          Hell, teletext was also a dream - it cached EVERY page of teletext on the entire channel, so you literally clicked around it on the three-digit page numbers like hyperlinks.

          1. BinkyTheMagicPaperclip Silver badge

            Re: A standard dating back to 1987?

            You're talking about the Hauppauge WinTV Celebrity full length ISA card, aren't you? I still have one - got it second hand as new it was hideously expensive. Gorgeous thing, scaling direct into the overlay without blitting to the screen (as per the later cards).

            Little bit useless now analogue TV no longer exists, although it could be used to record/view composite sources etc.

        2. Dazed and Confused

          Re: A standard dating back to 1987?

          Indeed - I remember reading about the awesome new tellyboxes that were going to be able to display 720 horizonal lines...I was reading the story on a rather elderly monitor running at 1280x1024 and wondering either what the fuss was about, or what the misprint was

          Likewise, workstations had been running 1024x768 for years by then and most had switched to 1280x1024. In about 1991 Sony were pushing 1920x1200 as their proposal for HDTV and lent me a graphics card and a 40" reference monitor to go with their workstation we were marketing. Could have sold them by the lorry load at the AliPali computer graphic show that year if we'd had any SW to run on them, the stand was usually swamp with people wanting to take a look.

          By the early 2000s 1920x1200 was pretty common on laptops then came to big switch to HD (HA!) and screens went all crappy again and we lost lots of our lovely pixels.

    2. Anonymous Coward
      Anonymous Coward

      Re: A standard dating back to 1987?

      VSphere is a more mature product than Hyper-v Server yet it continually has an order of magnitude more security vulnerabilities. Crappy coding?

    3. diodesign (Written by Reg staff) Silver badge

      Re: A standard dating back to 1987?

      Yeah, VGA appeared 1987 and SVGA cards* arrived that year, too, although it wasn't until 1989 that a standard for programming them was defined. It doesn't help that what exactly SVGA is isn't formally defined like VGA was.

      Maybe it should be 1989.

      C.

      * eg: Cirrus Logic CL-GD410.

    4. GnuTzu

      Re: A standard dating back to 1987? -- Backward

      Anyone feel like this much backward compatibility is just backward? Well, at least it shouldn't be baked in so that you can no load it unless you need it, and rip it out if you never want to see it again.

      1. Gene Cash Silver badge

        Re: A standard dating back to 1987? -- Backward

        No, because if you want to do things like run your Linux guest w/o X11, but with a higher resolution console, this is what you need.

        Those shitheads at nvidia think the way you do, and don't support SVGA in console, so I have to accept fonts with characters the size of my thumb when I'm doing cold backups and the like.

        1. GnuTzu

          Re: A standard dating back to 1987? -- Backward

          Ah, thank you for the clarification. My sympathy on the challenge. Crappy console fonts and not being forced to install X11 are more than valid justifications. Voted up.

        2. Nate Amsden

          Re: A standard dating back to 1987? -- Backward

          I prefer a lower (standard) resolution on the console myself, whatever the default has been forever 320x240? I don't know.

          My P50 laptop has Nvidia in it of course, and in X11 I have it fixed to 1080p (it is a 4k display). On the grub boot menu as well as the linux console the characters are the size of a tip of a pen, if that. And grub takes about 3 seconds to refresh the screen for choosing another OS to boot from.

          Fortunately I don't need the console often on my laptop only to recover from the very rare issue affecting X11, but still would be nice to have a normal resolution for the console.

    5. TaabuTheCat

      Re: A standard dating back to 1987 - and a bug fixed in August 2019?

      Color me confused. If the KB is right the fix for 6.5 was included in the August 2019 patch release (Build 9298722). How is this just becoming news now?

      1. TaabuTheCat

        Re: A standard dating back to 1987 - and a bug fixed in August 2019?

        Sorry - meant 2018. Really wish I could time travel.

  2. Richard 12 Silver badge

    So that's every vmware VM vulnerable.

    Given that the virtual SVGA adapter is one of the few virtual devices that practically every virtual machine will have.

    I'm not sure if it's even supported to create an ESXi instance that doesn't have the SVGA display adapter.

  3. Korev Silver badge
    Windows

    For those unaware, SVGA – aka Super Video Graphics Array – is a computer display standard dating back to 1987

    Thanks for making me feel old!

    1. stiine Silver badge
      Pint

      don't feel bad

      I was just graduating High School in 1987...oh. I am old, too.

      1. Hans Neeson-Bumpsadese Silver badge

        Re: don't feel bad

        I remember getting excited because I had a PC with a Hercules graphics card delivering monochrome graphical goodness into my fishbowl-like amber-on-black 12" CRT monitor.

        Now that really makes me feel old

  4. Fading

    SVGA?

    MCGA is where it's at..... in 1987

  5. Michael H.F. Wilkinson Silver badge

    That brings back memories

    Back in 1988, in my first programming job, I remember having to support Hercules, EGA, VGA, several flavours of SVGA and two different Matrox frame-grabber and image processing boards (PIP-1024 and MVP-AT/NP) both for my graphics packages and for text output. Great fun. The VESA standard made life a lot easier, taming the explosion of different SVGA options available.

  6. Anonymous Coward
    Anonymous Coward

    I had an Orchid ProDesigner IIS graphics card back in the day 1990/91'ish with 1 WHOLE Mb of RAM

  7. Dan from Chicago

    The big bang is when the escape is on AWS

    Hook into the host process (up the chain to the top) that updates infrastructure and guest OS's and deploy a ransomware "patch."

    let it get replicated and backed up for a couple days, on all storage types, then fire it off on D-day (d for the dummies who didn't have some form of offline backup, whether local or cloud).

    Clean up costs would be incredible. Millions of servers would be looking at pay up or start from scratch. Tracking down and re-running even a couple of days of transactions would be an incredible amount of work.

    Cryptocurrencies are a big part of the problem. They make getting away while keeping ransom payments too easy.

  8. Anonymous Coward
    Anonymous Coward

    I just remember adding a half meg to my video card so that I had a full meg of ram to be able to support SVGA in Windows 3.1 - sigh, those were the days!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like